From isn at c4i.org Wed Feb 1 07:24:22 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:24:22 -0600 (CST)
Subject: [ISN] 'Electronic Discovery' Industry Blooming
Message-ID:

http://www.casperstartribune.net/articles/2006/01/31/ap/hitech/d8fep9do0.txt

By BRIAN BERGSTEIN
January 31, 2006

EDEN PRAIRIE, Minn. - Even just a few years ago, lawyers in corporate lawsuits sometimes agreed not to poke around in their opponents' e-mails. Instead they'd confine themselves to paper memos and other documents on file as they pursued evidence.

Now, however, with so much work done via e-mail, instant messaging and other online platforms, "nothing's in the file cabinets anymore," said Michele Lange, staff attorney for legal technologies at Kroll Ontrack Inc.

Instead, the memos, presentations and other scraps of corporate intelligence are increasingly finding their way into vast "electronic discovery" centers like the one Kroll Ontrack operates here near Minneapolis.

Day and night, rows of whirring, blinking computers sock away enormous batches of digital records sent by companies involved in lawsuits. Other files are discovered deep in hard drives - wedged between everything from personal e-mails to pornography - by Kroll Ontrack forensic teams whose code names keep their missions secret.

All this once was an arcane backwater of the legal-services field. Electronic discovery was commonly performed by local computer experts who played golf with law firm procurement officers.

But several factors - including the inexpensive abundance of data storage, high-profile lawsuits and strict new laws such as Sarbanes-Oxley that demand thorough corporate archiving - are making electronic discovery a lucrative and competitive slice of information technology.

The overall market is worth close to $2 billion and growing at about 35 percent a year, says Michael Clark, who analyzes the field at EDDix LLC.
The number of companies offering computer-related evidence gathering appears to have doubled in the past two or three years, with several hundred now hanging a shingle.

This surge has led Kroll Ontrack to quadruple the size of its data-crunching center in less than 18 months, from a half-petabyte of storage to two petabytes. That's 2 million gigabytes. Consider that the Internet Archive, which aims to store almost every public Web page ever to appear, currently totals one petabyte.

Rival e-discovery vendor Fios Inc. had 48 employees three years ago. This year, the Portland, Ore.-based company expects to employ more than 120, with revenue of $30 million - nearly double its 2004 figure.

Increasingly, e-discovery customers are not just law firms enmeshed in big corporate cases. More and more, companies are working proactively with e-discovery vendors, getting a handle on their data troves so they can meet regulatory requirements - or just in case they are sued.

After all, 90 percent of U.S. corporations are engaged in some type of litigation, according to research by the law firm Fulbright & Jaworski LLP. The average company bigger than $1 billion is wrestling with 147 lawsuits.

"The big risk for companies is too much data that there's really no business need for, being kept in ways that if they had to go looking for it, would be uneconomic," said e-discovery pioneer John Jessen, who founded Electronic Evidence Discovery Inc. in 1987. (It began after Jessen, who had a small computer business in his basement, was able to find a seemingly absent mailing list on a defendant's PC.)

Partial credit for the recent e-discovery boom goes to two 2005 cases involving investment banks.

In one, former UBS AG equities trader Laura Zubulake won a $29 million award in a federal gender discrimination suit in which she had requested that the bank turn over all internal communications about her.
The bank produced 350 pages of documents, but Zubulake knew there were more - she had retained some herself. The case set several precedents about how e-discovery ought to proceed and who should pay for it. In one key ruling, the judge slapped UBS for failing to recognize that the missing e-mails likely would end up being relevant to future litigation.

Later, financier Ron Perelman won $1.6 billion from Morgan Stanley & Co. after a judge said the firm had failed to turn over e-mails and other digital evidence in a lawsuit stemming from its role in the 1998 sale of Perelman's Coleman camping gear company to Sunbeam Corp. The case is being appealed but is still proving instructive.

"In litigation today, if e-discovery is done wrong, it can have huge implications," said Jonathan Redgrave, a partner at Redgrave Daley Ragan & Wagner LLP who specializes in electronic document issues.

In addition to these cases and laws such as Sarbanes-Oxley that tighten record-retention requirements, new changes in rules of civil procedure set strict standards for what companies should do with their files the moment they are sued.

"Some of those standards are fairly onerous even to sophisticated, highly litigious businesses," said Gerald Massey, head of Fios.

Complicating matters, other rules - including European data-privacy laws and the new Fair and Accurate Credit Transactions Act - require companies to go in the opposite direction and dispose of certain kinds of records.

Much of what e-discovery companies do is similar - but offered under different names or pricing schemes. Generally, a vendor gets raw material from corporate computers and backup tapes, then dives in - with specialized software rather than humans - to remove duplicate files or records that have no bearing on a case, while zeroing in on those that might. Later the vendors can be asked to testify how the searches were conducted.
Sometimes the findings are virtual smoking guns, like the infamous e-mail in which investment banker Frank Quattrone endorsed a recommendation that colleagues destroy files. Other times evidence comes not from what's in a file, but from its "metadata" - the automatically applied labels that explain such things as when a file was made, reviewed, changed or transferred.

From there, even the end product comes in digital form. The evidence found by electronic discovery firms can be put on secure Web sites for legal teams to pore over, mark up and redact if necessary.

This kind of service often runs well into six figures, but there will be pressure to bring that down as cost-conscious companies replace law firms as the direct clients. And that figures to change the sprawling field. Some think software providers and tech-services giants will step in and begin baking electronic discovery capabilities into other data-retention products. For example, storage systems can include "litigation hold" functions that let a company instantly preserve certain records if necessary.

"The ultimate buyers of a company like ours have only just begun to emerge in our space," said Massey at Fios. "The names we'll associate with the services we provide in three, four, five years from now will be like IBM and EMC and Oracle."

From isn at c4i.org Wed Feb 1 07:24:35 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:24:35 -0600 (CST)
Subject: [ISN] The case of the sneaky daughter and the wireless card
Message-ID:

http://www.networkworld.com/columnists/2006/012306nutter.html

By Ron Nutter
NetworkWorld.com
01/23/06

My 16-year-old daughter has wireless Internet access with her notebook computer. My wife and I control the signal by putting the modem on a timer, thus not allowing her to access the Internet after 12:00 am. She's a high-school student and we want her off the Internet after midnight.
However, she's learned to access other available Wi-Fi signals, so our turning off the modem does no good whatsoever. Other than confiscating her wireless card, is there any way we can keep her off the Internet after her curfew? Is there a way to block incoming signals to our home? Or is there a way to program her computer to block her access to Wi-Fi other than our secured network?

--Dan Meyerson

If her notebook computer is running XP Home, one option would be to enable logging in by username. Give her username enough to do what she needs to do but restrict her from making any changes such as selecting alternate access points. Depending on how the wireless card driver is written, this might be enough to prevent her from changing to another access point. This assumes that the SSID of your access point is unique and not running the default used by the manufacturer when it was made.

This will also give you another possible option. Use XP's Scheduled Tasks function to run batch files to disable (and then re-enable) the wireless card at set times. It is possible to use one script to run automatically when she logs in and check to see if the network card needs to be enabled or disabled based on time.

Another option is to put a hub or switch between the modem and the access point and put that hub/switch on a timer. When the power is shut off to the hub/switch, she will still see the access point but can't go anywhere.

If you need to use the access point within the house when you don't want your daughter to be able to use it, check within the firmware of the access point to see what kind of access control is available to control when a given workstation can and cannot access the Internet. Not all access points have this, so you may need to change access point vendors if your current access point doesn't allow this.

If you have a friend who is an Amateur Radio operator and has experience with the Oscar satellites, he may have another option for you.
Some of the newer satellites can operate in the 2.4 GHz range. See if he has a signal source for this frequency range. What you are looking for is a signal source that is weak enough not to disturb your neighbors' wireless access but to effectively make your daughter's notebook "deaf" to hearing other access points. This signal source would need to be placed in a location close to where the notebook is normally used in order to be effective. It could be placed on a timer to only have power during the hours when you want to restrict wireless access.

From isn at c4i.org Wed Feb 1 07:24:49 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:24:49 -0600 (CST)
Subject: [ISN] Honeywell Investigates Security Breach
Message-ID:

http://www.durantdemocrat.com/articles/2006/01/31/ap/hitech/d8ffvnug4.txt

February 1, 2006

MORRISTOWN, N.J. - Honeywell International is offering credit monitoring and identity theft insurance to approximately 19,000 current and former employees whose personal information - including Social Security numbers and bank account information - was posted on an Internet Web site.

The company notified employees about the breach within a day of learning of it on Jan. 20, according to spokesman Robert C. Ferris.

"The company immediately contacted the relevant service provider, had the page removed from the Internet and is continuously monitoring the Internet to ensure that the Web page and any copies of it remain taken down," said Ferris.

He said the company was working with federal and state investigators to determine who posted the data. Ferris said he didn't know whether the posting was the work of a disgruntled employee or resulted from an administrative error or other cause.

"Honeywell will aggressively pursue those responsible for this breach," Ferris said.

In a Jan. 24 letter to employees, the company's vice president of global security, John E.
McClurg, said the Identity Theft and Fraud Division of insurer AIG would help them protect themselves.

"They will provide you with a tool kit of resources and hands-on support to address any issues you encounter," he said.

The Morristown-based industrial and aerospace conglomerate employs about 120,000 people worldwide.

Incidents like the Honeywell security breach are on the rise as thieves and pranksters take aim at corporate America, according to Ron Teixeira, executive director of the National Cyber Security Alliance, a Washington, D.C.-based nonprofit dedicated to educating individuals and corporations about cyber safety.

"There are a number of reasons why this could have happened. When it's put out on the Web, hackers do that to show they could get access to the information and show the company their security was lacking. Other times, hackers are actually thieves or try to sell the information to thieves to commit ID theft.

"Any time your info is posted on a Web site, you never know who's using it and what they're using it for," said Teixeira.

© Durant Democrat

From isn at c4i.org Wed Feb 1 07:25:00 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:25:00 -0600 (CST)
Subject: [ISN] Data Loss Mailing List Announcement
Message-ID:

Forwarded from: lyger

In what has become a near weekly occurrence, large companies are collecting your personal information (sometimes without your knowledge or consent), and subsequently letting it fall into the hands of the bad guys. This is your personal information: name, address, social security number, credit card number, bank account numbers, and more.

Data Loss is a mail list that covers topics such as news releases regarding large-scale data loss, data theft, and identity theft incidents. Discussion about incidents, indictments, legislation, and recovery of lost or stolen data is encouraged.
To subscribe to Data Loss, send a mail to:
dataloss-subscribe at attrition.org

To unsubscribe from this list, send a mail to:
dataloss-unsubscribe at attrition.org

From isn at c4i.org Wed Feb 1 07:24:03 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:24:03 -0600 (CST)
Subject: [ISN] State takes new look at computer security
Message-ID:

http://kennebecjournal.mainetoday.com/news/local/2383457.shtml

By SUSAN M. COVER
Staff Writer
January 31, 2006

AUGUSTA -- The state is taking steps to limit access to critical computer systems in response to a report that showed deficiencies in security.

The Office of Program Evaluation and Government Accountability released a report Monday that revealed weaknesses in the way the state runs its computer systems. Part of the report, which was given to lawmakers and others in a closed session last month, indicated that the state needs to make sure only those who have proper credentials can get access to critical information.

However, the state system was not affected by hackers who tapped into Rhode Island's state Web site and got access to credit card numbers, said Richard Thompson, chief information officer for the state. The company that manages the Rhode Island site also works for the Maine government Web site. The breach, which occurred in December, was made public Friday.

Thompson said he had staff working all weekend, but they did not find any record that Maine's site had been illegally accessed.

"We are convinced, at least as of today, we are in good shape," he said.

Rep. A. David Trahan, R-Waldoboro, said he's heard from people who are concerned about the security of state computer systems.

"The urgency of this is greater now because of what just happened," he said.

A review of state computer security procedures conducted by Jefferson Wells International found that "system access controls do not measure up to industry standards."
Also, the state has not adequately put in writing what steps it would take if a major computer system fails or if offices could not be used because of a terrorist threat, according to the report.

Thompson, who is in the process of reorganizing how state agencies purchase and manage computer systems, said at least some of the criticism is due to a lack of paperwork.

"The weaknesses Jefferson Wells identified was, 'We can't tell you what we've got,'" he said. "It wasn't that we didn't have enough security."

Other parts of the report detailed a piecemeal approach in state government when it comes to purchasing new computers. State agencies, often using federal government money, move ahead on an individual basis without consulting other agencies. And although Thompson is in charge of the executive branch computer systems, he does not have jurisdiction over the Legislature or judicial branch.

Also, it's difficult for the program evaluation office to find out how much is being spent on computers and computer software because it is scattered throughout state government, said Beth Ashcroft, director of the evaluation office.

"The goal here from (the program evaluation office) perspective is to shine a light on information technology and how it's being managed," she said. "Right now, there's no good way to get a handle on that."

Another inefficiency is that it's hard to combine data from different agencies and some data is duplicated in several systems, she said.

The program evaluation oversight committee, which is made up of 12 legislators, will meet again to discuss what action it can take to address some of the concerns in the report.

Copyright © 2005 Blethen Maine Newspapers Inc.
From isn at c4i.org Wed Feb 1 07:25:14 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:25:14 -0600 (CST)
Subject: [ISN] Boston Globe in credit card data snafu
Message-ID:

http://money.cnn.com/2006/01/31/news/companies/security_bostonglobe.reut/

January 31, 2006

SAN FRANCISCO (Reuters) - Two Massachusetts newspapers owned by The New York Times Co., the Boston Globe and Worcester Telegram & Gazette, said Tuesday they had mistakenly sent out slips of paper with the credit card data of up to nearly a quarter million subscribers.

The credit card numbers were printed on routing slips attached to 9,000 bundles of newspapers sent to retailers and carriers last weekend, according to the newspapers.

"Immediate steps have been taken internally at the Globe and Telegram & Gazette to increase security around credit card reporting," Richard H. Gilman, publisher of the Boston Globe, said in a statement.

The credit card data of up to 240,000 subscribers may have been exposed, they said.

The blunder comes amid heightened concern over the security of consumer data in the wake of several incidents of lost or stolen personal records involving companies such as data broker ChoicePoint Inc., Bank of America Corp. and shoe retailer DSW Inc.

So far, the newspapers had not received any reports of misuses of the credit cards, and American Express, Discover, MasterCard and Visa had been advised of the situation, said Boston Globe spokesman Al Larkin.

Exposure of the data occurred because the Telegram & Gazette, which helps circulate both papers under a shared distribution system, printed the routing slips on recycled paper containing internal reports with subscriber credit card numbers, Larkin said.

"We've put a stop to that," Larkin said of the practice of reusing paper.

The Globe's circulation was 450,000, according to Larkin. He did not have a daily number for the Telegram & Gazette, but said the Sunday edition had a circulation of 81,000.
The newspapers were trying to locate and recover as many of the slips as possible, but believed that most had already been thrown away.

The publications had set up a hotline, 1-888-665-2644, for subscribers to check if their data was sent out.

The papers are part of The New England Media Group, which is owned by The New York Times Co.

From isn at c4i.org Wed Feb 1 07:25:26 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Feb 2006 06:25:26 -0600 (CST)
Subject: [ISN] Spyware probe couple deported to Israel
Message-ID:

http://www.theregister.co.uk/2006/01/31/spyware_suspect_deportation/

By John Leyden
31st January 2006

Spyware-for-hire suspects Michael and Ruth Haephrati arrived in Israel on Monday to face industrial espionage charges following their extradition from Britain. The couple, alleged masterminds behind a spyware-linked industrial espionage program, face trial in their native Israel after dropping an appeal against deportation.

Investigators allege the dynamic duo developed and sold customised spyware or Trojan horse packages designed to evade detection by security tools to three private investigation companies in Israel - Modi'in Ezrahi, Zvi Krochmal, and Philosof-Balali, The Jerusalem Post reports. This spyware code was allegedly installed on victims' PCs by private detectives from a diskette or via email, as part of a spying scam that ran for up to two years. The malware sent stolen documents to an FTP site, allowing unscrupulous firms to swipe confidential documents from rivals. Each software installation allegedly netted the Haephratis £2,000.

Firms suspected of using the malware include Mayer Motors (an importer of Volvo and Honda cars) against Champion Motors (an Audi and Volkswagen dealership); satellite television company Yes is accused of spying on rival cable TV outfit HOT, while Israeli mobile phone firms Pelephone and Cellcom are accused of spying, Haaretz reports.
The Haephratis are two of 22 people arrested in Israel and the UK in connection with the case, some of whom are currently on trial in Israel's Tel Aviv District Court. ®

From isn at c4i.org Fri Feb 3 04:28:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:28:29 -0600 (CST)
Subject: [ISN] Black Hat USA CFP opens, Europe early bird reminder, Federal news
Message-ID:

Forwarded from: Jeff Moss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello InfoSec News readers,

A bunch of announcements from Black Hat. It was easier to bundle them all together instead of sending them out bit by bit, so everything from Black Hat Federal coverage to the CFP opening for the summer USA conference is included. Here we go!

Black Hat Europe 2006 Final Reminder:
Speaker selection for Black Hat Europe 2006 has been finalized. This is our sixth conference in Amsterdam, and we have an impressive line up. Register now and save - our early bird rate closes February 8.
http://www.blackhat.com/html/bh-europe-06/bh-eu-06-speakers.html

Black Hat Europe 2006 Discount Book Offer:
BreakPoint Books, our official bookseller, is currently taking pre-orders of select titles for 15% off the suggested retail price; they can be picked up at the conference. Orders must be placed by February 8, 2006.
Download order form: http://www.blackhat.com/images/bh-europe-06/bh-eu-06-ad.pdf

Black Hat USA 2006 Call for Papers opens!
The Black Hat USA 2006 Call for Papers opens February 1. Don't hesitate to submit your presentations. Unleash your best kung-fu for the greatest chance of being selected.
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-cfp.html

Black Hat USA 2006 Hotel:
Reserve your hotel early. The Black Hat room block at Caesars Palace is now accepting reservations. The block has sold out 6 weeks prior to the start of the show the last few years, so please make your room arrangements early.
Reservations must be made directly through Caesars:
http://www.caesars.com/reservations/main.aspx?hotelid=14&specialgroupcode=SCBL06

Black Hat Federal 06 presentations now on-line:
The presentations from the Black Hat Federal '06 show are currently on-line. In addition to PDFs, appropriate source code and white papers are also present.
http://www.blackhat.com/html/bh-media-archives/bh-archives-2006.html#federal

Black Hat Federal 2006 news:
Black Hat Federal generated a large amount of interest from the press and blog world. The presentations were more paranoid in nature, dealing with topics from root kits to reverse engineering and physical memory forensics. Read the stories at Slashdot, Washington Post, SecurityFocus, the Register, Government Computer News, and others.

* http://it.slashdot.org/article.pl?sid=06/01/27/1327228
* http://www.securityfocus.com/brief/118
* http://blogs.washingtonpost.com/securityfix/2006/01/a_letter_from_b.html
* http://www.gcn.com/vol1_no1/daily-updates/38107-1.html
* http://www.gcn.com/vol1_no1/daily-updates/38098-1.html
* http://www.theregister.co.uk/2006/01/30/good_worms_nematodes_blackhatconference/
* http://taosecurity.blogspot.com/#113839241238734087

We carry links to these and more on our RSS feed.
http://www.blackhat.com/BlackHatRSS.xml

Thanks everyone,

Jeff Moss

From isn at c4i.org Fri Feb 3 04:29:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:29:56 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - February 3rd 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  February 3rd, 2006                           Volume 7, Number 5a   |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave at linuxsecurity.com        ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

Due to several changes in our advisory archiving scripts, Linux Advisory Watch did not go out last week. This has caused an unusually high number of advisories. The purpose of this week's newsletter is to 'catch up' and ensure that every advisory has been published. We apologize for any inconvenience.
Advisories were released for petris, unzip, tetex-bin, koffice, fetchmail, gpdf, tuxpaint, albatross, mantis, antiword, smstools, sudo, ClamAV, kdelibs, crawl, CUPS, trac, libapache-auth-ldap, flyspray, wine, mailman, lsh-utils, ImageMagick, drupal, hylafax, libextractor, unalz, libmail-audit-perl, pdftohtml, mod_auth_pgsql, poppler, tetex, kdegraphics, ethereal, httpd, openssh, mozilla, firefox, Gallery, LibAST, Paros, MyDNS, xorg-x11, UUlib, SSLeay, mdkonline, gthumb, libgphoto, net-snmp, apache2, thunderbird, bzip2, gzip, libast, gd, and phpMyAdmin. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

----

A Linux Security Look To The Future
By: Pax Dickinson

It's much the same story as last year: Windows worms and viruses continually propagate, crossbreed, and multiply while Linux remains above the fray. Sober and the other "newsmaking" viruses all infect and attack Windows, while all Linux admins get out of it are a few hits to our Snort rulesets. Yes, there are worms attacking Linux, and Linux, like any other system, is certainly not immune. Linux is, however, more resistant.

One reason is made clear when the internet is compared to a biosphere. Linux is a mutt. Every Linux distribution does things slightly differently, Linux runs on very varied hardware, and many Linux users compile their own software. Things just aren't as standardized in the Linux world, which is viewed as a flaw by many pundits, though it has many benefits when it comes to security.
A Linux security flaw may only affect a certain distribution or application, and most distributions and applications lack the massive market share to provide enough sustenance for a worm to really get going. Meanwhile, the applications that do possess large market share, such as Apache, tend to be generally secure due to their source code availability.

Windows, on the other hand, lacks this genetic diversity. One copy of Windows XP is exactly like the next, and the source is closed, so previously unknown flaws are discovered all the time. Yes, Windows does have a greater market share, making it a bigger target, but I'd wager that if the market shares of Windows and Linux were even, Windows would still have more vulnerabilities. In nature, populations that lack genetic diversity run the risk of being decimated by a virulent disease, and the internet is no different. There's a reason we use biological metaphors like "worm" and "virus" to describe malware.

Linux also benefits by tending not to be a primary target for malware authors because they have such a juicy target in Windows. Of course, keeping systems patched has been and will remain key; luckily, most Linux distributions available today tend to be very polished in this area, with tools such as apt-get, yum, and portage providing easy application and system upgrades.

So much for the good. Looking to the future, things go from bad to beyond ugly. We Linux users should realize how good we have it right now and recognize that the current security situation will not remain so benevolent for us. In an environment of dumb worms and viruses targeted at the least common denominator, Linux is well prepared to hold fast and remain generally secure. However, sinister trends are developing now that may end this state of complacency and need to be addressed.
Crime related to spam, spyware, and other online illegalities is said by some experts to have recently passed international drug trafficking in dollars earned, and malicious hacking that used to be performed for fun is now a big business. Websites once hacked only so the culprit could deface them and show off are now penetrated in order to steal customer data and engage in identity theft. Botnets of more than a million compromised hosts are not unknown, used to send spam, host child pornography, and perform distributed DoS attacks. An underground market for botnets has made the creation of viruses and trojans into a thriving business opportunity for the unscrupulous.

Read Entire Article:
http://www.linuxsecurity.com/content/view/121230/49/

----------------------

EnGarde Secure Community 3.0.3 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

http://www.linuxsecurity.com/content/view/121150/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of Unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
http://www.linuxsecurity.com/content/view/119087/49/

--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New petris packages fix buffer overflow
  27th, January, 2006

Steve Kemp from the Debian Security Audit project discovered a buffer overflow in petris, a clone of the Tetris game, which may be exploited to execute arbitrary code with group games privileges.

http://www.linuxsecurity.com/content/view/121285

* Debian: New unzip packages fix unauthorised permissions modification
  27th, January, 2006

The unzip update in DSA 903 contained a regression so that symbolic links that are resolved later in a zip archive aren't supported anymore. This update corrects this behaviour.

http://www.linuxsecurity.com/content/view/121286

* Debian: New tetex-bin packages fix arbitrary code execution
  27th, January, 2006

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in tetex-bin, the binary files of teTeX, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/121287

* Debian: New koffice packages fix arbitrary code execution
  27th, January, 2006

"infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in koffice, the KDE Office Suite, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121288

* Debian: New fetchmail packages fix denial of service
  27th, January, 2006

  Daniel Drake discovered a problem in fetchmail, an SSL enabled POP3, APOP, IMAP mail gatherer/forwarder, that can cause a crash when the program is running in multidrop mode and receives messages without headers.

  http://www.linuxsecurity.com/content/view/121289

* Debian: New gpdf packages fix arbitrary code execution
  27th, January, 2006

  "infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in gpdf, the GNOME version of the Portable Document Format viewer, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/121290

* Debian: New tuxpaint packages fix insecure temporary file creation
  27th, January, 2006

  Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that a script in tuxpaint, a paint program for young children, creates a temporary file in an insecure fashion.

  http://www.linuxsecurity.com/content/view/121291

* Debian: New albatross packages fix arbitrary code execution
  27th, January, 2006

  A design error has been discovered in the Albatross web application toolkit that causes user supplied data to be used as part of template execution and hence arbitrary code execution.

  http://www.linuxsecurity.com/content/view/121292

* Debian: New Perl packages fix arbitrary code execution
  27th, January, 2006

  Jack Louis discovered an integer overflow in Perl, Larry Wall's Practical Extraction and Report Language, that allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via specially crafted content that is passed to vulnerable format strings of third party software.
  http://www.linuxsecurity.com/content/view/121293

* Debian: New mantis packages fix several vulnerabilities
  27th, January, 2006

  Several security related problems have been discovered in Mantis, a web-based bug tracking system. The Common Vulnerabilities and Exposures project identifies the following problems:

  http://www.linuxsecurity.com/content/view/121294

* Debian: New antiword packages fix insecure temporary file creation
  27th, January, 2006

  Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that two scripts in antiword, utilities to convert Word files to text and Postscript, create a temporary file in an insecure fashion.

  http://www.linuxsecurity.com/content/view/121295

* Debian: New smstools packages fix format string vulnerability
  27th, January, 2006

  Ulf Harnhammar from the Debian Security Audit project discovered a format string attack in the logging code of smstools, which may be exploited to execute arbitrary code with root privileges.

  http://www.linuxsecurity.com/content/view/121296

* Debian: New sudo packages fix privilege escalation
  27th, January, 2006

  It has been discovered that sudo, a privileged program that provides limited super user privileges to specific users, passes several environment variables to the program that runs with elevated privileges. In the case of include paths (e.g. for Perl, Python, Ruby or other scripting languages) this can cause arbitrary code to be executed as the privileged user if the attacker points to a manipulated version of a system library.

  http://www.linuxsecurity.com/content/view/121297

* Debian: New ClamAV packages fix heap overflow
  27th, January, 2006

  A heap overflow has been discovered in ClamAV, a virus scanner, which could allow an attacker to execute arbitrary code by sending a carefully crafted UPX-encoded executable to a system running ClamAV. In addition, other potential overflows have been corrected.
  http://www.linuxsecurity.com/content/view/121298

* Debian: New kdelibs packages fix buffer overflow
  27th, January, 2006

  Maksim Orlovich discovered that the kjs Javascript interpreter, used in the Konqueror web browser and in other parts of KDE, performs insufficient bounds checking when parsing UTF-8 encoded Uniform Resource Identifiers, which may lead to a heap based buffer overflow and the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/121299

* Debian: New crawl packages fix potential group games execution
  27th, January, 2006

  Steve Kemp from the Debian Security Audit project discovered a security related problem in crawl, another console based dungeon exploration game in the vein of nethack and rogue. The program executes commands insecurely when saving or loading games, which can allow local attackers to gain group games privileges.

  http://www.linuxsecurity.com/content/view/121300

* Debian: New CUPS packages fix arbitrary code execution
  27th, January, 2006

  "infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf which are also present in CUPS, the Common UNIX Printing System, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/121301

* Debian: New trac packages fix SQL injection and cross-site scripting
  27th, January, 2006

  Several vulnerabilities have been discovered in trac, an enhanced wiki and issue tracking system for software development projects. The Common Vulnerabilities and Exposures project identifies the following problems:

  http://www.linuxsecurity.com/content/view/121302

* Debian: New libapache-auth-ldap packages fix arbitrary code execution
  27th, January, 2006

  "Seregorn" discovered a format string vulnerability in the logging function of libapache-auth-ldap, an LDAP authentication module for the Apache webserver, that can lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121303

* Debian: New flyspray packages fix cross-site scripting
  27th, January, 2006

  Several cross-site scripting vulnerabilities have been discovered in flyspray, a lightweight bug tracking system, which allow attackers to insert arbitrary script code into the index page.

  http://www.linuxsecurity.com/content/view/121304

* Debian: New wine packages fix arbitrary code execution
  27th, January, 2006

  H D Moore discovered that Wine, a free implementation of the Microsoft Windows APIs, inherits a design flaw from the Windows GDI API, which may lead to the execution of code through GDI escape functions in WMF files.

  http://www.linuxsecurity.com/content/view/121305

* Debian: New clamav packages fix heap overflow
  27th, January, 2006

  A heap overflow has been discovered in ClamAV, a virus scanner, which could allow an attacker to execute arbitrary code by sending a carefully crafted UPX-encoded executable to a system running ClamAV. In addition, other potential overflows have been corrected.

  http://www.linuxsecurity.com/content/view/121306

* Debian: New xpdf packages fix arbitrary code execution
  27th, January, 2006

  "infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, that can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/121307

* Debian: New mailman packages fix denial of service
  27th, January, 2006

  Two denial of service bugs were found in the mailman list server. In one, attachment filenames containing UTF8 strings were not properly parsed, which could cause the server to crash. In another, a message containing a bad date string could cause a server crash.
  http://www.linuxsecurity.com/content/view/121308

* Debian: New lsh-utils packages fix local vulnerabilities
  27th, January, 2006

  Stefan Pfetzing discovered that lshd, a Secure Shell v2 (SSH2) protocol server, leaks a couple of file descriptors, related to the randomness generator, to user shells which are started by lshd. A local attacker can truncate the server's seed file, which may prevent the server from starting, and with some more effort, maybe also crack session keys.

  http://www.linuxsecurity.com/content/view/121309

* Debian: New ImageMagick packages fix arbitrary command execution
  27th, January, 2006

  Florian Weimer discovered that delegate code in ImageMagick is vulnerable to shell command injection using specially crafted file names. This allows attackers to encode commands inside of graphic commands. With some user interaction, this is exploitable through Gnus and Thunderbird.

  http://www.linuxsecurity.com/content/view/121310

* Debian: New drupal packages fix several vulnerabilities
  27th, January, 2006

  Several security related problems have been discovered in drupal, a fully-featured content management/discussion engine. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

  http://www.linuxsecurity.com/content/view/121311

* Debian: New kpdf packages fix arbitrary code execution
  27th, January, 2006

  "infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, that can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code. The same code is present in kpdf which is part of the kdegraphics package.
  http://www.linuxsecurity.com/content/view/121312

* Debian: New hylafax packages fix arbitrary command execution
  27th, January, 2006

  Patrice Fournier found that hylafax passes unsanitized user data in the notify script, allowing users with the ability to submit jobs to run arbitrary commands with the privileges of the hylafax server.

  http://www.linuxsecurity.com/content/view/121313

* Debian: New pound packages fix multiple vulnerabilities
  27th, January, 2006

  Two vulnerabilities have been discovered in Pound, a reverse proxy and load balancer for HTTP. The Common Vulnerabilities and Exposures project identifies the following problems:

  http://www.linuxsecurity.com/content/view/121314

* Debian: New smstools packages fix format string vulnerability
  27th, January, 2006

  Ulf Harnhammar from the Debian Security Audit project discovered a format string attack in the logging code of smstools, which may be exploited to execute arbitrary code with root privileges.

  http://www.linuxsecurity.com/content/view/121315

* Debian: New libapache2-mod-auth-pgsql packages fix arbitrary code execution
  27th, January, 2006

  iDEFENSE reports that a format string vulnerability in mod_auth_pgsql, a library used to authenticate web users against a PostgreSQL database, could be used to execute arbitrary code with the privileges of the httpd user.

  http://www.linuxsecurity.com/content/view/121316

* Debian: New libextractor packages fix arbitrary code execution
  27th, January, 2006

  "infamous41md" and Chris Evans discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in libextractor, a library to extract arbitrary meta-data from files, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121317

* Debian: New trac packages fix SQL injection and cross-site scripting
  30th, January, 2006

  This update corrects the search feature in trac, an enhanced wiki and issue tracking system for software development projects, which broke with the last security update.

  http://www.linuxsecurity.com/content/view/121444

* Debian: New unalz packages fix arbitrary code execution
  30th, January, 2006

  Ulf Härnhammar from the Debian Audit Project discovered that unalz, a decompressor for ALZ archives, performs insufficient bounds checking when parsing file names. This can lead to arbitrary code execution if an attacker provides a crafted ALZ archive.

  http://www.linuxsecurity.com/content/view/121446

* Debian: New ImageMagick packages fix arbitrary command execution
  31st, January, 2006

  Florian Weimer discovered that delegate code in ImageMagick is vulnerable to shell command injection using specially crafted file names. This allows attackers to encode commands inside of graphic commands. With some user interaction, this is exploitable through Gnus and Thunderbird. This update filters out the '$' character as well, which was forgotten in the former update.

  http://www.linuxsecurity.com/content/view/121451

* Debian: New libmail-audit-perl packages fix insecure temporary file use
  31st, January, 2006

  Niko Tyni discovered that the Mail::Audit module, a Perl library for creating simple mail filters, logs to a temporary file with a predictable filename in an insecure fashion when logging is turned on, which is not the case by default.

  http://www.linuxsecurity.com/content/view/121452

* Debian: New libmail-audit-perl packages fix insecure temporary file use
  31st, January, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/121461

* Debian: New pdfkit.framework packages fix arbitrary code execution
  1st, February, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/121462

* Debian: New pdftohtml packages fix arbitrary code execution
  1st, February, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/121463

* Debian: New mydns packages fix denial of service
  2nd, February, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/121475

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: cups-1.1.23-15.3
  27th, January, 2006

  This update fixes the pdftops filter's handling of some incorrectly-formed PDF files. Issues fixed are CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627.

  http://www.linuxsecurity.com/content/view/121373

* Fedora Core 3 Update: cups-1.1.22-0.rc1.8.9
  27th, January, 2006

  This update fixes the pdftops filter's handling of some incorrectly-formed PDF files. Issues fixed are CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627.

  http://www.linuxsecurity.com/content/view/121374

* Fedora Core 4 Update: kernel-2.6.14-1.1656_FC4
  27th, January, 2006

  This update fixes several low-priority security problems that were discovered during the development of 2.6.15, and backported. Notably, CVE-2005-4605.

  http://www.linuxsecurity.com/content/view/121377

* Fedora Core 3 Update: mod_auth_pgsql-2.0.1-6.2
  27th, January, 2006

  Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue. Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database. Red Hat would like to thank iDefense for reporting this issue.
  http://www.linuxsecurity.com/content/view/121378

* Fedora Core 4 Update: mod_auth_pgsql-2.0.1-8.1
  27th, January, 2006

  Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue. Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database. Red Hat would like to thank iDefense for reporting this issue.

  http://www.linuxsecurity.com/content/view/121379

* Fedora Core 3 Update: gpdf-2.8.2-7.2
  27th, January, 2006

  Chris Evans discovered several flaws in the way CUPS processes PDF files. An attacker could construct a carefully crafted PDF file that could cause CUPS to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues.

  http://www.linuxsecurity.com/content/view/121392

* Fedora Core 4 Update: poppler-0.4.4-1.1
  27th, January, 2006

  Chris Evans discovered several flaws in the way poppler processes PDF files. An attacker could construct a carefully crafted PDF file that could cause poppler to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues.

  http://www.linuxsecurity.com/content/view/121393

* Fedora Core 4 Update: xpdf-3.01-0.FC4.6
  27th, January, 2006

  Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3193 to these issues.
  Users of xpdf should upgrade to this updated package, which contains a patch to resolve these issues.

  http://www.linuxsecurity.com/content/view/121395

* Fedora Core 4 Update: tetex-3.0-9.FC4
  27th, January, 2006

  Several flaws were discovered in the way teTeX processes PDF files. An attacker could construct a carefully crafted PDF file that could cause poppler to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues. This package also updates bindings in texdoc and causes the local texmf tree to be searched first.

  http://www.linuxsecurity.com/content/view/121396

* Fedora Core 3 Update: tetex-2.0.2-21.7.FC3
  27th, January, 2006

  Several flaws were discovered in the way teTeX processes PDF files. An attacker could construct a carefully crafted PDF file that could cause poppler to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the names CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, and CVE-2005-3627 to these issues.

  http://www.linuxsecurity.com/content/view/121397

* Fedora Core 4 Update: kdegraphics-3.5.0-0.2.fc4
  27th, January, 2006

  Several flaws were discovered in Xpdf. An attacker could construct a carefully crafted PDF file that could cause xpdf to crash or possibly execute arbitrary code when opened. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-3193 to these issues. Users of kdegraphics should upgrade to this updated package, which contains a patch to resolve these issues.

  http://www.linuxsecurity.com/content/view/121404

* Fedora Core 3 Update: ethereal-0.10.14-1.FC3.1
  27th, January, 2006

  This update fixes a DoS in Ethereal.
  http://www.linuxsecurity.com/content/view/121408

* Fedora Core 4 Update: kdelibs-3.5.0-0.4.fc4
  27th, January, 2006

  A heap overflow flaw was discovered affecting kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE. An attacker could create a malicious web site containing carefully crafted JavaScript code that would trigger this flaw and possibly lead to arbitrary code execution. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0019 to this issue. Users of KDE should upgrade to these updated packages, which contain a backported patch from the KDE security team correcting this issue.

  http://www.linuxsecurity.com/content/view/121415

* Fedora Core 4 Update: httpd-2.0.54-10.3
  27th, January, 2006

  This update includes fixes for three security issues in the Apache HTTP Server.

  http://www.linuxsecurity.com/content/view/121420

* Fedora Core 4 Update: openssh-4.2p1-fc4.10
  27th, January, 2006

  This is a minor security update which fixes double shell expansion in local to local and remote to remote copy with scp. It also fixes a few other minor non-security issues.

  http://www.linuxsecurity.com/content/view/121421

* Fedora Core 4 Update: mozilla-1.7.12-1.5.2
  2nd, February, 2006

  Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Igor Bukanov discovered a bug in the way Mozilla's JavaScript interpreter dereferences objects. If a user visits a malicious web page, Mozilla could crash or execute arbitrary code as the user running Mozilla.

  http://www.linuxsecurity.com/content/view/121496

* Fedora Core 4 Update: firefox-1.0.7-1.2.fc4
  2nd, February, 2006

  Mozilla Firefox is an open source Web browser. Igor Bukanov discovered a bug in the way Firefox's JavaScript interpreter dereferences objects. If a user visits a malicious web page, Firefox could crash or execute arbitrary code as the user running Firefox.
  The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue.

  http://www.linuxsecurity.com/content/view/121497

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: HylaFAX Multiple vulnerabilities
  27th, January, 2006

  HylaFAX is vulnerable to arbitrary code execution and unauthorized access vulnerabilities.

  http://www.linuxsecurity.com/content/view/121318

* Gentoo: KPdf, KWord Multiple overflows in included Xpdf code
  27th, January, 2006

  KPdf and KWord both include vulnerable Xpdf code to handle PDF files, making them vulnerable to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/121319

* Gentoo: xine-lib, FFmpeg Heap-based buffer overflow
  27th, January, 2006

  xine-lib and FFmpeg are vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.

  http://www.linuxsecurity.com/content/view/121320

* Gentoo: ClamAV Remote execution of arbitrary code
  27th, January, 2006

  ClamAV is vulnerable to a buffer overflow which may lead to remote execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/121321

* Gentoo: HylaFAX Multiple vulnerabilities
  27th, January, 2006

  HylaFAX is vulnerable to arbitrary code execution and unauthorized access vulnerabilities.

  http://www.linuxsecurity.com/content/view/121322

* Gentoo: Blender Heap-based buffer overflow
  27th, January, 2006

  Blender is vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.

  http://www.linuxsecurity.com/content/view/121323

* Gentoo: Wine Windows Metafile SETABORTPROC vulnerability
  27th, January, 2006

  Fixed packages were issued to fix this vulnerability in Wine, but some of the fixed packages were missing the correct patch. All Wine users should re-emerge Wine to make sure they are safe. The corrected sections appear below.
  http://www.linuxsecurity.com/content/view/121324

* Gentoo: KDE kjs URI heap overflow vulnerability
  27th, January, 2006

  KDE fails to properly validate URIs when handling javascript, potentially resulting in the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/121325

* Gentoo: Trac Cross-site scripting vulnerability
  27th, January, 2006

  Trac is vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.

  http://www.linuxsecurity.com/content/view/121326

* Gentoo: Gallery Cross-site scripting vulnerability
  27th, January, 2006

  Gallery is possibly vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.

  http://www.linuxsecurity.com/content/view/121327

* Gentoo: mod_auth_pgsql Multiple format string vulnerabilities
  27th, January, 2006

  Format string vulnerabilities in mod_auth_pgsql may lead to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/121328

* Gentoo: xine-lib, FFmpeg Heap-based buffer overflow
  27th, January, 2006

  xine-lib and FFmpeg are vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.

  http://www.linuxsecurity.com/content/view/121329

* Gentoo: VMware Workstation Vulnerability in NAT networking
  27th, January, 2006

  VMware guest operating systems can execute arbitrary code with elevated privileges on the host operating system through a flaw in NAT networking.

  http://www.linuxsecurity.com/content/view/121330

* Gentoo: ClamAV Remote execution of arbitrary code
  27th, January, 2006

  ClamAV is vulnerable to a buffer overflow which may lead to remote execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/121331

* Gentoo: Blender Heap-based buffer overflow
  27th, January, 2006

  Blender is vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/121332

* Gentoo: Wine Windows Metafile SETABORTPROC vulnerability
  27th, January, 2006

  There is a flaw in Wine in the handling of Windows Metafiles (WMF) files, which could possibly result in the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/121333

* Gentoo: Sun and Blackdown Java Applet privilege escalation
  27th, January, 2006

  Sun's and Blackdown's JDK or JRE may allow untrusted applets to elevate their privileges.

  http://www.linuxsecurity.com/content/view/121334

* Gentoo: Wine Windows Metafile SETABORTPROC vulnerability
  27th, January, 2006

  There is a flaw in Wine in the handling of Windows Metafiles (WMF) files, which could possibly result in the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/121335

* Gentoo: LibAST Privilege escalation
  29th, January, 2006

  A buffer overflow in LibAST may result in execution of arbitrary code with escalated privileges.

  http://www.linuxsecurity.com/content/view/121434

* Gentoo: Paros Default administrator password
  29th, January, 2006

  Paros's database component is installed without a password, allowing execution of arbitrary system commands.

  http://www.linuxsecurity.com/content/view/121435

* Gentoo: MyDNS Denial of Service
  30th, January, 2006

  MyDNS contains a vulnerability that may lead to a Denial of Service attack.

  http://www.linuxsecurity.com/content/view/121447

* Gentoo: Xpdf, Poppler, GPdf, libextractor, pdftohtml Heap overflows
  30th, January, 2006

  Xpdf, Poppler, GPdf, libextractor and pdftohtml are vulnerable to integer overflows that may be exploited to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/121449

+---------------------------------+
| Distribution: Mandriva          | ----------------------------//
+---------------------------------+

* Mandriva: Updated koffice packages fix several vulnerabilities
  27th, January, 2006

  Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

  http://www.linuxsecurity.com/content/view/121337

* Mandriva: Updated poppler packages fix several vulnerabilities
  27th, January, 2006

  Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

  http://www.linuxsecurity.com/content/view/121338

* Mandriva: Updated cups packages fix several vulnerabilities
  27th, January, 2006

  Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index.
  (CVE-2005-3191)

  http://www.linuxsecurity.com/content/view/121340

* Mandriva: Updated tetex packages fix several vulnerabilities
  27th, January, 2006

  Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

  http://www.linuxsecurity.com/content/view/121341

* Mandriva: Updated xorg-x11 packages to address several bugs.
  27th, January, 2006

  Issues have been reported with display corruption for various cards, including several ATI and Nvidia cards when using the free drivers. There was also an issue with the Greek keyboard layout. These should be corrected by the upstream 6.9.0 final, which this package is based on. Updated packages should correct these issues.

  http://www.linuxsecurity.com/content/view/121342

* Mandriva: Updated kdegraphics packages fix several vulnerabilities
  27th, January, 2006

  Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

  http://www.linuxsecurity.com/content/view/121343

* Mandriva: Updated kolab packages fix vulnerability
  27th, January, 2006

  A problem exists in how the Kolab Server transports emails bigger than 8KB in size and if a dot (".") character exists in the wrong place.
  If these conditions are met, kolabfilter will double this dot and a modified email will be delivered, which could lead to broken clear-text signatures or broken attachments. The updated packages have been patched to correct these problems.

  http://www.linuxsecurity.com/content/view/121344

* Mandriva: Updated pdftohtml packages fix several vulnerabilities
  27th, January, 2006

  Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

  http://www.linuxsecurity.com/content/view/121345

* Mandriva: Updated wine packages fix WMF vulnerability
  27th, January, 2006

  A vulnerability was discovered by H D Moore in Wine, which implements the SETABORTPROC GDI Escape function for Windows Metafile (WMF) files. This could be abused by an attacker who is able to entice a user to open a specially crafted WMF file from within a Wine-executed Windows application, possibly resulting in the execution of arbitrary code with the privileges of the user running Wine. The updated packages have been patched to correct these problems.

  http://www.linuxsecurity.com/content/view/121346

* Mandriva: Updated hylafax packages fix eval injection vulnerabilities
  27th, January, 2006

  Patrice Fournier discovered the faxrcvd/notify scripts (executed as the uucp/fax user) run user-supplied input through eval without any attempt at sanitising it first. This would allow any user who could submit jobs to HylaFAX, or who could through telco manipulation control the representation of callid information presented to HylaFAX, to run arbitrary commands as the uucp/fax user.
  (CVE-2005-3539, only 'notify' in the covered versions)

  Updated packages were also reviewed for vulnerability to an issue where if PAM is disabled, a user could log in with no password. (CVE-2005-3538)

  In addition, some fixes to the packages for permissions, and the %pre/%post scripts were backported from cooker. (#19679)

  The updated packages have been patched to correct these issues.

  http://www.linuxsecurity.com/content/view/121348

* Mandriva: Updated clamav packages fix vulnerability
  27th, January, 2006

  A heap-based buffer overflow was discovered in ClamAV versions prior to 0.88 which allows remote attackers to cause a crash and possibly execute arbitrary code via specially crafted UPX files. This update provides ClamAV 0.88 which corrects this issue and also fixes some other bugs.

  http://www.linuxsecurity.com/content/view/121349

* Mandriva: Updated mod_auth_ldap packages fix vulnerability
  27th, January, 2006

  A format string flaw was discovered in the way that auth_ldap logs information which may allow a remote attacker to execute arbitrary code as the apache user if auth_ldap is used for authentication. This update provides version 1.6.1 of auth_ldap which corrects the problem. Only Corporate Server 2.1 shipped with a supported auth_ldap package.

  http://www.linuxsecurity.com/content/view/121355

* Mandriva: Updated kernel packages fix several vulnerabilities
  27th, January, 2006

  A number of vulnerabilities have been corrected in the Linux kernel.

  http://www.linuxsecurity.com/content/view/121356

* Mandriva: Updated kdelibs packages fix vulnerability
  27th, January, 2006

  A heap overflow vulnerability was discovered in kjs, the KDE JavaScript interpreter engine. An attacker could create a malicious web site that contained carefully crafted JavaScript code that could trigger the flaw and potentially lead to the arbitrary execution of code as the user visiting the site. The updated packages have been patched to correct this problem.
http://www.linuxsecurity.com/content/view/121357

* Mandriva: Updated ipsec-tools packages fix vulnerability
  27th, January, 2006

The Internet Key Exchange version 1 (IKEv1) implementation (isakmp_agg.c) in ipsec-tools racoon before 0.6.3, when running in aggressive mode, allows remote attackers to cause a denial of service (null dereference and crash) via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. The updated packages have been patched to correct this problem.

http://www.linuxsecurity.com/content/view/121359

* Mandriva: Updated xpdf packages fix several vulnerabilities
  27th, January, 2006

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121360

* Mandriva: Updated mozilla-thunderbird packages fix vulnerability
  27th, January, 2006

GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 allows user-complicit attackers to execute arbitrary code via an attachment with a filename containing a large number of spaces ending with a dangerous extension that is not displayed by Thunderbird, along with an inconsistent Content-Type header, which could be used to trick a user into downloading dangerous content by dragging or saving the attachment. The updated packages have been patched to correct this problem.
http://www.linuxsecurity.com/content/view/121361

* Mandriva: Updated perl-Convert-UUlib packages fix vulnerability
  27th, January, 2006

A buffer overflow was discovered in the perl Convert::UUlib module in versions prior to 1.051, which could allow remote attackers to execute arbitrary code via a malformed parameter to a read operation. This update provides version 1.051 which is not vulnerable to this flaw.

http://www.linuxsecurity.com/content/view/121362

* Mandriva: Updated perl-Net_SSLeay packages fix vulnerability
  27th, January, 2006

Javier Fernandez-Sanguino Pena discovered that the perl Net::SSLeay module used the file /tmp/entropy as a fallback entropy source if a proper source was not set via the environment variable EGD_PATH. This could potentially lead to weakened cryptographic operations if an attacker was able to provide a /tmp/entropy file with known content. The updated packages have been patched to correct this problem.

http://www.linuxsecurity.com/content/view/121363

* Mandriva: Updated ImageMagick packages fix vulnerabilities
  27th, January, 2006

The delegate code in ImageMagick 6.2.4.x allows remote attackers to execute arbitrary commands via shell metacharacters in a filename that is processed by the display command.

http://www.linuxsecurity.com/content/view/121364

* Mandriva: Updated mdkonline package provides url fixes
  27th, January, 2006

The mdkonline package for MNF2 was incorrectly connecting to mandrivaonline.net rather than mandrivaonline.com. This update corrects the problem.

http://www.linuxsecurity.com/content/view/121365

* Mandriva: Updated dynamic packages fix USB device and Palm detection issues
  27th, January, 2006

Dynamic was not calling scripts correctly when hardware was plugged/unplugged. Plugging a digital camera (not usb mass storage, like a Canon camera) was not creating an icon on Desktop (for GNOME) or in the Devices window (for KDE).
http://www.linuxsecurity.com/content/view/121366

* Mandriva: Update gthumb packages to fix corrupted UI after photo import
  27th, January, 2006

A bug was discovered in gthumb where the UI (User Interface) can get corrupted when importing photos in some non-UTF8 locales (such as French). Some text strings (returned from libgphoto) were not converted into UTF-8 before being used by GTK+. Updated packages have been patched to correct the issue.

http://www.linuxsecurity.com/content/view/121367

* Mandriva: Updated libgphoto packages fix bug on disconnection of digital camera
  27th, January, 2006

A bug was discovered with libgphoto which was preventing the removal of icons on the desktop (in GNOME) or in the Devices window (in KDE) when a digital camera was unplugged. Updated packages have been patched to correct the issue.

http://www.linuxsecurity.com/content/view/121368

* Mandriva: Updated gpdf packages fix several vulnerabilities
  27th, January, 2006

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121369

* Mandriva: Updated net-snmp packages fix vulnerabilities
  27th, January, 2006

The fixproc application in Net-SNMP creates temporary files with predictable file names which could allow a malicious local attacker to change the contents of the temporary file by exploiting a race condition, which could possibly lead to the execution of arbitrary code. As well, a local attacker could create symbolic links in the /tmp directory that point to a valid file that would then be overwritten when fixproc is executed (CVE-2005-1740).
A remote Denial of Service vulnerability was also discovered in the SNMP library that could be exploited by a malicious SNMP server to crash the agent, if the agent uses TCP sockets for communication (CVE-2005-2177).

The updated packages have been patched to correct these problems.

http://www.linuxsecurity.com/content/view/121370

* Mandriva: Updated apache2 packages fix vulnerabilities
  27th, January, 2006

A flaw was discovered in mod_imap when using the Referer directive with image maps that could be used by a remote attacker to perform a cross-site scripting attack, in certain site configurations, if a victim could be forced to visit a malicious URL using certain web browsers (CVE-2005-3352).

http://www.linuxsecurity.com/content/view/121371

* Mandriva: Updated mozilla-thunderbird packages merge dropped changes
  27th, January, 2006

Recent security updates to mozilla-thunderbird did not include some changes made to the build from the community branch of 2006.0. The changes include corrections to the packaging of language files and some corrections to the uninstall scripts. New builds of the enigmail-es and enigmail-it packages are also included. Updated packages merge both of these builds.

http://www.linuxsecurity.com/content/view/121433

* Mandriva: Updated bzip2 packages fix bzgrep vulnerabilities
  30th, January, 2006

A bug was found in the way that bzgrep processed file names. If a user could be tricked into running bzgrep on a file with a special file name, it would be possible to execute arbitrary code with the privileges of the user running bzgrep.

As well, the bzip2 package provided with Mandriva Linux 2006 did not have the patch applied to correct CVE-2005-0953 which was previously fixed by MDKSA-2005:091; those packages are now properly patched.

The updated packages have been patched to correct these problems.
http://www.linuxsecurity.com/content/view/121448

* Mandriva: Updated gzip packages fix zgrep vulnerabilities
  30th, January, 2006

Zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. This was previously corrected in MDKSA-2005:092, however the fix was incomplete. These updated packages provide a more comprehensive fix to the problem.

http://www.linuxsecurity.com/content/view/121450

* Mandriva: Updated php packages fix XSS and response splitting vulnerabilities
  1st, February, 2006

Multiple response splitting vulnerabilities in PHP allow remote attackers to inject arbitrary HTTP headers via unknown attack vectors, possibly involving a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function. (CVE-2006-0207)

Multiple cross-site scripting (XSS) vulnerabilities in PHP allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in "certain error conditions." (CVE-2006-0208)

http://www.linuxsecurity.com/content/view/121474

* Mandriva: Updated libast packages fix buffer overflow vulnerability
  2nd, February, 2006

Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 and earlier, as used in Eterm and possibly other software, allows local users to execute arbitrary code as the utmp user via a long -X argument. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/121491

* Mandriva: Updated poppler packages fix heap-based buffer overflow vulnerability
  2nd, February, 2006

Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. Poppler uses a copy of the xpdf code and as such has the same issues.
The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/121492

* Mandriva: Updated kdegraphics packages fix heap-based buffer overflow vulnerability
  2nd, February, 2006

Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. Kdegraphics-kpdf uses a copy of the xpdf code and as such has the same issues. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/121493

* Mandriva: Updated xpdf packages fix heap-based buffer overflow vulnerability
  2nd, February, 2006

Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. The updated packages have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/121494

* Mandriva: Updated OpenOffice.org packages fix issue with disabled hyperlinks
  2nd, February, 2006

OpenOffice.org 2.0 and earlier, when hyperlinks have been disabled, does not prevent the user from clicking the WWW-browser button in the Hyperlink dialog, which makes it easier for attackers to trick the user into bypassing intended security settings. Updated packages are patched to address this issue.

http://www.linuxsecurity.com/content/view/121495

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: kernel security update
  27th, January, 2006

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available.
http://www.linuxsecurity.com/content/view/121279

* RedHat: Moderate: tetex security update
  27th, January, 2006

Updated tetex packages that fix several integer overflows are now available.

http://www.linuxsecurity.com/content/view/121280

* RedHat: Critical: kdelibs security update
  27th, January, 2006

Updated kdelibs packages are now available for Red Hat Enterprise Linux 4.

http://www.linuxsecurity.com/content/view/121281

* RedHat: Important: kernel security update
  1st, February, 2006

Updated kernel packages that fix a number of security issues as well as other bugs are now available for Red Hat Enterprise Linux 2.1 (64 bit architectures). This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/121471

* RedHat: Important: kernel security update
  1st, February, 2006

Updated kernel packages that fix a number of security issues as well as other bugs are now available for Red Hat Enterprise Linux 2.1 (32 bit architectures). This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/121472

* RedHat: Moderate: gd security update
  1st, February, 2006

Updated gd packages that fix several buffer overflow flaws are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/121473

* RedHat: Critical: mozilla security update
  2nd, February, 2006

Updated mozilla packages that fix several security bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/121482

* RedHat: Critical: firefox security update
  2nd, February, 2006

An updated firefox package that fixes several security bugs is now available.
This update has been rated as having critical security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/121483

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: xpdf,kpdf,gpdf,kword
  27th, January, 2006

"infamous41md", Chris Evans and Dirk Mueller discovered multiple places in xpdf code where integer variables are insufficiently checked for range or overflow. Specially crafted PDF files could lead to executing arbitrary code.

http://www.linuxsecurity.com/content/view/121427

* SuSE: novell-nrm remote heap overflow
  27th, January, 2006

iDEFENSE reported a security problem with the Novell Remote Manager.

http://www.linuxsecurity.com/content/view/121428

* SuSE: kdelibs3 (SUSE-SA:2006:003)
  27th, January, 2006

Maksim Orlovich discovered a bug in the JavaScript interpreter used by Konqueror. UTF-8 encoded URLs could lead to a buffer overflow that causes the browser to crash or execute arbitrary code. Attackers could trick users into visiting specially crafted web sites that exploit this bug (CVE-2006-0019).

http://www.linuxsecurity.com/content/view/121429

* SuSE: phpMyAdmin (SUSE-SA:2006:004)
  27th, January, 2006

Stefan Esser discovered a bug in the register_globals emulation of phpMyAdmin that allows variables to be overwritten. An attacker could exploit the bug to ultimately execute code (CVE-2005-4079).

http://www.linuxsecurity.com/content/view/121430

* SuSE: nfs-server/rpc.mountd remote code
  27th, January, 2006

A remotely exploitable problem exists in the rpc.mountd service in the user space NFS server package "nfs-server".

http://www.linuxsecurity.com/content/view/121431

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
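The bzgrep, zgrep and ImageMagick entries in the newsletter above are one bug class: a file name, which is data the attacker controls, is interpolated into a program (a sed script in zgrep's case, a delegate command line in ImageMagick's) and is then parsed as code. The POSIX shell script below is an added example; it is not part of the newsletter and not code from gzip, bzip2 or ImageMagick, and the function names and the hostile file name are constructed for illustration. It rebuilds the zgrep-style idiom of prefixing each output line with `NAME:` through a sed script assembled by string interpolation, shows how a name containing the `|` delimiter smuggles in an extra sed command, and gives two fixes: escaping the characters that are special in a sed replacement before interpolating, and, preferably, not generating a program from data at all.

```shell
#!/bin/sh
# Added example (not from the newsletter, gzip, bzip2 or ImageMagick):
# a file name becomes code when it is spliced into a sed script, as in
# the zgrep/bzgrep advisories above, and two ways to stop that.

# VULNERABLE zgrep-style helper: prefix each line of $2 with "$1:" by
# building a sed program around the name.  A name containing the '|'
# delimiter terminates the s command early; whatever follows it is
# parsed as further sed commands.
unsafe_prefix() {
    name=$1
    line=$2
    printf '%s\n' "$line" | sed "s|^|${name}:|"
}

# Escape the characters that are special in the replacement half of
# s|...|...| : the delimiter '|', the backslash and '&'.
sed_escape() {
    printf '%s' "$1" | sed 's/[\\|&]/\\&/g'
}

# FIX 1: escape before interpolating.  A newline cannot be neutralised
# this way (it ends the sed command), so such a name is rejected.
safe_prefix_escaped() {
    name=$1
    line=$2
    nl=$(printf '\nx'); nl=${nl%x}
    case $name in
        *"$nl"*) echo "refusing file name containing a newline" >&2; return 1 ;;
    esac
    esc=$(sed_escape "$name")
    printf '%s\n' "$line" | sed "s|^|${esc}:|"
}

# FIX 2 (preferred): never assemble a program from data.  The name is
# only ever an argument to printf, so no character in it is special.
safe_prefix_noscript() {
    name=$1
    line=$2
    printf '%s\n' "$line" | while IFS= read -r l; do
        printf '%s:%s\n' "$name" "$l"
    done
}

# Demo with a constructed hostile name.  Inside unsafe_prefix it turns
# the script into three commands:   s|^|x|   p   s|^|:|
# so the line comes out twice, once under the injected prefix.
hostile='x|;p;s|^|'
echo '--- unsafe_prefix:';        unsafe_prefix "$hostile" hello
echo '--- safe_prefix_escaped:';  safe_prefix_escaped "$hostile" hello
echo '--- safe_prefix_noscript:'; safe_prefix_noscript "$hostile" hello
```

The escaping fix is only as good as the list of special characters, which is why the incomplete first gzip fix mentioned in the MDKSA-2005:092 entry needed a second round; the no-script variant has no such list to get wrong.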
------------------------------------------------------------------------

From isn at c4i.org Fri Feb 3 04:27:59 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:27:59 -0600 (CST)
Subject: [ISN] Millionaire on hacking charge
Message-ID:

http://www.timesonline.co.uk/article/0,,2087-2015469,00.html

Sophie Kirkham
January 29, 2006

MATTHEW MELLON, heir to a £6.6 billion banking and oil fortune, will appear in court next month in connection with an investigation into an alleged phone-tapping and computer hacking gang.

The former husband of Tamara Mellon, who runs the Jimmy Choo shoe empire, will appear alongside 17 other defendants accused of involvement in the operation, which allegedly provided clients with confidential information about wealthy people and businesses.

Following a tip-off from BT, Scotland Yard has conducted a long investigation into a private detective agency run by a former policeman which it believed was bugging phone calls.

It is now alleged the group was also hacking into NHS computers to access confidential medical files to blackmail people, spying on police and bugging their phone calls to get information. There are also several charges of falsifying invoices.

One of the group is said to have taken BT overalls, a reflective jacket and tools, along with a BT works barrier and stool, and a shirt from NTL, another telecoms company.

A regular on the London social scene and close friends with Elizabeth Hurley and Hugh Grant, Mellon, 41, inherited a £14m trust fund at the age of 21. He now has a fortune put by The Sunday Times Rich List at £50m. His family is held in the same regard in America as the Rockefellers, Vanderbilts and Astors.

He met Tamara Yeardye in 1998. The couple's marriage in 2000 at Blenheim Palace took up eight pages in American Vogue and the bride wore a Valentino wedding dress encrusted with diamonds. More than half the guests were said to be wearing Jimmy Choos.
The Mellons spent several years as a golden couple of London society often appearing in magazine pages and at charity functions. In 2002 they had a daughter, Araminta.

But the marriage fell apart amid revelations of Mellon's cocaine habit, which he is said to have battled in the 1990s, and the couple went through an acrimonious divorce last year.

After the marriage ended Tamara, who is now worth £60m in her own right, began seeing Oscar Humphries, the son of Barry, creator of Dame Edna Everage.

Mellon has recently said he was planning a change in career from working as chief designer for Harry's, an upmarket men's shoe company he launched five years ago - he has tried his hand at film producing in the past.

He remains a colourful figure on the social scene - his hobbies are said to include nude jet skiing - and he has had a string of celebrity girlfriends since his marriage break-up. He is currently seeing Noelle Reno, a 24-year-old actress.

Mellon, who lives in Belgravia, London, is charged with conspiracy to cause unauthorised modification of computer material.

Also in the dock at Bow Street magistrates' court in February will be another wealthy businessman, Adrian Kirby, who made his money from waste disposal units. Kirby, 47, of Haslemere, Surrey, has a fortune put at £65m by the Rich List. He is charged with conspiracy to intercept communications unlawfully, unauthorised modification of computer material and perverting the course of justice.

Former Essex police officer Scott Gelsthorpe, 31, of Kettering, Northamptonshire, is facing 15 charges.

The suspects, 17 men and one woman, come from southern England, Lincolnshire and France and are said to have committed the offences between July and September 2004. They will appear before magistrates on February 23.
From isn at c4i.org Fri Feb 3 04:28:43 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:28:43 -0600 (CST)
Subject: [ISN] DHS wants to improve software security
Message-ID:

http://www.fcw.com/article92172-02-01-06-Web

By Michael Arnone
Feb. 1, 2006

The Homeland Security Department wants public comment on two draft documents that are part of a federal program to improve software security, according to today's Federal Register.

The documents are part of the Software Assurance Program that DHS created as part of the National Strategy to Secure Cyberspace. The program is designed to reduce vulnerabilities and exploitation of weaknesses to improve software security, particularly in software that critical infrastructure uses.

One document, "Security in the Software Lifecycle," aims to help developers and project managers of software applications establish strategies to make sure new software products are more secure. The second, "Secure Software Assurance - Common Body of Knowledge," would help colleges and the private sector create curricula to train people in software assurance.

The documents and an online comment form are available at the Build Security In Web site [1]. Comments on the two documents are due by Feb. 21.

[1] http://buildsecurityin.us-cert.gov/

From isn at c4i.org Fri Feb 3 04:30:11 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:30:11 -0600 (CST)
Subject: [ISN] Russian hackers hawked Windows exploit for $4,000
Message-ID:

http://news.com.com/Russian+hackers+hawked+Windows+exploit+for+4%2C000/2100-7349_3-6034591.html

By Greg Sandoval
Staff Writer, CNET News.com
February 2, 2006

Competing hacker groups in Russia were peddling the exploit code responsible for the Windows Meta File attacks last December for $4,000, according to security company Kaspersky Lab.

"One of the purchasers of the exploit is involved in the criminal adware/spyware business," read a Kaspersky Lab quarterly report released this week. "It seems likely that this was how the exploit became public."

The WMF flaw unsettled security experts after they found that the virus-writing community discovered the vulnerability before they did. A slew of Trojan programs were written to try and take advantage of the exploit.

The British Parliament was attacked by hackers who tried to exploit the WMF flaw. MessageLabs, an e-mail filtering provider for the U.K. government, said last month that targeted e-mails were sent to various individuals within government departments in an attempt to take control of their computers. The e-mails contained the exploit code.

A statement on the Kaspersky Lab site said more than a thousand instances of malicious code were detected in a week. "As the vulnerability was present in all versions of Windows, the situation threatened to spiral out of control."

According to Kaspersky, the situation was mitigated by the holiday season, when Internet use was much lighter than normal.

When the corrupt WMF files finally came to the attention of anti-spyware experts, they were traced back to Web sites known to spread advertising software surreptitiously to computers.

Security companies have lamented the practice by some Web advertisers of paying others to distribute their software. Some of the more unscrupulous among those are in the business of distributing exploits that let them spread adware without the knowledge of computer users.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
From isn at c4i.org Fri Feb 3 04:31:06 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:31:06 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-5
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2006-01-26 - 2006-02-02

                       This week : 54 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

A vulnerability has been discovered in Winamp, which can be exploited by malicious people to compromise a user's system.

Successful exploitation allows execution of arbitrary code on a user's system when e.g. a malicious website is visited.

The vulnerability has been confirmed in version 5.12.
Other versions may also be affected.

NOTE: An exploit is publicly available.

Please refer to the referenced Secunia advisory below for additional details.

Reference:
http://secunia.com/SA18649

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA18649] Winamp Computer Name Handling Buffer Overflow Vulnerability
2.  [SA18621] Oracle Products PL/SQL Gateway Security Bypass Vulnerability
3.  [SA18629] Cisco VPN 3000 Concentrator HTTP Packet Denial of Service
4.  [SA18613] Cisco IOS AAA Command Authentication Bypass Vulnerability
5.  [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
6.  [SA18614] nfs-server "rpc.mountd" Buffer Overflow Vulnerability
7.  [SA18628] My Little Forum/Guestbook/Weblog "link" BBcode Script Insertion
8.  [SA18630] Debian update for drupal
9.  [SA18255] Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution
10. [SA18529] F-Secure Anti-Virus Archive Handling Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA18649] Winamp Computer Name Handling Buffer Overflow Vulnerability
[SA18646] @Mail Webmail Attachment Upload Directory Traversal
[SA18636] ASPThai Forums Login SQL Injection Vulnerability
[SA18668] MailEnable Professional EXAMINE Command Denial of Service

UNIX/Linux:
[SA18679] Debian update for pdfkit.framework
[SA18677] Xpdf PDF Splash Image Handling Vulnerability
[SA18675] Debian update for pdftohtml
[SA18674] GNUStep PDFKit Framework Xpdf Multiple Vulnerabilities
[SA18669] Avaya Products PHP Multiple Vulnerabilities
[SA18665] Debian update for unalz
[SA18659] Avaya Intuity Audix Lynx Arbitrary Command Execution
[SA18654] libpng "png_set_strip_alpha()" Buffer Overflow Vulnerability
[SA18653] Gentoo update for mydns
[SA18647] Pioneers Long Chat Message Denial of Service Vulnerability
[SA18644] Gentoo updates for xpdf/poppler/gpdf/libextractor/pdftohtml
[SA18643] GIT "git-checkout-index" Symbolic Link Handling Buffer Overflow
[SA18642] pdftohtml xpdf Multiple Integer Overflow Vulnerabilities
[SA18631] Debian update for imagemagick
[SA18630] Debian update for drupal
[SA18627] Gentoo update for gallery
[SA18638] SUSE update for nfs-server
[SA18663] Avaya Intuity Audix OpenSSL Potential SSL 2.0 Rollback
[SA18662] Avaya Intuity Audix TCP Timestamp Denial of Service
[SA18661] Avaya Intuity Audix Two OpenSSH Security Issues
[SA18625] Gentoo update for trac
[SA18635] Mandriva update for net-snmp
[SA18626] Gentoo update for paros
[SA18660] Avaya Intuity Audix "uidadmin" Buffer Overflow
[SA18656] Debian update for libmail-audit-perl
[SA18652] Mail::Audit Insecure Log File Creation Vulnerability
[SA18639] Mandriva update for perl-Net_SSLeay
[SA18632] Gentoo update for libast
[SA18623] Debian update for lsh-utils
[SA18671] Sun Solaris x64 Kernel Processing Denial of Service
[SA18650] Trustix update for openssh

Other:
[SA18629] Cisco VPN 3000 Concentrator HTTP Packet Denial of Service

Cross Platform:
[SA18648] CRE Loaded "HTML AREA" File Upload Security Issue
[SA18640] CommuniGate Pro Server LDAP BER Decoding Vulnerabilities
[SA18634] PmWiki Unregister "register_globals" Layer Bypass
[SA18678] MyBB "templatelist" SQL Injection Vulnerability
[SA18676] SPIP Cross-Site Scripting and SQL Injection Vulnerabilities
[SA18667] Calendarix Basic SQL Injection Vulnerabilities
[SA18666] SZUserMgnt "username" SQL Injection Vulnerability
[SA18664] IPB Dragoran Portal Module "site" SQL Injection Vulnerability
[SA18655] UebiMiau Webmail HTML Email Script Insertion Vulnerability
[SA18633] AndoNET Blog "entrada" SQL Injection Vulnerability
[SA18628] My Little Forum/Guestbook/Weblog "link" BBcode Script Insertion
[SA18624] NewsPHP SQL Injection Vulnerabilities
[SA18673] Easy CMS Cross-Site Scripting Vulnerabilities
[SA18672] sPaiz-Nuke "query" Cross-Site Scripting Vulnerability
[SA18670] Nuked-Klan "letter" Cross-Site Scripting Vulnerability
[SA18658] BrowserCRM "query" Cross-Site Scripting Vulnerability
[SA18657] Cerberus Helpdesk "contact_search" Cross-Site Scripting
[SA18645] PHP-Ping "count" Denial of Service Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA18649] Winamp Computer Name Handling Buffer Overflow Vulnerability

Critical:    Extremely critical
Where:       From remote
Impact:      System access
Released:    2006-01-30

ATmaCA has discovered a vulnerability in Winamp, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18649/

--

[SA18646] @Mail Webmail Attachment Upload Directory Traversal

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-02

Secunia Research has discovered a vulnerability in @Mail Webmail, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18646/

--

[SA18636] ASPThai Forums Login SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-01-30

Emperor Hacking Team has reported a vulnerability in ASPThai Forums, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18636/

--

[SA18668] MailEnable Professional EXAMINE Command Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-02-01

A vulnerability has been reported in MailEnable Professional, which potentially can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18668/

UNIX/Linux:
--

[SA18679] Debian update for pdfkit.framework

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-01

Debian has issued an update for pdfkit.framework. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18679/

--

[SA18677] Xpdf PDF Splash Image Handling Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-01

Dirk Mueller has reported a vulnerability in Xpdf, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18677/

--

[SA18675] Debian update for pdftohtml

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-01

Debian has issued an update for pdftohtml. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18675/

--

[SA18674] GNUStep PDFKit Framework Xpdf Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-01

Some vulnerabilities have been reported in GNUStep PDFKit Framework, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18674/

--

[SA18669] Avaya Products PHP Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2006-02-01

Avaya has acknowledged some vulnerabilities in various products, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18669/

--

[SA18665] Debian update for unalz

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-31

Debian has issued an update for unalz. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18665/

--

[SA18659] Avaya Intuity Audix Lynx Arbitrary Command Execution

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-31

Avaya has acknowledged a vulnerability in Intuity Audix, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18659/

--

[SA18654] libpng "png_set_strip_alpha()" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-01

A vulnerability has been reported in libpng, which can be exploited by malicious people to cause a DoS (Denial of Service) against applications using libpng or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18654/

--

[SA18653] Gentoo update for mydns
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-31

Gentoo has issued an update for mydns. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/18653/

--

[SA18647] Pioneers Long Chat Message Denial of Service Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-30

Bas Wijnen has discovered a vulnerability in Pioneers, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/18647/

--

[SA18644] Gentoo updates for xpdf/poppler/gpdf/libextractor/pdftohtml
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-31

Gentoo has issued updates for xpdf/poppler/gpdf/libextractor/pdftohtml. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18644/

--

[SA18643] GIT "git-checkout-index" Symbolic Link Handling Buffer Overflow
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-30

A vulnerability has been reported in GIT, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18643/

--

[SA18642] pdftohtml xpdf Multiple Integer Overflow Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-31

Some vulnerabilities have been reported in pdftohtml, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/18642/

--

[SA18631] Debian update for imagemagick
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-27

Debian has issued an update for imagemagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18631/

--

[SA18630] Debian update for drupal
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2006-01-27

Debian has issued an update for drupal. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, and conduct script insertion and HTTP response splitting attacks.

Full Advisory: http://secunia.com/advisories/18630/

--

[SA18627] Gentoo update for gallery
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-27

Gentoo has issued an update for gallery. This fixes a vulnerability, which potentially can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/18627/

--

[SA18638] SUSE update for nfs-server
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-01-27

SUSE has issued an update for nfs-server. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18638/

--

[SA18663] Avaya Intuity Audix OpenSSL Potential SSL 2.0 Rollback
Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-01-31

Avaya has acknowledged a vulnerability in Intuity Audix, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18663/

--

[SA18662] Avaya Intuity Audix TCP Timestamp Denial of Service
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-01-31

Avaya has acknowledged a vulnerability in Intuity Audix, which can be exploited by malicious people to cause a DoS (Denial of Service) on active TCP sessions.

Full Advisory: http://secunia.com/advisories/18662/

--

[SA18661] Avaya Intuity Audix Two OpenSSH Security Issues
Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation
Released:    2006-01-31

Avaya has acknowledged two security issues in Intuity Audix, which can be exploited by malicious users to gain escalated privileges or bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/18661/

--

[SA18625] Gentoo update for trac
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-26

Gentoo has issued an update for trac. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18625/

--

[SA18635] Mandriva update for net-snmp
Critical:    Less critical
Where:       From local network
Impact:      Privilege escalation, DoS
Released:    2006-01-27

Mandriva has issued an update for net-snmp. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges, or by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/18635/

--

[SA18626] Gentoo update for paros
Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Exposure of sensitive information
Released:    2006-01-30

Gentoo has issued an update for paros. This fixes a security issue, which can be exploited by malicious people to disclose sensitive information and bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18626/

--

[SA18660] Avaya Intuity Audix "uidadmin" Buffer Overflow
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-31

Avaya has acknowledged a vulnerability in Intuity Audix, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/18660/

--

[SA18656] Debian update for libmail-audit-perl
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-31

Debian has issued an update for libmail-audit-perl. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/18656/

--

[SA18652] Mail::Audit Insecure Log File Creation Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-31

Niko Tyni has reported a vulnerability in Mail::Audit, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/18652/

--

[SA18639] Mandriva update for perl-Net_SSLeay
Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data
Released:    2006-01-27

Mandriva has issued an update for perl-Net_SSLeay. This fixes a vulnerability, which can be exploited by malicious, local users to weaken certain cryptographic operations.

Full Advisory: http://secunia.com/advisories/18639/

--

[SA18632] Gentoo update for libast
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-30

Gentoo has issued an update for libast. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18632/

--

[SA18623] Debian update for lsh-utils
Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, DoS
Released:    2006-01-26

Debian has issued an update for lsh-utils. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information or to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/18623/

--

[SA18671] Sun Solaris x64 Kernel Processing Denial of Service
Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-02-01

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/18671/

--

[SA18650] Trustix update for openssh
Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-30

Trustix has issued an update for openssh. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory: http://secunia.com/advisories/18650/

Other:
--

[SA18629] Cisco VPN 3000 Concentrator HTTP Packet Denial of Service
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-27

Eldon Sprickerhoff has reported a vulnerability in Cisco VPN 3000 Concentrator, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/18629/

Cross Platform:
--

[SA18648] CRE Loaded "HTML AREA" File Upload Security Issue
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-30

kaneda has discovered a security issue in CRE Loaded, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18648/

--

[SA18640] CommuniGate Pro Server LDAP BER Decoding Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-30

Evgeny Legerov has reported some vulnerabilities in CommuniGate Pro Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18640/

--

[SA18634] PmWiki Unregister "register_globals" Layer Bypass
Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released:    2006-01-30

Francesco "aScii" Ongaro has discovered a vulnerability in PmWiki, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, disclose sensitive information, and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18634/

--

[SA18678] MyBB "templatelist" SQL Injection Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-01

A vulnerability has been discovered in MyBB, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18678/

--

[SA18676] SPIP Cross-Site Scripting and SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information, Cross Site Scripting
Released:    2006-02-01

Zone-H Research Team has discovered some vulnerabilities in SPIP, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18676/

--

[SA18667] Calendarix Basic SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-02-01

Aliaksandr Hartsuyeu has discovered two vulnerabilities in Calendarix Basic, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18667/

--

[SA18666] SZUserMgnt "username" SQL Injection Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-02-01

Aliaksandr Hartsuyeu has discovered a vulnerability in SZUserMgnt, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18666/

--

[SA18664] IPB Dragoran Portal Module "site" SQL Injection Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-01

SkOd has reported a vulnerability in the Dragoran Portal module for Invision Power Board, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18664/

--

[SA18655] UebiMiau Webmail HTML Email Script Insertion Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-31

M.Neset KABAKLI has discovered a vulnerability in UebiMiau, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/18655/

--

[SA18633] AndoNET Blog "entrada" SQL Injection Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-27

Aliaksandr Hartsuyeu has discovered a vulnerability in AndoNET Blog, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18633/

--

[SA18628] My Little Forum/Guestbook/Weblog "link" BBcode Script Insertion
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-27

Aliaksandr Hartsuyeu has discovered a vulnerability in My Little Forum, My Little Guestbook, and My Little Weblog, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/18628/

--

[SA18624] NewsPHP SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-26

SAUDI has reported some vulnerabilities in NewsPHP, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18624/

--

[SA18673] Easy CMS Cross-Site Scripting Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-31

Preben Nylokken has reported some vulnerabilities in Easy CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18673/

--

[SA18672] sPaiz-Nuke "query" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-31

Night_Warrior has reported a vulnerability in sPaiz-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18672/

--

[SA18670] Nuked-Klan "letter" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-31

Night_Warrior has discovered a vulnerability in Nuked-Klan, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18670/

--

[SA18658] BrowserCRM "query" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-01

Preben Nyløkken has reported a vulnerability in BrowserCRM, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18658/

--

[SA18657] Cerberus Helpdesk "contact_search" Cross-Site Scripting
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-01

Preben Nyløkken has reported a vulnerability in Cerberus Helpdesk, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18657/

--

[SA18645] PHP-Ping "count" Denial of Service Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-01-30

cvh has discovered a vulnerability in PHP-Ping, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/18645/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Feb 3 04:31:20 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:31:20 -0600 (CST)
Subject: [ISN] Kama Sutra virus expected to strike
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/02/03/AR2006020300346.html

By Michael Kahn
Reuters
February 3, 2006

SAN FRANCISCO (Reuters) - A destructive worm posing as a pornographic e-mail may already have infected hundreds of thousands of computers and could erase many everyday files on Friday, security experts warn.

The "Kama Sutra" worm, which targets popular Microsoft Corp., Adobe Systems Inc. and ZIP files, is a threat because many users will not know the virus has infected their computers until it is too late, security experts said.

They also estimate that the worm -- which spreads by e-mailing itself to addresses in an infected computer's mailbox -- may already have slipped onto 275,000 to 500,000 machines and is now simply waiting to obliterate files on Friday.

The virus, also known as Nyxem, Grew.A or MyWife, tricks users by appearing as an e-mail attachment with subject lines such as "Hot Movie," "give me a kiss" and "Miss Lebanon 2006." Some variations refer to the ancient Kama Sutra guide to elaborate sexual positions in order to attract attention and convince victims to open.

"It claims to be a movie or picture with some sort of sexual content," said Johannes Ullrich, chief research officer at the nonprofit SANS Institute research group. "That is how it tricks you."

The virus causes a keyboard and mouse to freeze up and then disables anti-virus programs when the computer is restarted, leaving a machine vulnerable, said Ken Dunham, rapid response director at VeriSign Corp.'s security unit iDefense.
The attack is scheduled to begin at midnight on February 3. The virus mainly has infected computers of vulnerable consumers and small businesses, which are far less likely to have up-to-date security software, he said.

The Kama Sutra worm also stands out because its primary purpose is to destroy files rather than to seek financial gain or to take control of a computer, security experts said.

Dunham said any users who suspect they may have triggered the worm should reinstall an anti-virus program and make sure the virus has been removed.

"It is already underway and will be activated unless people get removal tools," he said. "If you have opened an e-mail and your computer froze up, you should be very concerned."

From isn at c4i.org Fri Feb 3 04:31:32 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Feb 2006 03:31:32 -0600 (CST)
Subject: [ISN] Hacker hands over laptop
Message-ID:

http://www.mlive.com/news/fljournal/index.ssf?/base/news-34/1138897570313390.xml&coll=5

By Bernie Hillman
THE FLINT JOURNAL
February 02, 2006

LINDEN - A Linden High School senior who hacked into school records - possibly for the purpose of changing school grades, police say - handed his laptop over to police Tuesday.

The laptop will be delivered to the state police crime lab in Lansing next week, said Argentine Township police Lt. Bruce Coverdill.

Coverdill said the 17-year-old, who was suspended Jan. 25 for 10 days, is not talking to police and has an attorney.

"He admitted getting into some files," Coverdill said. "We don't know what files - possibly changing school grades; we don't know to what degree."

But hacking into a school computer is no easy task, said Thomas Svitkovich, superintendent for the Genesee Intermediate School District.

"There are fire walls and protective devices in place at all levels," he said. "The systems are closed systems. You can't just dial up and get into something, but I don't know what he got into or what he was doing."
It's too early in the investigation to know if the teen acted alone, said Coverdill, who noted that the hacking may have been going on for some time.

"(The school) had suspected something was wrong with their files. They approached him, and he admitted to it," Coverdill said.

Superintendent Elizabeth Leonard said she couldn't say much more other than the investigation is ongoing.

"Certainly he got into some Linden files," Leonard said.

Students will have limits on what they can access via computer until the investigation is complete, but Leonard said she could not say what those limits will be.

Senior Jamie Wolverton said the incident was not the talk of the school. She found out about it Wednesday from a teacher in the computer lab class.

"Someone said they couldn't save something, and (the teacher) said someone hacked into the system, and now we couldn't do that," Jamie said. "She didn't say how or who. We used to be able to save on a disc or under your own name, and now we can't do that."

Leonard said a decision whether to lengthen the suspension was expected to be made today.

©2006 Flint Journal

From isn at c4i.org Mon Feb 6 01:39:25 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Feb 2006 00:39:25 -0600 (CST)
Subject: [ISN] Oracle aims to tone security muscle with Fusion
Message-ID:

http://www.zdnet.com.au/news/security/soa/Oracle_aims_to_tone_security_muscle_with_Fusion/0,2000061744,39236748,00.htm

By Joris Evers
Special to ZDNet
06 February 2006

Billions of dollars worth of acquisitions have bought Oracle a perhaps unexpected bonus: security lessons.

Last year, the technology maker bought more than a dozen companies. Now it's picking up tips from those operations and using them in a major overhaul of its business applications software, an initiative called Project Fusion. Other products and processes are benefiting, too.

In return, Oracle is teaching its new employees something about security -- literally.
The Redwood Shores, California-based company found that none of the companies it bought required security-specific training for staff. But Oracle does. So employees brought in from the PeopleSoft, JD Edwards, Retek and Oblix purchases, among others, are learning the ropes.

All in all, Oracle hopes the security sum will be greater than its parts.

"To make the merged organisation successful, we take the best of what they did and the best of what we do, and make it what the combined company does," Mary Ann Davidson, Oracle's chief security officer, said in an interview on Tuesday.

Security has been a bugbear for the database specialist, which has drawn criticism for the time it takes to fix flaws and the quality of its patches. Experts will be watching closely to see what comes of any new effort.

Moreover, Fusion is a hefty undertaking, with the aim of incorporating the technology of companies Oracle has acquired. And security is only one element of Fusion. Oracle President Charles Phillips recently said the company, one year into the project, is already half done with its work on the next generation of its applications. Yet, Phillips said, the first Fusion applications won't be ready until 2008 -- a schedule that falls in line with previous promises.

Oracle isn't saying much about security in Fusion or in any of its other products, but in meetings with ZDNet Australia's sister site CNET News.com last week, company representatives lifted the veil on the software maker's endeavours to get all its security eggs into one basket.

One lesson Oracle has learned from PeopleSoft is that less customisation equals fewer security risks. While Oracle has historically allowed developers to program on top of its applications, PeopleSoft took a more limited approach. Its software was mainly set up to let customers analyse their business processes, then build upon its applications.
"What you can do from a security perspective in PeopleSoft is limited, while Oracle is more fine-grained and more customisable," said John Heimann, director of security program management at Oracle. "Sometimes simplicity is good for security, because you can sometimes code yourself into a hole."

Oracle's buying spree

In 2005 alone, Oracle acquired more than a dozen companies. The security synchronisation effort includes some of these: PeopleSoft (January), Oblix (March), Retek (April), TripleHop (June), TimesTen (June), ProfitLogic (July), Context Media (July), I-flex (August), Siebel (September), G-Log (September), Innobase (October), Thor Technologies (November), OctetString (November), TempoSoft (December)

Oracle allows developers to define security roles with a lot of flexibility, increasing the risk of mistakes and thus the introduction of flaws. For example, it is possible to restrict which user can access a specific part of an application based on very detailed rules, Heimann said. PeopleSoft doesn't provide the same level of flexibility, he said.

"We're going to try and combine the simplicity and declarative nature of PeopleSoft and PeopleTools with the extensibility and flexibility of the Oracle applications framework," Heimann said. As an indication of that, Oracle executives said a key person working on security for Fusion is Robert Armstrong, a former PeopleSoft security chief.

Another lesson partially learned from PeopleSoft is to ship products that have a high level of security out of the box, or at least provide an easy way to increase the security level -- something Oracle calls the Secure Configuration Initiative.

"In the past, our products have tended to be developer-friendly out of the box," Heimann said. "There were accounts with easy-to-remember passwords like 'Welcome1', demo code, and things were set with permissions that were wide open."
Oracle's 10g database products, which shipped in 2004, delivered on some of the "secure by default" approach, Heimann said. Customers should see more of it in future products, including the next generation of the database family, he added.

"It will be there to a much greater extent in 11g, and it is a focus for Fusion," he said. "That is the future: Security by default, and delivering it so you don't have to be a sophisticated developer to implement security rules."

For example, Oracle is thinking of allowing a system administrator to change security settings using a simple user interface or with drag-and-drop capabilities, Heimann said.

Patchy record

Oracle, which has marketed its products as "unbreakable," has faced mounting criticism over its security practices. Security researchers have accused the company of fixing security flaws too late, releasing faulty security updates or not plugging holes at all.

"Oracle can no longer be considered a bastion of security," Gartner analyst Rich Mogull wrote in a research note after Oracle released a slew of security patches on 17 January. "Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly."

The database specialist has not yet experienced a mass security exploit, but this does not mean that one will never occur, Mogull said in his note. He advises database and application managers to protect and maintain Oracle systems more aggressively.

Becoming part of Oracle's line-up could intensify the security community's scrutiny of products previously sold by the companies it acquired. So, in addition to product development, the mergers have also had effects on security processes. For example, each unit has amended how it deals with reports of vulnerabilities and with publishing of security alerts, Oracle executives said.
The employees and products of the purchased companies have borne the brunt of changes, said Duncan Harris, the senior director for security assurance at Oracle.

"The acquired companies did not have very many vulnerabilities reported to them by external researchers. PeopleSoft was the exception," Harris said. "All were still very much using a manual tracking system like that we had five years ago."

As for public announcement of fixes, PeopleSoft and JD Edwards security updates are now part of Oracle's quarterly critical patch bulletins. That's a change from before the acquisition. Oracle's patch alerts offer only a few details on specific flaws and their impact, while PeopleSoft's security bulletins had more information.

Bug handling for most companies Oracle acquired is now part of Oracle's automated system. However, PeopleSoft still maintains its own way of handling vulnerabilities, Harris said. While Oracle has people whose full-time job is dealing with flaws, PeopleSoft has a council of employees that discusses bugs as a team, he said.

Another change is that Harris' team of "ethical hackers" will now expand its scope and may scrutinise the newly acquired products.

"We don't declare what products my team looks at, but clearly as Oracle acquires new products, then those are eligible for the hackers to have a look at and do an assessment against," he said. Harris wouldn't say if people from any of the acquired companies have joined his hacking team, which is based in the U.K. He also declined to say how large the team currently is.

Still, former PeopleSoft employees appear to have a major role in charting the future of Oracle and will leave their marks, especially when it comes to security.

"When I knew that we were going to go ahead and buy PeopleSoft, I immediately wanted to have dibs on certain people," Oracle's Davidson said.

Added Heimann: "Fusion is serious. We really learned some good things from them and we're really trying to capture the best of it."
From isn at c4i.org Mon Feb 6 01:39:38 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Feb 2006 00:39:38 -0600 (CST)
Subject: [ISN] Virus floors Russian stock exchange
Message-ID:

http://www.theregister.co.uk/2006/02/03/virus_hits_stock_exchange/

By John Leyden
3rd February 2006

A computer virus succeeded in bringing down the main Russian stock exchange on Thursday. The Russian Trading System (RTS) was forced to suspend operations in its three markets between 1315 and 1420 GMT after unnamed malware infected systems. Viral infection resulted in a huge upsurge of outgoing traffic, interrupting normal network operations.

"The virus got into a computer connected to a test trading system from the internet," RTS vice president Dmitry Shatsky said in the statement issued Friday, Reuters reports. "The infected computer started generating huge volumes of parasitic traffic, which overloaded the RTS's support routers. The result was that normal traffic - data going in to and out of the trading system - was not processed."

RTS has since resumed trading. The exchange is playing down concerns that sensitive systems and data might have been exposed by the attack.

The attack on the Russian financial system came the day before the widespread Kama Sutra worm began destroying files on infected systems. The effects of the worm were far less than first feared, but the malware did force Milan city hall to turn off 10,000 computers as a precaution after discovering its systems were riddled with infection on Thursday, and deciding there wasn't enough time to mount an effective clean-up operation, AP reports.

From isn at c4i.org Mon Feb 6 01:39:51 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Feb 2006 00:39:51 -0600 (CST)
Subject: [ISN] Parkview assisting FBI in probe of file hacking
Message-ID:

http://www.fortwayne.com/mld/journalgazette/13782298.htm

By Michael Schroeder
The Journal Gazette
Feb. 03, 2006

As part of an ongoing FBI investigation into Medical Informatics Engineering and alleged software tampering at Orthopaedics Northeast, Parkview Health confirmed it is cooperating with the investigation.

The hacker appears to have breached Orthopaedics Northeast's network by exploiting connections of Parkview and an unnamed medical office from the outside, said Raymond Kusisto, chief executive officer of Orthopaedics Northeast.

The FBI is investigating software company Medical Informatics, 4101 W. Jefferson Blvd., in connection with the breach, a Medical Informatics official confirmed. No charges have been filed.

"The hacker simply used Parkview as a mule," Kusisto said. "Parkview didn't have anything to do with this."

New Medical Informatics competitor triPRACTIX, 1330 Medical Park Drive - which now manages Orthopaedics Northeast software - contacted the FBI on Orthopaedic Northeast's behalf after hiring consultants who determined software problems were caused by outside tampering, Todd Plesko, chief executive officer of triPRACTIX, had said.

There were nine cyber-attacks in the first two weeks of January, Kusisto said. The software problems slowed operations and increased overtime work but didn't affect patient safety or records security at Orthopaedics' 12 area locations, Kusisto said.

Karen Belcher, spokeswoman for Parkview, said all patient records in Parkview's network are secure.

"When we were alerted... that there was a concern, we went ahead and checked out the systems, and we did not find a problem," Belcher said.

If a hacker did enter Parkview's network, individual applications are equipped with security systems designed to restrict access. Belcher said cyber security measures include virus protection, monitoring systemwide operations and tracking user activity.

Belcher said Parkview is helping the FBI in any way it can. She referred specific questions about the investigation to Assistant U.S. Attorney David Miller, who would not comment on the matter.

A Medical Informatics official said the company is eager to see the results of the FBI's investigation.

Chief Operating Officer Eric Jones said that "FBI investigators indicated that there was evidence that machines on MIE's (Medical Informatics Engineering's) network were somehow involved in the alleged attack on ONE's (Orthopaedics Northeast's) network."

But Jones maintained that the company is innocent.

"We don't believe anything like that occurred," Jones said. "That is not the way that we do business."

From isn at c4i.org Mon Feb 6 01:40:11 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Feb 2006 00:40:11 -0600 (CST)
Subject: [ISN] Personal data on hundreds of Americans faxed to Manitoba company
Message-ID:

http://www.theglobeandmail.com/servlet/story/RTGAM.20060205.wdata0205/BNStory/National/home

STEVE LAMBERT
Canadian Press
05/02/06

Lockport, Manitoba - Confidential information on hundreds of United States citizens, including social security numbers, health information and bank account numbers, is being sent mistakenly by fax to a small Manitoba company.

A 60-centimetre-high stack of data, which also includes people's addresses and salaries, already sits in the offices of North Regent Rx, a herbal remedy distribution company that operates out of a house in Lockport, 15 kilometres north of Winnipeg.

"I know how much these people make, I know what their social security number is, I know where they live," North Regent Rx spokesman Jody Baxmeyer told The Canadian Press. "Almost everything a person needs for identity theft is actually faxed to us on a daily basis."

Far from using the information for any illicit purposes, Ms. Baxmeyer says his company has been trying to stop the faxes from coming in, but has been unable to reach an agreement with Prudential Financial, the U.S.-based company that is the intended recipient.

The problem started as soon as North Regent Rx began operating 15 months ago.
The company's toll-free fax number is almost identical to the number used by Prudential's insurance division, which receives faxes from doctors' offices about medical benefits given to patients with Prudential insurance. Employees at many doctors' offices have dialled the wrong number, sending the information to North Regent Rx. The pile in Ms. Baxmeyer's office reveals data about people in many states - a Maryland woman with thyroid trouble, a Massachusetts man suffering from depression, and Kelly McDonough, 43, an Ohio woman who has lost her sight because of diabetes. "That bothers me," McDonough said from her home in Columbus. "I do not appreciate the fact that my social security number is in the hands of someone I don't know. I know that there can be identity theft with as little information as a social security number." McDonough said the mixup has affected her financially, because she initially didn't get reimbursed for the claim that was mistakenly faxed to North Regent Rx. After waiting for a few weeks, she assumed Prudential might have lost the information and had her doctor's office resend the fax, which reached the right destination on the second try. Prudential says it's trying to address the situation. "As soon as we learned that disability forms were being misdirected due to dialer error, Prudential Financial offered to work with North Regent Rx to resolve the matter," the company said in a written statement. "We have asked the six medical providers that we are aware of that have misdialled to be more careful when dialing." Last August, Prudential vice-president Patrick O'Toole wrote to Ms. Baxmeyer to suggest that North Regent Rx send Prudential the faxes they have been receiving. Ms. Baxmeyer says North Regent has forwarded some faxes to Prudential, and has often faxed messages to the clinics to tell them they have misdialled. But he said it's a time-consuming task for a small company. 
And the ongoing problem has tied up the fax line, he said, preventing North Regent customers from sending in their orders. "The (solution) from our point of view is pretty simple - buy our toll-free number," Ms. Baxmeyer said. "It would take care of the problem right there." Ms. Baxmeyer said North Regent Rx has approached Prudential about selling the fax number, but the insurance firm has not yet agreed. North Regent Rx would want to be compensated for the cost of changing its toll-free number on advertising and invoices, as well as for fees charged by the telephone company, he said. Prudential's written statement says the company is "eager to continue to work with North Regent Rx to resolve the issue." This is not the first time personal data has been sent over the Canada-U.S. border to the wrong recipient. In November of 2004, The Globe and Mail and CTV reported that between 2001 and 2004, confidential information about hundreds of Canadian Imperial Bank of Commerce customers was faxed to a scrapyard in West Virginia. The scrapyard's owner, Wade Peer, said the volume of faxes prevented him from communicating with his customers and forced him to close one of his businesses. From isn at c4i.org Mon Feb 6 01:40:24 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 6 Feb 2006 00:40:24 -0600 (CST) Subject: [ISN] Chinese Hacker Attacks on Korean Gamers Mushrooming Message-ID: http://english.chosun.com/w21data/html/news/200602/200602030008.html The Chosun Ilbo Feb. 3, 2006 There is no failsafe solution in sight for massive attacks from Chinese hackers who steal the sign-in names and passwords of Korean gamers. More and more websites have become infection points for Trojan viruses that leak users' personal information since last May, when the MSN Korea website was first infected with the malicious code. IT security firm Geot says about 2,000 websites fell victim to Chinese hackers from November of last year through last month. 
Of the sites used to spread Trojan-style viruses, 70 percent were Korean and the rest Chinese. Geot presumes the Chinese sites are permanent hosts where the spy codes are permitted to incubate unhindered by security updates. The character of the victim sites is also changing rapidly. Once limited to game portals and media or cable TV homepages, they now include public services including two public broadcasters, two local governments, one office of education and a number of university websites. More than 100 websites including terrestrial broadcasters and sports papers unwittingly inflicted multiple damage because they reacted too late or not at all. The type of information being targeted is changing too, from access details for well-known online games to user information of game item market sites. Experts are worried that the hackers' range could soon extend to more vital areas such as online banking. The government announced an anti-hacking program for online games as the damage spread, but critics say it fails to get to the core of the problem. To tackle the threat at its root, the government should legalize item exchange so that secure sites can be built and protected by law, they say. From isn at c4i.org Tue Feb 7 04:13:50 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:13:50 -0600 (CST) Subject: [ISN] 2 Tigard High students face discipline over calls Message-ID: http://www.oregonlive.com/metrosouthwest/oregonian/index.ssf?/base/metro_southwest_news/1139291813243370.xml&coll=7 MAYA BLACKMUN February 07, 2006 Two Tigard High School students face possible expulsion after harassing phone calls were made over the weekend to five teachers using home numbers placed on the Web by a student hacker last week, officials said. Susan Stark Haydon, a spokeswoman for the Tigard-Tualatin School District, would not identify the students, citing privacy concerns of minors. 
She said they face discipline up to expulsion for violating the district's policy on threats of violence, hazing, harassment, intimidation, bullying and menacing. The latest incident follows that of another student who hacked into the school's computer system and placed a slew of personal information on the Web. "It's been a painful learning experience," principal Pam Henslee said, "and we hope that students know this is serious business." She would not describe the calls but said they were considered harassment because of their content, repetition and unwelcome nature. Some teachers reported getting calls nonstop in the middle of the night for two to three hours, only to have the calls stop and start up again the next day. After the teachers reported the phone calls Monday morning, Henslee got on the school's intercom and asked students for help. Two students were identified, and they admitted making the calls, she said. They used information posted sometime during the night of Jan. 30 by another Tigard High student that included the roster of the approximately 100-person school staff, staffers' month and day of birth, home and cell phone numbers, home addresses, 18 e-mail passwords along with two network administration passwords, and the combinations of the school's approximately 2,000 lockers, which subsequently had to be changed. Jim Wolf, a Tigard Police Department spokesman, said the hacking case is under investigation. If teachers want to pursue criminal charges, they would have to report the harassment to police where they live. From isn at c4i.org Tue Feb 7 04:14:03 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:14:03 -0600 (CST) Subject: [ISN] Hacker cripples government website in Chengdu Message-ID: http://www.interfax.cn/showfeature.asp?aid=9724 Shanghai. 
February 7, 2006 INTERFAX-CHINA The official website of the Chengdu Agricultural Committee, a government body that oversees agricultural production in the southwestern Chinese city, was hacked on Monday and has been inaccessible up to now, a government official told Interfax Tuesday. "We have not found out who did this but we are restoring the website, which will be up and running again within one or two days," an official surnamed Wu said. Wu is the director of the Chengdu Agricultural Committee's Network Administration Department. The government website, www.cdagri.gov.cn, was attacked Monday morning and the homepage was replaced with a black page saying that the website was "rubbish." The hacker also claimed to be from China Eagle Union, a Chinese hacker organization, local newspaper Tianfu Morning News (Tianfu Zaobao), reported. However, as the investigation is still in progress, the real identity and purpose of the hacker remain a mystery. "It is definitely impossible for us to do this, because hacking into government websites is illegal," Luo Yuwei, an official with the China Eagle Union, told Interfax. China Eagle Union is a domestic non-profit organization that has been involved in hacker wars against Japanese and American counterparts. The Chengdu Agricultural Committee, meanwhile, is planning to improve its network security after the accident. "We will upgrade our website this year," Wu said. -KW From isn at c4i.org Tue Feb 7 04:14:17 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:14:17 -0600 (CST) Subject: [ISN] Shock Absorbers Message-ID: http://www.time.com/time/insidebiz/article/0,9171,1156596,00.html By MARYANNE MURRAY BUECHNER Posted Feb. 05, 2006 When 21-year-old Web entrepreneur Alex Tew received a $50,000 ransom demand last month, he remembers thinking, "There's no way on earth I'm paying these guys." Hackers had kidnapped Tew's Million Dollar Homepage, an advertising website, crippling it with a flood of data. 
Thousands of dollars, six days and two security teams later, the site was back up. "I can understand why gambling sites that accept thousands of dollars a day could choose to pay and be done with it," Tew says, "but I made a point of standing firm." As cyberextortion schemes become increasingly common, their targets have another choice: cyberinsurance. Demand for this emerging category of insurance, which will even cover a ransom payment, has jumped as more companies--and not just tech firms--depend on digital networks to do business. Written premiums topped $200 million in 2005, up from $100 million in 2003, according to Aon Financial Services Group managing director Kevin Kalinich, as corporations realize they have to guard against liability in addition to the hackers themselves. The rise of the hacker as extortionist reflects a broader change in hacker culture. "It used to be teenagers looking for bragging rights," says Johannes Ullrich, chief research officer for the SANS Institute, a security think tank. "Now it's done for profit." And it's done from anywhere in the world, so catching the bad guys can be complicated. Ullrich estimates that there are 10 or 20 cases a day, compared with virtually none three years ago. More sophisticated viruses, spyware and other forms of malicious code, meanwhile, are the new weapons of choice for committing identity theft, bank fraud, even industrial espionage. Computer crime costs U.S. businesses an estimated $67.2 billion a year, according to the FBI. There are two sides to cyberinsurance: first-party coverage helps companies recover losses owing to, say, a network outage. Many first-party policies also include payments to hackers holding your website or customer data hostage, says ACE USA underwriter Brad Gow. Third-party liability covers legal expenses if security fails and someone sues. 
Annual premium payments range from $7,500 for a medium-size ($25 million in sales) company to hundreds of thousands of dollars for a multinational corporation, according to AIG. To qualify for coverage, companies must adhere to internationally accepted security standards. "You never know what you're going to come up against," says Moira Mooney, senior risk manager for InterActiveCorp, which owns several online businesses. "Having the insurance is a backstop." What has really kicked things off for the cyberinsurance market is new legislation, in effect in some 20 states, that requires companies to notify customers when their personal data may have been compromised. There were 134 such breaches last year, potentially affecting more than 57 million people, according to the Identity Theft Resource Center. "Companies used to bury this stuff," says Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center. Now that they must go public, buying insurance can reduce liability risk. Insured or not, the top priority is still prevention. Procter & Gamble, for one, eschews cyberinsurance. "What would be scary for us is if we lost critical data--about R&D, our supply chains, even a marketing plan--to our competitors," says chief information officer Filippo Passerini. "There's no insurance that could cover all the damage." From isn at c4i.org Tue Feb 7 04:13:38 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:13:38 -0600 (CST) Subject: [ISN] Azeri hackers attack Danish web sites Message-ID: http://www.cascfen.org/news.php?nid=1479&cid=6 CASCFEN, Baku 06.02.2006 It seems that the new information-communication technologies are going to be used for taking revenge on the case of cartoons of the holy Muslim Prophet Mohammed. As reports the web site Vlasti.Net, Azerbaijani hackers have attacked several Denmark based web sites as a revenge for publication of Mohammed's offensive cartoons. 
The hackers themselves describe this attack as a light one and say they did not touch the databases of the hacked web sites. Hackers expressed their protest by simple defacing of the first pages of the Danish web sites. Following are some URLs of the Danish web sites provided by Vlasti.Net, which are "defaced" by Azerbaijani hackers: http://vaaren.dk; http://www.corecomputer.dk; http://www.roklub-forum.dk; http://www.inchrist.dk and http://www.lamri.dk. An image calling for "Jihad" appears instead of the home pages of the web sites. From isn at c4i.org Tue Feb 7 04:14:30 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:14:30 -0600 (CST) Subject: [ISN] Group Crafts Standards for Evaluating Outsourcers Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,108379,00.html By Jaikumar Vijayan FEBRUARY 06, 2006 COMPUTERWORLD Six large U.S. banks, an industry group and four major accounting firms joined forces in early 2004 to create standards for assessing the security practices of outsourcing vendors that work with financial services firms. The goal was to create consistent standards for use in evaluating the controls that outsourcing vendors use to protect sensitive data, said Faith Boettger, a senior consultant at BITS, the technology arm of the Washington-based Financial Services Roundtable. The standards are now available to the financial services community, following a trial of the program undertaken by five service providers, including IBM, Acxiom Corp. and First Data Corp. The standards program, called the Financial Institution Shared Assessments Program, was developed by BITS, Bank of America Corp., The Bank of New York Co., Citigroup Inc., JPMorgan Chase & Co., U.S. Bancorp and Wells Fargo & Co. Accounting firms Deloitte & Touche LLP, KPMG International, PricewaterhouseCoopers and Ernst & Young International serve as technical advisers for the program. 
The guidelines can be used to evaluate an outsourcer's controls for access, asset classification, personnel security, physical and environmental security, communications, business continuity and regulatory compliance, Boettger said. The group expects that the standards will result in improved security and risk-management practices, she said. The program will also give auditing firms standard criteria for measuring the security practices of different service providers, she added. "BITS member companies have for a long time been focused on looking at the management of risk within outsourcing relationships," Boettger said. The new programs should help such companies better meet their regulatory and risk management requirements, she explained. Joe Duffy, lead managing partner for the performance improvement practice at PricewaterhouseCoopers, said the initiative is an example of the private sector coming together to address information security issues at a time of heightened regulatory oversight. "What is groundbreaking here is the fact that industry, the accounting profession and the supplier community are coming together and agreeing" on common assessment standards, Duffy said. From isn at c4i.org Tue Feb 7 04:14:43 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:14:43 -0600 (CST) Subject: [ISN] In QDR, Defense focuses on combating cyberthreats Message-ID: http://www.gcn.com/vol1_no1/daily-updates/38207-1.html By David C. Walsh Special to GCN 02/06/06 As expected, the newly released Quadrennial Defense Review suggests an evolution in Pentagon thinking about the role of IT in countering cyberthreats. Among IT successes, the 113-page review cites the use of computer-guided drone aircraft in Iraq and Afghanistan. These "in-country" unmanned aerial vehicles, noted the QDR [1], are remotely controlled by operators in Nevada. President Bush submitted the QDR to Congress along with his fiscal 2007 budget request. 
The QDR is a report the Defense Department produces every four years that lays out DOD's 20-year projection for transformation. These "net-centric reach-backs," noted the report, "achieve a level of air-ground integration that was difficult to imagine just a decade ago." The immediacy of such communications assets "is helping joint forces gain greater situational awareness to attack the enemy," enabling "faster decision-making and subsequent actions," according to the QDR. In the larger scheme, net-centricity wasn't only an enterprise asset but "a weapons system to be protected" like other parts of the nation's critical infrastructure. Information security is so vital, the document warns, that even cyberattacks from abroad could result in an unspecified "overwhelming response." Foreign nations, and not just individuals or small groups, may be involved in sabotage attempts. China is identified as among "near-peer competitors" that bear watching, the QDR stressed. Of DOD's $30 billion IT budget, $2 billion a year is spent on information assurance. Guided by the QDR, the 2007 budget request has increased by $500 million. Current and evolving cyberthreats, the review added, underscored the need to "design, operate and defend the network to ensure continuity of joint operations." This includes the core of net-centric operations, the Global Information Grid (GIG), which enables the digital collection, communication, storage and management of data for Defense. Among the steady progress in this area, the QDR stated, is deployment of "an enhanced land-based network and new satellite constellation" - part of the Transformational Communication Architecture. This ensures "high-bandwidth, survivable Internet protocol communications." Notwithstanding successes in integrating data across different enterprises and time zones, the QDR acknowledged "capability gaps" in military information operations. 
In all of Iraq, only 133 translators or "heritage speakers" are deployed, for example. To close the gaps and ensure seamless communications, DOD would, according to the QDR, "develop new tools and processes for assessing, analyzing and delivering information to key audiences." David Walsh is a freelance writer in Chevy Chase, Md. [1] http://www.defenselink.mil/qdr/report/Report20060203.pdf From isn at c4i.org Tue Feb 7 04:14:57 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Feb 2006 03:14:57 -0600 (CST) Subject: [ISN] Researchers: Popular apps have mismanaged security Message-ID: http://www.networkworld.com/news/2006/020606-application-security.html By Robert McMillan IDG News Service 02/06/06 Big-name companies like America Online (AOL) and Adobe could do a better job of writing secure software, according to a recent report by two Princeton University researchers. The researchers took a look at a number of popular applications, including AOL Instant Messenger and Photoshop, and determined that many of them made changes to the operating system that could allow attackers to bypass some Windows security mechanisms. (Read the report - PDF. [1]) The Princeton team focused on the Windows access control system, which determines what types of things users and applications can do on any given PC. Their conclusion: Many programs ask for too many privileges, opening the door for potential attackers. "Vendors are making mistakes when they write programs for Windows," said Sudhakar Govindavajhala, a Princeton Ph.D. student, and one of the authors of the paper. "It's worrying that your computer can become insecure on installation of new programs." An attacker would first need to gain access to a local account on a computer to take advantage of the problems described in the paper, Govindavajhala said. "These attacks are not exploitable over the Internet, but if someone can get a handle of your machine, then one can do interesting things," he said. 
After years of focusing on Windows, attackers are increasingly targeting the software that is running on top of the operating system, according to the SANS Institute, a training organization for computer security professionals. SANS lists [2] instant messaging applications, media players and backup software among the most critical areas for new security vulnerabilities. Another Princeton computer scientist who is familiar with the paper said that the research shows just how widespread these "privilege escalation" problems really are. "For the average user, it's a reminder that software applications can open security holes and that application vendors do make mistakes that can cause risks for users," said Ed Felten, a professor of computer science and public affairs. "No application should be considered completely safe." The MediaMax copy protection software used by Sony BMG Music Entertainment was recently discovered to have this kind of privilege escalation flaw, according to Felten. MediaMax's producer, SunnComm, has since patched the problem, he said. The security vulnerabilities that Govindavajhala and his co-author Andrew Appel discovered have been fixed in the AIM client and Adobe's products [3], but there are other programs that suffer from the same problem, Govindavajhala said. Govindavajhala did not want to name specific unpatched products because that information could be used by attackers, he said. [1] http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf [2] http://www.sans.org/top20/ [3] http://www.frsirt.com/english/advisories/2006/0431 From isn at c4i.org Wed Feb 8 03:19:23 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Feb 2006 02:19:23 -0600 (CST) Subject: [ISN] Honeywell blames ex-employee in data leak Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,108434,00.html By Robert McMillan FEBRUARY 06, 2006 IDG NEWS SERVICE Honeywell International Inc. 
says a former employee has disclosed sensitive information relating to 19,000 of the company's U.S. employees. Honeywell discovered the information being published on the Web on Jan. 20 and immediately had the Web site in question pulled down, said company spokesman Robert Ferris. In court filings dated Jan. 30, the company accused former employee Howard Nugent of Arizona of accessing the information on a Honeywell computer and then causing "the transmission of that information." Nugent has since been ordered not to disclose any information about Honeywell, including "information about Honeywell's employees (payroll data, Social Security numbers, personal information, etc.)," according to a Jan. 31 order signed by Judge Neil Wake of the U.S. District Court for the District of Arizona. The precise method Nugent is alleged to have used to gain access to the information, and why he may have disclosed it, is not clear. In the court filings, Honeywell claimed that Nugent "intentionally exceeded authorized access to a Honeywell computer," but the integrity of Honeywell's computer systems was not compromised, Ferris said. "Nobody hacked into systems," he said, without disclosing further details on the data breach. Honeywell employees were notified of the breach via e-mail on Jan. 23, just days after it was discovered, and the company has since mailed notices about the compromise to all affected employees, Ferris said. The company is working with federal and local authorities on the case, but Ferris declined to comment on whether criminal charges were expected to be filed. Nugent could not be reached to comment for this story. 
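Turning back to the Princeton findings on Windows access control above: as an added check (not code from the page, the report or any vendor), a Python audit that reads the DACL of installed program files in SDDL form, as `(Get-Acl <path>).Sddl` returns it, and flags allow entries that leave Users, Everyone, Authenticated Users or Interactive with any write-class right on a binary or plugin directory. The paths and ACLs below are constructed; the SDDL rights codes and well-known SIDs are the standard Windows ones.

```python
import re
from collections import namedtuple

# SDDL two-letter rights codes for file objects and their access-mask values (from sddl.h).
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}

# Access-mask bits that let a principal alter a file, its DACL or its owner. Granted on a program
# binary or plugin directory, they let a low-privilege account change what a more privileged user runs.
WRITE_RIGHTS = {
    0x00000002: "FILE_WRITE_DATA", 0x00000004: "FILE_APPEND_DATA", 0x00000010: "FILE_WRITE_EA",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE",
}

# Principals every local account belongs to (SDDL aliases and their well-known SIDs).
LOW_PRIV = {
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users", "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users", "IU": "Interactive", "S-1-5-4": "Interactive",
}

# Constructed sample: hypothetical install paths paired with the SDDL string that
# (Get-Acl <path>).Sddl returns for them. The products and ACLs are made up, not from the page.
SAMPLE_ACLS = {
    # chat client whose installer gave Users full control of its own executable
    r"C:\Program Files\ExampleChat\chat.exe": "O:BAG:SYD:PAI(A;;FA;;;BU)(A;;FA;;;SY)(A;;FA;;;BA)",
    # image editor whose plugin folder grants Everyone Modify (hex mask 0x1301bf)
    r"C:\Program Files\ExampleImage\plugins": "O:BAG:SYD:AI(A;OICI;0x1301bf;;;WD)(A;OICIID;FA;;;BA)",
    # correctly installed program: Users get Read & Execute (0x1200a9) only
    r"C:\Program Files\GoodApp\good.exe": "O:BAG:SYD:AI(A;ID;0x1200a9;;;BU)(A;ID;FA;;;SY)(A;ID;FA;;;BA)",
    # a deny of FILE_GENERIC_WRITE that still leaves Users able to delete or re-ACL the folder
    r"C:\Program Files\ExampleChat\updates": "O:BAG:SYD:(D;;FW;;;BU)(A;;FA;;;BU)(A;;FA;;;BA)",
}

Finding = namedtuple("Finding", "path principal effective_mask rights")


def parse_rights(field: str) -> int:
    """Turn an SDDL rights field (hex mask or run of two-letter codes) into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in SDDL_RIGHTS:
            raise ValueError(f"unsupported SDDL rights code: {code!r}")
        mask |= SDDL_RIGHTS[code]
    return mask


def dacl_aces(sddl: str) -> list:
    """Return (type, flags, mask, sid) for each ACE in the D: section of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2) if m else ""):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: {body!r}")
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = parts
        aces.append((ace_type, flags, parse_rights(rights), sid))
    return aces


def weak_aces(path: str, sddl: str) -> list:
    """Report allow ACEs that leave a low-privilege principal with write-class rights."""
    aces = dacl_aces(sddl)
    # Windows evaluates deny ACEs before allow ACEs, so subtract a same-SID deny from the
    # allow. Denies that reach the user through group membership are not modelled here.
    denied = {}
    for ace_type, _flags, mask, sid in aces:
        if ace_type == "D":
            denied[sid] = denied.get(sid, 0) | mask
    findings = []
    for ace_type, _flags, mask, sid in aces:
        if ace_type != "A" or sid not in LOW_PRIV:
            continue
        effective = mask & ~denied.get(sid, 0)
        hits = [name for bit, name in WRITE_RIGHTS.items() if effective & bit]
        if hits:
            findings.append(Finding(path, LOW_PRIV[sid], effective, hits))
    return findings


def audit(acls: dict) -> list:
    """Run the check over a {path: sddl} map, e.g. one exported with Get-Acl over Program Files."""
    findings = []
    for path, sddl in acls.items():
        findings.extend(weak_aces(path, sddl))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACLS):
        print(f"{f.path}: {f.principal} 0x{f.effective_mask:08x} -> {', '.join(f.rights)}")
```

On the constructed sample the chat binary, the plugin folder and the updates folder are flagged; the deny entry on the updates folder strips the write bits but not DELETE, WRITE_DAC or WRITE_OWNER, so a plain "deny write" is not enough to protect an install directory.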
From isn at c4i.org Wed Feb 8 03:19:51 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Feb 2006 02:19:51 -0600 (CST) Subject: [ISN] NIST experts craft data removal handbook Message-ID: http://www.washingtontechnology.com/news/1_1/daily_news/27920-1.html By Joab Jackson Contributing Staff Writer 02/07/06 Wonder no longer about how to remove sensitive data from the hard drives and optical disks you are about to toss. The National Institute of Standards and Technology has issued a set of draft guidelines on how to safely remove information from obsolete forms of storage. Matthew Scholl, Richard Kissel, Steven Skolochenko and Xing Li of the NIST Information Technology Laboratory authored Special Publication 800-88 [1], "Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology," which was sponsored by the Homeland Security Department. "When storage media are transferred, become obsolete or are no longer usable or required by an information system, it is important to ensure that residual magnetic, optical or electrical representation of data that has been deleted is not easily recoverable," the guidelines stated. Although the publication summarizes the ways to remove data, it emphasizes that a proper disposal methodology should not be based on the type of storage being disposed of, but rather on the confidentiality of the material the medium contains. The authors conclude that there are three general approaches to excising data from various storage technologies: Clearing: This approach usually involves overwriting the data with new random data, or in cases of electronic devices, deleting existing information and performing a manufacturer's hard reset (if one exists). Purging: This approach involves "degaussing" the medium, a procedure that involves generating a magnetic field to neutralize the magnetically encoded information. 
The report notes that the new Serial ATA hard disk drives have a firmware-based Secure Erase command that can purge information to the same degree of unrecoverability. Destroying: The form of destruction depends on the type of media being used. Shredding could work for paper, while pulverization, melting and incineration (tasks usually outsourced) would be more appropriate for hard disks or optical disks. Sanding off the physical recording surface is another option. The report also shows how to apply these approaches to various technologies such as personal digital assistants, routers, copy machines, hard drives and floppy disks. NIST also urged organizations to establish enterprise governance procedures for erasing material from old technologies. "Ultimately, the head of the organization is responsible for ensuring that adequate resources are applied to the program and for ensuring program success," the report noted. "Senior management is responsible for ensuring that the resources are allocated to correctly identify types and locations of information and to ensure that resources are allocated to properly sanitize the information." [1] http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf From isn at c4i.org Wed Feb 8 03:20:05 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Feb 2006 02:20:05 -0600 (CST) Subject: [ISN] 'Sleeper bugs' used to steal €1m in France Message-ID: http://www.guardian.co.uk/france/story/0,,1703777,00.html Kim Willsher in Paris February 7, 2006 The Guardian Russian thieves have stolen more than €1m (£680,000) from personal bank accounts in France using "sleeper bugs" to infect computers. French authorities claim the thieves can take control of and empty a bank account in seconds. In one hit, a bank customer lost €40,000. Police say the virus is embedded in emails or websites and remains dormant until the user contacts their bank online. 
When that happens, the bug becomes active and records passwords and bank codes which are then forwarded to the thieves. They then use the information to check the victim has money in the bank before transferring funds to the accounts of third parties, known as mules, who may have agreed to allow money to pass through their accounts in return for a commission of between 5% and 10%. Police claim this is set up through fictitious companies, including one American firm named World Transfer, although the mules could be unaware that their computers are being used for theft. A dozen Russian thieves, described by police as being typically aged between 20 and 30, and several Ukrainian masterminds of the scam have been arrested in Moscow and St Petersburg. The authorities were alerted in November 2004, when a bank customer noticed a large sum missing from his account. This was followed by other reports of theft all over France. In 11 months, the thieves had stolen €1m. Nicolas Woirhaye, a security expert, said the French authorities were alerted to scams every three weeks. He said the best way to beat pirates was to use up-to-date anti-virus software. "All the French victims were trapped because they didn't have any [computer] protection," he said. From isn at c4i.org Wed Feb 8 03:20:20 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Feb 2006 02:20:20 -0600 (CST) Subject: [ISN] Cyber Law Enforcement in Nepal Message-ID: http://english.ohmynews.com/articleview/article_view.asp?article_class=4&no=273060&rel_no=1 Bishnu K.C. 2006-02-08 Laws are established and enforced by the authority, legislation, or custom of a given community, state or nation to maintain orderly coexistence. Basically, cyber law deals with child pornography, cyber-stalking, cyber-scams, online fraud, software piracy and much more. Legal experts are working in this field to help educate and guide the Internet community on crime prevention and the reporting of cyber crimes. 

After many years of discussion and effort, the government of Nepal has recently crafted the much awaited Electronic Transaction and Digital Signature Act-Ordinance (ETDSA)-2061 (2004), popularly known as "Cyber Law." This law has provided new trust to the Information Technology (IT) sector, and computer and IT professionals are hopeful that it will create a favorable situation for conducting IT business. It contains a strong provision of punishment against cyber crimes according to the nature of the crime. As per the provisions of the law, the government is fully authorized to punish cyber criminals -- whether an individual or an institution.

To what extent "laws are made to be broken" is the big question facing all Nepali people now. Cyber law exists in Nepal, but it has failed to address many problems. The law is not stringent enough to deal comprehensively with cyber-related crimes. Problems of online media, as well as fines and imprisonment, are not as big as in the U.S. and Japan. Corruption is seen in every field. Big government and some private organizations are using pirated CDs. Even some security organizations responsible for taking action against this crime are seen violating the rules.

Software CDs can be seen on the footpaths of Kathmandu, which has decreased their value as well as violated the newly implemented law of the country. People are crowding into these places because the price is low. People want just the CDs. Who cares about the quality and the law? Program CDs of great value are found all over the Kathmandu valley and prices range from Rs. 50-100 (U.S.$0.70-1.40). Though this is not new to any Nepali citizen, it may attract the attention of some foreigners visiting Nepal. But even foreigners are taking numerous pirated software CDs back to their countries, said one seller on New Road in Kathmandu.

This problem is not limited to CDs. Even in cybercafes, children of young ages can be seen using porn sites. The proprietor of the cafe, not caring about the law, just wants all his computers to be packed. Different hacker software can be found on each individual's computer. Whenever anyone buys a new software CD, it is shared with all his friends and relatives. So it has become a habit for all Nepali people to share CDs. The misuse of the Internet can prove to be a haven for all kinds of abuses, but who is responsible for this?

Despite its disadvantages, the Internet has been a boon for all humans, regardless of age. It seems as if people who are used to it cannot live without it. One can say it has become a part of life. Everybody everywhere, in the cafes or in their vehicles, can be busy on the net, either for information or fun.

The effective implementation of cyber law will be a necessity. Nepal will not be able to regulate the information technology industries without taking the international legal context into account. The main thing is that regulations are enforced. First of all, the authorities should put their own house in order before awakening the citizens. There is still a lot of homework to be done if Nepal expects a boom in the IT sector. According to the Ministry of Science and Technology, they are working on bringing out cyber regulations in the days ahead, and we should expect them to be crafted very soon. Since the computing field is a dynamic one, policies and laws related to this area need to be revised periodically to reflect the changing trends -- at both the local and the global level.

©2006 OhmyNews


From isn at c4i.org Wed Feb 8 03:20:33 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 8 Feb 2006 02:20:33 -0600 (CST)
Subject: [ISN] Microsoft security service to ship in June
Message-ID:

http://news.com.com/Microsoft+security+service+to+ship+in+June/2100-7350_3-6036290.html

By Joris Evers
Staff Writer, CNET News.com
February 7, 2006

Microsoft plans to ship a new security product in June, charging $49.95 a year to shield up to three PCs against viruses, spyware and other cyberthreats, the company said on Tuesday.

As previously reported, Windows OneCare Live's June debut marks Microsoft's long-anticipated entry into the consumer antivirus market. That space has long been the domain of specialized vendors, led by Symantec and McAfee. Microsoft announced its intent to offer antivirus products in June 2003 when it bought Romanian antivirus software developer GeCad Software.

OneCare combines antivirus, anti-spyware and firewall software with backup features and several tune-up tools for Windows PCs. The product will be sold online and in stores, Microsoft said.

The software maker is following common routes to get its software into consumers' hands. It will offer a free 90-day test period and is working on deals with PC makers to ship OneCare on new computers, said Dennis Bonsall, director of Windows OneCare Live at Microsoft.

Buyers can install OneCare on up to three PCs that run Windows XP with Service Pack 2. This is a discount over rival products from Symantec and McAfee, which charge $119.99 and $139.99, respectively, before rebates, for three-user editions of their security suites. The Symantec and McAfee products are often heavily rebated.

"Up to three licenses is a real good deal," said Andrew Jaquith, an analyst with The Yankee Group in Boston. "I think it is very consumer-friendly and a good deal for families and SOHO (small office, home office) type businesses."

OneCare also includes support at no additional charge via e-mail, online chat or phone, Microsoft said. This compares to oft-criticized, mostly paid-support options from Symantec and McAfee.

Microsoft announced its plans for OneCare in May 2005. Invited testers have been trying it out since last July, and a public test version was released late last year. About 170,000 people are testing OneCare. As a thank-you, testers can get a discounted rate of $19.95 per year if they sign up in April, Bonsall said.

Microsoft will sell OneCare on a subscription basis--a change from the traditional way security software has been sold. As long as a subscription is active, users will get signature and feature updates to guard against the latest attacks. Traditionally, users paid annually for signature updates, while a product upgrade required an additional purchase.

Symantec and McAfee sell their boxed security suite products for $69.99, before any rebates, and then charge an annual fee for signature updates. However, both security companies have also been moving to a subscription model.

In addition to adding subscription options, established security software sellers have prepared for Microsoft's market entry by adding anti-spyware to their security suites. Symantec later this year also plans to introduce a new product, code-named Genesis, that will be sold on a subscription-only basis and has many of the same features as OneCare.

"If Microsoft had not combined the two, you would still see the mainstream antivirus vendors all trying to premium-price all these things separately," Jaquith said.

Initially, OneCare will only be available in English on the U.S. market. Microsoft plans to have test versions out in other languages within the next year, a representative said.

The global antivirus market is growing; it reached $3.7 billion in revenue in 2004, up 36 percent from 2003, IDC said in December. The market research outfit forecasts the antivirus market will grow to $7.3 billion in 2009.

With OneCare, Microsoft is targeting consumers, especially those who do not run security software or have let their current product expire. The company says it believes 70 percent of consumers fall into that category. In a recent research note, The Yankee Group estimated the niche as a market worth potentially $15 billion.

The company plans to include Windows Defender, an anti-spyware program, within Windows Vista, the update to the operating system scheduled to arrive before the 2006 holiday sales season. However, there are no plans to bundle antivirus software in Vista.

Microsoft is also eyeing the enterprise security market. It is working on a new Microsoft Client Protection product to defend business desktops, laptops and file servers against malicious attacks.


From isn at c4i.org Thu Feb 9 01:41:24 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 9 Feb 2006 00:41:24 -0600 (CST)
Subject: [ISN] User Account Control in Windows Vista
Message-ID:

====================

1. In Focus: User Account Control in Windows Vista

2. Security News and Features
- Recent Security Vulnerabilities
- ISA Server 2004 Service Pack 2 Now Available
- IE 7.0 Beta 2 Preview Available for Public Review
- Researchers Already Scouring IE 7.0 for Holes

3. Security Toolkit
- Security Matters Blog
- FAQ

4. New and Improved
- Soft Token, Strong Authentication

====================

==== 1. In Focus: User Account Control in Windows Vista ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Microsoft recently released the document "Applying the Principle of Least Privilege to User Accounts on Windows XP" (at the URL below), which aims to help you implement least-privileged user accounts (LUAs) in your Windows XP environment. The LUA terminology has been in use for quite a while now. Even so, Microsoft apparently wanted a clearer phrase for the concept. Initially, LUA was renamed User Account Protection (UAP), and most recently, the company landed on User Account Control (UAC), which will be the terminology used from here on out.
http://list.windowsitpro.com/t?ctl=202F7:4FB69

When Windows Vista makes its debut, native UAC will be built into the OS, so you won't have to jump through countless hoops trying to limit use of administrative privileges on your network.

Vista will expose new UAC policies that let you better control user accounts. When using Vista, you'll be considered either a standard user or an administrator, with privileges and rights appropriate to those two general types of accounts. For example, there will be 14 different types of administrative consent that cover the usual tasks a person might need to perform.

In general, Vista will operate a bit more like Linux systems when it comes to administrative access. You'll operate on the desktop with least privileges, and your account will have a policy assigned to handle any need for elevation of privileges. Standard users will either be prompted for credentials (username and password) or denied elevated access outright, depending on the policy settings. Administrative accounts will have both those possibilities, plus a Prompt for Consent option. In the latter case, administrators would simply click Yes or No to elevate privileges instead of having to enter their credentials.

Application installation will be an issue for some users, depending on their particular network. Vista will let you control whether elevation takes place when required by an application. Microsoft said that in an enterprise network, such elevation probably won't be required when installation is delegated to Group Policy Software Install (GPSI) or Microsoft Systems Management Server (SMS).

Another policy will govern applications that require elevation of privileges. You'll be able to deny elevation if the applications don't have a valid digital signature. To help with legacy applications that don't adhere to Vista's new architecture, you'll also be able to redirect registry and file writing activity to safe areas on the system.
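To make the elevation policies and the write redirection just described concrete, here is an added model in Python; it is not Microsoft's code and not from the newsletter. The `Account` and `Policy` names follow the article's wording rather than any registry value names, the hard-coded `C:\` roots and the `alice` sample paths are this example's own, and the VirtualStore destinations used by `virtualized_file_path` and `virtualized_registry_key` are the ones Vista actually shipped with, which the article does not name.

```python
"""Model of two UAC behaviours the article describes: the elevation policy a
user meets, and where a legacy application's writes to protected locations land.
Added example, not Microsoft's code. The VirtualStore destinations are the ones
Vista shipped with (the article only says "virtualized locations"); the policy
names follow the article's wording, not registry value names."""
from enum import Enum
from pathlib import PureWindowsPath
from typing import Optional


class Account(Enum):
    STANDARD = "standard user"
    ADMIN = "administrator"


class Policy(Enum):
    DENY = "deny elevation"
    PROMPT_CREDENTIALS = "prompt for credentials"
    PROMPT_CONSENT = "prompt for consent"  # administrators only: a Yes/No click


def elevation_outcome(account: Account, policy: Policy,
                      signed: bool, require_signature: bool) -> str:
    """What the user sees when an application asks for elevation."""
    if require_signature and not signed:
        return "denied: application lacks a valid digital signature"
    if account is Account.STANDARD and policy is Policy.PROMPT_CONSENT:
        raise ValueError("Prompt for Consent is only offered to administrators")
    return {
        Policy.DENY: "denied by policy",
        Policy.PROMPT_CREDENTIALS: "prompt for username and password",
        Policy.PROMPT_CONSENT: "prompt for Yes/No consent",
    }[policy]


# Protected locations named in the article (system drive assumed to be C:).
VIRTUALIZED_FILE_ROOTS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
)
VIRTUALIZED_REG_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE"
REG_VIRTUAL_STORE = r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE"


def _is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path lies strictly below root'."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return len(p) > len(r) and p[: len(r)] == r


def virtualized_file_path(write_path: str, local_appdata: str) -> Optional[str]:
    """Where a legacy app's write to a protected directory really lands:
    %LOCALAPPDATA%\\VirtualStore plus the drive-relative path. None when the
    target is outside the protected roots and the write goes through unchanged."""
    target = PureWindowsPath(write_path)
    if any(_is_under(target, root) for root in VIRTUALIZED_FILE_ROOTS):
        relative = PureWindowsPath(*target.parts[1:])  # drop the "C:\" anchor
        return str(PureWindowsPath(local_appdata, "VirtualStore", relative))
    return None


def virtualized_registry_key(key: str) -> Optional[str]:
    """HKLM\\SOFTWARE\\... becomes HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE\\...;
    None for keys outside the virtualized subtree."""
    prefix = VIRTUALIZED_REG_ROOT + "\\"
    if key.lower().startswith(prefix.lower()):
        return REG_VIRTUAL_STORE + "\\" + key[len(prefix):]
    return None


if __name__ == "__main__":
    # Constructed sample: a legacy installer run by a standard user named alice.
    print(elevation_outcome(Account.STANDARD, Policy.PROMPT_CREDENTIALS, True, True))
    print(virtualized_file_path(r"C:\Program Files\LegacyApp\settings.ini",
                                r"C:\Users\alice\AppData\Local"))
    print(virtualized_registry_key(r"HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\LegacyApp"))
```

The redirect matters beyond application compatibility: on a standard-user machine, a legacy application's configuration, and anything written through it, lives under the user's VirtualStore rather than under Program Files or HKLM\SOFTWARE, so that is where an investigator has to look for it.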
In practice, applications that typically write to the HKEY_LOCAL_MACHINE\SOFTWARE registry subkey or the Program Files, Windows, or Windows\System32 directories will still be able to run, but any write I/O will go to virtualized locations instead of those actual locations. So the applications will run correctly, but sensitive storage areas won't be overly exposed.

UAC will be a welcome change in Windows that will surely bring greater security. There will of course be the usual learning curve, so the sooner you get started understanding the ins and outs, the better off you'll be when you begin to use the OS. You can catch glimpses of developing UAC functionality by reading Microsoft's UACBlog (at the URL below) on the Microsoft Developer Network (MSDN).
http://list.windowsitpro.com/t?ctl=20308:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=202FD:4FB69

ISA Server 2004 Service Pack 2 Now Available
Microsoft released ISA Server 2004 Service Pack 2 (SP2). The new service pack brings new features, including enhanced caching, HTTP compression, and traffic prioritization.
http://list.windowsitpro.com/t?ctl=20303:4FB69

IE 7.0 Beta 2 Preview Available for Public Review
Microsoft released a public beta of the long-awaited Internet Explorer (IE) 7.0. The new browser includes numerous security features that will help make Web surfing much safer than it was with previous versions of IE.
http://list.windowsitpro.com/t?ctl=20305:4FB69

Researchers Already Scouring IE 7.0 for Holes
As soon as Microsoft released IE 7.0 Beta 2 Preview, researchers went to work looking for security holes, and Tom Ferris found one.
http://list.windowsitpro.com/t?ctl=20302:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: SANS 2005 Information Security Salary Survey
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=20307:4FB69

SANS published its 2005 Information Security Salary & Career Advancement Survey. The results indicate that security administrators earn an average of $75,275 per year in the United States with an annual raise of 2.9 percent. Read more about the survey in this blog article.
http://list.windowsitpro.com/t?ctl=20301:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=20306:4FB69

Q: What are the versions of Windows Vista?
Find the answer at http://list.windowsitpro.com/t?ctl=20304:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Soft Token, Strong Authentication
Diversinet announced the release of its next-generation MobiSecure soft token and MobiSecure Authentication Service Center (MASC). MobiSecure provides an automated self-service system (meaning that users can download the tokens themselves over the Internet) that can support strong authentication for online banking, remote online access, and secure e-commerce applications. MobiSecure soft tokens comply with the Open Authentication (OATH) Reference Architecture and interoperate with OATH-compliant hard-token and smart-card solutions. MobiSecure soft tokens are available now on mobile devices supporting Java, Symbian, Windows Mobile, Palm, and RIM; on SanDisk TrustedFlash memory cards; and on PCs running Windows. For more information, go to
http://list.windowsitpro.com/t?ctl=2030C:4FB69

====================

Windows IT Pro, a division of Penton Media, Inc.
Copyright 2006, Penton Media, Inc. All rights reserved.


From isn at c4i.org Thu Feb 9 01:41:41 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 9 Feb 2006 00:41:41 -0600 (CST)
Subject: [ISN] Effects of Domain Hijacking Can Linger
Message-ID:

http://www.eweek.com/article2/0,1759,1923546,00.asp

By Paul F. Roberts
February 8, 2006

Malicious hackers who are able to hijack an organization's Web domain may be able to steal traffic from the legitimate Web site long after the domain has been restored to its owner, according to a recent report.

Design flaws in the way Web browsers and proxy servers store data about Web sites allow malicious hackers to continue directing Web surfers to malicious Web pages for days or even months after the initial domain hijacking. The persistent attack could lead to information or identity theft, according to Amit Klein, a Web application security researcher with the Web Application Security Consortium.

The problem, which Klein termed "domain contamination," exists because of features in Web proxy servers, which store versions of Web pages, and Web "clients," or browsers, including Microsoft's Internet Explorer, the Mozilla Foundation's Firefox and the Opera browser.

Proxy servers and browsers both establish trust relationships with Web servers that are identified as the authoritative host for a Web page in the DNS (domain name system), Klein said.

"Once a client believes it is communicating with the legitimate server for some domain, there's an implicit trust that's placed in that server that is not revoked," Klein told eWEEK.

For example, Web browsers store information on the Web server in Web cookies and cached Web pages that are stored locally. Once that information is downloaded and stored on the client, it can be very difficult to get rid of, Klein said.

"There's just no way to sterilize the view or reflection of a Web site on the Internet," he said.

Domain hijacking is a recurrent problem on the Internet that occasionally gets mainstream attention, such as when aljazeera.net, the Web domain for the Arab satellite television network, was hijacked in March 2003.

More recently, unknown hackers carried out a massive DNS poisoning attack on DNS servers worldwide in March 2005. That attack used a known vulnerability in a Symantec firewall as well as known weaknesses in Windows NT and Windows 2000 machines to change the DNS record for Web sites. The attack caused unknown numbers of Web surfers to be directed to malicious Web sites that installed spyware and other malicious programs, according to the SANS Institute's Internet Storm Center.

In those attacks, and others, domain hosting companies and Internet infrastructure providers moved quickly to restore control of the Web domain to its proper owner and reset DNS servers that had been compromised, ending the attack.

However, attackers can modify HTTP headers or HTML content on their attack Web site to ensure that it is stored locally for months or even years, Klein said. Internet users who were caught up in the attack will retain that cached copy of the attacker's site in their browser. The cached page may be the first loaded when the victim attempts to visit that Web page.

A sophisticated attacker who embedded scripts in the malicious page could continue to steal information from the victim long after the attack. For example, a script could harvest information from cookies used by the Web site, or load the actual Web page inside a frame in the cached page to conduct an attack that captures the interactions of the user on the page, Klein wrote.

Also, proxy Web servers that store cached content can, in certain circumstances, revalidate that content, prolonging the life of hijacked Web pages, Klein wrote.

The problem with domain contamination is caused by a major design flaw in the way Web domains are managed, Klein told eWEEK.

"Web browsers don't have any information about domain ownership or any versioning. From the browser's perspective, the google.com now and google.com of five years ago are the same domain with the same privileges," Klein said. "If they assigned a cookie five years ago, unless it expires naturally, there's no way to verify that the same owner is behind it."

Individuals who have the poisoned domain information can get rid of it simply by deleting affected browser cookies or clearing out their Web page cache, standard features on almost every Web browser. However, organizations or individuals who have had their Web domain hijacked don't know which of their visitors went to the hijacked site and, thus, have little recourse to rectify the domain poisoning.

"The best response is not to get hijacked to begin with," said Johannes Ullrich, CTO at the SANS ISC. "Once it's happened, there's little that you can do about it."
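The persistence Klein describes comes down to what a response tells caches: Cache-Control and Expires fix how long a page may be served without revalidation, a cookie's Expires or Max-Age fixes how long it outlives the hijack, and a lax 304 Not Modified policy lets a proxy keep a stale copy. The following Python audit is an added example written for this discussion, not Klein's code or the article's; the header samples `LONG_LIVED` and `HARDENED` are constructed, the function names are this example's own, and the 24-hour threshold in `audit_response` is an arbitrary choice.

```python
"""Audit how long browsers and proxies may hold a response and its cookies, and
answer conditional requests conservatively. Added example for the "domain
contamination" discussion above, not Klein's code; header values are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional


def _parse_http_date(value: str) -> Optional[datetime]:
    """Parse an HTTP-date; None for anything malformed (e.g. 'Expires: 0')."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    # Zone-less dates (e.g. '-0000') come back naive; treat them as UTC.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'public, max-age=600' -> {'public': None, 'max-age': '600'}"""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or None
    return directives


def freshness_lifetime(headers: Dict[str, str], shared_cache: bool = True) -> Optional[int]:
    """Seconds a cache may serve the response without asking the origin again.
    Precedence per RFC 7234 section 4.2.1: s-maxage (shared caches only), then
    max-age, then Expires minus Date. 0 means "revalidate or don't store"; None
    means no explicit lifetime, so a cache may pick one heuristically."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc or (shared_cache and "private" in cc):
        return 0
    for directive in (("s-maxage", "max-age") if shared_cache else ("max-age",)):
        if (cc.get(directive) or "").isdigit():
            return int(cc[directive])
    if "expires" in h:
        expires = _parse_http_date(h["expires"])
        if expires is None:
            return 0  # RFC 7234 section 5.3: an invalid Expires means already expired
        date = _parse_http_date(h.get("date", "")) or datetime.now(timezone.utc)
        return max(0, int((expires - date).total_seconds()))
    return None


def cookie_lifetime(set_cookie: str, now: datetime) -> Optional[int]:
    """Seconds until a Set-Cookie value expires; None for a session cookie.
    Max-Age wins over Expires (RFC 6265 section 5.3)."""
    attrs: Dict[str, str] = {}
    for attr in set_cookie.split(";")[1:]:
        name, _, val = attr.strip().partition("=")
        attrs[name.lower()] = val.strip()
    if attrs.get("max-age", "").lstrip("-").isdigit():
        return max(0, int(attrs["max-age"]))
    if "expires" in attrs:
        expires = _parse_http_date(attrs["expires"])
        return 0 if expires is None else max(0, int((expires - now).total_seconds()))
    return None


def audit_response(headers: Dict[str, str], set_cookies: List[str],
                   max_seconds: int = 24 * 3600) -> List[str]:
    """List everything a browser or proxy could keep longer than max_seconds."""
    findings = []
    life = freshness_lifetime(headers)
    if life is None:
        findings.append("no explicit freshness lifetime: caches may keep the page heuristically")
    elif life > max_seconds:
        findings.append(f"shared caches may serve this page for {life}s without revalidating")
    now = _parse_http_date(headers.get("Date", "")) or datetime.now(timezone.utc)
    for cookie in set_cookies:
        life = cookie_lifetime(cookie, now)
        if life is not None and life > max_seconds:
            findings.append(f"cookie {cookie.partition('=')[0]} persists for {life}s")
    return findings


def revalidation_status(if_modified_since: str, last_modified: datetime, now: datetime) -> int:
    """304 only for a sane validator. An unparsable or future If-Modified-Since is
    invalid (RFC 2616 section 14.25) and answered as an unconditional GET, so a
    cache holding a copy stamped far in the future gets a fresh 200 body."""
    ims = _parse_http_date(if_modified_since)
    if ims is None or ims > now or ims < last_modified:
        return 200
    return 304


# Constructed samples: a response caches would keep for a year, and a hardened one.
LONG_LIVED = {"Date": "Thu, 09 Feb 2006 00:00:00 GMT",
              "Cache-Control": "public, max-age=31536000"}
LONG_LIVED_COOKIES = ["sid=abc123; Expires=Fri, 09 Feb 2007 00:00:00 GMT; Path=/"]
HARDENED = {"Date": "Thu, 09 Feb 2006 00:00:00 GMT", "Cache-Control": "no-store, private"}
HARDENED_COOKIES = ["sid=abc123; Max-Age=1800; Path=/; Secure; HttpOnly"]
```

Run over your own site's responses, `audit_response` flags the ones a hijacker's copy could impersonate for a long time; the hardened sample shows headers under which caches and browsers keep little of value. `revalidation_status` covers the proxy case the article raises: it refuses to answer 304 to an If-Modified-Since date that lies in the future, so a cache entry stamped far ahead is replaced rather than confirmed.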

Using SSL (Secure Sockets Layer) to access a Web site can prevent DNS hijacking and Web cache poisoning, and changing your Web server responses to requests from proxy servers can keep them from holding onto poisoned cached content, Klein wrote.


From isn at c4i.org Thu Feb 9 01:41:51 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 9 Feb 2006 00:41:51 -0600 (CST)
Subject: [ISN] Spanish hacker jailed for two years
Message-ID:

http://www.theregister.co.uk/2006/02/08/spanish_hacker_jailed/

By John Leyden
8th February 2006

A Spanish hacker who launched a denial of service attack that hobbled the net connections of an estimated three million users has been jailed for two years and fined €1.4m.

Santiago Garrido, 26, (AKA Ronnie and Mike25) launched the attack using a computer worm in retaliation for being banned from the popular "Hispano" IRC chat room for breaking its rules. The resulting surge in malicious traffic disrupted an estimated three million users of Wanadoo, ONO, Lleida Net and other ISPs, or approximately a third of Spain's net users, at the time of the 2003 attack.


From isn at c4i.org Thu Feb 9 01:42:04 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 9 Feb 2006 00:42:04 -0600 (CST)
Subject: [ISN] Harrison Ford's latest family-in-peril thriller
Message-ID:

http://www.mercurynews.com/mld/mercurynews/entertainment/movies/13824243.htm

By Bruce Newman
Mercury News
Feb. 08, 2006

If you think your family is dysfunctional, consider the fate of the perpetually imperiled screen tribe of Harrison Ford: wife kidnapped (1988); wife and daughter abducted (1992); wife murdered (1993); wife and daughter taken hostage (1997); wife killed in plane crash (1999). Ford is the big daddy of domestic disaster, a Swiffer mop of calamity.
``Firewall'' is Ford's latest excavation of the family-in-peril thriller, and it is a mostly rote attempt to reboot ``The Desperate Hours'' -- the taut psychological standoff between Humphrey Bogart and Fredric March from 1955 -- for the computer age. Instead of dramatic tension, ``Firewall'' makes do with a lot of frantic typing at computer keyboards. It's like watching Microsoft's Service Pack 2 download for nearly two hours. This time, Ford plays Jack Stanfield, the designer of an impenetrable computer firewall that protects the Seattle bank where he is a trusted and beloved figure. But that all changes when super-hacker Bill Cox (played by Paul Bettany) sends his team of hench-geeks bursting into Jack's home -- laptops drawn -- to take his wife (Virginia Madsen) and two children hostage. Cox has figured out that the back door through which he can slip past the bank's security system is Jack himself. You don't go to a Harrison Ford movie expecting gritty realism, but even by the lowered standards of the modern thriller, what finally causes ``Firewall'' to collapse is a series of increasingly improbable plot twists. The most laughable of these can't be discussed without revealing the movie's climax, but it is accompanied by what is sure to be one of the year's funniest lines (though not intentionally): ``Where are they, Rusty?'' Jack asks the family schnauzer, completely serious. ``Where have they gone?'' This comes shortly after he uses his daughter's iPod to hotwire the bank's servers, moving $100 million to Cox's offshore account, while downloading Sharon Stone's Celebrity Playlist from iTunes. (OK, he doesn't really get the playlist, just the $100 million.) Cox is one of those suave, arrogant, ill-tempered, blond British bad guys, and Bettany plays him as if he had been stamped from a cookie cutter -- he's Jeremy Irons 2.0. Cox is supposed to be ruthless, willing to stop at nothing to get his loot. 
But when Jack makes a couple of lame attempts to outwit him early in the movie, Cox is strangely indulgent of his prize pawn. And when Jack's family does something that infuriates him, Cox gives them a cold-blooded demonstration of what will happen if they get out of line again by cruelly executing one of his own men. This is so inexplicable and bizarre that it reminded me of the famous scene in ``Blazing Saddles'' when the town's black sheriff takes himself hostage. Trying to convince a mob of hostile white people to drop the guns they have pointed at him, he points his own gun at his head and threatens to blow it off, then pleads for mercy from himself. In ``Blazing Saddles,'' this disarms both the town's nitwits and the audience. In ``Firewall,'' it just seems like the movie is too weak-kneed to kill a hostage, even though that's the only leverage Cox has got. Eventually, Jack goes on the run with his secretary Janet, who monitors a laptop computer to give him satellite updates on the whereabouts of his family. This would be preposterous enough, even if Janet weren't played by Mary Lynn Rajskub, the potato-faced actress who plays Chloe on ``24,'' where she is the loopy girl Friday to another Jack. By the time Jack Stanfield drives Janet's car toward the picture's climactic fight scene, the story has become so convoluted that the two of them have a thudding conversation covering all the important plot twists to make sure everyone is completely caught up. I won't spoil the ending, even though anyone who has followed Ford's career -- and how could you miss it? -- has seen it before. One nice touch: Cox continues to demonstrate what could happen to Jack's family by helpfully killing off his own henchmen. By the time he and Jack meet, the only remaining question is whether he will take himself hostage. 
-=-

'Firewall' * 1/2
Rated PG-13 (some intense sequences of violence)
Cast: Harrison Ford, Paul Bettany, Virginia Madsen, Robert Patrick, Mary Lynn Rajskub
Director: Richard Loncraine
Writer: Joe Forte
Running time: 1 hour, 45 minutes

From isn at c4i.org Thu Feb 9 01:42:17 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 9 Feb 2006 00:42:17 -0600 (CST)
Subject: [ISN] Microsoft reports two bugs, third identified
Message-ID:

http://www.networkworld.com/news/2006/020806-microsoft-bugs.html

By Jeremy Kirk
IDG News Service
02/08/06

Microsoft is warning of two bugs in its software that could potentially give unauthorized control or access over a person's computer, while a third problem has been highlighted by a security research company.

One vulnerability revisits the Windows Metafile (WMF) debacle from December, but impacts fewer users. The bug is in Internet Explorer (IE) 5.01 Service Pack 4 on the Windows 2000 Service Pack 4 OS and IE 5.5 Service Pack 2 on Windows Millennium, Microsoft said.

An attacker could gain control if a user opened a malicious e-mail attachment or if a user were persuaded into visiting a Web site that had a specially-crafted WMF image, Microsoft said.

A patch has not been issued, but Microsoft said the issue is under investigation, and an out-of-cycle patch could be provided depending on customer needs. Microsoft typically issues patches on the second Tuesday of the month, due this month on Feb. 14.

A second vulnerability could allow a person with low-user privileges to gain higher-level access, Microsoft said. Proof-of-concept code that has been released attempts to exploit overly permissive access controls on third-party application services, along with the default services of Windows XP Service Pack 1 and Windows Server 2003, the company said. No attacks have been reported.

Microsoft said several factors diminish the threat of the problem. Those running Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 - the latest updates of the software - are not affected, and someone who launches an attack would need authenticated access to the affected operating system, it said.

Security vendor Secunia detailed a third vulnerability involving Microsoft's HTML Help Workshop, software that can create online help for a software application or Web site content.

Secunia said the problem "is caused due to a boundary error within the handling of a '.hhp' file that contains an overly long string in the 'contents file' field. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution when a malicious '.hhp' file is opened."

The bug could allow arbitrary code to be executed on a computer, Secunia said. An exploit has been released, and Secunia advised that untrusted .hhp files not be opened.

From isn at c4i.org Fri Feb 10 02:07:44 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Feb 2006 01:07:44 -0600 (CST)
Subject: [ISN] Bank of America cancels numerous debit cards
Message-ID:

http://news.com.com/Bank+of+America+cancels+numerous+debit+cards/2100-1029_3-6037619.html

By Greg Sandoval
Staff Writer, CNET News.com
February 9, 2006

A security breach involving an undisclosed company has prompted Bank of America to cancel the debit cards of numerous customers, a spokesman for the country's largest bank said Tuesday.

Bank of America refused to release the name of the company involved, the exact number of customers affected, or whether the company in question was online or a traditional brick-and-mortar establishment.

The case is unusual in that debit cards appeared to be at risk. Credit cards are typically involved in security breaches at financial institutions because they are used more often than debit cards for retail transactions.

"These are intricate matters...and may involve information that is not exactly clear and concise," said Michael Chee, the bank's spokesman.
"It would be premature to discuss any third parties until an investigation is conducted."

Chee said that to this point, there is no evidence that any of its customer accounts have been compromised. The move to cancel debit cards was a precaution, he said.

An investigation is under way, Chee said, but added that he was unaware of what law enforcement agency was overseeing it.

Bank of America issued letters to many customers notifying them of the breach and that their debit cards were no longer good. The bank is also telling customers to watch out for any unauthorized transactions on their statements.

"As a proactive security-minded effort, we may take steps to replace people's cards," Chee said. "We know this can represent a minor inconvenience. The question is, would we rather risk inconveniencing customers and protect their information and accounts or do we just do nothing?"

From isn at c4i.org Fri Feb 10 02:07:59 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Feb 2006 01:07:59 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-6
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2006-02-02 - 2006-02-09

                       This week : 55 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.
Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Several vulnerabilities have been reported in various Sun Java products, which potentially can be exploited by malicious people to compromise a user's system.

Please refer to the referenced Secunia advisories for additional details.

References:
http://secunia.com/SA18760
http://secunia.com/SA18762

--

A vulnerability has been reported in Internet Explorer 5.01 and 5.5, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error. This can be exploited to execute arbitrary code on a user's system by e.g. tricking the user to visit a malicious website that hosts a specially crafted WMF file or via an email message containing a specially crafted attachment.

Reference:
http://secunia.com/SA18729

--

Several vulnerabilities have been reported in Mozilla Firefox, Mozilla Suite, and Mozilla Thunderbird.

For additional information please refer to the following Secunia advisories.

References:
http://secunia.com/SA18700
http://secunia.com/SA18704
http://secunia.com/SA18703

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA18700] Firefox Multiple Vulnerabilities
2. [SA18704] Thunderbird Multiple Vulnerabilities
3. [SA18649] Winamp Three Playlist Parsing Buffer Overflow Vulnerabilities
4. [SA18760] Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities
5. [SA18703] Mozilla Suite XML Injection and Code Execution Vulnerabilities
6. [SA18740] Microsoft HTML Help Workshop ".hhp" Parsing Buffer Overflow
7. [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
8. [SA18698] Adobe Products Insecure Default File Permissions
9. [SA18699] Sun Java System Access Manager Administrator Access Weakness
10. [SA18691] cPanel Cross-Site Scripting Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA18729] Internet Explorer Unspecified WMF Image Handling Vulnerability
[SA18740] Microsoft HTML Help Workshop ".hhp" Parsing Buffer Overflow
[SA18744] Lexmark Printers LexBce Server Arbitrary Code Execution
[SA18731] Hosting Controller SQL Injection Vulnerabilities
[SA18730] CyberShop Ultimate Mc Cross-Site Scripting Vulnerabilities
[SA18716] MailEnable Enterprise Edition Webmail Denial of Service
[SA18756] Windows Insecure Service Permissions Privilege Escalation
[SA18728] Lexmark X1100 Series Printing Software Privilege Escalation
[SA18713] The Bat! RFC-822 Mail Header Spoofing Weakness

UNIX/Linux:
[SA18737] MyQuiz "myquiz.pl" Shell Command Injection Vulnerability
[SA18709] Fedora update for mozilla
[SA18708] Fedora update for firefox
[SA18706] Red Hat update for firefox
[SA18705] Red Hat update for mozilla
[SA18774] Fedora update for kernel
[SA18766] Linux Kernel ICMP Error Handling Denial of Service
[SA18763] Mandriva update for php
[SA18748] Mailback Mail Header Injection Vulnerability
[SA18746] Gentoo update for gst-plugins-ffmpeg
[SA18745] Gentoo update for adodb
[SA18742] Debian update for ipsec-tools
[SA18739] GStreamer FFmpeg Plug-in libavcodec Buffer Overflow
[SA18718] MPlayer ASF File Parsing Integer Overflow Vulnerabilities
[SA18717] SUSE Updates for Multiple Packages
[SA18707] KDE kpdf Splash Image Handling Buffer Overflow
[SA18743] Gentoo update for apache
[SA18710] Outblaze throw.main Cross-Site Scripting Vulnerability
[SA18733] Heimdal rshd Server Privilege Escalation Vulnerability
[SA18719] Trustix Fcron "convert-fcrontab" Two Vulnerabilities
[SA18712] OpenBSD Kernfs Kernel Memory Disclosure Vulnerability
[SA18772] Openwall crypt_blowfish Salt Generation Weakness
[SA18741] hcidump Bluetooth L2CAP Denial of Service Vulnerability
[SA18736] Mandriva update for openssh

Other:
[SA18750] QNX Neutrino RTOS Multiple Privilege Escalation Vulnerabilities
[SA18747] Sony Ericsson Cell Phones Bluetooth L2CAP Denial of Service

Cross Platform:
[SA18762] Java Web Start Sandbox Security Bypass Vulnerability
[SA18760] Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities
[SA18757] eyeOS "_SESSION" PHP Code Execution Vulnerability
[SA18722] Loudblog "path" File Inclusion Vulnerability
[SA18703] Mozilla Suite XML Injection and Code Execution Vulnerabilities
[SA18761] GuestBookHost SQL Injection Vulnerabilities
[SA18759] Unknown Domain Shoutbox Two Vulnerabilities
[SA18758] phphg Guestbook Multiple Vulnerabilities
[SA18732] PHP Link Directory ADBdb and PHPMailer Vulnerabilities
[SA18726] PluggedOut Blog Cross-Site Scripting and SQL Injection
[SA18721] Papoo Username Script Insertion Vulnerability
[SA18720] AgileBill ADOdb server.php Insecure Test Script Security Issue
[SA18715] PHP GEN Unspecified Cross-Site Scripting and SQL Injection
[SA18704] Thunderbird Multiple Vulnerabilities
[SA18754] MyBB "posts" SQL Injection Vulnerability
[SA18735] Gallery Unspecified Album Data Manipulation Vulnerability
[SA18725] IBM Tivoli Access Manager for e-business "pkmslogout" Directory Traversal
[SA18711] MediaWiki Edit Comment Formatting Denial of Service
[SA18738] IBM Lotus Domino LDAP Server Denial of Service Vulnerability
[SA18727] phpBB "gen_rand_string()" Predictable RNG Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA18729] Internet Explorer Unspecified WMF Image Handling Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-08

A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18729/

--

[SA18740] Microsoft HTML Help Workshop ".hhp" Parsing Buffer Overflow
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-06

bratax has discovered a vulnerability in Microsoft HTML Help Workshop, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18740/

--

[SA18744] Lexmark Printers LexBce Server Arbitrary Code Execution
Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-02-08

Peter Winter-Smith of NGSSoftware has reported a vulnerability in the LexBce Server Service included with various Lexmark printers, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18744/

--

[SA18731] Hosting Controller SQL Injection Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-07

Soroush Dalili has discovered two vulnerabilities in Hosting Controller, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18731/

--

[SA18730] CyberShop Ultimate Mc Cross-Site Scripting Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-06

B3g0k has reported two vulnerabilities in CyberShop Ultimate Mc, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18730/

--

[SA18716] MailEnable Enterprise Edition Webmail Denial of Service
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-02-07

A vulnerability has been reported in MailEnable Enterprise Edition, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18716/

--

[SA18756] Windows Insecure Service Permissions Privilege Escalation
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-08

Sudhakar Govindavajhala and Andrew W. Appel have reported some security issues in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18756/

--

[SA18728] Lexmark X1100 Series Printing Software Privilege Escalation
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-08

Kevin Finisterre has reported a vulnerability in Lexmark X1100 Series, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18728/

--

[SA18713] The Bat! RFC-822 Mail Header Spoofing Weakness
Critical:    Not critical
Where:       From remote
Impact:      Spoofing
Released:    2006-02-08

3APA3A has discovered a weakness in The Bat!, which can be exploited by malicious people to conduct spoofing attacks.

Full Advisory:
http://secunia.com/advisories/18713/

UNIX/Linux:
--

[SA18737] MyQuiz "myquiz.pl" Shell Command Injection Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-06

Aliaksandr Hartsuyeu has reported a vulnerability in MyQuiz, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18737/

--

[SA18709] Fedora update for mozilla
Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-02-03

Fedora has issued an update for mozilla. This fixes some vulnerabilities and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18709/

--

[SA18708] Fedora update for firefox
Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-02-03

Fedora has issued an update for firefox. This fixes some vulnerabilities and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18708/

--

[SA18706] Red Hat update for firefox
Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS, Cross Site Scripting
Released:    2006-02-03

Red Hat has issued an update for firefox. This fixes some vulnerabilities and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18706/

--

[SA18705] Red Hat update for mozilla
Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-02-03

Red Hat has issued an update for mozilla. This fixes some vulnerabilities and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18705/

--

[SA18774] Fedora update for kernel
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2006-02-08

Fedora has issued an update for the kernel. This fixes two vulnerabilities, which can be exploited by malicious, local users to disclose potentially sensitive information, and by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18774/

--

[SA18766] Linux Kernel ICMP Error Handling Denial of Service
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-08

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18766/

--

[SA18763] Mandriva update for php
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-08

Mandriva has issued an update for php. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18763/

--

[SA18748] Mailback Mail Header Injection Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-07

coderpunk has discovered a vulnerability in Mailback, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/18748/

--

[SA18746] Gentoo update for gst-plugins-ffmpeg
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-06

Gentoo has issued an update for gst-plugins-ffmpeg. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18746/

--

[SA18745] Gentoo update for adodb
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-07

Gentoo has issued an update for adodb. This fixes a vulnerability, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18745/

--

[SA18742] Debian update for ipsec-tools
Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-06

Debian has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18742/

--

[SA18739] GStreamer FFmpeg Plug-in libavcodec Buffer Overflow
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-06

A vulnerability has been reported in GStreamer FFmpeg Plug-in, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18739/

--

[SA18718] MPlayer ASF File Parsing Integer Overflow Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-07

AFI Security Research has discovered two vulnerabilities in mplayer, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18718/

--

[SA18717] SUSE Updates for Multiple Packages
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Privilege escalation, DoS, System access
Released:    2006-02-03

SUSE has issued updates for multiple packages. These fix various vulnerabilities and a security issue, which can be exploited by malicious users to gain escalated privileges, bypass certain security restrictions and conduct script insertion attacks, or by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18717/

--

[SA18707] KDE kpdf Splash Image Handling Buffer Overflow
Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-03

A vulnerability has been reported in KDE, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18707/

--

[SA18743] Gentoo update for apache
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, DoS
Released:    2006-02-07

Gentoo has issued an update for apache. This fixes two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18743/

--

[SA18710] Outblaze throw.main Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-03

Simo Ben youssef has reported a vulnerability in Outblaze, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/18710/

--

[SA18733] Heimdal rshd Server Privilege Escalation Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-07

A vulnerability has been reported in Heimdal, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18733/

--

[SA18719] Trustix Fcron "convert-fcrontab" Two Vulnerabilities
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-03

Two vulnerabilities have been reported in Fcron, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18719/

--

[SA18712] OpenBSD Kernfs Kernel Memory Disclosure Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-02-03

SecurityLab Technologies has reported a vulnerability in OpenBSD, which can be exploited by malicious, local users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/18712/

--

[SA18772] Openwall crypt_blowfish Salt Generation Weakness
Critical:    Not critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-08

A weakness has been reported in Openwall crypt_blowfish, which potentially can be exploited by malicious people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/18772/

--

[SA18741] hcidump Bluetooth L2CAP Denial of Service Vulnerability
Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-02-08

Pierre Betouin has reported a vulnerability in hcidump, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/18741/

--

[SA18736] Mandriva update for openssh
Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-07

Mandriva has issued an update for openssh. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18736/

Other:
--

[SA18750] QNX Neutrino RTOS Multiple Privilege Escalation Vulnerabilities
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2006-02-08

Multiple vulnerabilities have been reported in QNX Neutrino RTOS, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18750/

--

[SA18747] Sony Ericsson Cell Phones Bluetooth L2CAP Denial of Service
Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-02-08

Pierre Betouin has discovered a vulnerability in various Sony Ericsson cell phones, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18747/

Cross Platform:
--

[SA18762] Java Web Start Sandbox Security Bypass Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-08

A vulnerability has been reported in Java Web Start, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18762/

--

[SA18760] Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-08

Seven vulnerabilities have been reported in Sun Java JRE (Java Runtime Environment), which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18760/

--

[SA18757] eyeOS "_SESSION" PHP Code Execution Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-08

James Bercegay has reported a vulnerability in eyeOS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18757/

--

[SA18722] Loudblog "path" File Inclusion Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-06

rgod has discovered a vulnerability in Loudblog, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18722/

--

[SA18703] Mozilla Suite XML Injection and Code Execution Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-02-02

Two vulnerabilities have been reported in Mozilla Suite, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18703/

--

[SA18761] GuestBookHost SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Security Bypass
Released:    2006-02-08

Aliaksandr Hartsuyeu has reported two vulnerabilities in GuestBookHost, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18761/

--

[SA18759] Unknown Domain Shoutbox Two Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-02-08

Aliaksandr Hartsuyeu has discovered two vulnerabilities in Unknown Domain Shoutbox, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/18759/

--

[SA18758] phphg Guestbook Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-02-08

Aliaksandr Hartsuyeu has discovered some vulnerabilities in phphg Guestbook, which can be exploited by malicious people to conduct script insertion and SQL injection attacks, and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18758/

--

[SA18732] PHP Link Directory ADBdb and PHPMailer Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of system information, DoS, System access
Released:    2006-02-06

Mario Oyorzabal Salgado has reported some security issues and vulnerabilities in PHP Link Directory (phpLD2), which can be exploited by malicious people to disclose system information, execute arbitrary SQL code, conduct SQL injection attacks, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18732/

--

[SA18726] PluggedOut Blog Cross-Site Scripting and SQL Injection
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-02-06

Hamid Ebadi has discovered a vulnerability in PluggedOut Blog, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18726/

--

[SA18721] Papoo Username Script Insertion Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-03

Thomas Pollet has reported a vulnerability in Papoo, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/18721/

--

[SA18720] AgileBill ADOdb server.php Insecure Test Script Security Issue
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2006-02-06

Secunia Research has discovered a vulnerability in AgileBill, which can be exploited by malicious people to execute arbitrary SQL code and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18720/

--

[SA18715] PHP GEN Unspecified Cross-Site Scripting and SQL Injection
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-02-03

Some vulnerabilities have been reported in PHP GEN, which can be exploited by malicious people to conduct cross-site scripting attacks and potentially conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18715/

--

[SA18704] Thunderbird Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Released:    2006-02-02

Some vulnerabilities have been reported in Thunderbird, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, potentially disclose sensitive information, and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18704/

--

[SA18754] MyBB "posts" SQL Injection Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-08

imei addmimistrator has discovered a vulnerability in MyBB, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/18754/

--

[SA18735] Gallery Unspecified Album Data Manipulation Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2006-02-07

A vulnerability has been reported in Gallery, which potentially can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18735/

--

[SA18725] IBM Tivoli Access Manager for e-business "pkmslogout" Directory Traversal
Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-06

Timothy D. Morgan has reported a vulnerability in IBM Tivoli Access Manager for e-business, which can be exploited by malicious users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/18725/

--

[SA18711] MediaWiki Edit Comment Formatting Denial of Service
Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-02-03

A vulnerability has been reported in MediaWiki, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18711/

--

[SA18738] IBM Lotus Domino LDAP Server Denial of Service Vulnerability
Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-02-07

Evgeny Legerov has discovered a vulnerability in Lotus Domino, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18738/

--

[SA18727] phpBB "gen_rand_string()" Predictable RNG Weakness
Critical:    Not critical
Where:       From remote
Impact:      Manipulation of data, Brute force
Released:    2006-02-07

Chinchilla has reported a weakness in phpBB, which potentially can be exploited by malicious people to change other users' passwords.
Full Advisory:
http://secunia.com/advisories/18727/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Feb 10 02:08:20 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Feb 2006 01:08:20 -0600 (CST)
Subject: [ISN] Australia tests cyber-terrorism defences
Message-ID:

Forwarded from: William Knowles

http://www.smh.com.au/news/breaking/australia-tests-cyberterrorism-defences/2006/02/09/1139379611099.html

By Louisa Hearn
February 9, 2006

Australia is today putting its technical armoury through its paces during a one-day exercise aimed at repelling a future cyber-terrorism attack.

Attorney-General Philip Ruddock said the Cyberstorm exercise was aimed at testing both the people and the processes behind Australia's key infrastructure such as transport and emergency services.

"Complex IT systems underpin many areas of our economy and they need to be defended," he said in a statement.

Cyberstorm is part of a larger week-long US-led scenario and is also being run simultaneously today in Canada, the UK, and New Zealand.

A spokesman at the Attorney-General's office said the Australian test scenario centred on a fictional group that was trying to "hack into the transport network and disrupt it for their own political agenda".
Counter-terrorism police, computer emergency response team AusCERT and a number of other departments are all involved in the cyber-attack scenario alongside officials from the defence force, ASIO, transportation and emergency services. Unlike the US where IT defences will actually be tested out, the Australian side of the operation is purely desk-based. The spokesman said Australian participants were required to liaise with one another to play out the scenario as well as other countries involved in the exercise. Mr Ruddock described the exercise as a key part of the Australian Government's counter-terrorism strategy and the only way to effectively test systems against theoretical attacks. "Terrorists are constantly seeking new and innovative ways to attack and disrupt our way of life. By conducting exercises such as these we increase Australia's ability to detect, prevent and respond to cyber attacks," Mr Ruddock said. The exercise will physically test procedures, communication channels and responses in the event of a cyber attack as well as international communication protocols between countries. The Australian part of the exercise began this morning and comes amid a week-long exercise being run by The US Department of Homeland Security. It is being run here by GovCERT.au, the body that sets policy for protecting the National Information Infrastructure. Later in the week, participants in the US scenario will seek to exploit technical vulnerabilities and attempt to unleash chaos onto transport and communications systems. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. 
Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Feb 10 02:07:30 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Feb 2006 01:07:30 -0600 (CST)
Subject: [ISN] LayerOne 2006 - Event Update and Announcement
Message-ID:

Forwarded from: Layer One

LayerOne - 2006
April 15-16, 2006
Pasadena Hilton
Pasadena, CA
http://layerone.info

Initial LayerOne speaker line-up

Since the opening of our CFP cycle we have been receiving quite a few papers from a wide background of individuals. Recently we have begun accepting talks for this year's event. There are still a few open speaking slots, but new speakers are being added weekly. If you were thinking of submitting a talk for this year's event, now would be a good time to get it into us!

Currently slated to speak are:

Enno Rey - MPLS/VPLS security
Strom Carlson - Smart Card Insecurities
Datagram - Introduction to Lockpicking
Ken Caruso - The Seattle Wireless Project: 6 Years Later
Valkyrie - Hacking the Regs! Your Guide to HIPAA, SOX, and GLBA
Paul Henry - Anti-Forensics
Dr. Kaos - Anonym.OS

With our current accepted speaker line-up we are already very confident that a wide variety of material will be presented. We have several other speakers that we are in the final phases of accepting, along with one or two still empty slots.

LayerOne Pre-Registration is now open

Pre-registration for this year's LayerOne event is now open. Tickets are available online for $60.00USD through our website. Tickets will also be available at the door, but the cost will be $80.00USD. There is also the chance we will hit maximum occupancy with our pre-registration, in which case tickets will not be available at the door. So, guarantee your seat today by pre-registering. 
We also offer group discounts if you are interested in attending with your company, group, LUG, or other user group. Please visit http://layerone.info/prereg.html for more information. We would also like to thank those that have been supporting us in what we do. Big thanks go out to Shmoocon, Toorcon, LA2600, SCALE, and everyone else who has helped us! We look forward to seeing you in Pasadena in April!

From isn at c4i.org Fri Feb 10 02:08:36 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Feb 2006 01:08:36 -0600 (CST)
Subject: [ISN] Openness critical for strong security: SATAN author
Message-ID:

http://www.zdnet.com.au/news/security/soa/Openness_critical_for_strong_security_SATAN_author/0,2000061744,39237689,00.htm

By David Braue
ZDNet Australia
10 February 2006

Building secure software doesn't have to be complicated; it just takes a commitment to secure design, and an upfront willingness to work within the unique development environment that is open source. That was the message from Wietse Venema, a Dutch programmer with IBM who visited Melbourne this week for SECURECon, a three-day technical conference highlighting a range of current security issues and remediation strategies for developers. Venema, long a figurehead in the open source and Unix worlds, is best known for his creation of Postfix (initially known as Secure Mailer), a widely used e-mail server application that he wrote to improve upon the dominant but flawed SendMail application. Postfix, developed while Venema was on a six-month research stint at IBM, has since become the standard mailer in Mac OS X and numerous versions of Linux. Even as it continues to evolve today -- the latest version of Postfix was released last month -- the program was significant in that it brought open-source software to the attention of IBM head Lou Gerstner, who in 1998 read a New York Times article on the software and pushed IBM into a formal open-source strategy. 
IBM is now one of the major contributors of code to the open-source movement. Broad distribution and takeup of the software helped Postfix grow from a short-term project into an ongoing effort, and Venema was quick to credit the scores of open-source developers who have continually improved the system's design. "It's not difficult to build a decent mail system, but it's very easy for people with poorly designed countermeasures to destroy it," he said. "Systems that are not built to be secure will always be like Swiss cheese -- full of holes. You can't make systems secure by just patching the holes." Venema enjoyed mainstream notoriety in the late 1990s as United States media launched a fire-and-brimstone attack on the PhD-qualified physicist, who partnered with fellow security expert Dan Farmer to release SATAN (Security Administrator Tool for Analyzing Networks). Designed as a strong automated probe for weaknesses in any system it targeted, histrionic observers believed Venema and Farmer's tool would destroy the information economy by giving hackers powerful tools to bring down major Web sites. Releasing the system was important, Venema decided, because such security problems could only be fixed if they were known about. His own testing of SATAN found that many systems, even those directly connected to secure systems, had vulnerabilities that were open to exploitation. After inadvertently leaving an early version of SATAN running overnight during its development, Venema found the application had followed a "web of interdependencies" between insecure systems that had taken its probing halfway across the Netherlands. "I found that even people who were very careful about their systems, like my colleagues, had either file sharing relationships or logging relationships with other systems that were wide open," he recalls. "Basically, nearly every system had a bad neighbour." 
Ferreting out these bad neighbours would help everyone concerned, Venema reasoned -- and the eventual release of the open-source SATAN ultimately proved less controversial than expected. Network administrators "discovered all kinds of stuff they didn't know about," he recalls. "They didn't know there were all these Web servers running on people's machines, or even on machines they didn't know about. At the time, people just didn't scan their systems like that. It used to be that people could get fired for running SATAN, but now they can get fired for not running it."

From isn at c4i.org Fri Feb 10 02:09:35 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Feb 2006 01:09:35 -0600 (CST)
Subject: [ISN] NSPW 2006 Call for Papers
Message-ID:

Forwarded from: John Mcdermott

FOR IMMEDIATE RELEASE
----------

Call for Papers
New Security Paradigms Workshop
Schloss Dagstuhl, Germany
September 18-21, 2006
Submissions due 26 March 2006
http://www.nspw.org

NSPW is a unique workshop that is devoted to the critical examination of new paradigms in security. Each year, since 1995, we examine proposals for new principles upon which information security can be rebuilt from the ground up. We conduct extensive, highly interactive discussions of these proposals, from which we hope both the audience and the authors emerge with a better understanding of the strengths and weaknesses of what has been discussed. In his seminal book "The Structure of Scientific Revolutions", Thomas Kuhn describes the progress of science as "a series of peaceful interludes punctuated by intellectually violent revolutions." These revolutions, which he called "paradigm shifts", are periods during which "one conceptual world view is replaced by another." A paradigm shift is thus not an incremental contribution to an established branch of science; it is an attempt to replace the fundamental dogma of a branch of science with a different, and completely incompatible, set of core principles. 
The New Security Paradigms workshop is dedicated to the proposition that what Kuhn called "anomalies" - signs that the prevailing paradigm can no longer explain phenomena observed in the real world - are already visible in the science of information security, and, indeed, that the anomalies are so obvious and so serious that the prevailing information security paradigm is or soon will be in crisis. NSPW aspires to be the philosophical and intellectual breeding ground from which a revolution in the science of information security will emerge. We solicit and accept papers on any topic in information security subject to the following caveats: 1) Papers that present a significant shift in thinking about difficult security issues are welcome. 2) Papers that build on a recent shift are also welcome. 3) Contrarian papers that dispute or call into question accepted practice or policy in security are also welcome. 4) We solicit papers that are not technology-centric, including those that deal with public policy issues and those that deal with the psychology and sociology of security theory and practice. 5) We discourage papers that represent established or completed works as well as those that substantially overlap other submitted or published papers. 6) We discourage papers which extend well-established security models with incremental improvements. 7) We encourage a high level of scholarship on the part of contributors. Authors are expected to be aware of related prior work in their topic area, even if it predates Google. In the course of preparing an NSPW paper, it is far better to read an original source than to cite a text book interpretation of it. Our program committee particularly looks for new paradigms, innovative approaches to older problems, early thinking on new topics, and controversial issues that might not make it into other conferences but deserve to have their try at shaking and breaking the mold. 
Participation in the workshop is limited to authors of accepted papers and conference organizers. Each paper is typically the focus of 45 to 60 minutes of presentation and discussion. Prospective authors are encouraged to submit ideas that might be considered risky in some other forum, and all participants are charged with providing feedback in a constructive manner. The resulting intensive brainstorming has proved to be an excellent medium for furthering the development of these ideas. The proceedings, which are published after the workshop, have consistently benefited from the inclusion of workshop feedback.

We welcome three categories of submission:

1) Research papers. These should be of a length commensurate with the novelty of the paradigm and the amount of novel material that the reviewer must assimilate in order to evaluate it.

2) Position papers. These should be 5 - 10 pages in length and should espouse a well reasoned and carefully documented position on a security related topic that merits challenge and / or discussion.

3) Discussion topic proposals. Discussion topic proposals should include an in-depth description of the topic to be discussed, a convincing argument that the topic will lead to a lively discussion, and supporting materials that can aid in the evaluation of the proposal. The latter may include the credentials of the proposed discussants. Discussion topic proposers may want to consider involving conference organizers or previous attendees in their proposals.

Submissions must include the following:

1) The submission in PDF format, viewable by Adobe Acrobat reader.

2) A justification for inclusion in NSPW. Specify the category of your submission and describe, in one page or less, why your submission is appropriate for the New Security Paradigms Workshop. 
A good justification will describe the new paradigm being proposed, explain how it departs from existing theory or practice, and identify those aspects of the status quo it challenges or rejects. The justification is a major factor in determining acceptance. 3) An Attendance Statement specifying how many authors wish to attend the workshop. Accepted papers require the attendance of at least one author for the entire duration of the workshop. Attendance is limited, and we cannot guarantee space for more than one author. No submission may have been published elsewhere nor may a similar submission be under consideration for publication or presentation in any other forum during the NSPW review process. The submission deadline is Monday, 26 March 2006. Notification of acceptance will be Monday, 28 May, 2006. Workshop proceedings will be published by the ACM and put in the ACM digital library. In order to ensure that all papers receive equally strong feedback, all attendees are expected to stay for the entire duration of the workshop. We expect to offer a limited amount of financial aid to those who require it. See http://www.nspw.org for details of the workshop policies and for submission procedures. From isn at c4i.org Fri Feb 10 02:11:11 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 10 Feb 2006 01:11:11 -0600 (CST) Subject: [ISN] Hacker showcase this weekend in San Francisco Message-ID: http://www.linuxdevices.com/news/NS8540785603.html Feb. 09, 2006 An event showcasing cutting-edge applications will take place this weekend in San Francisco. The fifth annual CodeCon event features presentations from developers of interesting, innovative real-world applications, and is set to run from Friday, Feb. 10 through Sunday, Feb. 12. CodeCon was started in 2002 by BitTorrent author Bram Cohen and Len Sassaman, author of the Mixmaster anonymous remailer. 
The event is sponsored in part by independent book publisher No Starch Press, which has offered Linux-related titles for more than a decade. Organizers say CodeCon offers a "prescient look at the direction of technology." All presenters are project developers, and each presentation includes a functional demo. Presentations include: * Lance James, on Daylight Fraud-Prevention (DFP), an anti-phishing program based on real-time web-based forensics * Daniel S. Wilkerson and Scott McPeak on the Delta interestingness minimizer * Todd Davies, on the Deme group discussion platform * Quinn Weaver, on the Dido perl-based voice menu platform * Robert J. Hansen, on the Djinni unsolvable problem answer approximator * Daniel S. Wilkerson, on the Elsa/Oink/Cqual++ C/C++ program dataflow analyzer * David Barrett, on the iGlance push-to-talk videoconferencing and screen-sharing software * Aaron Harwood, on Localhost P2P software * Nathaniel Smith, on the Monotone version control system * Michael J. Freedman, on the OASIS locality aware server selection infrastructure for content distribution systems * Meredith L. Patterson, on Query by Example, a collection of data mining operations for PostgreSQL * Joe Stewart, on the Truman behavioral malware sandnet * Adam Sourzis, on the Rhizome application stack for rapid semantic-web development * Tom Pinckney, on the SiteAdvisor scam-finding web crawler * Dimitris Vyzovitis and Ilia Mirkin on VidTorrent/Peers, a scalable real-time P2P streaming protocol The fifth-annual CodeCon will be held South of the Slot, at StudioZ [1]. Tickets cost $85 at the door. Additional details can be found here [2]. 
[1] http://www.studioz.tv/
[2] http://www.codecon.org/

From isn at c4i.org Mon Feb 13 01:47:58 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Feb 2006 00:47:58 -0600 (CST)
Subject: [ISN] Islamist hackers attack Danish sites
Message-ID:

http://www.theregister.co.uk/2006/02/09/islamic_defacement_protests/

By John Leyden
9th February 2006

Protests over cartoon images of the prophet Mohammed have spilled onto cyberspace with a series of attacks against Danish and other western websites. Islamist ire over the publication of the "satiric pictures" portraying the prophet Mohammed, first published in Danish newspaper Jyllands-Posten, has resulted in 1,000 attacks against web servers, according [1] to defacement archive Zone-H. Danish sites have copped the majority of attacks, but the barrage of assaults has also hit Israeli and other western web servers. Hacker groups from different Muslim nations have united in attacks that promote both moderate and extremist manifestos. Some defacements promote a boycott against Danish products, while others (such as those by the self-styled IIB - Internet Islamic Brigades) threaten suicide bombing attacks on Denmark. The number of politically motivated attacks against Danish servers gives a small measure of the strength of feeling over the issue. Violence during demonstrations over the issue has claimed 10 lives in Afghanistan and elsewhere in the Muslim world.

[1] http://www.zone-h.org/en/news/read/id=205987

From isn at c4i.org Mon Feb 13 01:48:26 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Feb 2006 00:48:26 -0600 (CST)
Subject: [ISN] AT&T sues small nonprofit company for hacking fees that trace back to it
Message-ID:

http://www.sltrib.com/business/ci_3489614

By Bob Mims
The Salt Lake Tribune
02/09/2006

AT&T Inc. raked in nearly $44 billion in revenues last year, and paid chairman and CEO Edward E. Whitacre Jr. $8.34 million in salary. 
Whitacre makes $340,000 more a year than the entire $8 million annual budget of HealthInsight, a Salt Lake City-based, 60-employee, nonprofit organization AT&T is suing in U.S. District Court. At issue: more than $25,500 in telephone charges the telecommunications giant acknowledges an unidentified hacker or hackers piled up, but for which it holds the hacker's victim, HealthInsight, responsible. "We've had some discussions with AT&T, but have been unable to resolve this," HealthInsight President and CEO Marc Bennett said Wednesday. "We don't believe we or any company should be responsible for calls we didn't make." AT&T, through its Logan attorneys Todd Turnblom and John Bailey, contends HealthInsight's security measures were inadequate. Further, the telecom says it warned HealthInsight three times that its system was being used to make unauthorized domestic and foreign calls, but the nonprofit failed to act. HealthInsight - which normally has less than $700 in long-distance fees for its Utah and Nevada operations combined - was billed for the $25,554.52 in unauthorized charges racked up on March 11, 2005. The hacker or hackers are thought to have gained access to AT&T's long-distance services through HealthInsight's toll-free line, voice mail and other systems. AT&T seeks the amount it says remains owed, plus interest, along with court and attorney fees to be determined at trial. Bennett stands by his staff's telecommunications security efforts, arguing that anyone can become the victim of a hacker, regardless of taking standard precautions. "We had what we were told were reasonable security measures in place," he said. HealthInsight, which splits its work among 40 Utah and 20 Nevada employees, advises health care providers on Medicare and Medicaid matters, and helps coordinate national programs aimed at improving care for diabetes, heart disease and stroke patients. 
From isn at c4i.org Mon Feb 13 01:47:26 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 13 Feb 2006 00:47:26 -0600 (CST) Subject: [ISN] Microsoft plans to release seven patches next week Message-ID: http://www.computerworld.com/securitytopics/security/holes/story/0,10801,108531,00.html By Elizabeth Montalbano FEBRUARY 09, 2006 IDG NEWS SERVICE Microsoft Corp. on Tuesday plans to release seven patches for several of its software products, including at least two critical updates for known vulnerabilities, according to the company's monthly security update. Microsoft plans to release one critical patch for Microsoft Windows Media Player; four patches for Windows, at least one of which is critical; one security update rated as "important" for both Windows and Microsoft Office; and another update rated as important for Office. More information about the security updates can be found on the company's TechNet site [1]. Microsoft releases security updates for its software products on the second Tuesday of every month, a day that has become known as "patch Tuesday" by security experts. While the Windows Media Player update will not require a restart, the Windows patches and at least one of the Office patches will require the OS to be rebooted before they are applied, according to the site. All of the updates will be detectable using Microsoft's Baseline Security Analyzer tool, and the Windows Media Player patch can be detected through Microsoft's Enterprise Scanning Tool, the company said. Also on Tuesday, Microsoft plans to release an updated version of its Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Microsoft will host a webcast to discuss the security updates on Wednesday at 11:00 a.m. Pacific Standard Time. More information about the webcast can be found on the company's site [2]. 
[1] http://www.microsoft.com/technet/security/bulletin/advance.mspx [2] http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032288940&EventCategory=4&culture=en-US&CountryCode=US From isn at c4i.org Mon Feb 13 01:47:40 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 13 Feb 2006 00:47:40 -0600 (CST) Subject: [ISN] Software Fix Readied for BlackBerrys Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2006/02/09/AR2006020900576.html By Yuki Noguchi Washington Post Staff Writer February 10, 2006 The company that makes BlackBerry devices said it has completed development of software that will allow its wireless e-mail to continue functioning even if a court orders the service shut down in a patent dispute. The announcement from Research in Motion Ltd., the Canadian company that started selling the popular BlackBerry in 1999, comes less than two weeks before a federal district court hearing. The court has already found that RIM violated patents held by NTP Inc. of McLean, and analysts expect the judge to issue an injunction ordering RIM to cease operations in the United States. That would cause most of the 4 million BlackBerry users in the United States to lose service unless the company can implement the substitute software or the two sides can reach a settlement. RIM said the new BlackBerry software will be available for later download on its Web site and must be installed on customers' e-mail servers as well as each handheld device. The software will not change the appearance or function of existing devices, but its underlying system, RIM contends, is different than NTP's and does not violate any patents. Whether that contention holds up remains to be seen, said Alexandria patent attorney Susan Dadio. "From a technology perspective, whether it's truly a workaround is still a question," because it hasn't met NTP or other patent reviewers' scrutiny, she said. "They have not hit a home run." 
Information-technology officials were reluctant to react to yesterday's announcement because RIM did not release details about the software. Many companies have invested heavily in equipping staff members with BlackBerrys and in synchronizing office e-mail servers with them, so they have a financial incentive to stick with the devices. RIM said it thinks any injunction, if issued, should not affect existing users, who may not have to download the software. The company said its fix can be remotely activated on BlackBerrys already in use. Kevin Anderson, an attorney for NTP, said the company had not reviewed RIM's proposed software solution and could not comment on whether it would continue to violate NTP's patents. A spokeswoman for RIM said the company had not been contacted by customers about implementing a download and declined to estimate when the software would become available. The companies have been locked in litigation for more than four years, and RIM has disputed the validity of NTP's patents but has lost every battle in court. In 2002, the company was ordered by a jury to pay royalties that now total more than $250 million. Last fall, the U.S. district judge said he would not delay an injunction. And most recently, RIM was denied an appeal of its case to the Supreme Court. In a news release yesterday, RIM maintained that an injunction is not warranted and noted that recent reviews at the U.S. Patent and Trademark Office found that NTP's original patents may not be valid -- a finding NTP could still appeal. RIM is hoping the judge will take the reviews into consideration at the Feb. 24 hearing. Meanwhile, the companies both say they are open to settlement and licensing agreements. But yesterday, RIM chairman and chief executive Jim Balsillie said in a statement that "NTP's public offer of a 'reasonable' license . . . is simply untenable." Anderson, NTP's attorney, said, "Their characterization is simply wrong."
© 2006 The Washington Post Company

From isn at c4i.org Mon Feb 13 01:48:55 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Feb 2006 00:48:55 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - February 10th 2006
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| February 10th, 2006 Volume 7, Number 6a |
+---------------------------------------------------------------------+

Editors: Dave Wreski, Benjamin D. Thomas
dave at linuxsecurity.com, ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week advisories were released for mydns, gnocatan, ipsec-tools, adzapper, mozilla, firefox, audit, unzip, Fedora kernel, GPdf, libextractor, LibAST, gallery, ADOdb, apache, poppler, kdegraphics, xpdf, openoffice, openssh, php, and groff. The distributors include Debian, Fedora, Gentoo, Mandriva, and Red Hat.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

----

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation. 
The following reported bugs from bugs.engardelinux.org are fixed in this release:

#0000048 The WebTool 'named' module does not check for duplicate zones
#0000047 Nagios localhost ping test bug
#0000045 SSH cannot create /root/.ssh directory as sysadm_r
#0000042 Postfix-2.2.7's broken firewall workaround has problems - ...
#0000041 Apache cannot talk to the MySQL socket.
#0000039 Unable to mount /home at boot in EnGarde 3.0.3
#0000038 Webtool automatically sets SELinux to Enforcing, even if ...
#0000037 Support for PgSQL via WebTool
#0000036 UPS - fails to work with selinux enabled
#0000035 "postfix reload" fails when run by sysadm_r with selinux ...
#0000034 tcpdump fails with selinux enabled

Several other bugs are fixed in this release as well.

New features include:

* A new GDSN Package Management Interface in the Guardian Digital WebTool which allows you to easily browse and install packages from the EnGarde Secure Linux package archives.

* A new Spanish (Español) translation of the Guardian Digital WebTool, courtesy of Joe Rodiguez Jr. To use this translation go into the WebTool Configuration module, click on your username (normally 'admin'), and select Español from the drop-down.

* New Guardian Digital WebTool modules for DHCP and UPS services. The DHCP (Dynamic Host Configuration Protocol) module allows you to run a DHCP server on your EnGarde Secure Linux machine. The UPS (Uninterruptible Power Supply) module allows you to configure and monitor a UPS connected to your EnGarde Secure Linux machine and to act as a server for other machines connected to the same UPS.

* The latest stable versions of MySQL (5.0.18), fetchmail (6.3.2), iptables (1.3.5), mrtg (2.13.1), nmap (4.00), openssh (4.3p1), php (4.4.2), and postfix (2.2.8).

* Several new installable packages such as amavisd-new (2.3.3), clamav (0.88), nagios (1.3), nagios-plugins (1.4.2), nrpe (2.0), postgresql (8.1.1), spamassassin, and many, many new Perl modules. 
We're also happy to announce the availability of the following HOWTOs:

* Installing Joomla! on EnGarde Secure Linux HOWTO
* Installing PHPMyAdmin on EnGarde Secure Linux HOWTO
* Installing PHP Applications on EnGarde Secure Linux HOWTO
* Installing SpamAssassin, ClamAV and Amavisd-new on EnGarde HOWTO
* Installing Squirrelmail on EnGarde Secure Linux HOWTO

All new users downloading EnGarde Secure Linux for the first time or users who use the LiveCD environment should download this release. Users who are currently using EnGarde Secure Linux do not need to download this release -- they can update their machines via the Guardian Digital Secure Network WebTool module.

Read Entire Article:
http://www.linuxsecurity.com/content/view/121560/65/

----------------------

EnGarde Secure Community 3.0.3 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

http://www.linuxsecurity.com/content/view/121150/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. 
http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New mydns packages fix denial of service
2nd, February, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121475

* Debian: New gnocatan packages fix denial of service
3rd, February, 2006
A problem has been discovered in gnocatan, the computer version of the Settlers of Catan board game, that can cause the server and other clients to exit via an assert; it does not permit the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/121506

* Debian: New ipsec-tools packages fix denial of service
6th, February, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121534

* Debian: New adzapper packages fix denial of service
9th, February, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121573

* Fedora Core 4 Update: mozilla-1.7.12-1.5.2
2nd, February, 2006
Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. Igor Bukanov discovered a bug in the way Mozilla's JavaScript interpreter dereferences objects. If a user visits a malicious web page, Mozilla could crash or execute arbitrary code as the user running Mozilla. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue.
http://www.linuxsecurity.com/content/view/121496

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: firefox-1.0.7-1.2.fc4
2nd, February, 2006
Mozilla Firefox is an open source Web browser. Igor Bukanov discovered a bug in the way Firefox's JavaScript interpreter dereferences objects. If a user visits a malicious web page, Firefox could crash or execute arbitrary code as the user running Firefox. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to this issue.
http://www.linuxsecurity.com/content/view/121497

* Fedora Core 4 Update: audit-1.0.13-1.fc4
3rd, February, 2006
This release backports some bugfixes and enhancements from the current devel branch.
http://www.linuxsecurity.com/content/view/121530

* Fedora Core 4 Update: unzip-5.51-13.fc4
6th, February, 2006
This update fixes several vulnerabilities in the unzip utility.
http://www.linuxsecurity.com/content/view/121547

* Fedora Core 4 Update: kernel-2.6.15-1.1831_FC4
7th, February, 2006
This update fixes a remotely exploitable denial of service in the ICMP networking code (CVE-2006-0454). An information leak has also been fixed (CVE-2006-0095), and some debugging patches that had accidentally been left applied in the previous update have been removed, restoring the functionality of the 'quiet' argument.

http://www.linuxsecurity.com/content/view/121561

* Fedora Core 4 Update: audit-1.0.14-1.fc4
8th, February, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121571

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: GStreamer FFmpeg plugin Heap-based buffer overflow
5th, February, 2006
The GStreamer FFmpeg plugin is vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.
http://www.linuxsecurity.com/content/view/121532

* Gentoo: Paros Default administrator password
6th, February, 2006
Paros's database component is installed without a password, allowing execution of arbitrary system commands.
http://www.linuxsecurity.com/content/view/121541

* Gentoo: Xpdf, Poppler, GPdf, libextractor, pdftohtml Heap overflows
6th, February, 2006
Xpdf, Poppler, GPdf, libextractor and pdftohtml are vulnerable to integer overflows that may be exploited to execute arbitrary code.
http://www.linuxsecurity.com/content/view/121542

* Gentoo: MyDNS Denial of Service
6th, February, 2006
MyDNS contains a vulnerability that may lead to a Denial of Service attack.
http://www.linuxsecurity.com/content/view/121543

* Gentoo: LibAST Privilege escalation
6th, February, 2006
A buffer overflow in LibAST may result in execution of arbitrary code with escalated privileges.
http://www.linuxsecurity.com/content/view/121544

* Gentoo: Gallery Cross-site scripting vulnerability
6th, February, 2006
Gallery is possibly vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.
http://www.linuxsecurity.com/content/view/121545

* Gentoo: ADOdb PostgreSQL command injection
6th, February, 2006
ADOdb is vulnerable to SQL injection if used in conjunction with a PostgreSQL database.
http://www.linuxsecurity.com/content/view/121548

* Gentoo: Apache Multiple vulnerabilities
6th, February, 2006
Apache can be exploited for cross-site scripting attacks and is vulnerable to a Denial of Service attack.
http://www.linuxsecurity.com/content/view/121549

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated libast packages fix buffer overflow vulnerability
2nd, February, 2006
Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 and earlier, as used in Eterm and possibly other software, allows local users to execute arbitrary code as the utmp user via a long -X argument. The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/121491

* Mandriva: Updated poppler packages fix heap-based buffer overflow vulnerability
2nd, February, 2006
Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. Poppler uses a copy of the xpdf code and as such has the same issues. The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/121492

* Mandriva: Updated kdegraphics packages fix heap-based buffer overflow vulnerability
2nd, February, 2006
Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. Kdegraphics-kpdf uses a copy of the xpdf code and as such has the same issues. The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/121493

* Mandriva: Updated xpdf packages fix heap-based buffer overflow vulnerability
2nd, February, 2006
Heap-based buffer overflow in Splash.cc in xpdf allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap. The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/121494

* Mandriva: Updated OpenOffice.org packages fix issue with disabled hyperlinks
2nd, February, 2006
OpenOffice.org 2.0 and earlier, when hyperlinks have been disabled, does not prevent the user from clicking the WWW-browser button in the Hyperlink dialog, which makes it easier for attackers to trick the user into bypassing intended security settings. Updated packages are patched to address this issue.
http://www.linuxsecurity.com/content/view/121495

* Mandriva: Updated openssh packages fix vulnerability
6th, February, 2006
A flaw was discovered in the scp local-to-local copy implementation where filenames that contain shell metacharacters or spaces are expanded twice, which could lead to the execution of arbitrary commands if a local user could be tricked into scp'ing a specially crafted filename.
http://www.linuxsecurity.com/content/view/121550

* Mandriva: Updated php packages fix vulnerability
7th, February, 2006
A flaw in the PHP gd extension in versions prior to 4.4.1 could allow a remote attacker to bypass safe_mode and open_basedir restrictions via unknown attack vectors. The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/121562

* Mandriva: Updated mozilla packages to address DoS vulnerability
7th, February, 2006
Mozilla and Mozilla Firefox allow remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. (CVE-2005-4134) The JavaScript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection.
http://www.linuxsecurity.com/content/view/121563

* Mandriva: Updated mozilla-firefox packages to address DoS vulnerability
7th, February, 2006
Mozilla and Mozilla Firefox allow remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup.
http://www.linuxsecurity.com/content/view/121564

* Mandriva: Updated groff packages fix temporary file vulnerabilities
8th, February, 2006
The Trustix Secure Linux team discovered a vulnerability in the groffer utility, part of the groff package. It created a temporary directory in an insecure way, which allowed a race condition to be exploited to create or overwrite files with the privileges of the user invoking groffer.
http://www.linuxsecurity.com/content/view/121572

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Critical: mozilla security update
2nd, February, 2006
Updated mozilla packages that fix several security bugs are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121482

* RedHat: Critical: firefox security update
2nd, February, 2006
An updated firefox package that fixes several security bugs is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121483

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Feb 13 01:49:11 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Feb 2006 00:49:11 -0600 (CST)
Subject: [ISN] DHS evaluates global cybersecurity exercise
Message-ID:

http://www.fcw.com/article92302-02-10-06-Web

By Dibya Sarkar
Feb. 10, 2006

Homeland Security Department officials offered no results or findings from a recently concluded, globally coordinated cybersecurity exercise, but they will begin examining data with the intent of issuing a report this summer.

The full-scale exercise, Cyber Storm, was conducted from Feb. 6-10 and involved 115 public, private and international agencies. It examined the response, coordination, and recovery processes and procedures for a simulated cyberattack against critical infrastructures. The federal government has been involved in previous simulated cybersecurity exercises, but not on this scale.

The purpose of the exercise was not to see how a simulated attack would affect systems. Industry and government officials said it was necessary to see how well organizations worked together in terms of communicating information and responding appropriately to an attack.

George Foresman, undersecretary at DHS' Preparedness Directorate, said Cyber Storm was a way to "create a symphony of preparedness," with the department acting as a musical conductor leading participating agencies that acted as musicians. At a press conference today, Foresman said DHS' role is to coordinate the public and private sectors' responses to an actual attack through a common approach.

Several state and industry officials who attended the press conference said they were pleased with the exercise and that it was a major step toward addressing cybersecurity on a national scale. However, officials did not provide any details regarding strengths or weaknesses found. They said they will study the analysis before providing any results.

DHS officials said the scripted scenario was conducted in a closed environment through Secret Service headquarters in Washington, D.C., and did not include any attacks against real-world systems.

Andy Purdy, acting director of DHS' National Cyber Security Division, said the department has two overarching priorities. One is to build an effective cybersecurity response system. The other is to build a program for infrastructure protection. Results of the exercise could affect the National Response Plan and other plans designed to improve national coordination in response to a cyberattack and disruption.

Cybersecurity experts have said the federal government has been slow to address the issue comprehensively. But government officials and company representatives who participated in Cyber Storm said federal officials are working more closely with private- and public-sector officials on a grass-roots level than ever before.

William Pelgrin, director of New York state's Cybersecurity and Critical Infrastructure Coordination Office and head of the Multi-State Information Sharing and Analysis Center (ISAC), said his agency and ISAC have been working with DHS officials on the issue for three years. The two groups have been pleased with the guidance they've received, he added.

However, two weeks ago, the National Association of State Chief Information Officers released a survey indicating that the federal government needs to provide more education, training and money to help state and local officials promptly deal with cybersecurity issues.

DHS is willing to be "coach and mentor" to state and local officials, but ultimately it's the responsibility of states and localities to "push the ball down the road," Foresman said.

Pelgrin said ISAC and DHS are working on guidelines, including suggestions for education and awareness, that local governments can use to help with their day-to-day cybersecurity activities.

Several representatives of companies that participated in Cyber Storm said they will also evaluate how their companies fared in coordination and response to the exercise.

In addition to DHS, participating federal agencies included the Justice, Commerce, Energy, Defense, Treasury and State departments; the CIA; the National Security Agency; the National Security Council; and the Homeland Security Council. All 50 states also participated in the exercise. Officials from Canada, Australia, the United Kingdom and New Zealand participated. Several companies, including Computer Associates, Intel, Microsoft, VeriSign, Symantec, McAfee and Citadel, participated as well.
From isn at c4i.org Mon Feb 13 01:50:11 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Feb 2006 00:50:11 -0600 (CST)
Subject: [ISN] Turn security rhetoric into action, Oracle warns
Message-ID:

http://www.zdnet.com.au/news/security/soa/Turn_security_rhetoric_into_action_Oracle_warns/0,2000061744,39237971,00.htm

By David Braue
ZDNet Australia
13 February 2006

Every software developer likes to believe he or she is committed to application security -- but senior managers need to put their money where their mouths are to turn security rhetoric into action, a senior development manager at Oracle Corporation has told more than 200 delegates at the SECURECon security conference in Melbourne.

As senior principal program manager with Oracle, Evelyn Sell's role includes the supervision of part of Oracle's massive fleet of developers. In her experience, a variety of common and preventable factors -- ranging from developer laziness and ignorance of security issues, through a lack of developer accountability and expectations that coders produce large volumes of code to strict timelines, to overall time-to-market pressure -- often cause the security problems that explode into much bigger issues once the code is let loose in the field.

Particularly in companies producing commercial software, blame can be traced to managers who maintain high expectations of coders but don't provide enough training to ensure adequate application security.

"I am blown away by the billions of dollars that is invested in security [fixes] for something that really should be second nature," Sell explained. "It's very important to build in security up front."

Once code is complete, fixing the problem can often be much more difficult -- and far more expensive -- than getting it right in the first place. Customers build their own code on top of platforms like Oracle's database and business applications, and even a small security fix can potentially break all sorts of related, interdependent applications. That means security remediation must involve slow movement and extensive testing -- something, Sell admitted, that can be hard given commercial pressure to get products or bug fixes out the door quickly.

Sell described Oracle's four-pronged secure development strategy, which is encompassed in a "large, living document" that is constantly updated with new knowledge gained from the company's many development teams. Regular analysis of the document reveals common themes that drive future investment. For example, Oracle recently responded to a perceived lack of secure coding skills by introducing several mandatory online training modules on secure coding practices; developers who fall short of the 80 percent pass mark are reported to managers for more intensive training.

The company also uses a formal product security checklist that is regularly reviewed and used to drive frequent development team meetings. Prescriptive lists of acceptable tools, for applications such as cryptography and random number generation, aim to keep developers from rolling their own or using insecure code from elsewhere. An internal 'tiger team' of security experts constantly pounds Oracle code to identify potential problems before the code ships.

This may all sound like a bit much to organise for many managers. However, attention to the other presenters at SECURECon would quickly disabuse complacent managers of the idea that security is optional. Presenters at this year's conference -- the fourth in the Melbourne University-organised event's history, combining two days of presentations with a full day of hands-on 'hackathons' -- discussed both the security of various common technologies, and how to bypass them.

Security specialist Chris Spencer highlighted techniques for exploiting buffer overflow problems in Windows, as well as discussing ways to circumvent the buffer overflow protections built into Windows XP SP2. A Microsoft IT Pro Evangelist shared techniques for hardening Windows Server 2003 SP1, while penetration testing expert Cédric Blancher highlighted the inherent lack of security of most WiFi networks and devices. Other sessions delved into security in Mac OS X, Cisco routers, Unix servers, Apache Web servers, digital rights management (DRM) technologies, and identity-based user authentication. Well-known US-based IBM developer Wietse Venema discussed his development of the secure and widely used Postfix e-mail server.

Although primarily intended for developers, the content of SECURECon nonetheless resonates for all business managers. Ultimately, they need to understand that code security must trump even commercially imposed deadlines; one major release of Oracle software was held up for more than two weeks while developers resolved a bug they'd identified. That's the kind of delay that gives marketing executives palpitations, but Sell believes that it's ultimately easy to argue the value of good security in terms even managers understand.

"All you need to do is show management the fallout line and let them know what [less than optimal security practices] are actually costing them," she said. "This is a small expense compared with the millions of dollars each individual security bug can cost a company. When you talk about the bottom line, all you really need to do is to show management how much less it would cost if they can drop the number of security vulnerabilities shipping in the products."

From isn at c4i.org Tue Feb 14 01:38:47 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Feb 2006 00:38:47 -0600 (CST)
Subject: [ISN] How secure is VoIP?
Message-ID:

http://www.mercurynews.com/mld/mercurynews/13859672.htm

By Jessie Seyfer
Mercury News
Feb. 13, 2006

The allure of Internet phone calling is understandable -- dirt-cheap calls to anywhere in the world, sound quality that's at times superior to the traditional land-line and the ability to take your phone number with you when you travel.

But, buyer beware. These calls are just like any other form of digital communication, like e-mail, which can be hacked, spammed and saved on servers. While Internet calling programs from Skype and Vonage to Google and Yahoo are getting more and more popular, security experts warn that they're not as secure as your traditional land-line.

``Lots of people are ignoring the risks about it,'' said Rodney Thayer, a Mountain View security consultant. ``Sometimes there's absolutely no encryption. Someone could listen to your conversation. It's not clear that these services have been hardened so that no inappropriate activity could take place.''

Thayer is one of several experts who will be in San Jose this week for the RSA Conference at the McEnery Convention Center, which highlights just about every aspect of computer security -- data encryption, spam-blocking and anti-fraud methods, for example. Thayer will lead a daylong seminar on Internet phone-calling security.

The conference comes on the heels of a national debate over President Bush's authorization of wiretaps without first obtaining a warrant, and a battle between Google and the Department of Justice over privacy. The Mountain View company is fighting a subpoena it received, as did Yahoo, America Online and Microsoft, asking them to provide information to the government about people's search habits.

Adding more heat to the issue is an ongoing legal conflict between several Internet phone-calling providers -- as well as privacy advocates -- and the government over whether companies should be required to make it easy for law enforcement to conduct wiretaps over their networks.
The providers argue that taking steps to make wiretapping easier will actually make networks more vulnerable to malicious attacks. Federal regulators believe Internet phone systems should follow the same rules as traditional ones, and should offer a standardized level of access to law enforcement. The matter remains before a federal appeals court.

Spoken e-mail

In thinking about the threats Internet callers may face, experts say it's helpful to think of the calls as spoken e-mails -- after all, they both consist of packets of data zipping across the Internet. Therefore, it's possible for Internet phone calls to be plagued by the same attacks that dog e-mail: hackers listening to your calls, automated spam messages that call you, and so-called ``phishing'' requests -- phone messages that seek personal financial information from recipients with the intention of raiding their bank accounts.

``I think the next generation of spam is spam voice mail over VoIP,'' said Chris Rouland, chief technology officer at the Atlanta-based Internet Security Systems company, which supplies security for large phone networks and other businesses. VoIP stands for Voice over Internet Protocol, and is the industry term for Internet phone-calling.

At home, people using Internet phone calls should take the same precautions they do for Web and e-mail communications: ``Never accepting calls from people they don't know and don't trust. Never giving out personal information to strangers and people you don't trust,'' said Terrell Karlsten of Yahoo.

Skype uses encryption, or hiding data with difficult-to-break codes, and Yahoo uses other methods, to protect conversations. Experts suggest anyone thinking of signing up for an Internet calling service ask about, and make sure they are clear on, that company's policy toward security and privacy.

No spam yet

So far, there have not been any major documented incidents of fraud or spamming from using Internet phone-calling. But while growing in popularity, Internet phone calling is still in its infancy. Eleven percent of American households will be using some form of Internet phone service by 2010, according to Forrester Research. Industry analysts at In-Stat reported that the number of people using the technology worldwide grew by 62 percent from 2004 to 2005.

Cisco Systems, which makes routing and switching equipment that sends Internet data where it needs to go, believes businesses and Internet service providers should safeguard voice conversations for their staff and customers in the same way they can protect e-mail and instant messaging.

``Secure your phones, secure your routers, secure your VoIP call centers, secure your applications,'' said Jayshree Ullal, senior vice president of Cisco's DataCenter, Switching and Security Technology group.

Securing the network

Many security options can be installed on the computer network, rather than on people's individual desktop computers, Ullal said. Yet security experts say that if people want to listen to your Internet telephone conversations, they can. In fact, a simple Web search produced a site offering a program to do just that. The program is designed to break into networks and then capture the packets of data containing the conversation, and reconstruct them into an audio file.

But the experts also point out that while it's possible for hackers to record conversations, it's unlikely that such attacks will occur randomly. Attacks are more likely to occur on office networks than home networks and are likely to involve conversations that will give hackers information they can sell. For businesses dealing with financial or legal transactions, additional protection is a must, said Kelli Long, of CallTower, a Utah company that sets up phone networks for businesses.

``From a consumer's perspective, if I'm out browsing the Internet and if I'm sending e-mails back and forth, I should expect basically the same amount of security for my voice calls, and at this point, probably even less,'' Long said.

Saving conversations

So what happens to Internet voice conversations once they're finished? Like any data, an Internet phone call can be saved. And there generally aren't any guidelines about who has a right to save what information. Yahoo's Instant Messaging service does not save conversations, nor does Skype's, according to representatives.

``Privacy is very important to our users,'' Yahoo's Karlsten said. ``We also have preventative measures we've implemented . . . detecting sending patterns and habits associated with spammers.''

Google would not release information about the security of its Google Talk application. But the terms of service for the program state: ``Google may access or disclose your personal information, including the content of your communications, if Google is required to do so in order to comply with any valid legal process or governmental request.''

Rouland admitted that rules around Internet phone calls are just starting to be developed, but the security concerns shouldn't scare people off from Internet phone-calling entirely. ``VoIP is a great application and we expect it to revolutionize the telephone systems today,'' he said. But right now, ``We're in a little bit of the Wild West.''

From isn at c4i.org Tue Feb 14 01:39:00 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Feb 2006 00:39:00 -0600 (CST)
Subject: [ISN] NCsoft site deluged with stolen identities
Message-ID:

http://joongangdaily.joins.com/200602/13/200602132130583039900090609061.html

By Seo Ji-eun, Lee Weon-ho
February 14, 2006

Hackers have used the private information of hundreds of people to register on the Web site of "Lineage," one of Korea's most popular online games.
Complaints to the game developer, NCsoft Corp., have been rapidly piling up. The company said yesterday that it had received up to 600 reports so far of people being registered without their knowledge as members of the role-playing games "Lineage" and "Lineage 2." The two games have a combined subscriber base of 2 million members. The Ministry of Information and Communication also said that a large number of people have posted notes on Internet communities and portal sites, saying that their names and resident registration numbers were used to sign up with the game site without their permission. "This is the first time that such a huge number of illegal name usage cases have been discovered," said an NCsoft spokesman. "The majority of the registrations took place between last November and January this year." He added that it seems highly likely that the major portal sites or online communities were hacked, but the company is now conducting an investigation. In Korea, gamers can only register one account per person. Observers speculate that hackers used stolen identities to play multiple games, thus earning more virtual items that can be sold for cash. Regarding this case, online industry experts estimate that the total number of netizens whose information was pilfered and used without their consent on the game site could reach the hundreds of thousands, considering the number of official reports already. In order to check if one's private information has been used, one can visit:http://cs.lineage.co.kr/account/new-Account/agreeOverFourteen.asp and type in one's name and resident registration number. The firm's customer center is accepting reports via telephone at 1566-6600. The police will take action as soon as the investigation reveals the cause and method of the information leakage. From isn at c4i.org Tue Feb 14 01:39:13 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Feb 2006 00:39:13 -0600 (CST) Subject: [ISN] U.S. charges Calif. 
man in computer botnet case Message-ID: http://www.informationweek.com/security/showArticle.jhtml?articleID=180200468 By Reuters FEBRUARY 13, 2006 SAN FRANCISCO (Reuters) - A California man was indicted on Friday on federal charges of creating a robot-like network of hijacked computers that helped him and two others bring in $100,000 for installing unwanted ad software. The indictment from a federal grand jury in Seattle also accuses Christopher Maxwell, 20, and two unidentified conspirators of crippling Seattle's Northwest Hospital with a "botnet" attack in January 2005. Authorities say the hospital attack caused $150,000 in damages, shut down the intensive care unit and disabled doctors' pagers. "Some people consider botnets a mere annoyance or inconvenience for consumers but they are highly destructive," U.S. Attorney John McKay said in a statement. "In this case, the impact of the botnet could have been deadly." The two-count indictment charges Maxwell with conspiracy to intentionally cause damage to a protected computer and commit computer fraud. A "bot" like the one Maxwell is accused of operating is a program that surreptitiously installs itself on a computer so it can be controlled by a hacker. A botnet is a network of such robot, or "zombie," computers, that can harness their collective power to do considerable damage or send out huge amounts of junk e-mail. The creator of a botnet typically uses a computer or computers to search the Internet for vulnerable machines. After installing malicious code, a bot program connects to the network where it will receive commands from the operator of the network. Authorities charge that Maxwell used a botnet to secretly install unwanted Internet adware, which makes advertising displays pop up on a user's computer, and then earn commissions from a number of companies. If convicted Maxwell, faces a maximum 10 years in prison and a $250,000 fine. 
As part of his network, authorities said Maxwell hijacked high-powered server networks at California State University, Northridge, the University of Michigan and the University of California, Los Angeles.

Copyright 2006 Reuters.

From isn at c4i.org Tue Feb 14 01:38:29 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Feb 2006 00:38:29 -0600 (CST)
Subject: [ISN] Hacker Threatens to Take Down Olympics Computers
Message-ID:

http://www.foxnews.com/story/0,2933,184695,00.html

Associated Press
February 13, 2006

TURIN, Italy - A would-be hacker was being investigated by police Monday after threatening to attack the internal computer network of the Turin Olympics organizing committee.

The man - a technical consultant for the TOROC committee - illicitly gained access to off-limits sections of the network, police officer Fabiola Silvestri said.

"This consultant - who is now a former consultant - said in a very strong way that he could do certain things to the network," TOROC spokesman Giuseppe Gattino said. "Nothing has happened and all the passwords have been disabled."

Officials declined to reveal the consultant's identity, and Gattino said he didn't know the reasons for his threatening behavior. No charges were immediately filed against the man.

In a separate case, police found that a Turin antiques dealer had acquired five Internet domains that had similar names to Olympic Web sites. If accessed, the domains redirected users to the dealer's Web site, which also carried Olympic logos and other copyrighted material, Silvestri said. Once he had been told that what he was doing was illegal, the dealer deleted the material and redirected users from his domains to Olympic Web sites, she said.
From isn at c4i.org Tue Feb 14 01:39:39 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Feb 2006 00:39:39 -0600 (CST)
Subject: [ISN] Teen hacker fined for server attack
Message-ID:

http://www.theage.com.au/news/national/teen-hacker-fined-for-server-attack/2006/02/13/1139679536471.html

By Steve Butcher
February 14, 2006

He was the only Australian member of a small international computer hacking team - a Melbourne teenager nicknamed Susboy - and he craved kudos. But 19-year-old Stephen Sussich's need to impress his six secret colleagues in Team Simplicity ended when four carloads of police arrived at his family home in Essendon.

The ramifications of the dawn raid, which horrified his unsuspecting parents and woke the neighbours, killed Sussich's curiosity for computer hacking. The fallout continued yesterday in Melbourne Magistrates Court when Sussich was convicted and fined $2000 and ordered to pay $3000 compensation to the firm whose server he attacked.

Judy McGillivray, prosecuting, told the court that routine maintenance last August of Brisbane-based company Webcentral revealed scanning tools linked to a person with the username mssql. Through another company, Webcentral had server links to 46,000 credit card holders.

Ms McGillivray said investigations found mssql had illegally put a "rootkit" - an "intruder's toolkit" - on the server, which can hide its presence, stop access and close windows behind it. When the Australian Federal Police High-Tech Crime Centre in Canberra examined the server, numerous references to Susboy were found.

Ms McGillivray said there was no evidence Sussich accessed any credit card details or was financially motivated. Sussich, of Jacka Street, Essendon, pleaded guilty to two charges of unauthorised modification of data to cause impairment.

Defence lawyer Peter Randles said Sussich was a "normal, decent young guy" with great computer skills and a talent for breaching security systems.
But Mr Randles said curiosity had got the better of Sussich. The police raid last September had "killed his illegal curiosity" and he urged magistrate Lisa Hannan not to convict him.

Ms Hannan said while Sussich had shown remorse, his offences undermined community confidence in e-commerce.

From isn at c4i.org Tue Feb 14 01:39:51 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Feb 2006 00:39:51 -0600 (CST)
Subject: [ISN] Company sues unknown computer hackers
Message-ID:

http://www.wvrecord.com/news/newsview.asp?c=174679

By Chris Dickerson
Charleston Bureau
February 13, 2006

CHARLESTON - A North Carolina company with a Charleston office is suing unnamed hackers who they say broke into their computer system.

WeSave Inc. filed the lawsuit Jan. 24 in Kanawha Circuit Court. WeSave, which has an office at 208 Capitol Street, operates discount and loyalty programs for public employees.

The suit says that on Jan. 19, hackers believed to be West Virginians using a certain Internet protocol address accessed the computer systems of Freedom Voice Systems of Encinitas, Calif. That company operates under contract with WeSave to receive facsimile transmissions on its behalf and to forward that information to WeSave.

"Hackers accessed this system and deleted certain information belonging to WeSave with the intent to alter, tamper with, delete, damage and destroy information knowingly and willfully without the authorization of WeSave in violation of the West Virginia Computer Crime and Abuse Act," the company, represented by attorney David Allen Barnette, says in the suit.

The company also claims the hackers disrupted and degraded the computer services and denied WeSave computer transmissions in violation of the West Virginia Computer Crime and Abuse Act. WeSave says it is entitled to recovery for each hacking violation, including compensatory and punitive damages and other relief, including injunctive relief.
WeSave seeks a judgment in an amount to be proven at trial, plus pre- and post-judgment interest, punitive damages and other relief, including injunctive relief. The company requests a jury trial.

The case has been assigned to Circuit Judge Charlie King.

Kanawha Circuit Court case number: 06-C-117

© 2005 The Record, Inc.

From isn at c4i.org Tue Feb 14 01:40:03 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Feb 2006 00:40:03 -0600 (CST)
Subject: [ISN] Case Western Reserve shooter blames hacker
Message-ID:

http://www.starbeacon.com/?MC=NEWS&NID=1&AID=10152

By M.R. KROPKO
Associated Press Writer
2/13/2006

CLEVELAND - A former graduate student convicted of killing one man and wounding two others inside the business school at Case Western Reserve University remains convinced he should not be held responsible.

In a one-hour interview last week with The Associated Press inside the Cuyahoga County Jail, Biswanath Halder expressed no remorse and accepted no blame for his violent, 7 1/2-hour siege that terrified students and faculty on May 9, 2003. He blamed the university for a hacker who had wrecked his Web site meant to help business entrepreneurs from India.

"I didn't take a life," Halder said in a quiet, calm tone,

From isn at c4i.org Wed Feb 15 03:12:46 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Feb 2006 02:12:46 -0600 (CST)
Subject: [ISN] Brazilian police bust hacker gang
Message-ID:

http://www.theage.com.au/news/breaking/brazilian-police-bust-hacker-gang/2006/02/15/1139890794432.html

February 15, 2006

Brazilian federal police arrested 41 hackers today accused of using the internet to divert millions of dollars out of other people's bank accounts.

Some 200 federal police were deployed in the operation to serve 65 arrest warrants against a gang of hackers mostly operating in Campina Grande, some 1,800km north-east of Rio. Arrests also were made in six other states.
Police said over the past three months the gang invaded some 200 accounts in six banks, stealing 10 million reals ($A6.38 million) using a so-called Trojan horse virus sent via email. The program entered computers and, working in the background, copied account numbers and passwords without the users' knowledge.

Police said the leader of the gang was a 19-year-old and five of those arrested so far were minors. Police were still looking for 24 other alleged gang members.

While only a small percentage of Brazil's 185 million people can afford computers, those who do have them are among the most active in the world in using online banking services and the internet.

Copyright © 2006 The Age Company Ltd

From isn at c4i.org Wed Feb 15 03:13:07 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Feb 2006 02:13:07 -0600 (CST)
Subject: [ISN] Chinese Internet censors face 'hacktivists' in U.S.
Message-ID:

http://www.post-gazette.com/pg/06045/654754.stm

By Geoffrey A. Fowler
The Wall Street Journal
February 14, 2006

Surfing the Web last fall, a Chinese high-school student who calls himself Zivn noticed something missing. It was Wikipedia, an online encyclopedia that accepts contributions or edits from users, and that he himself had contributed to. The Chinese government, in October, had added Wikipedia to a list of Web sites and phrases it blocks from Internet users' access.

For Zivn, trying to surf this and many other Web sites, including the BBC's Chinese-language news service, brought just an error message. But the 17-year-old had had a taste of that wealth of information and wanted more. "There were so many lies among the facts, and I could not find where the truth is," he writes in an instant-message interview.

Then some friends told him where to find Freegate, a tiny software program that thwarts the Chinese government's vast system to limit what its citizens see. Freegate -- by connecting computers inside of China to servers in the U.S.
-- allows Zivn and others to keep reading and writing to Wikipedia and countless other sites.

Behind Freegate is a North Carolina-based Chinese hacker named Bill Xia. He calls it his red pill, a reference to the drug in the "Matrix" movies that vaulted unconscious captives of a totalitarian regime into the real world. Mr. Xia likes to refer to the villainous Agent Smith from the Matrix films, noting that the digital bad guy in sunglasses "guards the Matrix like China's Public Security Bureau guards the Internet."

It isn't all science fiction. China is aggressively moving to control the Internet. Even as the 50 million Internet connections within the country grow faster, contact with the rest of the Web is growing muddier. Roughly a dozen Chinese government agencies employ thousands of Web censors, Internet cafe police and computers that constantly screen traffic for forbidden content and sources -- a barrier often called the Great Firewall of China. Type, say, "media censorship by China" into emails, chats or Web logs, and the messages never arrive.

Even with this extensive censorship, Chinese are getting vast amounts of information electronically that they never would have found a decade ago. The Internet was one reason the authorities, after a week's silence, ultimately had to acknowledge a disastrous toxic spill in a river late last year.

But the government recently has redoubled its efforts to narrow the Net's reach on sensitive matters. It has required all bloggers, or writers of Web logs, to register. At the end of last year, 15 Internet writers were in jail in China, according to the Committee to Protect Journalists, a New York-based group. And China has gotten some U.S. Internet companies to limit the search results they provide or the discussions they host on their Chinese services. A tiny firm Mr. Xia set up to provide and maintain Freegate had to lobby computer-security companies such as Symantec Corp. not to treat it as a virus.
In response to China's crackdown and restrictions in many Middle Eastern countries, a small army has been mustered to defeat them. "Hacktivists," they call themselves.

Bennett Haselton, a security consultant and former Microsoft Corp. programmer, has developed a system called the Circumventor. It connects volunteers around the world with Web users in China and the Middle East so they can use their hosts' personal computers to read forbidden sites.

Susan Stevens, a Las Vegas graphic designer, belongs to an "adopt a blog" program. She has adopted a Chinese blogger by using her own server in the U.S. to broadcast his very personal musings on religion to the world. She has never left the U.S., but "this is where technology excels," she says. "We don't have to have anything in common. We barely have to speak the same language."

In Boston, computer scientist Roger Dingledine tends to Tor, a modified version of a U.S. Naval Research Laboratory project, which disguises the identities of Chinese Web surfers by sending messages through several layers of hosts to obscure their path.

Freegate has advantages over some of its peers. As the product of ethnically Chinese programmers, it uses the language and fits the culture. It is a simple and small program, whose file size of just 137 kilobytes helps make it easy to store in an email program and pass along on a portable memory drive.

Mr. Xia says that about 100,000 users a day currently use Freegate or two other censorship-defeating systems he helped create. It is impossible to confirm that claim, but Freegate and similar programs from others, called UltraReach and Garden Networks, are becoming a part of the surfing habits of China's Internet elite in universities, cafes and newsrooms.

Freegate has a key booster in Falun Gong, the spiritual group China banned in 1999 as subversive. It is a practice of meditations and breathing exercises based on moralistic teachings by its founder, Li Hongzhi.
Chinese expatriates -- marrying U.S. free-speech politics with protests over persecution of Falun Gong practitioners in China -- have focused their energy on breaking China's censorship systems. They have nurtured the work of Mr. Xia, himself a Falun Gong follower, and several other programmers.

Freegate also gets a financial boost from the U.S. government. Voice of America and Radio Free Asia, part of the federal government's Broadcasting Board of Governors, pay Mr. Xia and others to send out emails featuring links to their stories. Kenneth Berman, manager of the anticensorship office of the board's International Broadcasting Bureau, declines to say how much it compensates Mr. Xia. But he says the bureau pays about $5 million a year to companies to help combat Internet censorship abroad, especially in China and Iran.

"Our policy is to allow individuals to get anything they want, when they want," Mr. Berman says. "Bill and his techniques help us do that."

Human Rights in China, a New York nonprofit group, also helps fund Mr. Xia's enterprise, which runs on a budget of about $1 million a year. The resources behind Freegate and other hacktivists could increase if Congress revives a bill to create an Office of Global Internet Freedom.

U.S. Internet companies have drawn strong criticism in Congress for compliance with Chinese Web restriction, and hearings on their activities are set for Wednesday. Microsoft, Google Inc. and Yahoo Inc. all say that they abide by local laws. Microsoft's general counsel said this month that the software giant shuts down personal blogs only if it receives a "legally binding notice from a government."

[...]
From isn at c4i.org Wed Feb 15 03:13:34 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Feb 2006 02:13:34 -0600 (CST)
Subject: [ISN] Hacker fights US extradition
Message-ID:

http://www.heraldsun.news.com.au/common/story_page/0,5478,18154675%255E1702,00.html

From correspondents in London
15 Feb 06

A British computer enthusiast accused by the US government of the world's "biggest military hack of all time" has begun a court fight against extradition to the US.

Gary McKinnon was arrested last June following charges by US prosecutors that he illegally accessed 97 government computers including Pentagon, US army, navy and NASA systems. Prosecutors said he hacked into sensitive networks over a one-year period from February 2002 and caused $US700,000 ($950,828.58) worth of damage, after crippling US defence systems in the wake of the September 11, 2001 attacks.

If found guilty, Mr McKinnon could face up to $US1.75 million ($2.38 million) in fines and 60 years in jail.

Mr McKinnon's lawyers said he might be prosecuted under military law if he were sent to the United States and could be subjected to "special administrative measures" such as solitary confinement and other tactics to persuade him to plead guilty. He could even face the prospect of being sent to Guantanamo Bay with no chance of parole, they said.

Bow Street Magistrates' Court in London is expected to hear from Clive Stafford-Smith, a human rights lawyer who acts on behalf of detainees in Guantanamo Bay.

Mr McKinnon - whose hacking name was Solo - admits gaining access to US government computers but denies he caused any damage. His supporters said the US government should be grateful to him for highlighting its security shortcomings. US prosecutors said there is no evidence Mr McKinnon downloaded classified information or forwarded files to foreign governments.
At the time of the indictment, Paul McNulty, US Attorney for the Eastern District of Virginia, said: "Mr McKinnon is charged with the biggest military computer hack of all time."

Mr McKinnon, from Wood Green in north London, was released on bail in July 2005 and banned from using the Internet. The 40-year-old appeared relaxed in court where he was supported by more than a dozen friends and supporters.

Governments have become increasingly nervous over hackers in recent years and there have been several high profile prosecutions. One of the allegations relates to Mr McKinnon deleting files from computers at a US naval station during a critical time following the September 11 attacks, rendering the base's network of computers inoperable.

From isn at c4i.org Wed Feb 15 03:14:29 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Feb 2006 02:14:29 -0600 (CST)
Subject: [ISN] The man behind Cisco's security
Message-ID:

http://news.com.com/The+man+behind+Ciscos+security/2008-1082_3-6038999.html

By Joris Evers
Staff Writer, CNET News.com
February 14, 2006

Cisco Systems drew the ire of the hacking community last summer when it decided to sue a security researcher. The lawsuit was retaliation for disclosing research into the security of software that runs Cisco routers and switches.

The networking giant was already a target for cyberattacks, but that move probably put even more heat on its security team. For example, shortly after Cisco sued, and then settled with, the researcher, its Web site security was breached. The company alerted customers and advised them to change their passwords.

John Stewart is Cisco's chief security officer and heads up the company's IT security team, among other security-related groups. With his staff, Stewart secures a network used by about 40,000 people with more than 60,000 PCs and countless other network-connected devices, including 50,000 voice over Internet Protocol, or VoIP, phones.
On the day before the annual RSA Conference security confab in San Jose, Calif., Stewart talked to CNET News.com about his responsibilities.

Q: There is a big bull's-eye on Cisco as an organization. What do you do to defend yourself against being attacked by hackers? Is there a simple solution?

Stewart: I don't think there is a simple solution. Probably the best way to describe it is that we never stop trying to think like our attackers. The best way to think about a defense is to think about the offense. The means by which we approach it go from everything from technology to how we educate and train people toward being aware of the risks and ideally to get security as a piece of every network element and into every person's mind.

A lot of people tend to talk about security as the latest security patch or the latest vulnerability that's out there. Do you see security in that way?

Stewart: No, those are a great deal about a known class of threats and usually there is a technology answer to your problem. We have a tendency to think about whole classes of problems. Patching is an availability problem just as much as it's a security problem. A virus is just as much a user awareness issue as it is a technology threat. In focusing on trying to handle classes of problems like that, we want to take people issues first, define it and then get a technology answer toward mitigating classes of problems.

What would you say are some of the key issues you face in terms of security at Cisco and in defending the Cisco network?

Stewart: The types of threats that we all face now are motivated by true financial gain. Oftentimes what we had was an annoyance, or a disruptive kind of threat, something that was not really trying to damage or steal, but we have moved away from that now. This is about mitigating theft and mitigating true damage. That's most different than what we faced in the last few years.
If you can describe some of the attacks that you face, what types of attacks are those and do you see many?

Stewart: We face distributed denial of service attacks against our Web site, sometimes right towards the end of our quarter. That's a level of business knowledge that an attacking team has. In an attempt to disrupt electronic commerce, we will get an attack near the end of our quarter. That's a different style than we've seen in the past. We certainly face a lot of the more common ones, or the more frequently talked about ones, be it spam, be it the viruses and worms, but we have mitigated to a great degree the risks associated with those.

How do you measure if you have been successful in your job as a security professional at Cisco?

Stewart: That nobody knows we're there and they are feeling safe.

Microsoft is releasing a new operating system later this year, Windows Vista. Microsoft likes to tout all the security enhancements in Vista. Do you care about things like that? Do you look at that and think: 'This is going to help me in terms of my security exposure?'

Stewart: Not at an operating system by operating system level. Any new technology is one that will have positives in its ability to protect itself and it will have new threats. That's not a Microsoft problem, it is every operating system developed.

When you're protecting your own network, what kind of products do you like to use, what sort of technologies do you use?

Stewart: We use behavioral technology. The first and best defense we use on computers at Cisco is the Cisco Security Agent. And by behavioral, what it is really doing is saying an operating system is running this way normally, but everything else is questionable. It might be OK, but you have to pose a question to find out whether it really is or isn't. Single-handedly the most important technology we have deployed for protecting our computers in the past couple of years.
We still use antivirus, we still use anti-spyware, those are key elements. We use all three of Symantec, Trend and McAfee.

You mentioned you use Cisco products also to protect your own network. What do you do if you have a problem with a Cisco product and does that ever occur?

Stewart: It absolutely occurs. But being a part of engineering, as my team is, and we're part of IT as well, we get to work with engineering very closely. If there is ever a unique need on a product or there is a whole product we have not even invented yet that would be best suited to protect an enterprise, being so collaborative with my engineering team means that we can see the problem from both sides. They can use us as the practicing arm of what they are developing. I am a customer and I'd like to say that I am in a class of good tough customers.

Would you say that in terms of security at Cisco you are also accountable for security and totally responsible?

Stewart: I think everybody at Cisco is accountable for security at Cisco. What I am uniquely accountable for, as is my team, is education and awareness and the use of technology to help best protect our company. What I'd rather never say is that a security team is responsible for security at a company, namely my security team is responsible for security at Cisco. That means that 99 percent of the company somehow isn't. That's the inverse of what I am looking for. I'd rather be helpful to the business, towards it understanding that we're all responsible.

Do your users seem to understand that as well, or do they say: 'John is responsible for everything, I can go connect my laptop to a rogue wireless access point, he's going to take care of it anyway. I can go download spyware or Kazaa onto my PC, John is going to take care of it, it is not really my deal?'

Stewart: With this many people, there will always be cases where a person did not realize that they could not do something.
From John Chambers as our CEO on down, we all realize that security is part of our responsibility.

Is there any technology you won't use because of security reasons? I know of companies that won't use wireless networking, let mobile devices such as Palm Treo smart phones onto their networks, or let somebody connect an iPod to their work computer because of possible security issues.

Stewart: We put security software on the Treos and allow them to be deployed. Most people want the Treos not only for contact information, they also want to use other applications like e-mail. We say they are allowed to use it with e-mail, if they install security software. It is part of making security part of the generic process. We know that you want to do something productive, here is how you do it safely.

© 2006 CNET Networks, Inc.

From isn at c4i.org Wed Feb 15 03:14:45 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Feb 2006 02:14:45 -0600 (CST)
Subject: [ISN] Gates says security boils down to four focus areas
Message-ID:

http://www.networkworld.com/news/2006/021406-gates-keynote-rsa-security.html

By John Fontana
Network World
02/14/06

Bill Gates Tuesday opened the annual RSA Security Conference with an overview on the state of security that was long on vision and broad with its details.

Gates, Microsoft's chief software architect, said the industry must meet a set of four high-priority initiatives in order to improve security in an ever-increasing digitized world that is working more and more over the Internet.

Gates started off light, saying he was glad to be keynoting at RSA because his other invitation "was to go quail hunting with Dick Cheney. I'm feeling really safe right now," he said.

Gates then launched into the importance of security going forward and categorized a set of priorities under four headings: trust ecosystem, engineering for security, simplicity, and fundamentally secure platforms.
"It is a very big challenge to make sure that security is not the thing holding us back," Gates said. "The Internet is such a critical infrastructure for productivity, for reliability, for privacy that the dream we have can only be realized if we not only build secure approaches but make them easy to administer and make it so the users understand exactly what to expect. That means a lot of invention and a lot of improvement from where we are today."

Gates gave very little in the way of new initiatives or ideas at Microsoft for meeting his four broad goals, instead tailoring his remarks around announced features in the upcoming Windows Vista client operating system including smart card support, identity technology called InfoCard, and improvements in the Internet Explorer browser.

The only real announcement was that Microsoft's Certificate Lifecycle Manager was now in beta. The announcement came as an aside during a demo showing how a user who lost his smart card, laptop and phone could quickly get replacements. Gates used the demo to highlight his trust ecosystem, one of his four priority areas for improving security.

"We have chains of trust," Gates said. "What we need to do is track those trust relationships, to grab permissions, to revoke those trust relationships, to develop reputation over time." He said today people live without a trust ecosystem. "It can't be something whether it is one unique piece of software or one unique organization, it has to be totally federated so all the trust statements can be understood and reasoned against. With that we get reputation, for code, for users, across all the different activities they do."

He said one key of the ecosystem would be about people and the need to manage certificates, including issuance and revocation. Gates said over the next 3 to 4 years corporate users should start to see a shift away from passwords to two-factor authentication in the form of smart cards.
And he said high-value certificates would help users reliably identify Web site owners.

In terms of engineering for security, Gates used as an example Microsoft's use of tools and new design practices for developing secure code. "Code has to operate as expected," he said.

In terms of simplicity, Gates said Microsoft has to get dramatically better. "The number of screens you have to get involved in, the number of places you have to go to find out what went on are still too high," he said. Gates pointed out some of the things that Microsoft is doing to get better, such as: the inclusion of the OneCare security service in Vista, improvements to the Security Center in the operating system, the use of group policy controls by IT, and the use of InfoCard, a system now supported in IE 7.0 that lets users control the dissemination of their own identity information. "Security and management are not really two separate things," Gates said.

Under his goal for fundamentally secure platforms, Gates pointed out Vista, which he said would take Microsoft to new heights in terms of security. He highlighted user protection controls that limit administrative rights and keep malicious code from running amok, along with Windows Defender for blocking spyware. Beta 2 of Defender also was released today.

Gates wrapped up by saying the industry needs to focus on all four of these security areas. "The opponent in this case - is not standing still," he said.

From isn at c4i.org Wed Feb 15 03:13:51 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Feb 2006 02:13:51 -0600 (CST)
Subject: [ISN] Romanian hacker breaks in to UA journalism computers
Message-ID:

http://www.azstarnet.com/metro/115789

By Djamila Grossman
Arizona Daily Star
Tucson, Arizona
02.14.2006

Hackers broke into the computer system of the University of Arizona journalism department, and students were unable to use the computers Monday.
All of the department's Apple Macintosh computers were affected and have been logged off the server and the Internet until the problem is solved, said Jacqueline Sharkey, head of the department. No information has been lost so far, she said. It was unclear Monday how long it would take to fix the security leak, she said.

"It's a very serious issue, and we took action immediately," Sharkey said.

Department officials uncovered the problem during the weekend when they ran a security check on the computers. Many of the computers have had issues in the past weeks that led to temporary shutdowns, but Sharkey said everyone thought it was a hardware problem.

The computers are protected by a password, and Sharkey said she suspects that the hackers got through by trying "again and again and again." The security check showed that in other unrelated cases, hackers from Korea and Indonesia had tried to gain access to the system but were unsuccessful, she said.

"No type of computer is invulnerable," she said. "Attempts are really common, but they usually fail. In this particular case, the person was able to get in."

The department works together with the UA's Center for Computing and Information Technology, which determined that the hacker was in Romania, Sharkey said. Computers used by students to produce the Daily Wildcat newspaper were not affected. All journalism classes will continue on schedule.

From isn at c4i.org Wed Feb 15 03:14:07 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Feb 2006 02:14:07 -0600 (CST)
Subject: [ISN] Microsoft issues seven security patches
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,108700,00.html

By Shelley Solheim
FEBRUARY 14, 2006
IDG NEWS SERVICE

Microsoft Corp. today released seven software patches, including fixes for security flaws in Internet Explorer (IE) and Windows Media Player that were given a critical severity rating by the company.
But security researchers said that the latest monthly batch of patches from Microsoft isn't particularly ominous.

"These are seven of the most boring patches I've ever seen," said Russ Cooper, a senior information security analyst at Cybertrust Inc. in Herndon, Va., and editor of the NTBugtraq mailing list. "I think they were being nice to us on Valentine's Day so no one would be bogged down applying seven [patches] tonight."

"There's definitely no super-serious, freak-out vulnerability," agreed Mike Murray, director of vulnerability research at nCircle Network Security Inc., a security software vendor in San Francisco.

One of the critical patches provides a fix for a vulnerability in the way that IE handles Windows Metafile (WMF) images. However, the flaw only affects IE 5.01 Service Pack 4 running on Windows 2000 systems that have the SP4 version of the operating system installed, Microsoft said in a security bulletin.

The vulnerability could enable an attacker to construct a WMF image that would support the remote execution of code on systems if users viewed a malicious Web site, e-mail or e-mail attachment, according to Microsoft. If successful, an attacker could take control of an affected system.

Because the new vulnerability affects such a narrow scope of users, it isn't as severe as the WMF flaw that Microsoft patched early last month, ahead of the company's regular monthly patch release in January, said Michael Sutton, director of VeriSign Inc.'s iDefense Labs unit in Reston, Va. "We're not aware of any public exploit code for it at this time," Sutton said.

The other critical vulnerability affects the way that Windows Media Player processes bitmap (.bmp) files, Microsoft said. An attacker could exploit that flaw by creating a malicious .bmp file that could be used to execute code remotely or take control of systems if users visited a malicious Web site or viewed a specially crafted e-mail message.
Microsoft deemed the Media Player flaw to be critical for users of Windows XP SP1 and SP2 as well as Windows Server 2003, Windows 2000 SP4 and other earlier versions of the operating system.

The Media Player flaw could pose more of a ripe target for attackers than the WMF one does, Sutton cautioned. "Even though Windows Media Player is not something generally used to render images, it has the capability of doing that," he said. "It's not difficult to create a Web page that uses Windows Media Player to display an image instead of the default application."

The remaining five patches affect products such as PowerPoint and the Windows Web Client and were all rated as "important" fixes by Microsoft.

From isn at c4i.org Thu Feb 16 05:40:53 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Feb 2006 04:40:53 -0600 (CST)
Subject: [ISN] Security titans weigh in on buyout environment
Message-ID: 

http://news.com.com/Security+titans+weigh+in+on+buyout+environment/2100-7350_3-6040297.html

By Dawn Kawamoto
Staff Writer, CNET News.com
February 15, 2006

SAN JOSE, Calif.--Psst buddy, got a security company to sell?

Security companies that are privately held and in the business of protecting information from espionage and offering up secure access are attractive among potential buyers, a panel of security titans and bankers said here Thursday during the RSA Conference 2006.

The panel, speaking to a standing-room-only crowd, addressed the current mergers and acquisition environment for security companies, as well as what it takes for them to gain interest in potential buyout candidates.

The current valuation for privately held security companies, based on projecting out future revenues, is a mean of slightly more than 6.5 times those revenues. But valuations for publicly traded security companies are substantially lower, said Rob Owens, vice president of equity research for Pacific Crest Securities and panel moderator.
"Most of the innovation comes from smaller companies," said Parveen Jain, executive vice president of corporate development and strategy for McAfee, in explaining the difference between valuing a private security company and a public one.

Another issue for buyers is public companies tend to be more mature, offering less potential revenue growth, said Michael Cristinziano, vice president of strategic development for Citrix, which acquired SSL VPN start-up Net6 for $50 million two years ago. He added that the ability of a potential buyout target to add to his company's earnings within a 12-month period is a key consideration on whether to do a deal.

Symantec, which has been on a tear with acquisitions big and small, wants its potential lifelong partners to have frank discussions with the security giant on its financial outlook and performance. James Socas, senior vice president of Symantec's corporate development, recalled a time when a private company provided financial information that showed declining revenues over a three-year period, yet had a forecast of more than doubling its revenues in the following year.

McAfee, meanwhile, hones in on the candidate's operating team, assessing whether they can deliver on the technology and financial numbers they have projected, and be flexible if changes are needed to their business plan.

In providing a broad view of areas in which they are interested in making acquisitions, Jain said McAfee finds areas that need addressing include industrial spying, or the tampering and theft of information. Symantec is anticipating more companies will find it incumbent to take on the role of managing their own security, similar to what consumers have done. Citrix is focusing on deals that will provide its customers with the "best access experience," Cristinziano said.
Technology to solve the leakage of sensitive information is an area that a number of large potential buyers are interested in, said panelist Neel Kashkari, an investment banker with Goldman Sachs.

Kashkari noted Microsoft's entry into the antivirus market has had a negative effect on start-ups in a similar market that are seeking funding or a buyout. "It's created an overhang with valuations," he noted.

A number of security companies are turning to a buyout, rather than going public, as a means to pay back initial investors, the panelists noted, pointing to NetScreen Technologies' 2002 IPO as the last "meaningful" public offering of a security company.

The regulatory environment, including Sarbanes-Oxley, has made executives of private companies more hesitant to go public, rather than selling their operations, the panelists said. Another issue is that single product security companies are finding Wall Street is less receptive in the post-bubble environment. And then there are the attractive valuations for privately held security companies, in the current climate.

"Mergers and acquisitions are white hot right now," Socas said. "We've seen a lot of good companies on the private side."

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Thu Feb 16 05:41:11 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Feb 2006 04:41:11 -0600 (CST)
Subject: [ISN] Morgan Stanley offers $15M fine for e-mail violations
Message-ID: 

http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,108687,00.html

By Reuters
FEBRUARY 14, 2006

NEW YORK -- U.S. investment bank Morgan Stanley has offered to pay $15 million to resolve an investigation by U.S. regulators into its failure to retain e-mail messages, according to a regulatory filing.

The Wall Street firm said it had reached "an agreement in principle" with the U.S. Securities and Exchange Commission's Division of Enforcement to resolve an investigation into its preservation of e-mails.
The fine would be one of the largest penalties ever imposed on a Wall Street firm for failing to preserve records. U.S. market regulators had threatened to fine Morgan Stanley for failing to keep e-mails in several recent cases brought against the brokerage.

Morgan Stanley said the proposal has yet to be presented to the SEC, and no assurance can be given that it will be accepted. The firm said part of the fine would go to regulators.

Morgan Stanley also said it was discussing resolution of related charges with the National Association of Securities Dealers, although no agreement has been reached.

The investigation has been ongoing, with Morgan Stanley last April saying that SEC staff had recommended actions against the firm for failing to comply with a 2002 order relating to retention of e-mails.

E-mail played a central role in a $1.58 billion judgment against Morgan Stanley and in favor of Ronald Perelman, the billionaire investor who said he was defrauded by the Wall Street company over the sale of a business and focused on the firm's inability to produce documents.

The judge in that case, frustrated by Morgan Stanley's inability to produce e-mail documents demanded by Perelman's lawyers -- the firm said backup tapes had been overwritten -- took the unusual step of switching the burden of proof so that Morgan Stanley had to prove its innocence.

The firm told the SEC that it was working to rectify its problems and pleaded for leniency, saying the transgressions happened when former CEO Philip Purcell, who stepped down last June after a shareholder campaign for his ouster, was running the firm.

From isn at c4i.org Thu Feb 16 05:41:45 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Feb 2006 04:41:45 -0600 (CST)
Subject: [ISN] TCP/IP Changes in Windows Vista and Longhorn
Message-ID: 
====================

1. In Focus: TCP/IP Changes in Windows Vista and Longhorn

2. Security News and Features
   - Recent Security Vulnerabilities
   - Intel Invests in European Linux Solution Provider Collax
   - Sophos to Sell ActiveState
   - Three Products Achieve ICSA Labs Desktop Anti-Spyware Certification

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Share Your Security Tips

4. New and Improved
   - Monitor Windows Event Logs for Compliance

====================

==== 1. In Focus: TCP/IP Changes in Windows Vista and Longhorn ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

The upcoming Windows Vista and Longhorn server releases will both use a redesigned TCP/IP stack. The new stack will bring several new features, including routing compartments, a better host model, better support for IP version 6 (IPv6), a new packet-filtering API, and some other changes that don't necessarily affect security (you can read about these changes at the URL at the end of this editorial).

The routing compartments feature is really interesting. It lets each user logon session have its own routing table and will prevent Internet traffic from being routed across a VPN into an intranet.

The new host model will help defend against attacks on multihomed systems. So for example, a packet that reaches a network interface must have a destination address that matches the interface's address or the packet will be dropped.
The new packet-filtering API, now known as Windows Filtering Platform (WFP), will help developers more easily filter or change packets before they're processed further along in the OS. This means that tools such as firewalls and antivirus and antispyware products can better control which data enters the system. You can learn more about WFP at the following URL:
http://list.windowsitpro.com/t?ctl=20EB4:4FB69

Windows XP and Windows Server 2003 both support IPv6; however, functionality is somewhat limited because they don't support Internet Key Exchange (IKE) and data encryption. The new TCP/IP stack will fix this problem by introducing a fully functional IPv6 protocol layer, which will be enabled by default.

However, using IPv6 won't be without problems. Microsoft said that an IPv6-enabled system will first request an AAAA record (which is a record for IPv6 addresses). If the query fails, the system will request an A record (a record for IPv4). Some DNS servers won't answer the A record request if the AAAA request fails. If you want to get a head start on building IPv6 functionality, make sure your DNS server will handle the AAAA, A sequence of requests.

Another issue with IPv6 is Network Address Translation (NAT), which might also break connectivity. To get around that problem, Microsoft uses Teredo (also known as Shipworm), which is a method of encapsulating IPv6 inside IPv4 UDP packets. Microsoft first released Teredo support in its Advanced Networking Pack for Windows XP in XP Service Pack 1 (SP1) and later shipped Teredo as part of XP SP2 and Windows 2003 SP1. Teredo will be a standard part of Windows Vista and Longhorn server.

You can read more about the IPv6 enhancements at the first URL below and learn more about other new features of the TCP/IP stack at the second URL below.
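As an added illustration (not part of the newsletter), here is the AAAA-then-A lookup sequence described above in Python: a minimal DNS wire-format client that asks for AAAA, falls back to A, and flags a server that goes quiet on the A query once the AAAA query has failed, which is the behaviour the editorial tells you to test your DNS server for. The transport is a pluggable `send` callable, so the block runs offline against a constructed stand-in server; the hostnames and addresses (`www.example.test`, `192.0.2.10`, `2001:db8::1`) are made-up documentation values, and a real UDP sender can be dropped in to check a server of your own.

```python
"""Added example: AAAA-then-A lookup with a check for servers that drop the A query."""
import random
import socket
import struct

TYPE_A, TYPE_AAAA = 1, 28

def build_query(name, qtype, txid):
    """Encode a one-question DNS query (RD=1) in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def skip_name(msg, off):
    """Return the offset just past a domain name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg, txid, qtype):
    """Return (rcode, [addresses of qtype]), or None if msg is not a reply to txid."""
    if len(msg) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        return None
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == qtype:
            fam = socket.AF_INET6 if qtype == TYPE_AAAA else socket.AF_INET
            addrs.append(socket.inet_ntop(fam, rdata))
    return flags & 0x000F, addrs

def resolve_with_fallback(name, send):
    """AAAA first, then A (the order the editorial describes); `send` returns a raw reply or None.

    The status field records which step answered.  A server that fails the AAAA
    query and then never answers the following A query is reported as 'broken'.
    """
    result = {"name": name, "aaaa": [], "a": [], "status": ""}
    txid = random.randrange(0x10000)
    reply = send(build_query(name, TYPE_AAAA, txid))
    parsed = parse_response(reply, txid, TYPE_AAAA) if reply else None
    if parsed and parsed[1]:
        result["aaaa"], result["status"] = parsed[1], "ipv6"
        return result
    txid = random.randrange(0x10000)  # AAAA failed (timeout, error or no data): try A
    reply = send(build_query(name, TYPE_A, txid))
    parsed = parse_response(reply, txid, TYPE_A) if reply else None
    if parsed is None:
        result["status"] = "broken: A query unanswered after failed AAAA"
    elif parsed[1]:
        result["a"], result["status"] = parsed[1], "ipv4_fallback"
    else:
        result["status"] = "unresolvable"
    return result

def fake_server(records, silent_after_failed_aaaa=False):
    """Constructed stand-in for a DNS server; `records` maps (name, qtype) -> [address].

    With silent_after_failed_aaaa=True it imitates the misbehaving servers the
    editorial warns about: once an AAAA query has failed, it drops the A query.
    """
    state = {"aaaa_failed": False}

    def send(query):
        txid, = struct.unpack(">H", query[:2])
        qend = skip_name(query, 12) + 4
        qtype, = struct.unpack(">H", query[qend - 4:qend - 2])
        # match the question against the constructed records by re-encoding each key
        key = next((k for k in records if build_query(k[0], k[1], txid)[12:] == query[12:]), None)
        addrs = records.get(key, [])
        if qtype == TYPE_A and state["aaaa_failed"] and silent_after_failed_aaaa:
            return None  # simulated timeout
        if qtype == TYPE_AAAA and not addrs:
            state["aaaa_failed"] = True
        fam = socket.AF_INET6 if qtype == TYPE_AAAA else socket.AF_INET
        rrs = b"".join(query[12:qend - 4] + struct.pack(">HHIH", qtype, 1, 300, len(rd)) + rd
                       for rd in (socket.inet_pton(fam, a) for a in addrs))
        return struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0) + query[12:qend] + rrs
    return send

if __name__ == "__main__":
    good = fake_server({("www.example.test", TYPE_A): ["192.0.2.10"]})
    print(resolve_with_fallback("www.example.test", good))
    bad = fake_server({("www.example.test", TYPE_A): ["192.0.2.10"]}, silent_after_failed_aaaa=True)
    print(resolve_with_fallback("www.example.test", bad))
```

To test a real server, replace `fake_server(...)` with a function that sends the query bytes over UDP port 53 and returns the datagram or None on timeout; `resolve_with_fallback` needs nothing else.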
http://list.windowsitpro.com/t?ctl=20EAB:4FB69
http://list.windowsitpro.com/t?ctl=20EAC:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=20EAF:4FB69

Intel Invests in European Linux Solution Provider Collax
Collax announced that Intel Capital has invested in the company, bringing its total Series A funding to $8.4 million. Collax Business Server's management interface offers simplified management functions for security features including firewalls, proxies, VPNs, antivirus, antispam, antiphishing, PKI, and Web content filtering.
http://list.windowsitpro.com/t?ctl=20EB9:4FB69

Sophos to Sell ActiveState
Security solutions provider Sophos will sell its ActiveState unit to Canadian venture capital firm Pender Financial Group for $2.25 million. Pender Financial intends to acquire ActiveState through a newly incorporated company, which will allow ActiveState to become independent.
http://list.windowsitpro.com/t?ctl=20EBA:4FB69

Three Products Achieve ICSA Labs Desktop Anti-Spyware Certification
Three products have earned ICSA Labs Desktop Anti-Spyware Certification. ICSA Labs antispyware testing criteria determine whether products can defend systems against spyware, keyloggers, password stealers, dialers, rootkits, and adware. Find out which products earned certification in this article on our Web site.
http://list.windowsitpro.com/t?ctl=20EB7:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Wipe Data from Your Old Media
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=20EBC:4FB69

I've covered this issue several times in different ways. Now there's more help: the National Institute of Standards and Technology (NIST) issued a new guide, "Guidelines for Media Sanitization." Find out more in the blog article.
http://list.windowsitpro.com/t?ctl=20EB8:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=20EBB:4FB69

Q: How can I clear the cache from Microsoft Internet Explorer (IE)?

Find the answer at
http://list.windowsitpro.com/t?ctl=20EB6:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Monitor Windows Event Logs for Compliance
TNT Software offers ELM Event Log Monitor (EVM), which provides monitoring, alerting, reporting, and archiving for Windows event logs. TNT says it leveraged specific functionalities of its ELM Enterprise Manager to produce a tool to meet companies' compliance and security challenges. EVM collects Windows events from hundreds of systems and presents the results at a centralized console, triggers real-time alerts, stores the event data in a central database, and generates audit reports. EVM monitors high-level account changes and logon/logoff activity for compliance and security purposes. You can use preconfigured or customized monitoring settings. For more information, go to
http://list.windowsitpro.com/t?ctl=20EBE:4FB69
====================

Windows IT Pro, a division of Penton Media, Inc.
Copyright 2006, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Feb 16 05:42:03 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Feb 2006 04:42:03 -0600 (CST)
Subject: [ISN] Security vetting of IT staff on the way, says Unisys
Message-ID: 

http://computerworld.co.nz/news.nsf/news/1421BB672FBCD19ACC257111000FC761

By Stephen Bell
Wellington
16 February, 2006

The phrase "security clearance" will become more common in general business as well as sensitive government agencies, says Unisys security consultant Terry Shubkin.

"The weakest link in the security chain is still people," she told a Computer Society meeting last week.

Increasingly, companies will insist that ICT support staff and client-facing staff must be security cleared, ensuring that they have no suspicious incidents in their past and are likely to abide by the company's security standards.

Increasing concern with security, she says, will provide one more disincentive in the already delicate decision whether to outsource ICT work overseas.
If the staff working on software are too far from vetting and control by head office, vulnerabilities could intentionally or inadvertently be introduced to its ICT systems.

Identity management, "still in its very early days for most New Zealand companies," will get more attention in the near future, Shubkin says. The means by which an employee identifies him/herself to the company network will become increasingly advanced, and will more often include biometrics of some kind, she says. Increased sophistication will also come into identity management's logical partner, authorisation.

Shubkin also refers to the growing fear of weaknesses in mobile equipment, which emphasises security as a whole-of-company business-oriented policy, reaching to the highest directors. It's difficult to countermand the chief executive who demands a BlackBerry or similar PDA which will access the company's network and also be connected to unknown other equipment, she concedes, but everyone must observe security disciplines.

Some more inert devices, such as flash-memory chips with a USB connection, may be just as dangerous, Shubkin says. There have been cases of them being infected with viruses and spyware which copied all open files on the system and then "phoned home" as soon as the chip was plugged into an internet-connected machine.

Plans for business continuity in the face of a natural disaster are another worry. At least half the audience indicated they had given some thought to the ICT consequences of a bird-flu pandemic. Plans typically include people working from home or elsewhere off-site, and the security risks of this mode of operation must be scrupulously evaluated, she says.

Increasing skill in the population and more advanced development tools are allowing viruses and other exploits to be developed more easily and quickly. The number of exploits for Unix-type operating systems, including Linux, is increasing and, some sources suggest, now exceeds exploits for Windows.
Exploits no longer attack the operating system only; some target the network infrastructure, Shubkin says.

Formal tools are evolving to help companies evaluate their security "maturity", with diagrams and dashboards able to identify how mature the organisation is in this respect and where specific failings are.

Copyright © 2005, IDG Communications New Zealand Limited

From isn at c4i.org Thu Feb 16 05:42:24 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Feb 2006 04:42:24 -0600 (CST)
Subject: [ISN] Security Breach Reported in N.H. Computers
Message-ID: 

http://www.washingtonpost.com/wp-dyn/content/article/2006/02/15/AR2006021502764.html

The Associated Press
February 15, 2006

CONCORD, N.H. -- New Hampshire's state computer system was breached, possibly by a hacker seeking residents' credit card numbers, Gov. John Lynch said Wednesday.

The breach involved online and in-person transactions in various locations, including motor vehicle offices and state liquor stores.

"We felt it was important to alert the public that there is at least the possibility that some credit card information may have been accessed," Lynch said.

No illegal activity has been reported, but officials asked people who used credit cards with the state in the last six months to report suspicious purchases.

State information technology experts became aware of the breach Wednesday when they discovered illegal software in the system. The software, which may have been installed for six months, allows a hacker to watch transactions in real time, officials said.
From isn at c4i.org Thu Feb 16 05:42:43 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Feb 2006 04:42:43 -0600 (CST)
Subject: [ISN] Homeland Security Spells Out Coming Online Threats
Message-ID: 

Forwarded from: William Knowles 

http://www.informationweek.com/news/showArticle.jhtml?articleID=180202429

By Gregg Keizer
TechWeb News
Feb 15, 2006

The top Internet threats for 2006 will include more attacks through instant messages and cell phones, as well as a boost in identity hacks against online brokerage accounts, the Department of Homeland Security and the National Cyber Security Alliance predicted Wednesday.

By joining forces, the Department of Homeland Security (DHS) and National Cyber Security Alliance (NCSA) hope to give consumers time to put additional protection in place on their PCs.

"Arming consumers with a list of emerging threats is just the first step to educating [them] about the ever-evolving online security environment," said Ron Teixeira, NCSA executive director, in a statement. "It is critical that we also empower users with the how-to practices to protect themselves against these risks."

Calling instant messaging networks "extremely vulnerable" and noting that cell phone malware is on the rise, the federal agency and the non-profit also predicted more "spear phishing" [1], or targeted phishing attacks.

Other threats to expect, said the DHS and NCSA, include an increase in brokerage account break-ins. "Since the nature of online brokerage accounts makes it easy to transfer funds from various accounts outside the firm, online brokerage accounts are attractive targets for hackers and thieves," a warning posted online [2] read.

NCSA, whose members include America Online, eBay, Microsoft, and Symantec, operates a site dubbed StaySafeOnline.org [3] which offers consumer information on safe computing practices.
Among its recommendations, the group said consumers should have a firewall in place, install and keep up-to-date anti-virus and anti-spyware software, and regularly update their computers' operating systems.

[1] http://www.techweb.com/encyclopedia/defineterm.jhtml?term=phishing
[2] http://www.staysafeonline.org/basics/2006threatlist.html
[3] http://www.staysafeonline.org/index.html

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Fri Feb 17 03:16:01 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:16:01 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-7
Message-ID: 

========================================================================

The Secunia Weekly Advisory Summary
2006-02-09 - 2006-02-16

This week : 110 advisories

========================================================================

Table of Contents:

1) Word From Secunia
2) This Week In Brief
3) This Week's Top Ten Most Read Advisories
4) Vulnerabilities Summary Listing
5) Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g.
by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Microsoft has released 7 security bulletins as part of their monthly patch release cycle. All users are advised to visit Windows Update and apply available patches.

For additional details about the issues corrected, please refer to the referenced Secunia advisories below.

References:
http://secunia.com/SA18865
http://secunia.com/SA18859
http://secunia.com/SA18853
http://secunia.com/SA18852
http://secunia.com/SA18835
http://secunia.com/SA18729

--

Secunia Research has discovered multiple vulnerabilities in Lotus Notes, which can be exploited by malicious people to bypass certain security restrictions or compromise a user's system.

Additionally, Secunia Research also reported multiple vulnerabilities in Lotus Domino and iNotes Client, which can be exploited by malicious people to cause a DoS (Denial of Service) or conduct script insertion attacks.

Please refer to the referenced Secunia advisories below for details.

References:
http://secunia.com/SA16340
http://secunia.com/SA16280

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

 1. [SA16280] IBM Lotus Notes Multiple Vulnerabilities
 2. [SA18760] Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities
 3. [SA16340] IBM Lotus Domino Multiple Vulnerabilities
 4. [SA18700] Firefox Multiple Vulnerabilities
 5. [SA18649] Winamp Three Playlist Parsing Buffer Overflow Vulnerabilities
 6. [SA18835] Windows Media Player Bitmap File Processing Vulnerability
 7. [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
 8. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
 9. [SA18787] Internet Explorer Drag-and-Drop Vulnerability
10. [SA18789] HP Systems Insight Manager JBoss and Directory Traversal

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA18912] Avaya Products WMF Image Parsing Vulnerability
[SA18852] Windows Media Player Plug-in EMBED Element Buffer Overflow
[SA18835] Windows Media Player Bitmap File Processing Vulnerability
[SA18872] eStara SoftPhone SIP Packet Handling Denial of Service
[SA18828] SSH Tectia Server SFTP Service Unspecified Vulnerability
[SA18789] HP Systems Insight Manager JBoss and Directory Traversal
[SA18859] Microsoft Windows / Office Korean Input Method Editor Vulnerability
[SA18865] Microsoft PowerPoint Temporary Internet Files Information Disclosure
[SA18787] Internet Explorer Drag-and-Drop Vulnerability
[SA18888] MailSite LDAP Service Denial of Service Vulnerability
[SA18853] Microsoft Windows IGMP Denial of Service Vulnerability
[SA18857] Microsoft Windows Web Client Service Vulnerability
[SA18813] iE Integrator Configuration Information Disclosure Weakness

UNIX/Linux:
[SA18884] Gentoo update for sun-jdk/sun-jre-bin
[SA18796] Metamail Mail Boundary Handling Buffer Overflow
[SA18911] Avaya Products Ethereal Vulnerabilities
[SA18887] Debian update for otrs
[SA18882] Debian update for pdfkit.framework
[SA18875] Debian update for gpdf
[SA18871] Red Hat update for imagemagick
[SA18870] Dovecot "imap/pop3-login" Denial of Service Vulnerability
[SA18864] Red Hat update for xpdf
[SA18863] Red Hat update for libpng
[SA18862] Red Hat update for kdegraphics
[SA18861] Ubuntu update for kernel
[SA18860] Ubuntu update for xpdf/poppler/kdegraphics
[SA18851] Gentoo update for imagemagick
[SA18839] Fedora update for poppler
[SA18838] Fedora update for xpdf
[SA18837] Fedora update for kdegraphics
[SA18834] Debian update for xpdf
[SA18832] Red Hat update for gnutls
[SA18830] Mandriva update for gnutls
[SA18826] Gentoo update for kdegraphics/kpdf
[SA18825] Gentoo update for xpdf/poppler
[SA18821] XMB Forums today.php Cookie Data SQL Injection
[SA18815] Fedora update for gnutls
[SA18799] VHCS Security Issue and Multiple Vulnerabilities
[SA18794] GnuTLS libtasn1 DER Decoding Denial of Service Vulnerabilities
[SA18788] SUSE update for kernel
[SA18785] NeoMail neomail-prefs.pl Missing Session ID Validation
[SA18784] Trustix update for kernel
[SA18889] Debian update for nfs-user-server
[SA18818] Isode M-Vault Server LDAP Vulnerability
[SA18845] GnuPG "gpgv" Signature Verification Security Issue
[SA18841] Power Daemon WHATIDO syslog Format String Vulnerability
[SA18827] Debian update for kronolith
[SA18916] Debian update for libast
[SA18891] Sun Solaris "in.rexecd" Privilege Escalation Vulnerability
[SA18829] Debian update for scponly
[SA18812] Debian update for noweb
[SA18811] SUSE ld Insecure RPATH Privilege Escalation
[SA18809] noweb Insecure Temporary File Creation Vulnerabilities
[SA18806] Ubuntu update for heimdal
[SA18867] Honeyd IP Reassembly Remote Detection Weakness
[SA18824] Kadu Image Send Request Denial of Service
[SA18797] CGIWrap Error Message System Information Disclosure
[SA18907] Mac OS X Kernel Local Denial of Service Vulnerability
[SA18850] SUSE update for openssh
[SA18798] OpenBSD update for openssh
[SA18795] AIX Kernel Unspecified Local Denial of Service Vulnerability

Other:
[SA18836] Avaya CSU/VSU ISAKMP IKE Message Processing Vulnerabilities
[SA18833] D-Link Wireless Access Point Denial of Service Vulnerability
[SA18904] Cisco Products TACACS+ Authentication Bypass
[SA18844] FortiGate URL Filter and Virus Scanning Bypass Vulnerabilities

Cross Platform:
[SA18883] Plume CMS prepend.php File Inclusion Vulnerability
[SA18879] dotProject File Inclusion and
Information Disclosure Vulnerabilities [SA18878] Magic News Lite File Inclusion and Profile Update Vulnerabilities [SA18847] Flyspray Installation Script "adodbpath" File Inclusion Vulnerability [SA18808] LinPHA "lang" Local File Inclusion Vulnerability [SA18807] HiveMail Multiple Vulnerabilities [SA18803] DocMGR process.php File Inclusion Vulnerability [SA18800] Runcms File Upload and File Inclusion Vulnerabilities [SA18905] HTML::BBCode Script Insertion Vulnerability [SA18885] webSPELL "search.php" SQL Injection Vulnerability [SA18881] PHP Classifieds "member_login.php" SQL Injection [SA18880] SAP Business Connector Arbitrary File Access and Spoofing [SA18877] Magic Downloads Settings Update Authentication Bypass [SA18876] Teca Diary Personal Edition SQL Injection Vulnerability [SA18874] @Mail Webmail Image Tag Script Insertion Vulnerability [SA18873] Clever Copy Private Message "Subject" Script Insertion Vulnerability [SA18869] Lighttpd Case-Insensitive Filename Source Code Disclosure [SA18868] Squishdot Mail Header Injection Vulnerability [SA18858] PyBlosxom Arbitrary File Disclosure Vulnerability [SA18856] CALimba rb_auth.php SQL Injection Vulnerability [SA18855] Magic Calendar Lite SQL Injection Vulnerability [SA18854] Time Tracking Software Multiple Vulnerabilities [SA18849] G?stebuch Homepage URL Script Insertion Vulnerability [SA18843] WRQ Reflection Secure IT SFTP Format String Vulnerability [SA18840] Invision Power Board Army System Mod SQL Injection [SA18831] RunCMS pmlite.php SQL Injection Vulnerability [SA18823] SmE GB Host Username SQL Injection Vulnerability [SA18822] PHP/MYSQL Timesheet SQL Injection Vulnerabilities [SA18819] WebGUI User Account Creation Vulnerability [SA18817] Hitachi Business Logic Cross-Site Scripting and SQL Injection [SA18816] e107 Unspecified BBCode Script Insertion Vulnerabilities [SA18810] Ansilove File Disclosure and File Upload Vulnerabilities [SA18805] DB_eSession "deleteSession()" Function SQL Injection [SA18802] 
ImageVue Multiple Vulnerabilities [SA18801] Zen Cart Unspecified SQL Injection Vulnerabilities [SA18793] phphd Multiple Vulnerabilities [SA18791] PHPStatus Multiple Vulnerabilities [SA18790] Clever Copy HTTP Headers Script Insertion Vulnerabilities [SA18786] SmE GB Host / Blog Host "url" BBcode Script Insertion [SA18897] MyBB managegroup.php SQL Injection and Cross-Site Scripting [SA18820] PHP-Nuke "pagetitle" Cross-Site Scripting Vulnerability [SA18814] QwikiWiki "search.php" Cross-Site Scripting Vulnerability [SA18804] Siteframe "q" Cross-Site Scripting Vulnerability [SA18792] PHP Event Calendar User Information Manipulation [SA18890] PostgreSQL Privilege Escalation and Denial of Service ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA18912] Avaya Products WMF Image Parsing Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-02-16 Avaya has acknowledged a vulnerability in various products, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/18912/ -- [SA18852] Windows Media Player Plug-in EMBED Element Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2006-02-14 A vulnerability has been reported in Windows Media Player plug-in, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/18852/ -- [SA18835] Windows Media Player Bitmap File Processing Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-02-14 eEye Digital Security has reported a vulnerability in Windows Media Player, which can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/18835/ -- [SA18872] eStara SoftPhone SIP Packet Handling Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-02-15 ZwelL has discovered some vulnerabilities in eStara SoftPhone, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18872/ -- [SA18828] SSH Tectia Server SFTP Service Unspecified Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2006-02-13 A vulnerability has been reported in SSH Tectia Server, which potentially can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18828/ -- [SA18789] HP Systems Insight Manager JBoss and Directory Traversal Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of system information Released: 2006-02-10 HP has acknowledged a weakness and a vulnerability in HP Systems Insight Manager, which can be exploited by malicious people to disclose system information and potentially to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18789/ -- [SA18859] Microsoft Windows / Office Korean Input Method Editor Vulnerability Critical: Moderately critical Where: From local network Impact: System access Released: 2006-02-14 Ryan Lee has reported a vulnerability in various Microsoft products, which can be exploited by malicious people to gain escalated privileges or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18859/ -- [SA18865] Microsoft PowerPoint Temporary Internet Files Information Disclosure Critical: Less critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2006-02-14 A vulnerability has been reported in Microsoft PowerPoint 2000, which can be exploited by malicious people to gain knowledge of sensitive information. 
Full Advisory: http://secunia.com/advisories/18865/ -- [SA18787] Internet Explorer Drag-and-Drop Vulnerability Critical: Less critical Where: From remote Impact: System access Released: 2006-02-14 Matthew Murphy has reported a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/18787/ -- [SA18888] MailSite LDAP Service Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2006-02-15 Evgeny Legerov has reported a vulnerability in MailSite, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18888/ -- [SA18853] Microsoft Windows IGMP Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2006-02-14 A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18853/ -- [SA18857] Microsoft Windows Web Client Service Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-02-14 A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/18857/ -- [SA18813] iE Integrator Configuration Information Disclosure Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2006-02-14 D Scholefield has reported a weakness in iE Integrator, which can be exploited by malicious people to disclose certain system information. Full Advisory: http://secunia.com/advisories/18813/ UNIX/Linux:-- [SA18884] Gentoo update for sun-jdk/sun-jre-bin Critical: Highly critical Where: From remote Impact: System access Released: 2006-02-15 Gentoo has issued updates for sun-jdk and sun-jre-bin. 
These fix some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/18884/ -- [SA18796] Metamail Mail Boundary Handling Buffer Overflow Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-02-14 Ulf Harnhammar has reported a vulnerability in Metamail, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/18796/ -- [SA18911] Avaya Products Ethereal Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-16 Avaya has acknowledged some vulnerabilities in ethereal included in various Avaya products, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/18911/ -- [SA18887] Debian update for otrs Critical: Moderately critical Where: From remote Impact: Manipulation of data, Cross Site Scripting Released: 2006-02-15 Debian has issued an update for otrs. This fixes some vulnerabilities, which can be exploited by malicious people to conduct SQL injection, script insertion, and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18887/ -- [SA18882] Debian update for pdfkit.framework Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-15 Debian has issued an update for pdfkit.framework. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/18882/ -- [SA18875] Debian update for gpdf Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-15 Debian has issued an update for gpdf. 
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/18875/ -- [SA18871] Red Hat update for imagemagick Critical: Moderately critical Where: From remote Impact: System access Released: 2006-02-15 Red Hat has issued an update for imagemagick. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/18871/ -- [SA18870] Dovecot "imap/pop3-login" Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-02-15 A vulnerability have been reported in Dovecot, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18870/ -- [SA18864] Red Hat update for xpdf Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-14 Red Hat has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/18864/ -- [SA18863] Red Hat update for libpng Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-14 Red Hat has issued an update for libpng. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) against applications using libpng or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18863/ -- [SA18862] Red Hat update for kdegraphics Critical: Moderately critical Where: From remote Impact: System access, DoS Released: 2006-02-14 Red Hat has issued an update for kdegraphics. 
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/18862/ -- [SA18861] Ubuntu update for kernel Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-02-15 Ubuntu has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18861/ -- [SA18860] Ubuntu update for xpdf/poppler/kdegraphics Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-15 Ubuntu has issued updates for xpdf, poppler, and kdegraphics. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/18860/ -- [SA18851] Gentoo update for imagemagick Critical: Moderately critical Where: From remote Impact: System access Released: 2006-02-14 Gentoo has issued an update for imagemagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/18851/ -- [SA18839] Fedora update for poppler Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-13 Fedora has issued an update for poppler. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/18839/ -- [SA18838] Fedora update for xpdf Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-13 Fedora has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. 
Full Advisory: http://secunia.com/advisories/18838/ -- [SA18837] Fedora update for kdegraphics Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-13 Fedora has issued an update for kdegraphics. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/18837/ -- [SA18834] Debian update for xpdf Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-14 Debian has issued an update for xpdf. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/18834/ -- [SA18832] Red Hat update for gnutls Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-02-13 Red Hat has issued an update for gnutls. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18832/ -- [SA18830] Mandriva update for gnutls Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-02-14 Mandriva has issued an update for gnutls. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18830/ -- [SA18826] Gentoo update for kdegraphics/kpdf Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-02-13 Gentoo has issued updates for kdegraphics and kpdf. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. 
Full Advisory: http://secunia.com/advisories/18826/ -- [SA18825] Gentoo update for xpdf/poppler Critical: Moderately critical Where: From remote Impact: System access, DoS Released: 2006-02-13 Gentoo has issued updates for xpdf and poppler. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/18825/ -- [SA18821] XMB Forums today.php Cookie Data SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-02-13 James Bercegay has reported a vulnerability in XMB Forums, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18821/ -- [SA18815] Fedora update for gnutls Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-02-13 Fedora has issued an update for gnutls. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18815/ -- [SA18799] VHCS Security Issue and Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Privilege escalation Released: 2006-02-13 Rom?n Medina-Heigl Hern?ndez has reported some vulnerabilities in VHCS, which can be exploited by malicious people to conduct script insertion attacks, and by malicious users to bypass certain security restrictions and gain escalated privileges. Full Advisory: http://secunia.com/advisories/18799/ -- [SA18794] GnuTLS libtasn1 DER Decoding Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-02-10 Evgeny Legerov has reported some vulnerabilities in GnuTLS libtasn1, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/18794/ -- [SA18788] SUSE update for kernel Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of sensitive information, DoS Released: 2006-02-10 SUSE has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by local users to gain knowledge of potentially sensitive information, bypass certain security restrictions, and cause a DoS (Denial of Service), or by malicious people to cause a DoS. Full Advisory: http://secunia.com/advisories/18788/ -- [SA18785] NeoMail neomail-prefs.pl Missing Session ID Validation Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-02-14 Secunia Research has discovered a vulnerability in NeoMail, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18785/ -- [SA18784] Trustix update for kernel Critical: Moderately critical Where: From remote Impact: Security Bypass, DoS Released: 2006-02-10 Trustix has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, and by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18784/ -- [SA18889] Debian update for nfs-user-server Critical: Moderately critical Where: From local network Impact: System access Released: 2006-02-15 Debian has issued an update for nfs-user-server. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/18889/ -- [SA18818] Isode M-Vault Server LDAP Vulnerability Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2006-02-14 Evgeny Legerov has reported a vulnerability in Isode M-Vault Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18818/ -- [SA18845] GnuPG "gpgv" Signature Verification Security Issue Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-02-15 A security issue has been reported in GnuPG, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18845/ -- [SA18841] Power Daemon WHATIDO syslog Format String Vulnerability Critical: Less critical Where: From remote Impact: DoS, System access Released: 2006-02-13 Gotfault Security has discovered a vulnerability in Power Daemon (powerd), which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18841/ -- [SA18827] Debian update for kronolith Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-02-14 Debian has issued an update for kronolith. This fixes some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/18827/ -- [SA18916] Debian update for libast Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-02-16 Debian has issued an update for libast. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges. 
Full Advisory: http://secunia.com/advisories/18916/ -- [SA18891] Sun Solaris "in.rexecd" Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-02-15 A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/18891/ -- [SA18829] Debian update for scponly Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-02-13 Debian has issued an update for scponly. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/18829/ -- [SA18812] Debian update for noweb Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-02-13 Debian has issued an update for noweb. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/18812/ -- [SA18811] SUSE ld Insecure RPATH Privilege Escalation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-02-13 A vulnerability has been reported in SUSE Linux, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/18811/ -- [SA18809] noweb Insecure Temporary File Creation Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-02-13 Javier Fern?ndez-Sanguino Pe?a has reported multiple vulnerabilities in noweb, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. 
Full Advisory: http://secunia.com/advisories/18809/ -- [SA18806] Ubuntu update for heimdal Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-02-13 Ubuntu has issued an update for heimdal. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/18806/ -- [SA18867] Honeyd IP Reassembly Remote Detection Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2006-02-15 A weakness has been reported in Honeyd, which can be exploited by malicious people to disclose certain system information. Full Advisory: http://secunia.com/advisories/18867/ -- [SA18824] Kadu Image Send Request Denial of Service Critical: Not critical Where: From remote Impact: DoS Released: 2006-02-15 Piotr Bania has reported a vulnerability in Kadu, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18824/ -- [SA18797] CGIWrap Error Message System Information Disclosure Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2006-02-15 A weakness has been reported in CGIWrap, which can be exploited by malicious people to disclose certain system information. Full Advisory: http://secunia.com/advisories/18797/ -- [SA18907] Mac OS X Kernel Local Denial of Service Vulnerability Critical: Not critical Where: Local system Impact: DoS Released: 2006-02-16 A vulnerability has been reported in Mac OS X, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18907/ -- [SA18850] SUSE update for openssh Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2006-02-14 SUSE has issued an update for openssh. 
This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/18850/ -- [SA18798] OpenBSD update for openssh Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2006-02-13 OpenBSD has issued an update for openssh. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/18798/ -- [SA18795] AIX Kernel Unspecified Local Denial of Service Vulnerability Critical: Not critical Where: Local system Impact: DoS Released: 2006-02-14 A vulnerability has been reported in AIX, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18795/ Other:-- [SA18836] Avaya CSU/VSU ISAKMP IKE Message Processing Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-02-13 Avaya has acknowledged some vulnerabilities in Avaya CSU/VSU, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18836/ -- [SA18833] D-Link Wireless Access Point Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-02-14 Aaron Portnoy and Keefe Johnson has reported a vulnerability in D-Link Wireless Access Point, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18833/ -- [SA18904] Cisco Products TACACS+ Authentication Bypass Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-02-16 A security issue has been reported in various Cisco products, which can be exploited by malicious people to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/18904/ -- [SA18844] FortiGate URL Filter and Virus Scanning Bypass Vulnerabilities Critical: Less critical Where: From local network Impact: Security Bypass Released: 2006-02-13 Mathieu Dessus has reported two vulnerabilities in FortiGate, which can be exploited by malicious people and users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/18844/ Cross Platform:-- [SA18883] Plume CMS prepend.php File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-02-15 unitedbr has discovered a vulnerability in Plume CMS, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18883/ -- [SA18879] dotProject File Inclusion and Information Disclosure Vulnerabilities Critical: Highly critical Where: From remote Impact: Exposure of system information, System access Released: 2006-02-15 Robin Verton has discovered some vulnerabilities in dotProject, which can be exploited by malicious people to disclose certain system information and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18879/ -- [SA18878] Magic News Lite File Inclusion and Profile Update Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, System access Released: 2006-02-15 Aliaksandr Hartsuyeu has discovered some vulnerabilities in Magic News Lite, which can be exploited by malicious people to bypass certain security restrictions and to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/18878/

--
[SA18847] Flyspray Installation Script "adodbpath" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2006-02-14
rgod has reported a vulnerability in Flyspray, which can be exploited by malicious people to disclose potentially sensitive information and to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18847/

--
[SA18808] LinPHA "lang" Local File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2006-02-13
rgod has discovered a vulnerability in LinPHA, which can be exploited by malicious people to disclose sensitive information and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18808/

--
[SA18807] HiveMail Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, System access
Released: 2006-02-13
James Bercegay has reported multiple vulnerabilities in HiveMail, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18807/

--
[SA18803] DocMGR process.php File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2006-02-13
rgod has reported a vulnerability in DocMGR, which can be exploited by malicious people to disclose potentially sensitive information and to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18803/

--
[SA18800] Runcms File Upload and File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-02-10
rgod has reported some vulnerabilities in Runcms, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18800/

--
[SA18905] HTML::BBCode Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-16
Aliaksandr Hartsuyeu has reported a vulnerability in HTML::BBCode, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18905/

--
[SA18885] webSPELL "search.php" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-15
x128 has discovered a vulnerability in webSPELL, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18885/

--
[SA18881] PHP Classifieds "member_login.php" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-15
Audun Larsen has reported a vulnerability in PHP Classifieds, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18881/

--
[SA18880] SAP Business Connector Arbitrary File Access and Spoofing
Critical: Moderately critical
Where: From remote
Impact: Spoofing, Manipulation of data
Released: 2006-02-15
Leandro Meiners has reported two vulnerabilities in SAP Business Connector (BC), which can be exploited by malicious people to conduct spoofing attacks or by malicious users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/18880/

--
[SA18877] Magic Downloads Settings Update Authentication Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-02-15
Aliaksandr Hartsuyeu has reported a vulnerability in Magic Downloads, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18877/

--
[SA18876] Teca Diary Personal Edition SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-16
Aliaksandr Hartsuyeu has reported a vulnerability in Teca Diary Personal Edition, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18876/

--
[SA18874] @Mail Webmail Image Tag Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-16
Thomas Pollet has discovered a vulnerability in @Mail, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18874/

--
[SA18873] Clever Copy Private Message "Subject" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-16
Thomas Pollet has discovered a vulnerability in Clever Copy, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18873/

--
[SA18869] Lighttpd Case-Insensitive Filename Source Code Disclosure
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-02-15
A vulnerability has been reported in lighttpd, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/18869/

--
[SA18868] Squishdot Mail Header Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-02-15
A vulnerability has been reported in Squishdot, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18868/

--
[SA18858] PyBlosxom Arbitrary File Disclosure Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2006-02-14
A vulnerability has been reported in PyBlosxom, which potentially can be exploited by malicious people to disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/18858/

--
[SA18856] CALimba rb_auth.php SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-14
Aliaksandr Hartsuyeu has reported a vulnerability in CALimba, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18856/

--
[SA18855] Magic Calendar Lite SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-14
Aliaksandr Hartsuyeu has reported a vulnerability in Magic Calendar Lite, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18855/

--
[SA18854] Time Tracking Software Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2006-02-14
Aliaksandr Hartsuyeu has reported some vulnerabilities in Time Tracking Software, which can be exploited by malicious people to bypass certain security restrictions, and to conduct SQL injection and script insertion attacks.
Full Advisory: http://secunia.com/advisories/18854/

--
[SA18849] Gästebuch Homepage URL Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-14
Micha Borrmann has reported a vulnerability in Gästebuch (gastbuch), which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18849/

--
[SA18843] WRQ Reflection Secure IT SFTP Format String Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-02-14
A vulnerability has been reported in Reflection Secure IT, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18843/

--
[SA18840] Invision Power Board Army System Mod SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-14
fRoGGz and Alex have reported a vulnerability in Invision Power Board Army System Mod, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18840/

--
[SA18831] RunCMS pmlite.php SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-14
Hamid Ebadi has discovered a vulnerability in RunCMS, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18831/

--
[SA18823] SmE GB Host Username SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact:
Released: 2006-02-13
Aliaksandr Hartsuyeu has reported a vulnerability in SmE GB Host, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18823/

--
[SA18822] PHP/MYSQL Timesheet SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-13
Aliaksandr Hartsuyeu has reported some vulnerabilities in PHP/MYSQL Timesheet, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18822/

--
[SA18819] WebGUI User Account Creation Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-02-13
A vulnerability has been reported in WebGUI, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18819/

--
[SA18817] Hitachi Business Logic Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-02-13
Two vulnerabilities have been reported in Hitachi Business Logic, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18817/

--
[SA18816] e107 Unspecified BBCode Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-13
Some vulnerabilities have been reported in e107, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18816/

--
[SA18810] Ansilove File Disclosure and File Upload Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2006-02-13
Some vulnerabilities have been reported in Ansilove, which can be exploited by malicious users to disclose certain sensitive information and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18810/

--
[SA18805] DB_eSession "deleteSession()" Function SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-13
James Bercegay has reported a vulnerability in DB_eSession, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18805/

--
[SA18802] ImageVue Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, System access
Released: 2006-02-14
zjieb has reported some vulnerabilities in ImageVue, which can be exploited by malicious people to gain knowledge of certain system information, conduct cross-site scripting attacks, and potentially by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18802/

--
[SA18801] Zen Cart Unspecified SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-13
A vulnerability has been reported in Zen Cart, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18801/

--
[SA18793] phphd Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2006-02-10
Aliaksandr Hartsuyeu has reported some vulnerabilities in phphd, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18793/

--
[SA18791] PHPStatus Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2006-02-10
Aliaksandr Hartsuyeu has reported some vulnerabilities in PHPStatus, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18791/

--
[SA18790] Clever Copy HTTP Headers Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-10
Aliaksandr Hartsuyeu has reported two vulnerabilities in Clever Copy, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18790/

--
[SA18786] SmE GB Host / Blog Host "url" BBcode Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-10
Aliaksandr Hartsuyeu has reported a vulnerability in SmE GB Host and SmE Blog Host, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18786/

--
[SA18897] MyBB managegroup.php SQL Injection and Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-16
imei addmimistrator has discovered vulnerabilities in MyBB, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18897/

--
[SA18820] PHP-Nuke "pagetitle" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-13
Janek Vind "waraxe" has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18820/

--
[SA18814] QwikiWiki "search.php" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-14
Citynova has discovered a vulnerability in QwikiWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18814/

--
[SA18804] Siteframe "q" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-13
Kiki has reported a vulnerability in Siteframe, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18804/

--
[SA18792] PHP Event Calendar User Information Manipulation
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-02-10
Aliaksandr Hartsuyeu has discovered a vulnerability in PHP Event Calendar, which can be exploited by malicious users to manipulate certain information and conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18792/

--
[SA18890] PostgreSQL Privilege Escalation and Denial of Service
Critical: Less critical
Where: From local network
Impact: Privilege escalation, DoS
Released: 2006-02-15
Two vulnerabilities have been reported in PostgreSQL, which can be exploited by malicious users to cause a DoS (Denial of Service) or gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18890/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Feb 17 03:16:15 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:16:15 -0600 (CST)
Subject: [ISN] Homeland Security official suggests outlawing rootkits
Message-ID:

http://news.com.com/Homeland+Security+official+suggests+outlawing+rootkits/2100-7348_3-6040726.html

By Joris Evers
Staff Writer, CNET News.com
February 16, 2006

SAN JOSE, Calif. -- Perhaps the best way to deal with rootkits is to outlaw them. At least when it comes to such mishaps as the Sony BMG Music Entertainment fiasco, that's what an official from the Department of Homeland Security suggested Thursday.

"The recent Sony experience shows us that we need to be thinking about how we ensure that consumers are not surprised by what their software programs do," Jonathan Frenkel, director of law enforcement policy at the U.S. Department of Homeland Security, said in a speech here at the RSA Conference 2006.

A lesson has been learned from the Sony debacle, which left unwitting consumers with software on their PCs that could be used by cyberattackers to hide their malicious code. "Companies now know that they should not surreptitiously install a rootkit on computers," Frenkel said.

But perhaps more importantly, how could the mishap have been avoided in the first place? "Legislation or regulation may not be a solution in all cases, but it may be warranted in appropriate circumstances," Frenkel said.

Last November, Sony was found to be shipping copy-protected compact discs that planted so-called rootkit software on the computers that played them. The rootkit technology offered a hiding place for malicious software and attackers, which were quick to exploit it.
After the rootkit technology was uncovered on Sony's CDs, the company faced heavy criticism and lawsuits. It recalled the discs, stopped production and has agreed to offer compensation for buyers of the CDs that contain the rootkit.

Since the Sony case, other companies have been accused of shipping products with rootkit-type behavior. Symantec last month released an update to its popular Norton SystemWorks to fix a security problem that could be abused by cybercriminals to hide malicious software.

According to F-Secure, a Finnish antivirus vendor, the German DVD release of "Mr. & Mrs. Smith" contains a digital rights management protection tool that uses rootkit-like cloaking technology. The movie is distributed by 20th Century Fox.

From isn at c4i.org Fri Feb 17 03:15:41 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:15:41 -0600 (CST)
Subject: [ISN] 'Spam man' wins gold
Message-ID:

http://www.theage.com.au/news/breaking/olympic-champ-made-big-bucks-in-popup-ads/2006/02/16/1140037817825.html

By Stephen Hutcheon and Jacquelin Magnay
February 16, 2006

According to the International Olympic Committee's website, Australia's gold medallist Dale Begg-Smith runs an internet pop-up advertising company that he describes as the third largest of its type.

But that's about as much detail as you'll get out of the Lamborghini-driving Canadian-turned-Australian moguls skier, who is reluctant to talk about his dealings, which remain shrouded in secrecy.

Speaking on Monday at a pre-race press conference, the 21-year-old said he had wound down his multimillion-dollar internet business to concentrate on his Olympic ambitions.

He refused to reveal the name of his business or details of its operations or size. He did say it had "two or three" employees and that it wasn't really an issue with skiing because it had been wound down.

"I haven't spent much time on it, I've let it taper off during the ski season," Begg-Smith said when pressed about his work.
"There's not much to say. We design technology and stuff like that, some advertising stuff, too."

But the companies that he and brother Jason Begg-Smith are involved with are some of the most annoying aspects of the web. Two main companies - called AdsCPM and CPM Media - make money by skimming a small percentage each time an ad scores a hit or is directed to a client's site.

Begg-Smith said the figures being bandied about his business - one report had him earning $40 million - were untrue.

At his post-race press conference overnight, Begg-Smith became irritated when more questions were asked about his business. According to Canadian press reports he said: "I don't know why we're talking about the company. I just won Olympic gold."

Begg-Smith reiterated that his business was set up to help fund his skiing career and that he was now concentrating on his sport.

According to the Canadian Press news agency, Begg-Smith said "his business had never dealt with any specific kind of advertising, only the technology to track how often the ads were being seen. It was up to his customers to decide what kind of ads they wanted to use, he said."

Web searches reveal that AdsCPM Network has been a supplier of pop-under and pop-up advertising to websites. Although they are a source of annoyance to web surfers, pop ads are used by many mainstream websites and are perfectly above board.

But there is a dark side to the pop ad business. Hidden programs that launch these ads are sometimes secreted - by third parties - in many websites with "honeypot" offerings, such as pornography, free games, downloads and gambling.

Unsuspecting web surfers visiting these sites can unwittingly become infected with so-called adware, which spawns annoying advertisements and which can be used to secretly track a user's web surfing habits.
Numerous computer security companies have warnings about AdsCPM and CPM Media, which are held responsible for the Xzoomy.com search engine directory page and a site called FreeScratchandWin.com.

According to the Spyware Guide website, FreeScratchandWin.com opens pop ads "every few minutes", hijacks users' home- and search-page settings and can spy on users' web usage.

Another CPM website, 2nd-thought.com, initiates a so-called browser hijacker program that resets the user's home page and often redirects searches to porn sites.

From isn at c4i.org Fri Feb 17 03:16:35 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:16:35 -0600 (CST)
Subject: [ISN] Utility hack led to security overhaul
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,108735,00.html

By Michael Crawford
FEBRUARY 16, 2006
COMPUTERWORLD AUSTRALIA

Apprehending a notorious hacker rarely involves a car chase or a team of dedicated private investigators, but in the case of Vitek Boden, life imitated a Hollywood script.

Boden had waged a three-month war against the SCADA (Supervisory Control and Data Acquisition) system of Maroochy Water Services in Australia beginning in January 2000, which saw millions of gallons of sewage spill into waterways, hotel grounds and canals around the Sunshine Coast suburb.

He was caught only after a team of private investigators hired by Maroochy Water Services alerted police to his location. After a brief police pursuit from the Sunshine Coast towards Brisbane, Boden was run off the road.

In his car was the specialized proprietary SCADA equipment he had used to attack the system, and a laptop; however, it was a piece of $18 cable that ultimately led to his downfall. Grounds for charges were slim, but the handmade cable showed he had the technical capability to hack the SCADA system.
The laptop found in his car contained enough messages to prove he sent commands to disrupt various pump stations, and that, combined with proprietary radio equipment and specialized cable, was enough to find him guilty of what has been dubbed the first case of critical infrastructure hacking in Australia.

Speaking at the Association of Public Safety Communications Officials (APCO) conference on Queensland's Gold Coast yesterday, Mark Tripcony, operations coordinator at Maroochy Water Services, said initially they thought the disruptions to their pumping station were due to a neighboring SCADA system or poorly implemented software, until late one night it became clear that some 140 sewage pumping stations were at the mercy of a hacker.

"We eventually annihilated all the little things we thought might be causing faults, which were excessive station alarms, pumps running continually or being turned off, software configuration settings changing.

"But one night around 11 p.m., a systems engineer was changing configurations in pumping stations and immediately realized they were being changed back. ... This happened for about half an hour and we then realized we were being hacked and had to catch the culprit," Tripcony said, adding that at one stage Boden had turned off every single alarm in their system and sent sewage running through the drains in a neighboring suburb.

"We worked out he had to be within a 25-mile radius, but one night we had not seen any evidence of hacking until he came on about 6.30 a.m. We had private investigators put cars along all the bridges and overpasses from the Sunshine Coast to Brisbane, because we knew the description of his car and knew he would be driving past. The investigators waited until they saw him on the highway and contacted police to intercept the car.

"When police went to intercept him, he did a runner; the police then ran him off the road and found a car full of proprietary gear.
No one had seen him hack our systems, but from his laptop we were able to find the last recorded event and messages sent which exactly matched our SCADA radio monitoring systems."

Boden was arrested, charged and found guilty on 30 charges of computer hacking, theft and causing environmental damage, and jailed for just over two years.

Maroochy Water Services had earlier had to "let it slip" to the authorities that they believed they were the victims of a hacking attack, because the Environmental Protection Authority was trying to prosecute them.

Since the attack, Maroochy Water Services has spent upwards of $55,309 changing every physical lock for pumping stations; it has also implemented strict access key controls and adopted further auditing procedures.

From isn at c4i.org Fri Feb 17 03:16:48 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:16:48 -0600 (CST)
Subject: [ISN] FBI chief wants stronger partnerships
Message-ID:

http://www.fcw.com/article92354-02-16-06-Web

By Michael Arnone
Feb. 16, 2006

SAN JOSE, CALIF. -- In the movie "High Noon," Gary Cooper must outshoot a gang of villains without the help of the townspeople he must save. Thankfully, the FBI doesn't have the same problem with fighting cybercriminals, the bureau's director said yesterday.

"We are not facing these outlaws on our own," said Robert Mueller, FBI director, at the RSA Conference 2006 here. "No person, no agency, no company, indeed no country can prevent crime on its own."

The FBI already has many partnerships with the private sector, notably its InfraGard program, Mueller said. The bureau is looking for the private sector to form stronger partnerships with law enforcement and better educate the public about cybersecurity risk mitigation, he said.

Success in fighting digital outlaws depends on strong, open collaborations among federal, state and local law enforcement, the private sector and academia, Mueller said.
Cyberspace is like the Wild West, an "open, largely unprotected frontier with seemingly limitless opportunity," Mueller said. At the same time, "IT has become a force multiplier for criminals," he said.

Another challenge is that the clear division of responsibility and jurisdiction among federal, state and local law enforcement is "rendered obsolete by the fluid and far-reaching nature of cyberthreats," Mueller said.

The FBI understands that companies often don't report cyberattacks because they want to protect their privacy and competitive advantage and avoid bad press, Mueller said. But "maintaining a code of silence will not benefit you or your company in the long run," he said.

The FBI won't release proprietary or confidential information when companies reveal they have been attacked, Mueller said. "We don't want you to feel victimized a second time by our investigations," he said.

The FBI is refining and expanding its investigation and prosecution of cybercrimes. It is also identifying more of the pre-eminent cybercriminals and their ways of operating, Mueller said. Meanwhile, companies must make every effort to secure their own systems as much as possible, Mueller said.

The FBI created a cybersecurity division at its headquarters in 2002 to address cyberthreats in a coordinated and cohesive manner, Mueller said. The bureau has established cybercrime squads at its headquarters and all 56 field offices. The agency has 93 computer crime task forces nationwide, and special teams that can go anywhere in the country on short notice, Mueller said.
From isn at c4i.org Fri Feb 17 03:17:01 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:17:01 -0600 (CST)
Subject: [ISN] World's first Mac OS X virus spotted
Message-ID:

http://news.xinhuanet.com/english/2006-02/17/content_4192009.htm

2006-02-17
www.chinaview.cn

BEIJING, Feb. 17 (Xinhuanet) -- A mischievous computer worm has been found to hit Apple's OS X operating system, believed to be the first such virus ever to target the Mac platform.

Called OSX/Leap-A, the worm is spread via instant messaging programs, according to a posting on the Web site of antivirus software company Sophos.

The virus is said to spread using Apple's iChat IM service, forwarding itself as a file called "latestpics.tgz" to an infected user's buddy contacts, according to the Sophos Web site. Clicking on the file allows the malware to install and disguise itself as a harmless-seeming JPEG icon.

"This first Macintosh OS X threat is an example of the continuing spread of malicious code on to other platforms," said Vincent Weafer, senior director at Symantec Security Response, in a statement.

The worm will not automatically infect Mac computers, but will ask users to accept the file, Weafer said. Symantec has rated the worm a low-risk security threat.

From isn at c4i.org Fri Feb 17 03:17:14 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Feb 2006 02:17:14 -0600 (CST)
Subject: [ISN] Proof: Employees don't care about security
Message-ID:

http://software.silicon.com/security/0,39024655,39156503,00.htm

By Will Sturgeon
16 February 2006

An experiment carried out within London's Square Mile has revealed that employees in some of the City's best known financial services companies don't care about basic security policy.

CDs were handed out to commuters as they entered the City by employees of IT skills specialist The Training Camp, and recipients were told the disks contained a special Valentine's Day promotion.
However, the CDs contained nothing more than code which informed The Training Camp how many of the recipients had tried to open the CD. Among those who were duped were employees of a major retail bank and two global insurers.

The CD packaging even contained a clear warning about installing third-party software and acting in breach of company acceptable-use policies - but that didn't deter many individuals, who showed little regard for the security of their PC and their company.

Rob Chapman, CEO of The Training Camp, who carried out the stunt to promote a course in security for non-IT professionals, said: "Fortunately these CDs contained nothing harmful. No personal or corporate data was transmitted due to the actions of these individuals but the fact remains that this could have been someone wanting to cause havoc in the City."

Chapman claimed the "potential outcome could have been disastrous". Effectively the employees, by carrying the CD into the company and putting it straight into their PC, had bypassed much of their company's security.

Chapman said: "Employees have to recognise they are the first and easiest route into a company's network."

Just last year Japanese bank Sumitomo Mitsui in the City fell victim to a spyware infection which almost ended with the theft of £220m. That case should have highlighted the threat posed by applications entering the enterprise through unofficial channels, and yet it appears few companies have taken note.

From isn at c4i.org Mon Feb 20 02:06:49 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Feb 2006 01:06:49 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - February 17th 2006
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| February 17th, 2006 Volume 7, Number 8a |
+---------------------------------------------------------------------+

Editors: Dave Wreski, Benjamin D.
Thomas dave at linuxsecurity.com ben at linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for adzapper, elog, noweb, cponly, kronolith, xpdf, pdfkit, OTRS, gpdf, nfs-users-server, libcast, heimdal, poppler, kdegraphics, gnutls, cpuspeed, pam, postgresql, selinux-policy-targeted, ImageMagick, BomberClone, ghostscript, libpng, kdegraphics, and openssh. The distributors include Debian, Fedora, Gentoo, Mandriva, and SuSE. ---- Earn an NSA recognized IA Masters Online The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/linsec ---- pgp Key Signing Observations: Overlooked Social and Technical Considerations By: Atom Smasher While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. 
Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them. AUDIENCE This document is intended to be of use to those wishing to participate in the exchange of signatures on their OpenPGP keys. It is assumed that the reader has a basic understanding of pgp, what it's used for and how to use it. Those more experienced with pgp may wish to skip the sections they are familiar with, but it is suggested that even the basic information be reviewed. OBSERVATIONS ON GENERATING AND MAINTAINING KEYS When one first generates a key, it is important that it be done on a secure machine in a secure environment. One attack against pgp that is rarely mentioned allows Mallory to steal or even replace a pgp key before it is distributed. Mallory would need to compromise Bob's computer prior to Bob's creation of a key. Mallory could then eavesdrop on Bob as he types the pgp passphrase for the first time, and steal the passphrase along with the secret key. In this case Bob's key is compromised before it even exists. If at any time Mallory is able to break into Bob's computer, she can steal his private key and wait for him to type in his pgp passphrase. Mallory may use a virus or trojan to accomplish this. A screwdriver or bootable CD can compromise the private key. A spy camera or key-logger can compromise the passphrase. This would allow Mallory to read any message ever encrypted to Bob and sign any message or key with Bob's signature. Aside from keeping his personal computer secure, Bob should save a copy of his private key in a secure, off-line, off-site location. This off-line and off-site backup keeps Bob's private key secure against loss from such things as disk crash or his computer being stolen by either common or government thieves. 
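The backup advice above, and the remark in the next paragraph that a public key rarely needs its own backup because gpgsplit's secret-to-public option can recover it from the private key, both rest on one fact of the OpenPGP packet format: a v4 secret-key packet begins with the complete public-key packet, and the secret material only follows it. The following is an added example (not from the article and not GnuPG code) that performs that conversion at the packet level in Python. It handles RSA v4 keys only, the function names are mine, and the sample keyring it builds is constructed from made-up numbers and is not a real key.

```python
import struct

# OpenPGP packet tags (RFC 4880, section 4.3)
TAG_SECRET_KEY, TAG_PUBLIC_KEY = 5, 6
TAG_SECRET_SUBKEY, TAG_PUBLIC_SUBKEY = 7, 14
TAG_USER_ID = 13
RSA_ALGOS = (1, 2, 3)  # RSA encrypt-or-sign, encrypt-only, sign-only

def read_packets(data: bytes):
    """Yield (tag, body) for every packet in data; old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("byte 0x%02x is not a packet header" % ctb)
        if ctb & 0x40:                         # new format: tag in the low 6 bits
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                  # old format: tag in bits 2-5
            tag = (ctb >> 2) & 0x0F
            length_type = ctb & 0x03
            if length_type == 3:
                raise ValueError("indeterminate length is not supported")
            n = (1, 2, 4)[length_type]
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def write_packet(tag: int, body: bytes) -> bytes:
    """Old-format header with a 2-octet length (bodies under 64 KiB)."""
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body

def mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-octet bit count, then big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def public_part(key_body: bytes) -> bytes:
    """The prefix of a v4 key packet that is the public key: version, creation
    time, algorithm and the public MPIs (n and e for RSA). Secret MPIs follow it."""
    if key_body[0] != 4:
        raise ValueError("only v4 key packets are handled")
    if key_body[5] not in RSA_ALGOS:
        raise ValueError("only RSA keys are handled in this example")
    i = 6
    for _ in range(2):                         # step over the MPIs n and e
        bits = struct.unpack(">H", key_body[i:i + 2])[0]
        i += 2 + (bits + 7) // 8
    return key_body[:i]

def secret_to_public(secret_keyring: bytes) -> bytes:
    """Rewrite a secret keyring as a public keyring: secret key and subkey packets
    are cut down to their public prefix and retagged; every other packet (user IDs,
    self-signatures) is copied through unchanged."""
    out = bytearray()
    for tag, body in read_packets(secret_keyring):
        if tag == TAG_SECRET_KEY:
            out += write_packet(TAG_PUBLIC_KEY, public_part(body))
        elif tag == TAG_SECRET_SUBKEY:
            out += write_packet(TAG_PUBLIC_SUBKEY, public_part(body))
        else:
            out += write_packet(tag, body)
    return bytes(out)

def build_sample_secret_keyring() -> bytes:
    """Constructed sample, not a real key: an unencrypted (S2K usage 0) RSA v4
    primary key, one user ID and one subkey, with tiny made-up MPIs."""
    def key_body(n, e, d, p, q, u, created):
        public = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
        secret = mpi(d) + mpi(p) + mpi(q) + mpi(u)
        checksum = struct.pack(">H", sum(secret) % 65536)  # plaintext secret checksum
        return public + b"\x00" + secret + checksum

    primary = key_body(0xC0FFEE1D, 65537, 0x1234567, 0xBEEF, 0xF00D, 0x42, 1140134400)
    subkey = key_body(0xDEADBEEF, 65537, 0x7654321, 0xCAFE, 0xBABE, 0x17, 1140134401)
    user_id = b"Bob <bob@example.org>"
    return (write_packet(TAG_SECRET_KEY, primary)
            + bytes([0xC0 | TAG_USER_ID, len(user_id)]) + user_id  # new-format header
            + write_packet(TAG_SECRET_SUBKEY, subkey))

def packet_tags(keyring: bytes) -> list:
    return [tag for tag, _ in read_packets(keyring)]

if __name__ == "__main__":
    sec = build_sample_secret_keyring()
    pub = secret_to_public(sec)
    print("secret keyring: %d bytes, tags %s" % (len(sec), packet_tags(sec)))
    print("public keyring: %d bytes, tags %s" % (len(pub), packet_tags(pub)))
```

Running it shows the secret keyring (tags 5, 13, 7) turn into a shorter public keyring (tags 6, 13, 14), with each public key body a literal prefix of the secret key body it came from. Expiration dates and algorithm preferences for v4 keys live in the self-signature packets (tag 2), not in the key packet itself; when the whole keyring is fed in they pass through unchanged, but a conversion run on a bare key packet alone has nothing to carry them in, which is the kind of loss the article warns about.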
Depending on who is out to get him, he may consider it more secure to burn his private key onto a CD and store it in a bank safe, or print it onto paper and hide it inside a painting. As always, the most appropriate meaning of 'secure' is left to the needs and perceptions of the reader.

Note that it is often unnecessary to make a backup copy of a public key, for two reasons: 1) it is publicly available and can be retrieved from a keyserver, and 2) the "gpgsplit" command has a "secret-to-public" option that can recover a public key from a private key. Note that gpgsplit may not recover accurate expiration dates and preferences if they were updated after the key was created.

One should never sign a key (or use pgp at all) on an untrusted computer or in an untrusted environment. Gather the information needed to sign a key and sign it when you get home. If your home computer and environment are not trusted, you have bigger problems to worry about.

Read Entire Article: http://www.linuxsecurity.com/content/view/121645/49/

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New adzapper packages fix denial of service
  9th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121573

* Debian: New elog packages fix arbitrary code execution
  10th, February, 2006
  Several security problems have been found in elog, an electronic logbook to manage notes. The Common Vulnerabilities and Exposures Project identifies the following problems...
  http://www.linuxsecurity.com/content/view/121583

* Debian: New noweb packages fix insecure temporary file creation
  13th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121606

* Debian: New scponly packages fix potential root vulnerability
  13th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121607

* Debian: New kronolith packages fix cross-site scripting
  14th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121617

* Debian: New xpdf packages fix denial of service
  14th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121618

* Debian: New pdfkit.framework packages fix denial of service
  15th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121634

* Debian: New OTRS packages fix several vulnerabilities
  15th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121635

* Debian: New gpdf packages fix denial of service
  15th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121636

* Debian: New nfs-user-server packages fix arbitrary code execution
  15th, February, 2006
  Marcus Meissner discovered that attackers can trigger a buffer overflow in the path handling code by creating or abusing existing symlinks, which may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121643

* Debian: New libast packages fix arbitrary code execution
  15th, February, 2006
  Johnny Mast discovered a buffer overflow in libast, the library of assorted spiffy things, that can lead to the execution of arbitrary code. This library is used by eterm, which is installed setgid utmp, which leads to a vulnerability to alter the utmp file.
  http://www.linuxsecurity.com/content/view/121644

* Debian: New heimdal packages fix several vulnerabilities
  16th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121646

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: poppler-0.4.5-1.1
  10th, February, 2006
  Heap-based buffer overflow in Splash.cc in poppler allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap.
  http://www.linuxsecurity.com/content/view/121591

* Fedora Core 4 Update: xpdf-3.01-0.FC4.8
  10th, February, 2006
  xpdf contains a heap based buffer overflow in the splash rasterizer engine that can crash kpdf or even execute arbitrary code. Users impacted by these issues should update to this new package release.
  http://www.linuxsecurity.com/content/view/121592

* Fedora Core 4 Update: kdegraphics-3.5.1-0.2.fc4
  10th, February, 2006
  kpdf, the KDE pdf viewer, shares code with xpdf.
  xpdf contains a heap based buffer overflow in the splash rasterizer engine that can crash kpdf or even execute arbitrary code. Users impacted by these issues should update to this new package release.
  http://www.linuxsecurity.com/content/view/121593

* Fedora Core 4 Update: gnutls-1.0.25-2.FC4
  10th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121596

* Fedora Core 4 Update: cpuspeed-1.2.1-1.24_FC4
  12th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121597

* Fedora Core 4 Update: pam_krb5-2.1.15-2
  14th, February, 2006
  This update fixes several bugs which have been found since FC4 was released.
  http://www.linuxsecurity.com/content/view/121627

* Fedora Core 4 Update: postgresql-8.0.7-1.FC4.1
  14th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121629

* Fedora Core 4 Update: selinux-policy-targeted-1.27.1-2.22
  14th, February, 2006
  Zebra was still broken. Hopefully fixed by this update.
  http://www.linuxsecurity.com/content/view/121630

* Fedora Core 4 Update: selinux-policy-strict-1.27.1-2.22
  14th, February, 2006
  Zebra was still broken. Hopefully fixed by this update.
  http://www.linuxsecurity.com/content/view/121631

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Xpdf, Poppler Heap overflow
  12th, February, 2006
  Xpdf and Poppler are vulnerable to a heap overflow that may be exploited to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/121598

* Gentoo: KPdf Heap based overflow
  12th, February, 2006
  KPdf includes vulnerable Xpdf code to handle PDF files, making it vulnerable to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121599

* Gentoo: ImageMagick Format string vulnerability
  13th, February, 2006
  A vulnerability in ImageMagick allows attackers to crash the application and potentially execute arbitrary code.
  http://www.linuxsecurity.com/content/view/121614

* Gentoo: KPdf Heap based overflow
  13th, February, 2006
  KPdf includes vulnerable Xpdf code to handle PDF files, making it vulnerable to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121615

* Gentoo: Sun JDK/JRE Applet privilege escalation
  14th, February, 2006
  Sun's Java Development Kit (JDK) and Java Runtime Environment (JRE) do not adequately constrain applets from privilege escalation and arbitrary code execution.
  http://www.linuxsecurity.com/content/view/121633

* Gentoo: libtasn1, GNU TLS Security flaw in DER decoding
  16th, February, 2006
  A flaw in the parsing of Distinguished Encoding Rules (DER) has been discovered in libtasn1, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121654

* Gentoo: BomberClone Remote execution of arbitrary code
  16th, February, 2006
  BomberClone is vulnerable to a buffer overflow which may lead to remote execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121655

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated ghostscript packages fix various bugs
  10th, February, 2006
  A number of bugs have been corrected with this latest ghostscript package, including a fix when rendering images when converting PostScript to PDF with ps2pdf, a crash when generating PDF files with the pdfwrite device, several segfaults, a fix for vertical Japanese text, and a number of other fixes.
  http://www.linuxsecurity.com/content/view/121595

* Mandriva: Updated gnutls packages fix libtasn1 out-of-bounds access vulnerabilities
  14th, February, 2006
  Evgeny Legerov discovered cases of possible out-of-bounds access in the DER decoding schemes of libtasn1, when provided with invalid input. This library is bundled with gnutls. The provided packages have been patched to correct these issues.
  http://www.linuxsecurity.com/content/view/121616

* Mandriva: Updated postgresql packages fix various bugs
  14th, February, 2006
  Various bugs in the PostgreSQL 8.0.x branch have been corrected with the latest 8.0.7 maintenance release which is being provided for Mandriva Linux 2006 users.
  http://www.linuxsecurity.com/content/view/121632

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: gnutls security update
  10th, February, 2006
  Updated gnutls packages that fix a security issue are now available for Red Hat Enterprise Linux 4.
  http://www.linuxsecurity.com/content/view/121594

* RedHat: Important: xpdf security update
  13th, February, 2006
  An updated xpdf package that fixes a buffer overflow security issue is now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121608

* RedHat: Moderate: libpng security update
  13th, February, 2006
  Updated libpng packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121609

* RedHat: Important: kdegraphics security update
  13th, February, 2006
  Updated kdegraphics packages that resolve a security issue in kpdf are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121610

* RedHat: Moderate: ImageMagick security update
  14th, February, 2006
  Updated ImageMagick packages that fix two security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121628

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: kernel remote denial of service
  9th, February, 2006
  The Linux kernel on SUSE Linux 10.0 has been updated to fix the following security problems...
  http://www.linuxsecurity.com/content/view/121580

* SuSE: binutils, kdelibs3, kdegraphics3, koffice, dia, lyx
  10th, February, 2006
  A SUSE specific patch to the GNU linker 'ld' removes redundant RPATH and RUNPATH components when linking binaries. Due to a bug in this routine ld occasionally left empty RPATH components. When running a binary with empty RPATH components the dynamic linker tries to load shared libraries from the current directory.
  http://www.linuxsecurity.com/content/view/121590

* SuSE: openssh (SUSE-SA:2006:008)
  14th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121619

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Feb 20 02:07:11 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Feb 2006 01:07:11 -0600 (CST)
Subject: [ISN] Skype's online phone calls may give wiretappers fits
Message-ID:

http://seattletimes.nwsource.com/html/businesstechnology/2002810535_skypewiretap17.html

By Peter Svensson
The Associated Press
February 17, 2006

NEW YORK - Even as the U.S. government is embroiled in a debate over the legality of wiretapping, the fastest-growing technology for Internet calls appears to have the potential to make eavesdropping a thing of the past.

Skype, the Internet calling service now owned by eBay, provides free voice calls and instant messaging between users.
Unlike other Internet voice services, Skype calls are encrypted - encoded using complex mathematical operations. That apparently makes them impossible to snoop on, though the company leaves the issue somewhat open to question. Skype is certainly not the first application for encrypted communications on the Internet. Secure e-mail and instant-messaging programs have been available for years at little or no cost. But to a large extent, Internet users haven't felt a need for privacy that outweighed the effort needed to use encryption. In particular, many consider e-mail programs such as Pretty Good Privacy too cumbersome. And because such applications have had limited popularity, their mere use can draw attention. With Skype, however, criminals, terrorists and other people who really want to keep their communications private are indistinguishable from those who just want to call their mothers. "Skype became popular not because it was secure, but because it was easy to use," said Bruce Schneier, chief technology officer at Counterpane Internet Security. Luxembourg-based Skype was founded by the Swedish and Estonian entrepreneurs who created the Kazaa file-sharing network, target of several court actions by the music industry. Skype's software for personal computers is free. Members pay nothing to talk to each other over PCs, but pay fees to connect to people who are using telephones. Skype software is being built into cellphone-like portable devices that will work within range of wireless Internet "hot spots." While still somewhat marginal in the United States, Skype had 75 million registered users worldwide at the end of 2005. Typically, 3 million to 4 million users are online at the same time. Skype calls whip around the Internet encrypted with "keys," essentially very long numbers. Skype keys are 256 bits long - twice as long as the 128-bit keys used to send credit-card numbers over the Internet. The security is much more than doubled. 
In theory, Skype's 256-bit keys would take trillions of times longer to crack than 128-bit keys, which are themselves regarded as practically impossible to break by current means. "It is a pretty secure form of communication, which if you're talking to your mistress you really appreciate, but if al-Qaida is talking over Skype, you have probably a different view," said Monty Bannerman, chief executive of Verso Technologies. Bannerman's company makes equipment for Internet service providers, including software that can identify and block Skype calls. Security experts are not completely convinced Skype is as secure as it seems, because the company hasn't made its technology open to review. In the cryptographic world, opening software blueprints to outsiders who can point out errors is considered the safest way to go. Because of the complex math involved, a properly designed cryptographic system can be unbreakable even if its method is known to outsiders. But according to Schneier, if Skype's encryption is weaker than believed, it still would stymie the kind of broad eavesdropping the National Security Agency is reputed to be performing, in which it scans thousands or millions of calls at a time for certain phrases. Even a weakly encrypted call would force an eavesdropper to spend hours of computer time cracking it. Kurt Sauer, Skype's chief security officer, said there are no "back doors" that could let a government bypass the encryption on a call. At the same time, he said Skype "cooperates fully with all lawful requests from relevant authorities." He would not give particulars on the type of support provided. The Justice Department did not respond to questions about its views on Skype encryption. Verso's Bannerman notes Skype calls are decrypted if they enter the traditional telephone network to communicate with regular phones, so a conversation could be intercepted there. Skype does not reveal how many of its calls run on the phone network. 
"There are other ways of getting at the conversation than brute-force decryption of the hacking," Bannerman said.

Schneier thinks eavesdropping on the content of calls is not as important to the NSA as tracking the calls, which is still possible with Skype. For instance, if one account was associated with a terrorist, it would be possible to identify his conversation partners.

"What you and I are saying is much less important than the fact that you and I are talking," Schneier says. "Against traffic analysis, encryption is irrelevant."

Steve Bannerman, vice president of marketing at Narus (he is unrelated to Verso's Bannerman), said his company's systems enable wiretapping of voice calls routed over the Internet, but not those from Skype. Telecommunications carriers use Narus technology.

The most it can do is identify what type of Skype traffic - voice call, text chat or video conference - is being used, and record the scrambled data for law-enforcement officials. From there, he said, "Who knows what those guys can do?"

Copyright © 2006 The Seattle Times Company

From isn at c4i.org Mon Feb 20 02:07:25 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Feb 2006 01:07:25 -0600 (CST)
Subject: [ISN] UNI employees told to initiate fraud alerts
Message-ID:

http://desmoinesregister.com/apps/pbcs.dll/article?AID=/20060217/SPORTS0207/60217017/1001

By LISA LIVERMORE
REGISTER AMES BUREAU
February 17, 2006

About 6,000 employees at the University of Northern Iowa were advised in a letter to protect themselves from identity theft by contacting credit reporting agencies and initiating fraud alerts after a security breach was detected last week on a laptop computer at the university, officials said Friday.

The laptop, assigned to the UNI's Office of Business Operations, contained Internal Revenue Service W-2 forms for student employees, faculty and staff.
UNI officials said a virus was detected on the laptop, which was being used to review how the forms would look when they were being printed.

Tom Schellhardt, vice president for administration and finance, said officials found no evidence to suggest personal information was accessed. Even so, everyone with data on the computer was sent the advisory letter along with a recommendation to monitor their personal financial information to ensure their accounts have not been tampered with.

Steve Moon, director of network services at UNI, said the person who used the laptop computer did so to review the print jobs for the W-2 forms. "There had been problems with printing, and the person wanted to review what the print stream was trying to do," he said.

Even so, he said it's risky to put sensitive information on a laptop. "Certainly it's more at risk just to be stolen," he said. "It would be much easier to pick up a laptop and stick it in your backpack than a desktop would be."

A. Frank Thompson, a UNI professor of finance, said he didn't think W-2 forms should be on the computer at all, because the information must be made into a hard copy anyway for tax purposes. Also, "it simply opens up the possibility of that information being inappropriately accessed," he said.

From isn at c4i.org Mon Feb 20 02:08:47 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Feb 2006 01:08:47 -0600 (CST)
Subject: [ISN] Firm Offers $10K Reward For Critical Windows Bug
Message-ID:

http://www.informationweek.com/showArticle.jhtml?articleID=180204079

By Gregg Keizer
TechWeb News
Feb 17, 2006

A security company known for paying bounties on bugs will launch a new program next week that will pay researchers $10,000 for finding Windows vulnerabilities that Microsoft classifies as "Critical."

The new reward is an addition to iDefense's controversial Vulnerability Contributor Program (VCP), which launched in 2005.
"We want to get people excited [about VCP]," said Adam Greene, the assistant director of iDefense Labs. "And we want to encourage researchers to focus on things important to our clients."

Windows vulnerabilities were an obvious pick, added Greene, because "so many of our clients use [Windows]."

The $10,000 research reward comes with a few strings. The offer ends March 31, said Greene, and it must be submitted exclusively to iDefense. If Microsoft eventually classifies it as a "Critical" fix -- the Redmond, Wash.-based developer uses a four-step rating system to rank patches, with Critical at the top of the chart -- iDefense will pay out the $10,000, which is above and beyond its usual VCP payouts. Although iDefense doesn't publish its usual reward rate structure, it paid out nearly $40,000 in its first three months.

Each quarter, iDefense will change the rules of the $10,000 bonus. "We haven't settled on next quarter's," admitted Greene. "But rather than a specific vendor, we're talking about targeting a certain class of vulnerability or class of product. Maybe Web browsers or e-mail."

"It's important to change it up a bit to keep people interested," he added.

A few other companies trade cash for vulnerabilities. TippingPoint, part of 3Com, has a similar program, dubbed Zero Day Initiative, while Mozilla pays $500 for bugs in its open-source software. But the practice is criticized by some security research rivals.

"It blurs the lines between gray and white and black hats," said Mike Puterbaugh, vice president of marketing for eEye Digital Security. "It creates a market for vulnerabilities, and almost legitimizes the black market."

Not surprisingly, iDefense's Greene disagreed. "We don't deal with any groups [of researchers] known to have anything to do with illegal activity. Interestingly enough, a lot of these people aren't that interested in the money, but are people who don't want to deal with the vendors, which have ignored them in the past."
And paying for bugs may get some dangerous vulnerabilities "off the street," so to speak, Greene said. "You always have to assume that a given vulnerability is in the hands of more than one person," he said, noting that a handful of the bugs iDefense paid for in 2005 were used to actively exploit software after the Reston, Va.-based company received a heads-up from a bounty hunter.

iDefense uses the bounties to provide advance notice to clients on developing threats. "In one case last year, a vulnerability [in the VCP program] gave our customers 60 days of advance warning before it was made public," said Greene.

eEye Digital Security, well known for discovering vulnerabilities in Microsoft and Apple software, gets to the same result -- early warning for customers -- but relies instead on its own internal research team. "We take a lot of pride in our primary research," said eEye's Puterbaugh, who claimed that internal research led to protections against the recent Windows Media Player vulnerability for customers as far back as June 2004.

"iDefense may have the best intentions, but paying for vulnerabilities is definitely a slippery slope," Puterbaugh concluded.

Copyright © 2005 CMP Media LLC

From isn at c4i.org Mon Feb 20 02:09:11 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Feb 2006 01:09:11 -0600 (CST)
Subject: [ISN] Call for Papers - Bellua Cyber Security Asia 2006
Message-ID:

Forwarded from: Anthony Zboralski

Bellua Cyber Security Asia 2006
Call for Papers - http://www.bellua.net

For the second consecutive year, the Bellua Cyber Security Asia 2006 Conference will bring together in Indonesia internationally recognized experts in the security community as well as leading members of the local Indonesian technology and security industry.
BCS Asia 2006 will bring together researchers and practitioners from Asia, Europe and the Americas to discuss present and future information security issues through an intensive series of workshops, presentations, demonstrations and technical sessions. Do not submit product or vendor pitches please.

Important Dates:
28-29 August 2006: The Workshops
30-31 August 2006: The Conference

The meeting will take place in Jakarta, Indonesia, at the Jakarta Convention Center (see travel and visa information below.)

Please send your proposal to cfp2006 at bellua.com as soon as possible and no later than 31 March 2006. This year, proposals will be evaluated in the order received; submit early to maximise your chances of being selected.

The program committee invites proposals for paper presentations, demonstrations and poster contributions on any topic relevant to cyber security and hacking including but not limited to:

Business Track
* ISO27001 Information Security Management Systems (ISMS)
* Business Processes & Security
* Compliance Management
* Handling Security failure & incidents
* Banking Security
* Telecommunication Security
* Internet Fraud
* Security Awareness
* Social engineering
* Privacy, anonymity, ethics
* Cyber Law and Enforcement

Technical Track
* 0 day Hacking & Security
* Penetration Testing
* Telecom Security/Phreaking (SS7, GSM, 3G, GPRS, EDGE...)
* Secure Programming
* Reverse Engineering
* Exploit development
* Forensics
* Wireless Security & Hacking (WiFi, Bluetooth, vsat...)
* Web Application Security
* Database Security
* Cryptography
* Spyware/Malware/Worm/Virus
* Physical Security

Your submission should include:
* Name, title, address, email and phone number
* Draft of the proposed presentation (in PDF, PowerPoint or Keynote format), proof of concept for tools and exploits, etc.
* Short biography, qualification, occupation, achievement and affiliations (limit 150 words).
* Summary or abstract for your presentation (limit 150 words)
* Time (40-60 minutes).
Include time for discussion and questions Technical requirements (video, internet, wireless, audio, etc.) Each non-resident speaker will receive accommodation for 3 nights at the Jakarta Hilton International. For each non-resident speaker, Bellua will cover travel expenses up to USD1000. N.B. If an official sponsor employs you or you only propose a poster contribution, you will not receive any compensation for travel, hotel accommodations or an honorarium from Bellua. Poster sessions are an integral part of Bellua Cyber Security events. Far from being a second option, posters provide an excellent way to present research work in a clear, concise format. A well-thought out poster can be better than an oral presentation in describing complex research work. Posters contributors will receive one complimentary conference pass. Call for Workshops Please send your proposal to cfp2006 at bellua.com as soon as possible and no later than 31 March 2006. This is also a call for workshops. One of the objectives of this meeting is to allow researchers to gain a background in areas that they may know little about. Towards that end a number of Workshops are planned. Some participants in the workshop will be very excited in learning about technical matters such as hacking, exploit writing, penetration testing, social engineering, BCP, DRC or other important attack and defense techniques. Others might enjoy a seminar on a philosophical topic. Workshop presenters are expected not to present just only their own material, but to give a broader overview and encourage discussion and debate. The workshops will be held from 28th to 29th August. Workshops that do not achieve the minimum enrollment will not be offered. The size of workshop will vary from 8 to a maximum of 25 people. Please send the workshop proposal along with the following to cfp2006 at bellua.com as soon as possible and no later than 31 March 2006. 
Address, affiliation, email and phone number Draft timetable for the proposed workshop with title Summary or abstract of the workshop, limit 250 words. Biography (150 words) Curriculum vitae - Resume Technical requirements Please send your proposal to cfp2006 at bellua.com as soon as possible and no later than 23 December 2004. Program Committee Anthony Zboralski, Bellua Asia Pacific Dhillon Andrew Kannabhiran, HackInTheBox Fetri Miftach, Bellua Asia Pacific John Grygorcewicz, Bispro Consulting John Howie, Microsoft Security Community Emmanuel Gadaix, Telecom Security Task Force Philippe Langlois, Telecom Security Task Force Ralph Logan, The Logan Group, The Honey Net Project David Maynor, ISS X-Force Thomas Wana, Void Jim Geovedi, Bellua Asia Pacific Andi, Void Skyper, Phrack Magazine Mark Dowd Matt Conover, Symantec Andrew R. Reiter Josha Broson, AngryPacket Security Nicolas Fischbach, Colt Telecom Fyodor Yarochkin Visa Information The Department of Justice and Human Rights has officially determined that as of 1 February 2004: The Free Visa Facility (length of stay max. 30 days) will be issued to citizens of the following countries: Brunei, Malaysia, Philippines, Singapore, Thailand, Vietnam, Hong Kong, Macao, Morocco, Chile, Peru. The Visa-on-Arrival Facility (length of stay max. 30 days) will be issued to citizens of the following countries: Australia, Argentina, Brazil, Canada, Denmark, Finland, France, Germany, Hungary, Italy, Japan, New Zealand, Norway, Poland, South Africa, South Korea, Switzerland, Taiwan, United Kingdom, United Arab Emirates, United States. Citizens of countries not stated above are required to apply for a visa at the Indonesian Embassy/Consulate in their country of domicile. For questions regarding event registration, please call +62 570 5800 (Astri). For general event questions, please email bcs2006 at bellua.com. PT Bellua Asia Pacific - Bellua Cyber Security Conferences & Workshops -- Anthony C. 
Zboralski PT Bellua Asia Pacific - http://www.bellua.com Bumi Daya Plaza 21st Floor, jl. Iman Bonjol No.61 Jakarta 10310 Indonesia. Phone: +62213918330 HP:+62 818 699 084 65b1d8c7 - 6c0b b76a 51ef bfa6 c03b 97c8 af75 420c 65b1 d8c7 From isn at c4i.org Tue Feb 21 01:13:30 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 21 Feb 2006 00:13:30 -0600 (CST) Subject: [ISN] Online Stores Are Caught In Jihad Web Message-ID: http://news.tbo.com/news/metro/MGB47AQ4WJE.html By HOWARD ALTMAN haltman @ tampatrib.com Feb 20, 2006 When Stacey Turmel placed an order online with Davida, an English motorcycle accessory company, she was looking for protective gear with style and comfort. But after plunking down $255 for a two-tone Deluxe Jet helmet, she found herself dragged into the shadowy world of global jihad. Turmel, a St. Petersburg lawyer, has learned that she was among several Davida customers whose personal and credit information was placed on a public Web site - 3asfh.net. The site, hosted temporarily by a Tampa-based Web-hosting company, has been used to exchange information on hacking by people waging war in the name of Islam. "It was scary to find out that jihadis had my personal information," Turmel said. Her loss was modest. After checking records in the spring of 2002, she found several small charges she did not make - none more than $40, but other victims discovered attempts to charge more than $1,000. Investigators and Internet security experts say much more is at stake. Computer hackers - from wayward teens to organized crime syndicates to groups associated with al-Qaida - steal hundreds of billions of dollars every year. Hack attacks such as the one against Turmel are a key weapon of global jihad, experts say. One example is the 2002 explosion that killed more than 200 people at a nightclub in Bali, Indonesia. Computer security experts say Imam Samudra, the man behind the attack, financed it through credit card fraud. 
Turmel's experience tells the "central story" of jihadi hackers, said Alan Paller, director of research at the SANS Institute, a cybersecurity firm based near Washington that works with the National Security Agency, financial institutions and governments around the world.

In a book Samudra wrote in jail, he "exhorts followers to 'learn to hack,'" Paller said. The book continues, "Not just because it makes more money in three to six hours than a policeman makes in six months, because it is how we can bring America and its cronies to its knees."

Fragile Web

Like Turmel and other customers, Davida's owner, David Fiddaman, was unaware of the jihadi activity. Sellers and buyers need to be more vigilant, say those charged with securing the Internet.

Realizing the scope of the problem, the U.S. government is scrambling to catch up. The 2003 Information Operations Roadmap, a recently declassified, 74-page Department of Defense report, outlines methods for government agencies and military units - including Special Operations Command in Tampa - to attack enemy computer networks and deal with hacking attempts on U.S. systems.

The Slammer worm, an intrusive computer program introduced in 2003 by unknown hackers, is an example of the Internet's vulnerability, according to a 2004 World Bank report. The report says, "Within 15 minutes after the Slammer was introduced, 27 million people in South Korea were left without cell phone or Internet access, five of the Internet's 13 root servers crashed, 300,000 cables in Portugal went dark, Continental Airlines had to cancel flights because it had no Internet access, the world's largest telecommunications provider was shut off, and 911 service in Seattle" was disrupted.

The convenience of the Internet makes consumers prime targets, experts say.

"Because of the porous nature of security in commerce and finance, and the prevalence of anonymity, it is very easy to siphon and steal funds," said Tom Kellerman, former senior risk management specialist for the World Bank and author of the 2004 report.

Kellerman rattles off statistics driving home his point: $400 billion in losses around the world last year from cybercrime, nine out of 10 businesses affected, identity theft hitting 19.3 million people in the United States.

A good chunk of that theft - though no one knows how much - is by jihadi hackers, said Kellerman, who is chief knowledge officer and co-founder of the cybersecurity firm Cybrith LLC. Cybercrime is safer and easier than selling drugs, dealing in black market diamonds or robbing banks, he said.

"In the underground and in chat rooms, these people are sharing information," Kellerman said. "The Internet is the wild, wild West. There is a community that shares tricks of the trade very freely."

The Internet is "almost like a giant arms bazaar," said Kellerman, where users can download weapons to hack into financial institutions. "In this unregulated and wide-open space, they are facilitating the financing of terrorist acts," he said.

The government and business communities are aware of the problems, but their solutions are lacking, Kellerman said.

"A lot of people don't realize that until we build better castles and control cyberspace in a better fashion, we are not going to defeat terrorists' financing," he said. "The lack of security contributes to cybercrime, which contributes to terrorism. There is a direct link."

Emotional Toll

Kellerman's dour assessment is bad news for potential hacking victims. So, too, is a January report from the Javelin Strategy and Research firm, which concludes that although federal laws and credit card companies have done a good job of protecting consumers for out-of-pocket losses, it takes about 40 hours to clear up credit problems after they are discovered.

"I don't think there is any question that we all lose when there is fraudulent use of this information," said Gerri Detwiler, president of the Sarasota-based Ultimate Credit Solutions Inc. "The new Harrison Ford movie, 'Firewall,' about a guy whose identity is stolen by thieves, will only add to the concern."

Cybercrime is the FBI's third priority, behind counterterrorism and counterintelligence.

"The network of cyberhackers is extensive, and we are working with our partners, international, state and local, every day," said FBI spokeswoman Cathy Milhoan, who could not comment specifically about problems faced by Turmel and other victims of 3asfh.

Echoing advice from credit experts, Turmel urged consumer caution.

"Look at your balances," she said. "Check those statements on a monthly basis. If there is anything you don't recognize, you need to follow up on it right away."

From isn at c4i.org Tue Feb 21 01:14:10 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Feb 2006 00:14:10 -0600 (CST)
Subject: [ISN] Invasion of the Computer Snatchers
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html

By Brian Krebs
February 19, 2006

In the six hours between crashing into bed and rolling out of it, the 21-year-old hacker has broken into nearly 2,000 personal computers around the globe. He slept while software he wrote scoured the Internet for vulnerable computers and infected them with viruses that turned them into slaves.

Now, with the smoke of his day's first Marlboro curling across the living room of his parents' brick rambler, the hacker known online as "0x80" (pronounced X-eighty) plops his wiry frame into a tan, weathered couch, sets his new laptop on the coffee table and punches in a series of commands. At his behest, the commandeered PCs will begin downloading and installing software that will bombard their users with advertisements for pornographic Web sites.
After the installation, 0x80 orders the machines to search the Internet for other potential victims.

The young hacker, who has agreed to be interviewed only if he isn't identified by name or home town, takes a deep drag of his smoke and leans back against the couch to exhale. He smiles. This is his day job, and his work is finished in less than two minutes. In two weeks, he will receive a $300 check from one of the online marketing companies that pays him for his services.

"Most days, I just sit at home and chat online while I make money," 0x80 says. "I get one check like every 15 days in the mail for a few hundred bucks, and a buncha others I get from banks in Canada every 30 days." He says his work earns him an average of $6,800 per month, although he's made as much as $10,000. Not bad money for a high school dropout.

Hacked, remote-controlled home computers, known as robots or "bots," and large groups of robot networks like the one 0x80 runs -- called "botnets" -- are the souped-up cyber engines driving nearly all criminal commerce on the Internet. Botnets are used to relay millions of pieces of junk e-mail, or spam, touting everything from cheap Viagra to get-rich-quick business schemes. And the botmasters who control these computer networks are at the heart of ominous and increasingly common online shakedowns known as "denial of service attacks." In such an attack, Web gangsters demand tens of thousands of dollars in protection money from businesses. If the businesses refuse to pay, the criminals order the thousands of computers that make up their botnets to flood the Web sites with meaningless traffic, crippling the businesses and costing them thousands or hundreds of thousands of dollars in lost revenue.

0x80 says that he doesn't use his botnet to shake down businesses. Instead, he and a growing number of botmasters make money by seeding their botnets with spyware, also known as adware.

Once installed on a PC, the adware serves up pop-up advertisements and mines data about the user's online browsing habits. The computer worm that powers the botnet also gathers far more sensitive data from the victim's machine, including passwords, e-mail addresses, Social Security numbers and credit card data.

The spyware and adware problem is pervasive and growing: A recent survey by the National Cyber Security Alliance and America Online found that four of five computers connected to the Web have some type of spyware or adware installed on them, with or without the owner's knowledge. The distribution of online advertisements via spyware and adware has become a $2 billion industry, according to security software maker Webroot Software Inc.

And as the industry has boomed, so have the botnets. Just a few months ago, FBI agents arrested a 20-year-old from Southern California for installing adware on a botnet of more than 400,000 hacked computers. Jeanson James Ancheta's victims included computers at the Naval Air Warfare Center and machines at the Defense Information Systems Agency, according to government documents. He pleaded guilty to the charges last month.

Like Ancheta, 0x80 installs adware and spyware surreptitiously, though the law requires the computer owner's consent. The young hacker doesn't have much sympathy for his victims.

"All those people in my botnet, right, if I don't use them, they're just gonna eventually get caught up in someone else's net, so it might as well be mine," 0x80 says. "I mean, most of these people I infect are so stupid they really ain't got no business being on [the Internet] in the first place."

Tall and lanky, with hair that falls down to his eyebrows, 0x80 almost never looks you in the eye when he talks, his accent a slurry of heavy Southern drawl and Midwestern nasality. He lives with his folks in a small town in Middle America.

The nearest businesses are a used-car lot, a gas station/convenience store and a strip club, where 0x80 says he recently dropped $800 for an hour alone in a VIP room with several dancers. He tells his parents that he works from home for a Web design firm. His bedroom resembles a miniature mission control center, with computers, television and computer monitors, and what must be several miles' worth of tangled wires plugged into an array of surge-protected power strips.

At the moment, 0x80 controls more than 13,000 computers in more than 20 countries. This morning he installs spyware on just a few hundred of the 2,000 PCs that he has commandeered in the last few hours. He will stagger the remaining installations throughout this day and into the next, using a program he wrote that automates the process. If he installs too many bundles of spyware at once, the online marketing companies "get suspicious, they cut me off, and I don't get paid," he mumbles, squinting at the screen while the nub of his cigarette sprinkles ashes all over his laptop and the coffee table. "I've learned not to get greedy."

A small dog with matted fur enters the living room and winds through 0x80's feet. 0x80 gives the dog a gentle shove with his foot, without even looking up from his laptop. He furiously stabs at the keyboard with his two forefingers, punching out a short command that produces a mesmerizing blur of black-on-white text that scrolls up the computer screen at several pages per second. 0x80 makes it halfway through a cigarette before the text flying across the screen finally stops.

The command he typed -- "pstore" -- is short for "password store." On the screen in front of him is a listing of every user name and password that the owner of each infected computer has stored in the Microsoft Internet Explorer Web browser on his or her computer.

A quick scroll through the first few dozen pages of the file reveals credentials his victims have used to log in to online accounts at PayPal, eBay, Bank of America and Citibank, to name just a few. Many of the Web sites for which user names and passwords are stored are harmless, such as sports or hobby sites. Others are potentially far more revealing, such as hard-core sex and fetish Web sites. 0x80 has also found credentials for thousands of e-mail accounts, including dozens at ".mil" and ".gov" (U.S. military and government) addresses.

"See all that info?" 0x80 asks. "I don't use it, and I don't sell it like a lot of guys I know do. That's too risky." His goal is to make money, not to end up in jail.

One of his victims, a computer-loving 29-year-old pastor named Michael White, could tell 0x80 plenty about jail. White runs the Agape Church and Christian Center in Memphis but admits he wasn't always a man of God. Ten years ago, he was a freshman at the University of Memphis, where he was on the track team and the dean's list. Then he fell in love with liquor, he says, and flunked out of school. He landed in jail twice over the next 18 months, both times for driving a car that didn't belong to him.

Next came the accident that changed his life. One night, while White was driving a friend's Mitsubishi Eclipse, a police cruiser pulled up behind him, lights flashing. White says he was intoxicated, and driving without a license or insurance. He panicked, floored the car and lost control, flipping the Eclipse over and over until the fuel tank ignited. White woke up in a hospital bed with third-degree burns over 30 percent of his body. The searing heat from the explosion had melted his ears into little nubs, and doctors had amputated the pinky finger on his scarred left hand.
Fifteen plastic surgeries and more than two years of physical therapy later, White had healed enough to face the charges against him, which included aggravated assault for endangering the lives of other motorists. He pleaded guilty in 1999 and served almost two years at a prison in Tennessee. During his time in prison, he says, "I realized the Lord had called me to ministry."

Since White's release in 2001, God has played a huge part in his life. And so have computers. He typically spends 50 to 60 hours a week surfing the Web, instant-messaging and e-mailing. He even met his wife online. Shortly after starting his ministry, he entered an online chat room dedicated to Christian ministries and struck up a conversation with a woman using the screen name "Warrior Princess." They hit it off immediately and married 15 months later. Taneshia gave birth to their first child, MaKalya, last month.

But the same technology that led White to his wife betrayed him last summer. His desktop computer, which he had paid $350 for in 2004, was suddenly inundated with pop-up ads for adult Web sites. A mysterious toolbar with the symbol "XXX" had shown up in the topmost portion of every Internet Explorer Web browser window he opened. A friend spent a few days trying to remove the pornographic software, but each time he did, the software reinstalled itself after the computer was reconnected to the Internet.

White initially suspected that one of the kids he tutors after school had used his PC to visit some questionable Web sites. He wasn't aware that his computer had been hijacked by 0x80 until he was contacted by the reporter writing this story.

0x80's bot program was able to infiltrate the pastor's computer because the PC lacked dozens of software patches that Microsoft has issued to fix security flaws in its Windows operating system.

White says he was counting on a $50 firewall and antivirus software suite he purchased from Trend Micro to keep hackers and viruses from attacking his PC, but he confesses he's not sure whether the software was equipped with the latest updates that would allow it to detect the most recent viruses.

"I'll be honest, as someone who loves technology, I've not done a great job with this computer," White says. He eventually opted to buy a new PC rather than spend the time and money to repair the infected one. "It just made more sense for me to get a new $300 Dell that came with a free monitor that was better than the one I had," he says.

The whole episode, he says, has taught him a valuable lesson: It's easier to take the precautions needed to keep a computer from being hacked than it is to clean it up after the damage has been done. "Overall, you've got to realize that, just like if you don't secure your home, you run the risk of getting burglarized; if you're crazy enough to leave the door on your computer open these days, like I did, someone's gonna walk right in and make themselves at home."

0x80 began learning how to program at age 14, before his family even owned a computer. Like many hackers of his generation, he got his start by meeting techies on networks run by America Online. "This buddy of mine who lived two houses down from me had a computer before I did. He was always on AOL, but he also always had trouble figuring out how to do stuff, so I'd just go on all the time and figure it out for him."

0x80 says he got into writing viruses by accident after logging onto an AOL chat room named "Lesbians Only." "Someone sent me a virus that made it so that every time I typed anything on the keyboard it would pop a message up on the screen that said, 'I'M [expletive] GAY!'" 0x80 recalls. He tried to stop the computer from flashing the message, but nothing worked.

"I finally found [information] on it using my friend's PC and figured out how to write a batch script to stop the virus." After that, 0x80 became obsessed with computer viruses and dedicated nearly all his time to tinkering with them. On his 16th birthday, his folks gave him his own computer to do schoolwork.

It wasn't long before 0x80 was skipping school to spend time in online channels known as Internet Relay Chat, a vast sea of text-based communications networks that predates instant-messaging software. There are tens of thousands of IRC channels all over the world catering to almost every imaginable audience or interest, including quite a few frequented exclusively by hackers, virus writers and loose-knit criminal groups. IRC channels have traditionally been among the most popular means of controlling botnets.

About two years ago, 0x80 entered an IRC channel where several hackers were bragging about how much they were making using botnets to install spyware. Up to that point, 0x80 had used his botnet mainly for "packeting," conducting petty denial-of-service attacks to knock his buddies or enemies offline. Within a few weeks of visiting that channel, 0x80 was modifying the computer worm code he needed to transform his botnet into a money machine.

He and his hacker friends are part of a generation raised on the Internet, where everything from software to digital music to a reliable income can be had at little cost or effort. Some of them routinely go out of their way to avoid paying for anything. During a recent conference call with half a dozen of 0x80's buddies using an 800-number conferencing system they had hacked, one guy suggests ordering food for delivery. Nah, one of his friends says, "let's social it." The hackers take turns explaining how they "social" free food from pizza joints by counterfeiting coupons or impersonating customer service managers.

"Dude, the best part is when you walk in, you hand them the coupon or whatever, they give you your [pizza], and you walk out," one of them enthuses. "Then, it's like, yes, I am . . . the coolest man alive."

"Dude, that's so true," echoes a 16-year-old hacker. "Free pizza tastes so much better than pay pizza any day."

0x80 expresses some ambivalence about this lifestyle and occasionally ponders what he should do next. He's toyed with the notion of going to a community college to get a degree in computer science, but the idea of getting an honest job with a legitimate tech company doesn't hold much appeal. "I'd probably have to take a pretty bad pay cut no matter where I worked," he says.

Asked whether he worries about getting caught, 0x80 stuffs his hands into his jeans pockets, shrugs his shoulders and looks down at his shoes. "To tell the truth, man, I'm sorta surprised they haven't caught me yet." He claims he doesn't care but then confesses that he dedicates quite a bit of time to covering his tracks. "I do stay up very late each night trying to make sure nobody is going to kick in my front door . . . If I do [get caught], I'm not all that worried. I've got enough money. I can always get a good lawyer."

Adware and spyware distribution companies promise instant riches to people who agree to help install their programs. These installers are known in the business as "affiliates." Many adware distribution sites recruit affiliates with photos of stacked $100 bills. GammaCash.com, for instance, the company that makes the XXX toolbar that Michael White discovered on his computer, features an animated image of a pair of hands cupped to hold an expensive watch. Wait a few seconds, and the watch disappears, only to be replaced by a Cadillac sport utility vehicle, which quickly morphs into a yacht.
The companies include in their "terms and conditions" disclaimers that they do not permit the installation of their products without the consent of the person who owns the computer. Most claim they will terminate without pay any affiliates who violate that rule. But 0x80 and one of his friends -- who goes by the screen name Majy -- say they've easily disguised their installation methods. Their biggest complaint about the whole enterprise: being routinely shortchanged by the adware distribution companies, which often "shave," or undercount, the number of programs installed by their affiliates.

"It sucks, too, because the companies will shaft you, and there isn't a lot you can do about it," says Majy, 19, who claims to have had as many as 30,000 computers in his botnet.

There are, in fact, legal ways to induce PC owners to download spyware and adware. Most computer users acquire spyware and adware simply by browsing certain Web sites, or agreeing to install games or software programs that come bundled with spyware and adware. Before its Web site went dark not long ago, TopConverting.com bundled its adware and spyware with products most likely to appeal to children and teenagers: simple games, online game insignias or "avatars," and "emoticons," custom-made smiley faces for use in instant-message software. The company also marketed short digital videos that catered to the humor of teenage boys: "Beavis and Butt-Head" cartoons, a short clip called "Boob Boxing" and another titled "Bath Fart."

Computer users may or may not understand what they are consenting to when they click "OK" to the lengthy, legalistic disclosures that accompany these games or videos. But those notices are legal contracts that essentially absolve the adware companies from any liability associated with the use or misuse of their programs.

0x80 and Majy don't leave computer owners any chance to decline the adware. Once they invade a computer and add it to their botnet, they use automated keystroke codes to order the enslaved machine to click "OK" on installation agreements. 0x80 says he even created a program that allows him to remotely wipe computers in his botnet clean of old adware, making room for him to install new adware -- and get paid again.

And getting paid is the whole point. Majy says TopConverting, which did not respond to requests for comment for this article, paid him an average of $2,400 every two weeks for installing its programs. He got 20 cents per install for computers in the United States and five cents per install for PCs in 16 other countries, including France, Germany and the United Kingdom. A nickel per install doesn't sound like much, unless you control a botnet of tens of thousands of computers.

Majy also receives income from Gamma-Cash, which bills itself on its Web site as "an industry leader in online adult affiliate programs." The company pays affiliates to drive traffic to adult Web sites, mainly through pop-up advertisements for porn sites served to users through its XXX toolbar, which hijacks the victim's Web browser and sets its home page to one of several subscription porn sites. Majy says Gamma-Cash, which did not respond to requests for comment, sends him a $400 check each month from a bank in Canada.

0x80 also installs adware for Gamma-Cash. And he works for a company called Loudcash, which was recently purchased by one of the largest and most important players in the adware business: 180solutions.

Half of the glass-and-steel structure that houses 180solutions' sprawling headquarters in Bellevue, Wash., rests underground; the other half juts out at acute angles. The rooftop sports an AstroTurfed volleyball court, a gas grill and a commanding view of the Seattle skyline. Some of the company's 200-plus employees zip around the long hallways on Segways or foot-powered scooters.

Throughout the building are polka-dotted posters that read, "Who Do You Want to Be?" The signs are meant to challenge employees to continuously reevaluate their roles, but they also reflect the seven-year-old company's effort to prove to the world that it has executed a 180-degree shift away from its past business practices.

180solutions got its start in the adware industry with a product called Epipo, which paid people roughly six cents per hour to view specially targeted advertisements sent to their computers. The product became popular among college students, who quickly figured out ways to automate browsing the Web so that they could get paid for viewing ads while they were away from their computers. According to allegations in a lawsuit filed by the Washington state attorney general's office, 180 responded by changing the payment terms so that it was virtually impossible for people to collect the promised money. The company nearly went bankrupt when it settled the suit in 2002.

By that time, 180 had changed its marketing strategy. Instead of paying people to install its adware, the company lured them with free games, which came bundled with ad-serving software called "n-Case." The software tracked users' surfing and buying habits, and was extremely difficult to remove. Consumer advocates had little difficulty showing that n-Case was being installed without user consent. Faced with increasing criticism for the fraudulent installs, 180 rebranded the software as 180 Search Assistant. The new software's chief distinguishing feature was that it was easier to remove than n-Case.

In 2004, venture capitalists invested $40 million in 180solutions, fueling rapid growth. That year, 180 says, it raked in more than $50 million delivering online ads for some of America's best-known corporations, including JP Morgan Chase, Cingular, T-Mobile, Monster.com and Expedia.com.
(Among the hundreds of companies that have placed ads through 180solutions is Kaplan University Online, which is owned by The Washington Post Co.)

By 180's own count, its adware is installed on 20 million computers. The people who use those computers receive pop-up ads based on what they are searching for online. If the user searches for the term "travel," 180's software will look through its database of clients in the travel business and present an ad from the company that bid the most on that search term. The next time that user searches using the same term, 180 will serve the ad of the next-highest bidder for that word, and so on. 180 then gets paid from 1.5 to 2.5 cents for each ad it delivers to the user. The more computers with 180's adware, the more revenue each ad generates.

Consumer groups gathered mountains of evidence that 180 Search Assistant was being installed on thousands of computers without user consent. Once again, 180 tried to quiet its critics. Toward the end of last year, the company announced it was phasing out 180 Search Assistant in favor of the Seekmo Search Assistant. Company spokesman Sean Sundwall says Seekmo will be more fraud resistant than 180 Search Assistant, and that it will not be distributed or bundled with other software programs without 180's permission. The company says this will give it far more control over how Seekmo is installed and by whom.

But Ben Edelman, who has spent years chronicling the offenses of the adware industry while working toward a PhD in economics at Harvard University, says Seekmo is functionally the same program as 180 Search Assistant. Edelman says 180's penchant for renaming its software each time abuses are highlighted is part of the reason the anti-spyware community directs so much vitriol at the company.

"The idea that 180solutions got where they are today through bad business practices and that they continue to make money from that user base is hardly unique to them," Edelman says. "What really makes people so mad is that 180 is far less apologetic than the other players" in the industry.

The Center for Democracy & Technology, the leader of a group called the Anti-Spyware Coalition, spent two years working with 180 to resolve dozens of consumer complaints about surreptitious installs. Ari Schwartz, the center's deputy director, says each time the subject arose, the company claimed it was blindsided by the accusations and that it needed more time to correct its distributors' behavior.

Weeks after 180solutions said it was discontinuing its 180 Search Assistant software, a computer worm began spreading rapidly across AOL's instant message network, downloading and installing viruses and a host of other programs -- including 180 Search Assistant -- on victims' computers. While 180 denied it had anything to do with the worm, for the CDT, that was the last straw: On January 23, the nonprofit filed a detailed complaint with the Federal Trade Commission urging the agency to sue 180solutions for violating consumer protection laws.

In a statement, 180solutions denied that it was ignoring the problem, arguing that it had made "great progress in the fight against spyware" and insisting that it shared the CDT's vision of "protecting the rights and privacy of consumers on the Internet . . . We have made voluntary improvements to address every reasonable concern that the CDT has made us aware of."

Company executives acknowledge they didn't begin addressing the fraud problems wrought by what 180 co-founder Dan Todd calls "a few bad actors" until mid-2004. Dressed in worn-out jeans and an untucked dress shirt, 34-year-old Todd puts one foot up on the coffee table in his glass office and tries to explain how things spiraled so far out of control.

"At some point between dealing with legitimate distributors and these botnet guys who try real hard to look like good guys, we realized that something had gone terribly wrong and that our plan of outsourcing our relationship to the consumer had backfired," Todd says.

Last year, he says, 180 executives purchased some of their biggest distributors, including Loudcash, as part of a plan to rein in "rogue distributors" and help clean up the company's adware distribution practices. 180 says it no longer allows its adware to be bundled with adult Web site content or peer-to-peer (P2P) online file-sharing services that many people accuse of promoting music and movie piracy.

"Our goal," he says, "is to minimize the financial incentive for people to install our software illegally, with the goal of making sure that our money never gets paid to bad actors."

To demonstrate its commitment, 180 filed lawsuits last year against seven distributors, accusing them of using botnets to earn more than $60,000 installing the company's adware without computer owners' consent. When the defendants -- all of whom live outside of the United States -- refused to make the trip here to face the allegations against them, 180 referred the matter to the FBI, says company attorney Ken McGraw.

The company also worked with the FBI and Dutch authorities last year on an investigation that shut down a botnet of more than 1 million computers in the Netherlands. The FBI acknowledged that 180 was instrumental in helping to track down the botmasters. 180, in fact, became the target of a denial-of-service attack by the botmasters, who were furious that the company was refusing to pay them for surreptitious adware installs. The attack briefly crippled 180's Web site, making the company a victim of the botnet phenomenon.
Yet 180's insistence that it is cracking down on botmasters has yet to win over the anti-spyware activists, who have spent years unraveling the labyrinthine economic ties among advertisers, adware vendors and their affiliates. The anti-spyware hawks don't believe 180solutions has changed the way it operates or that the company is buying up major players in the adware industry in order to clean up its act. "That's sort of like a drunk saying he's buying up a liquor store to solve his drinking habit," says Eric Howes, an executive at Sunbelt Software, an anti-spyware firm. At a recent anti-spyware conference, Todd was openly mocked for claiming that 180 previously had no way of knowing how many of its distributors were installing its software illegally. Someone at the conference suggested that 180 use its technology to periodically present users with pop-ups asking them whether they had authorized the adware to be installed in the first place. Now the company says it is doing just that. If the answer is no, the user can remove the software with a click of a button. 0x80 hasn't paid much attention to the public condemnation of 180's business practices. And he says he doubts any of the measures the company is taking will discourage botmasters from installing adware. "It doesn't really matter what [180] does to try and stop them," the hacker says. "There's just too much money to be made there. People will just find another company to work with." Sam Norris answers the door of his handsome stucco-and-Spanish-tile home near San Diego dressed in jeans, a polo shirt and squeaky-clean blue and white suede sneakers. He smiles broadly. "You picked a great week to come out," he says. "I'm tracking quite a few botnets today." Norris, 31, is president of an Internet service company called ChangeIP.com that finds itself at the center of the battle against botnets. 
He estimates that he is spending up to 20 hours a week preventing botmasters like 0x80 and Majy from using his network to control their botnets. Botmasters typically control their herds of infected PCs by having each report to a central server and await instructions, which may be to attack a Web site, send spam or download spyware programs. But many of the IRC networks that have been used for this purpose are beginning to crack down on botmasters. As a result, an increasing number of hackers are trying to cover their tracks by taking advantage of the services of companies like Norris's, which allow Internet browsers to find hundreds of small Web sites by name (for example: smallwebsite.com), even though the actual numeric address of the sites can change from day to day. Botmasters like 0x80, however, have turned that process inside out. They use Norris's service to hide their botnets when they jump from server to server. Should authorities or computer security experts start to zero in on the server that's running their botnet, they can switch servers, and ChangeIP.com will enable the hijacked computers to find the new hideout. In most cases, it is easy for Norris to tell which hosts on his network are legitimate Web sites and which are botnets: Most small Web sites don't have thousands of computers trying to access the site at precisely the same time. By tracking the communications traffic between the infected machines and the botmaster's control channel, Norris can capture data that might be useful to law enforcement, including snippets of text or code that may hold clues about the geographic location or identity of the botmaster. Norris says he sees an average of 37 new botnets per week trying to use his company's service, and sometimes as many as 10 new botnets per day. Last spring, he cut off access to a botnet of more than 40,000 PCs that was being used as a massive install base for spyware. 
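Norris's rule of thumb (a small Web site is not contacted by thousands of machines at the same moment) can be checked mechanically over a provider's resolver log. The following is an added example, not code from the article or from ChangeIP.com; the log format, hostnames, addresses and thresholds are constructed for illustration. It goes one step beyond the text by also linking flagged hostnames that share the same client population, the trace left when the same infected machines check in to several names in turn.

```python
# Added example (not from the article or ChangeIP.com): flag dynamic-DNS
# hostnames contacted by many distinct clients within seconds, then link
# flagged hosts that share the same client population.
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed resolver log: "timestamp hostname client_ip" per line.
# Names and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = "\n".join(
    ["2006-02-01T10:00:00 myshop.example.net 203.0.113.10",   # small site:
     "2006-02-01T10:20:00 myshop.example.net 203.0.113.11",   # three visitors
     "2006-02-01T10:45:00 myshop.example.net 203.0.113.12"]   # over an hour
    # control channel: eight distinct clients check in within ten seconds
    + [f"2006-02-01T11:00:0{i} ctl-a.example.net 198.51.100.{i}" for i in range(8)]
    # the same eight clients try a second name a minute later
    + [f"2006-02-01T11:01:0{i} ctl-b.example.net 198.51.100.{i}" for i in range(8)]
)

def parse_log(text):
    """Parse log text into (timestamp, hostname, client_ip) tuples."""
    out = []
    for line in text.splitlines():
        ts, host, ip = line.split()
        out.append((datetime.fromisoformat(ts), host, ip))
    return out

def flag_rendezvous_hosts(records, window=timedelta(seconds=60), min_clients=5):
    """Return {hostname: peak distinct clients} for hosts contacted by at
    least min_clients distinct addresses inside some sliding time window."""
    by_host = defaultdict(list)
    for ts, host, ip in records:
        by_host[host].append((ts, ip))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            in_window = {ip for ts, ip in events[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        if peak >= min_clients:
            flagged[host] = peak
    return flagged

def linked_hosts(records, hosts, min_overlap=0.8):
    """Pair flagged hosts whose client sets overlap (Jaccard) by at least
    min_overlap: the same machines talking to several names."""
    clients = defaultdict(set)
    for _, host, ip in records:
        if host in hosts:
            clients[host].add(ip)
    pairs = []
    for a, b in combinations(sorted(hosts), 2):
        if len(clients[a] & clients[b]) / len(clients[a] | clients[b]) >= min_overlap:
            pairs.append((a, b))
    return pairs
```

With the constructed log, `flag_rendezvous_hosts` reports only the two control names (eight clients each) and `linked_hosts` pairs them, while the three-visitor shop is never flagged.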
"I am seeing this botnet-spyware connection just skyrocket," Norris says, "and I think it's because these guys are realizing there's tons of cash to be made here." A computer programmer by trade, Norris dissected a copy of the bot used by one hacker he recently banished from ChangeIP.com's network. The program contained instructions for installing 14 adware and spyware programs, and Norris says the bot code was encrypted and so thoroughly disguised that none of the antivirus software he used detected the code as malicious. As he was examining the bot program, Norris accidentally executed it, causing his machine to become infected. Almost immediately, he says, the program downloaded a package of adware and launched several pop-up ads for pornographic Web sites. It also installed GammaCash's infamous XXX toolbar. Norris's forensics work revealed that the bot program also contained more than 30 other features, including the ability to capture all of the victim's Web traffic and keystrokes, as well as a program that looks for PayPal user names and passwords. Other programs installed by the bot allowed the attackers to peek through a user's webcam. Norris often works out of his home in the auburn hills of San Marcos, Calif., where F-16 fighter jets from nearby Miramar Naval Air Station streak across the sky. Today he sits down at the desk in his cramped home office and clacks away at his keyboard, generating a slew of line graphs measuring the level of traffic flowing across his company's networks. He's a member of an informal enforcement group of more than 100 independent security experts worldwide who share daily data on the size, location and activity of the Web's most disruptive botnets. Hailing from Internet service providers, computer hardware manufacturers and software security firms, the group's members use that information to shut down botnets by cutting off the infected computers and forwarding the intelligence they glean to law enforcement. 
Each morning, Norris receives an e-mail listing the online locations of the Web servers used to control some of the world's most dangerous botnets. "First thing I do most days is go through this list and try to find out which ones" are using his network, he says, pointing to a report he just generated that lists the top 20 traffic-generating sites on his company's system. "Most of these are botnets." And the botnets are hardly limited to hijacked home computers. A few months back, Norris found more than 10,000 infected PCs on the inside of a Fortune 100 company network, all trying to contact a control server located at ChangeIP.com. When Norris called the company with the bad news, its poorly trained network administrator had no idea how to respond. "I call this guy up and say, 'Hey, you've got 10,000 infected computers on your network that are attacking me,' and this guy is basically, like, 'Well, what do you want me to do about it?' " Norris says that after collecting enough evidence about a botnet, he terminates the account and, he hopes, disconnects the botmaster from his army of infected machines. He says "he hopes" because many times the botmaster will have instructed his enslaved machines in advance to try several other domain names should the main control channel be shuttered. But in most cases, Norris says, the botmaster simply shifts control of his botnet to another Internet service provider. "Other times, the attackers play dumb and send polite e-mails asking why their service has been shut off." And, occasionally, the hackers will rebuild their botnets elsewhere and use them to retaliate against ChangeIP. Last year a botmaster who had been cut off joined forces with another botnet to direct such a massive, constant stream of bogus Web traffic at ChangeIP.com that the site had difficulty processing legitimate traffic for nearly a week. As the botnet problem has escalated, so has the interest of federal law enforcement, Norris says. 
Not long ago, he was contacted by a National Security Agency official who asked for records related to several ChangeIP accounts. He's also had visits from FBI agents hot on the trail of several botmasters. One FBI agent said he couldn't disclose the details of his investigation but handed Norris a copy of a Time magazine article about Chinese hackers suspected of infiltrating U.S. corporate and military computer networks. "The feds are finally starting to understand that botnets are more than just a nuisance: They're the source of all that's evil on the Internet today, from hacking and spamming to phishing and spying," Norris says. (Phishing involves impersonating trusted Web sites to gain confidential information from computer users.) Shutting down a botnet can be arduous work, but finding the criminal on the controlling end of the herd has proven an especially challenging task for law enforcement. That's in part because security experts like Norris and others often disagree over whether to dismantle the botnets as soon as possible or to monitor them for a period of time in order to gather intelligence that might prove useful in helping investigators track down the criminals behind them. Hank Nussbacher, an independent Internet security consultant based in Israel and a member of the group that's sharing information on botnet activity, says most members have their hands full just shutting down the botnets' command and control centers. "Occasionally, the Internet service provider where the [bot control center] is located requests that it not be shut down because they are collecting forensics information for some law enforcement agency, but I'd say about 98 percent of the time, as soon as we find one, we shut it down." Louis Reigel III, assistant director of the FBI's Cyber Division, says the botnet data regularly shared by security experts like Norris is invaluable. 
But Reigel stresses that prosecuting botmasters is difficult because their crimes and networks usually span multiple continents, which means working with foreign law enforcement agencies and depending on their cooperation. The FBI has dedicated several agents from its special technologies section to tracking down botnet operators and is pursuing hundreds of investigations, Reigel says. But "the techniques being used by these bot guys are becoming more efficient every day, so the bot situation is probably going to get a lot worse before it gets better." Norris shares that fear and worries that more botmasters will begin to exploit emerging peer-to-peer communication technologies of the sort that power controversial music- and movie-sharing networks like Kazaa and LimeWire. Such networks would allow enslaved computers to communicate instructions and share software updates among one another, so that they would no longer depend on orders from the master servers that Norris and other bot hunters search out and disable every day. "When P2P becomes the norm with these bots," Norris says, "that's when I call it quits with this botnet stuff, because, at that point, it will be pretty much out of my hands." On the eve of a visit to his home by a Washington Post photographer, 0x80 decides to tell his father what he really does for a living, in part, he says, because hiding it is starting to eat him up inside. 0x80 tells his father the whole truth, but he can't bring himself to break the news to his mother because, as he puts it, "she's really Christian and that would just crush her to know I'm involved in something like this." "I told my dad I had made an Internet worm that infected people, and then I used their computers to make money, and he just shook his