From isn at c4i.org Wed Jan 4 06:06:10 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:06:10 -0600 (CST)
Subject: [ISN] Wait for Windows patch opens attack window
Message-ID:

http://news.com.com/Wait+for+Windows+patch+opens+attack+window/2100-1002_3-6016747.html

By Joris Evers
Staff Writer, CNET News.com
January 3, 2006

A serious flaw in Windows is generating a rising number of cyberattacks, but Microsoft says it won't deliver a fix until next week. That could be too late, security experts said.

The vulnerability, which lies in the way the operating system renders Windows Meta File images, could infect a PC if the victim simply visits a Web site that contains a malicious image file. Consumers and businesses face a serious risk until it's fixed, experts said.

"This vulnerability is rising in popularity among hackers, and it is simple to exploit," said Sam Curry, a vice president at security vendor Computer Associates International. "This has to be taken very seriously, and time is of the essence. A patch coming out as soon as possible is the responsible thing to do."

Microsoft has come under fire in the past for the way it releases security patches. The company responded by instituting a monthly patching program, so system administrators could plan for the updates. Critics contend that in high-urgency cases such as the WMF flaw, Microsoft should release a fix outside of its monthly schedule.

Details on the WMF security problem were publicly reported last week. Since then, a number of attacks that take advantage of the flaw have surfaced, including thousands of malicious Web sites, Trojan horses and at least one instant messaging worm, according to security reports.

More than a million PCs have already been compromised, said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany.
He has found a hidden Web site that shows how many copies of a program that installs malicious software have been delivered to vulnerable PCs.

Microsoft has said that a patch will not be made available until Tuesday, its next official patch release day. That delay could provide an opportunity for attackers, security provider Symantec said on Tuesday.

"There is a potential 7-day window for which attackers could exploit this issue in a potentially widespread and serious fashion," Symantec said in a notice sent to subscribers of its DeepSight alert service.

Hackers have been quick to craft tools that make it easy to create malicious image files that take advantage of the flaw, experts said. These new files can then be used in attacks. The tools themselves can be downloaded from the Internet.

Many of the attacks today use the unpatched bug to attempt to install unwanted software, such as spyware and programs that display pop-up advertising, on Windows PCs.

The flaw affects all current versions of the operating system, and a vulnerable system can be attacked simply if the user views a specially crafted image, according to a Microsoft security advisory. In most cases, the attacks require a user to visit a malicious Web site, but the schemes are likely to become more sophisticated, antivirus specialist Marx said.

"I'm sure it's just a matter of days until the first (self-propagating) WMF worm will appear," he said. "A patch is urgently needed."

Microsoft is urging people to be cautious when surfing the Web. "Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code," it said in its advisory.

But most ordinary PC owners simply aren't aware of this type of threat, said Stacey Quandt, an analyst with the Aberdeen Group. "There are a lot of Windows users who aren't paranoid enough about never clicking on an unknown link," she said.
Patch ahoy

Microsoft has completed a fix for the problem and is currently testing and localizing the update into 23 languages, the software maker said in its advisory, updated on Tuesday. "Microsoft's goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins," the company said.

To protect Windows users, Microsoft shouldn't wait, but release the patch now, several critics said.

"The flaw is actively exploited on multiple sites, and antivirus provides only limited protection," said Johannes Ullrich, the chief research officer at the SANS Institute. "Active use of an exploit without sufficient mitigating measures should warrant the early release of a patch, even a preliminary, not fully tested patch."

Marx agreed. "As the vulnerability is already known, Microsoft should make this patch available now," he said. System administrators could do their own testing and then apply the patch, Marx and Ullrich said.

Increasingly sophisticated computer code that exploits the Windows flaw has been made publicly available, Symantec said. In response, the security provider raised its ThreatCon global threat index to Level 3.

Microsoft, however, said the threat is limited. "Although the issue is serious, and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks is not widespread," the software maker said in its advisory.

Calculating potential cost

Whether to issue the fix sooner rather than later has to be a matter of risk analysis, CA's Curry said. "They have to balance out what the risk involved with not having a patch for a day or two days is, versus not testing all scenarios. The only thing they could do worse than delaying a patch is if they bring out a bad patch," he said.

Part of the problem is that Microsoft's software is complicated and vulnerable to unintended side effects of patches, Quandt said.
If the company sends out a fix prematurely, the update could cause bugs that affect the normal operation of systems, she said.

Beyond this single instance is what appears to be a wider problem with WMF files, said John Pescatore, a Gartner analyst. Other flaws related to WMF have been put right in recent months, he noted. "I hope Microsoft is going to fix the underlying problem in how WMF files are handled," he said. "We need a stronger fix, so that we're not going to see another vulnerability like this one two weeks from now."

While Microsoft is testing its patch, users can protect themselves with an unofficial, third-party fix. In an unusual move, some security experts are even recommending that people apply this solution while waiting for Microsoft to deliver the official update.

"We carefully checked this patch and are 100 percent sure that it is not malicious," the SANS Institute's Ullrich said. "The patch is, of course, not as carefully tested as an official patch. But we feel it is worth the risk. We know it blocks all exploit attempts we are aware of."

F-Secure, an antivirus company in Finland, has also tested the fix, created by Ilfak Guilfanov, a programmer in Europe. "We've tested and audited it and can recommend it. We're running it on all of our own Windows machines," said Mikko Hypponen, chief research officer at F-Secure.

But Microsoft cautions against Guilfanov's patch. "As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software," Microsoft said.

At least one user has reported difficulties after installing the fix. The update can cause network printing problems, according to an e-mail sent to the Full Disclosure security mailing list.

While some critics have given Microsoft's response to the WMF flaw a failing grade, the company has also gained some respect for its handling of the issue.
"Everybody would like to see the patch as soon as possible, but I can't blame Microsoft for wanting to test it thoroughly," Hypponen said. "However, if a widespread worm is found before next Tuesday, I do believe they will break the cycle and just release the patch."

As the official January patch day is only next week, the length of the wait for the update is fine, Gartner's Pescatore said. "If we were three weeks, or almost four weeks from the next regular patch cycle, it might be a different story," he said. "This close, most enterprises don't want to go through one patch this week and another next week."

Still, Gartner is urging people to protect themselves while waiting for Microsoft's fix--by blocking access to known malicious sites, for example, Pescatore said. Microsoft also offers some workarounds in its advisory.

From isn at c4i.org Wed Jan 4 06:06:45 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:06:45 -0600 (CST)
Subject: [ISN] Terror stalks India's booming tech industry
Message-ID:

http://www.smh.com.au/news/breaking/terror-stalks-indias-tech-industry/2006/01/01/1136050343831.html

New Delhi
January 2, 2006

A suspected militant raid on one of India's top science universities has confirmed fears that the country's booming information technology sector could be a new target for terror groups, officials and analysts said.

A professor was shot dead and four other people were wounded last week when an unidentified gunman drove on to the Indian Institute of Science (IISc) campus in the southern city of Bangalore, India's tech capital, and opened indiscriminate fire from an automatic rifle outside a conference hall.

No group has claimed responsibility for the attack on what security experts said is a "soft target". But the nature of the attack - the use of a Kalashnikov rifle to open fire randomly and the recovery of unexploded grenades and cartridges from the site - points to anti-Indian Islamist militant groups, they said.
"Whatever information is coming out of Bangalore shows that one of these groups is responsible," said B. Raman, a former head of the Research and Analysis Wing, India's external intelligence agency.

"Although the damage was not much, it was a very daring attack. Unless there is evidence to the contrary, I would believe this is the work of jihadi groups," he said, referring to Muslim militants fighting Indian rule in disputed Kashmir.

India has been a victim of separatist violence for decades and Kashmiri militants have struck regularly in the disputed Himalayan region as well as at targets in northern India, including in the capital, New Delhi, since the 1990s.

India has long accused arch rival Pakistan - with which it is locked in a decades-old dispute over Kashmir - of aiding the militants and sending them across the border. Islamabad denies the charge.

While southern India has largely been peaceful during this period, intelligence agencies have warned over the past two years that Islamist militants were making inroads in the south, setting up cells and recruiting sympathisers.

Bangalore and the rival tech centres of Hyderabad and Chennai were prime targets as they were symbols of India's technological might and economic progress, analysts said.

A city of 6.5 million people, Bangalore alone is home to more than 1,500 technology and back-office firms, among them dozens of global giants such as Intel, Motorola and IBM, and is now known as 'India's Silicon Valley'.

The firms account for a third of India's $17.2 billion software industry and employ about one million people. Several Indian defence, space and scientific research institutions are also based in Bangalore.

"The country is waking up to a new reality - its success in IT and concomitant economic boom has excited malice in certain quarters, who would like to attack symbols of that success," the Times of India wrote in an editorial on Friday.
"Within the frame of this inchoate rage against modernity, an international conference of scientists is also a target," it said, referring to the shooting at the IISc.

While hard targets such as government offices and defence establishments are well protected, security at technology firms and institutions is in no way comparable, experts said.

Following the Bangalore shooting, IT firms would need to boost 'physical security' at their facilities while government agencies should strengthen intelligence gathering and destroy militant cells before they could strike, they said.

"The Indian IT industry ... already has in place many security measures," the National Association of Software and Service Companies (NASSCOM), the leading industry body, said in a statement after the Bangalore shooting.

"This incident emphasises the need to review and upgrade these. NASSCOM and the IT industry will work, in collaboration with the police and government, towards tightening security measures to create a safer working environment for the industry," it said.

From isn at c4i.org Wed Jan 4 06:03:21 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:03:21 -0600 (CST)
Subject: [ISN] To Convergence (and Back)
Message-ID:

http://www.csoonline.com/read/010106/convergence.html

By Anonymous
January 2006 Issue

Security convergence - that is, the true meshing of physical and cybersecurity along with business continuity management - is one of the most logical concepts that's been introduced to the security world in a very long time. Convergence makes sense conceptually in the boardroom and functionally within the organization. It saves security dollars, increases efficiency and provides more effective incident response, all of which are great incentives for getting and maintaining senior executive support.

But here's a warning for all of you daring enough to push for change. You can do everything right as you go down the road to convergence.
You can start getting past the cultural and political issues involved with convergence, and you can begin the tedious process of collecting metrics that demonstrate its positive impacts on the organization. But it may not be enough.

The new combined organization may become a target of an efficiency program or a general cost-cutting initiative, or it may suffer after a risk decision upsets the wrong inside player. Then, you may suddenly find yourself overseeing a transition team into the Dark Ages. The CSO is told that the company needs to "focus on other things." But hey, they say, thanks - your efforts have improved security, so we can now go back to business as usual. (And oh, by the way, we now have one less VP mouth to feed.)

I say all this because I've learned the hard way. But I still wouldn't have done anything differently.

The Beginning and the End

There are two camps as far as how companies deal with issues and resolve problems. In the first kind, the CEO hires people and puts them in charge of business units. If things blow up, then it's their problem; it's not the corporation going awry. In the second kind, the business aims for transparency. The CSO outlines risk and works with the business units to accept it. I belong to the latter camp.

When I started with my former employer several years ago, I was asked to build a program that put together all the security pieces, including business continuity, and to be transparent. As a security department, we'd say: Here's where we think we are; we've done vulnerability and risk assessments; here are our results. We strove to make security very much a part of the business process, to be businesspeople who understood how our business worked and built programs that benefited it.

Then the company got a new CEO, who brought in a lot of new executives. At first the organizational changes that followed were presented as cost-cutting measures.
But soon it became clear that the new regime thought that transparency wasn't a great thing, and that sometimes it was better to have a risk be the responsibility of a business unit. The new attitude was, "Why are we hearing about this security problem? Here's an issue that we have to deal with now that it's down on paper."

The moment I realized the extent of the change was when the new CFO was indicating to the chief risk officer that there would be changes in risk management. Once I heard that, I realized that the new leadership really didn't like the transparency we had. Culturally, my security program was the same as the CRO's risk management program. I thought the same way he did. If he was going down, and his program was structured the same as mine, that was bad news.

Sure enough, several changes were announced. An internal non-risk management person was taking over a smaller risk management organization, and I was told that the new leadership wanted to transfer me into the shared service organization. Those groups are usually ones that other business units opt into - like with IT projects, you could go outside into the market, or you could go to the CIO. From a security perspective, though, you can't opt in or out of security. It was pretty clear to me, uh oh, here it comes.

I was still the CSO, and I had my first meeting with the head of shared services. At the end of the conversation, that person basically said, your last day will be X days out.

The new CEO's view was that IT security is an IT issue, and physical security is a facilities activity. They said, Let's figure out a conversion plan to integrate those pieces back into the different parts of the organization. To deconverge. I had a director for physical security and a director for information security, and management wanted those people to take demotions. It was very difficult.

The security department had incredible executive support before the leadership transition.
There had been nothing but accolades. We had done lots of things that had cost savings. We had gone out and nationally competed our guard-force contract and saved more than $1 million a year. We were much leaner and more efficient than many of our peers. We had one training group and a common voice to the employees. We had caught incidents, returned property, recovered dollars and stopped internal fraud. We were out there solving problems, protecting value and getting rid of bad apples.

But under a regime where the leadership doesn't like the transparency of risk, those are all bad things. The CEO doesn't want to hear about a serious fraud, even if you brought the money back and caught everyone involved.

The Transparency Backlash

A lot of security guys get away with keeping very under-the-radar programs. They don't bring things up, and they resolve things at very low levels. Maybe it works for them. For me, I had a three-ring binder with 100 pages of all the incidents that occurred, all the regulatory issues that were affecting us, all the risk remediation activities that we had conducted. I always said, "Hey, I'm not hiding anything. My program is here to support the business. I want absolute transparency."

In the end, it worked against me. If anybody wanted to take a punch at me, they could. I provided all the information. I don't think I would have been able to stomach taking the program so far under the radar that it wasn't an issue with the new leadership. I always thought we could let our accomplishments speak for themselves. But in the end, the decision for the company to deconverge seemed like an emotional outcome of how the new leadership liked to think about the world.

Even with everything that happened, even after watching my unified security department be systematically taken apart, I still really believe in the convergence model.
I believe that today's security organizations need to be wholly unified and manage all security risk across the organization. Traditional walls between security disciplines have to come down, and new positions have to be created to consolidate functions such as reporting, incident response, blended risk assessments, security policy and standards development. This combined security framework, which is made up of many integrated processes, begins to create its own business function, and it moves toward a security governance model that is better suited to support and guide the organization.

The process of architecting this structure emphasizes the requirements and scope of the program, and it raises security awareness. It allows the security program to identify opportunities where security can produce business benefits, increase system and resource efficiency, and achieve enterprise compliance. A converged organization is positioned to make security a functional strategy and possibly a business opportunity.

Expanding the view and scope of security is a necessary part of integrating security risk management into an organization. The definition of security is broadened to include physical security, information security, risk management and business continuity. A CSO with this functional breadth provides more value to the organization and to the overall leadership team. The overall goal is to embed security into business processes and executive decision-making.

This is the convergence recipe. The only ingredients that the CSO can't provide are forward-thinking senior executives who are willing to do more than pay lip service to ensuring the company's sustained secure performance - even if this support stems only from the realization that security will protect their lucrative jobs and incentive plans.
In doing all this, though, the CSO is taking a personal risk - first, by getting that level of visibility, and second, by consolidating what in some people's minds are several cost centers into one bigger cost center. In a Fortune 500 company with many executives, the CSO, usually one of the junior executives, is opening himself up by getting that level of attention in the boardroom. You're going to get your advocates, and you're going to have the folks who traditionally will look at security as a cost center no matter what.

There were certain executives that appreciated our level of transparency and were strong advocates. There were others for whom it was too much. They didn't want to review and approve the policies we were writing. They saw security as cumbersome. Low-level grumbling about security ensued, growing louder, more insistent, its increasing volume usually inversely proportionate to its substance.

When this happens, it's only a matter of time before CEOs are making critical decisions on security initiatives - and even on the continued existence of the security program itself - that are based on 10 percent facts, 80 percent blind acceptance of unfounded opinion and 10 percent their own uninformed conclusions. The attitude becomes, Don't ask the security experts; they'll probably just muddy up the water.

Some of us will not survive the process, and organizational pressure will push the unified organizations back into a more traditional cost center model. Some will successfully make the transition, and slowly over time this new and valuable approach will become the norm.

Down the road, I hope to be CSO of an organization where convergence is not just the reality, but the norm. I'm optimistic that I will be. I even predict that in a few years, my former employer will go back to the converged model.

Everything worth achieving comes with risk. As CSOs, we do our best when facing and managing risk. We should continue to take the challenge and go into the breach.
Chasing after a unified program is worth it.

This column is written anonymously by a real CSO. Send your comments via e-mail to csoundercover at cxo.com.

From isn at c4i.org Wed Jan 4 06:07:23 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:07:23 -0600 (CST)
Subject: [ISN] Security Hole Claimed for BlackBerrys
Message-ID:

http://blogs.washingtonpost.com/securityfix/2006/01/security_hole_e.html

By Brian Krebs
January 3, 2006

Security Hole Claimed for BlackBerrys

New research released over the weekend indicated that BlackBerrys -- the ubiquitous handheld devices favored by on-the-go types -- are vulnerable to a security hole that could let attackers break in to the gadgets by convincing users to open a specially crafted image file attached to an e-mail.

The information was released at the 22nd Chaos Communication Congress hacker convention in Berlin by this guy -- "FX" of the security research group Phenoelit.

Research in Motion Ltd., the Canadian company that makes the devices, said it is a previously reported issue "that has been escalated internally to our development team. No resolution time frame is currently available."

RIM's advisory downplays the threat, saying that "a corrupt Tagged Image File Format (TIFF) file sent to a user may stop a user's ability to view attachments. There is no impact on any other services (for example, sending and receiving messages, making phone calls, browsing the Internet, and running handheld applications to access a corporate network)."

RIM didn't mention anything about the flaw allowing attackers to download and execute programs on the targeted device, but I'm left wondering whether they escalated this because of just such a threat. I obviously didn't hear FX's talk, but an alert released over the weekend by US-CERT says remote code execution is possible.
RIM doesn't say when it plans to have a fix available, but for now it is urging companies who use the service to reconfigure any machine serving as an internal BlackBerry Internet Server to filter TIFF images or disable the file-attachment capability altogether.

Update, 10:27 a.m. ET: Having just spoken with FX (a.k.a. Felix Lindner), I definitely feel like I understand the threat here a bit better, and it is a little more serious than I first thought.

Lindner said the real problem -- a vulnerability in the way Blackberry servers handle portable network graphics (PNG) images -- was not disclosed by either RIM or the US-CERT advisory. Lindner said he suspects that's because this PNG flaw is present not in the newest version of Blackberry server but in all versions from 4.0 to 4.0.1.9 (the latter was released roughly a month ago, and no doubt many companies still run that version).

Lindner said he started looking into Blackberry's proprietary communications protocols because the Blackberry server requires an unusual level of access inside of a corporate network: the server must be run inside a company's network firewall and on a Windows machine that is granted full and direct administrative access to the customer's internal e-mail server.

"We started looking at all of the privileges this server needs while sitting right in the middle of the network and realized we didn't know anything about it," Lindner said. "In a lot of companies, corporate managers want to install it because they want their Blackberrys, but we wanted to find out what risks are there connected to running this thing."

Lindner's slides from his presentation -- which he agreed not to release until RIM has fully fixed this problem -- show that the Blackberry server, which manages all of the encryption keys needed to unscramble e-mail traffic to and from all Blackberry devices registered on the network, stores them on a Microsoft SQL database server in plain, unencrypted text.
Lindner found that by convincing a Blackberry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the Blackberry server, which could then be taken over and used to intercept e-mails or as a staging point for other attacks within the network.

I put in a call to the RIM folks: Will update the post if I get a response from them directly.

From isn at c4i.org Wed Jan 4 06:07:59 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:07:59 -0600 (CST)
Subject: [ISN] Update: Microsoft says 'wait for us' as WMF threat climbs
Message-ID:

http://www.infoworld.com/article/06/01/03/HNmssayswait_1.html

By Peter Sayer
IDG News Service
January 03, 2006

Some security researchers are advising Windows users to rush to install an unofficial patch to fix a vulnerability in the way the OS renders graphics files, but Microsoft Corp. wants customers to wait another week for its official security update, it announced Tuesday.

The problem is in the way various versions of Windows handle graphics in the WMF (Windows Metafile) format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code.

Microsoft published a first security advisory on Dec. 28, saying it had received notification of the problem on Dec. 27 and was investigating whether a patch was necessary. On Tuesday, Microsoft updated the advisory to say it has completed development of its own patch, and is now testing it for release next week.

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on Jan. 10, 2006," said the advisory, the full text of which can be found here [1].

The company said it carefully reviews and tests its security updates, and offers them in 23 languages for all affected versions of its software simultaneously.
It "cannot provide similar assurance for independent third-party security updates," it said.

The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability, but the number actually affected so far is relatively low, researchers say. Staff at McAfee Inc.'s Avert security research lab report that 7.45 percent of users of the company's retail security products were found to have computers infected with malicious programs through the WMF exploit as of Tuesday. That's up from 6 percent of users on Saturday.

However, the chance of running into a malicious WMF file is climbing, and with it the danger of running an unpatched system. Already, one security Web site has had to warn its readers to stay away: the owners of the knoppix-std.org site warned in a forum posting that hackers had modified the site so as to attempt to exploit the vulnerability on site visitors' machines.

There is "a lot of potential risk" associated with the vulnerability, according to Jay Heiser, a research vice president with Gartner Inc. and the company's lead analyst on information security issues. "If it can be exploited in any significant way, it would be an extremely big risk."

"It's a race between Microsoft and the exploit community," he said.

The bad guys had a head start in that race. Security researchers at Websense Inc. first spotted malicious Web sites using the exploit on Dec. 27, but those sites may have been doing so as early as Dec. 14, the company said.

On Dec. 28, Microsoft ambled out of the starting blocks with its first security advisory acknowledging a potential problem. Over the weekend, it updated this to suggest a way in which users could reduce the risk by disabling an affected part of the OS, called shimgvw.dll. Microsoft warned that the fix has the side effect of stopping the Windows Picture and Fax Viewer from functioning normally. Others report that it also stops Windows Explorer from showing thumbnails for digital photos.
Security researchers outside Microsoft had other ideas: rather than disable shimgvw.dll, they would modify it so that only the functionality considered dangerous was blocked. By Dec. 31, programmer Ilfak Guilfanov had developed an unofficial patch to reduce the danger of attack, without impairing Windows' graphics functions. His patch quickly won the support of security researchers including The SANS Institute's Internet Storm Center (ISC) and F-Secure Corp.

Mikko Hypponen, chief research officer at F-Secure, feels safe recommending the Guilfanov patch for several reasons. "We know this guy. We have checked the code. It does exactly what he says it does, and nothing else. We've checked the binary, and we've checked that the fix works," he said. He had one final vote of confidence: "We've installed it on all our own computers."

Sophos PLC's Senior Security Consultant Carole Theriault advised businesses not to install the unofficial patch. "We wouldn't recommend it, for testing reasons," she said.

One of the hidden dangers of the WMF vulnerability is that things are not always what they appear. Usually, WMF files can be identified by their .WMF file extension, and blocked as a precaution, but attackers may choose to disguise malicious files simply by giving them another image file suffix, such as .JPG, because the Windows graphics rendering engine attempts to identify graphics files by their content, not their name.

That was the case with a file with the title "happynewyear.jpg" that began circulating in e-mail messages on Dec. 31: If opened on a Windows machine, the file attempts to download and install a backdoor called Bifrose.

As a consequence, said Theriault, businesses should keep existing antivirus protection up to date and concentrate on blocking unsolicited mail while waiting for the Microsoft patch, as this may help to screen out attacks.
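The point above about extensions is the one a mail gateway or attachment scanner has to act on: since the renderer decides what a file is from its bytes, a filter that trusts the ".jpg" suffix is blind to exactly the disguise described. The following is an added example, not code from the article, from Microsoft, or from any of the vendors quoted. It identifies a WMF file from its header (the 22-byte Aldus placeable header or the 18-byte META_HEADER), walks the record stream so that escape records, which hand data to the GDI escape path that a plain picture has no reason to use, can be counted for review, and flags a file whose extension claims another format. The sample file it builds is constructed for the demonstration and is not the "happynewyear.jpg" sample the article mentions; the function names `identify_wmf`, `wmf_records`, `triage` and `build_sample` are the example's own.

```python
"""Content-based WMF identification and record triage (added example).

A WMF file is recognised from its bytes, never from its extension, and its
record stream is walked so that escape records can be counted for review.
The sample data built at the bottom is constructed for this demonstration.
"""
import os
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header key; on disk as D7 CD C6 9A
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_HEADER_LEN = 18         # Type, HeaderSize, Version, Size (2 words), Objects, MaxRecord, Members
PLACEABLE_LEN = 22


def identify_wmf(data: bytes):
    """Return "placeable", "standard" or None, looking only at the header bytes."""
    if len(data) >= PLACEABLE_LEN and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "placeable"
    if len(data) >= META_HEADER_LEN:
        mtype, header_words, version = struct.unpack_from("<HHH", data, 0)
        # META_HEADER: Type 1 (memory) or 2 (disk), HeaderSize always 9 words,
        # Version 0x0100 or 0x0300.
        if mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
            return "standard"
    return None


def wmf_records(data: bytes):
    """Yield (function, params) for each record; raise ValueError on bad sizes."""
    kind = identify_wmf(data)
    if kind is None:
        raise ValueError("not a WMF file")
    off = (PLACEABLE_LEN if kind == "placeable" else 0) + META_HEADER_LEN
    while off + 6 <= len(data):
        # Each record: Size (DWORD, in 16-bit words, counting these two fields),
        # then Function (WORD), then the parameters.
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"record at {off} has impossible size {size_words}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at {off} runs past end of data")
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record; data is truncated")


def triage(filename: str, data: bytes) -> dict:
    """Report whether the bytes are WMF, whether the extension agrees,
    and how many escape records the file carries."""
    result = {"name": filename, "wmf": identify_wmf(data),
              "ext_mismatch": False, "escapes": 0, "error": None}
    if result["wmf"] is None:
        return result
    result["ext_mismatch"] = os.path.splitext(filename)[1].lower() != ".wmf"
    try:
        for func, _params in wmf_records(data):
            if func == META_ESCAPE:
                result["escapes"] += 1
    except ValueError as exc:
        result["error"] = str(exc)
    return result


def build_sample() -> bytes:
    """Constructed disk-format WMF with one escape record and META_EOF."""
    payload = b"\x00" * 4
    # META_ESCAPE parameters: EscapeFunction (WORD), ByteCount (WORD), data.
    # The escape function number 1 here is arbitrary for the sample.
    escape = struct.pack("<IHHH", 3 + 2 + len(payload) // 2, META_ESCAPE, 1,
                         len(payload)) + payload
    eof = struct.pack("<IH", 3, META_EOF)
    body = escape + eof
    total_words = (META_HEADER_LEN + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, len(escape) // 2, 0)
    return header + body


if __name__ == "__main__":
    wmf_bytes = build_sample()
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 40   # constructed JPEG-like start
    for name, blob in (("holiday_card.jpg", wmf_bytes), ("photo.jpg", jpeg_bytes),
                       ("cut.wmf", wmf_bytes[:30])):
        print(triage(name, blob))
```

Point it at a directory of attachments by reading each file and calling triage(name, data); a result with wmf set and ext_mismatch true is the disguise the article describes. The record walk also refuses size fields that run past the end of the buffer, which a renderer that trusts them would not, so a truncated or malformed file is reported rather than parsed blindly.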
They should encourage users to practice safe computing by only visiting reputable Web sites and taking care with what they download, she said.

(Jeremy Kirk in London contributed to this report.)

[1] http://www.microsoft.com/technet/security/advisory/912840.mspx

From isn at c4i.org Wed Jan 4 06:08:33 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:08:33 -0600 (CST)
Subject: [ISN] H&R Block Mailing Reveals Customers' SSNs
Message-ID:

http://www.eweek.com/article2/0,1895,1907596,00.asp

By Paul F. Roberts
January 3, 2006

Some H&R Block customers who received free copies of the company's TaxCut software also had their Social Security numbers exposed, according to a company spokesperson.

H&R Block sent a letter to customers in late December saying that a tracking number used on packages containing TaxCut contained the customer's Social Security number as part of a unique, 47-digit tracking number.

H&R Block blamed user error for the slip and said the number would be impossible to spot, and that no customer data has been lost or stolen as a result of the mistake, according to Denise Sposato, a spokesperson for H&R Block.

H&R Block learned of the slip-up in late December, after a customer informed the company that a unique ID that appeared on the package, above the mailing label, contained his or her Social Security number. The number is used by H&R Block's marketing department, Sposato said.

After learning of the mishap, H&R Block moved quickly to identify the source of the error and customers who were affected by it, Sposato said. The Kansas City, Mo., company said it believes that less than 3 percent of those who were mailed a copy of TaxCut had their Social Security numbers used. Sposato declined to say how big the mailing was or to provide an estimate of how many of the company's current and former customers were affected.
Sposato said the incident was an accident and "completely contrary to established procedure" at the company, which makes its money helping individuals prepare and file tax returns. Social Security numbers are not used to track other mailings, nor are they used to derive the unique tracking numbers used on mailings, she said.

H&R Block informed customers of the mistake in a letter, and set up a Web page on the company's site with information for those whose Social Security numbers were disclosed. H&R Block feels the risk of identity theft is minimal, Sposato said.

This is the first year that H&R Block mailed the TaxCut software to current and former customers. Some of those receiving the tax preparation software have not used H&R Block for a year or more, Sposato said.

H&R Block has notified its compliance officer about the problem, but declined to say whether authorities or federal regulators were informed of the information leak.

The news from H&R Block is just the latest in a long string of disclosures of corporate data leaks. Just last week, Marriott Vacation Club International, a division of Marriott International Inc., said computer backup tapes with information on more than 200,000 customers disappeared from the company's Orlando, Fla., offices. The tapes may contain credit card numbers, Social Security numbers and addresses of customers of the timeshare property business.

Data privacy will be a top issue for federal lawmakers in 2006. The U.S. Congress will consider a federal data breach notification law next year, in addition to new regulations aimed at spyware programs.
From isn at c4i.org Wed Jan 4 06:09:07 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:09:07 -0600 (CST)
Subject: [ISN] Report: School technology should cough up hackers
Message-ID:

http://www.insidebayarea.com/dailyreview/localnews/ci_3367058

By Grace Rauh
STAFF WRITER
01/03/2006

UNION CITY - A team of experts from outside the New Haven school district is recommending that the district take new steps to better safeguard student information and improve its technology. The recommendations were compiled in a report that will be shared with school board members at their meeting tonight.

The board hired the Fiscal Crisis and Management Assistance Team for about $7,500 in October to study the district's technology system to try to keep hackers at bay. The decision was made on the heels of a security scare last spring, when it was mistakenly believed that an unauthorized user broke into the student information system. Superintendent Pat Jaurequi said at the time she wanted the district to conduct this study to prevent security breaches in the future.

Team members visited the school district Oct. 10-11 and interviewed employees, collected data and reviewed information about technology in New Haven. They found the school district's technology department has motivated employees who are willing to improve the system, but lacks leadership.

Some obvious security risks the team discovered during its two-day visit included teachers who let students work on their classroom computers and shared passwords with them, giving them access to confidential information.

Team members found the door to New Haven's main data center unlocked and discovered there is no system in place to end an employee's access to confidential information before he or she is fired, leaving the district open to a security breach by a former employee.

The meeting begins at 7:30 at the Educational Services Center board room, 34200 Alvarado-Niles Road.
From isn at c4i.org Wed Jan 4 06:04:33 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:04:33 -0600 (CST)
Subject: [ISN] Linux Security Week - January 2nd 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  January 2nd, 2006                         Volume 7, Number 1n      |
|                                                                     |
|  Editorial Team:  Dave Wreski            dave at linuxsecurity.com  |
|                   Benjamin D. Thomas     ben at linuxsecurity.com   |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Adaptive Firewalls with iptables," "Bandwidth monitoring with iptables," "Four Security Resolutions For The New Year," and "DNS Name Prediction With Google."

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

---

LINUX ADVISORY WATCH

This week, advisories were released for phpbb2, ketm, tkdiff, dhis-tools-dns, Mantis, NDB, rssh, OpenMotif, scponly, msec, fetchmail, cpio, php-mbstring, and libgphoto. The distributors include Debian, Gentoo, and Mandriva.

http://www.linuxsecurity.com/content/view/121125/150/

---

* EnGarde Secure Community 3.0.2 Released
6th, December, 2005

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.2 (Version 3.0, Release 2). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.
http://www.linuxsecurity.com/content/view/120951

---

Hacks From Pax: SELinux Administration

This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

http://www.linuxsecurity.com/content/view/120700/49/

---

Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to my second of a series of articles on Security Enhanced Linux. My previous article detailed the background of SELinux and explained what makes SELinux such a revolutionary advance in systems security. This week, we'll be discussing how SELinux security contexts work and how policy decisions are made by SELinux. SELinux systems can differ based on their security policy, so for the purposes of this article's examples I'll be using an EnGarde Secure Linux 3.0 system, which by default uses a tightly configured policy that confines every included application.

http://www.linuxsecurity.com/content/view/120622/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Ethereal 0.10.14 Release Notes
30th, December, 2005

Ethereal 0.10.14 has been released. Several security-related vulnerabilities have been fixed. Everyone is encouraged to upgrade. The following features are new (or have been significantly updated) since the last release.

http://www.linuxsecurity.com/content/view/121127

* Adaptive Firewalls with iptables
26th, December, 2005

Up until now, we've looked at stateless and stateful firewalls. Remember, stateless firewalls only have the features of a given packet to use as criteria for whether that packet should be passed, blocked, or logged.
With a stateful firewall, in addition to the fields in that packet, we also have access to the kernel's table of open connections to use in deciding the fate of this packet.

http://www.linuxsecurity.com/content/view/121099

* Bandwidth monitoring with iptables
27th, December, 2005

Linux has a number of useful bandwidth monitoring and management programs. A quick search on Freshmeat.net for bandwidth returns a number of applications. However, if all you need is a basic overview of your total bandwidth usage, iptables is all you really need -- and it's already installed if you're using a Linux distribution based on the 2.4.x or 2.6.x kernels. Most of the time we use iptables to set up a firewall on a machine, but iptables also provides packet and byte counters. Every time an iptables rule is matched by incoming or outgoing data streams, the software tracks the number of packets and the amount of data that passes through the rules.

http://www.linuxsecurity.com/content/view/121106

* Cisco vulnerability posted to Internet
29th, December, 2005

One day after a security researcher and organizers of the Black Hat USA conference agreed not to post details of vulnerabilities in Cisco's router software, the information has been published on the Internet. On Friday, the Web site Cryptome.org posted what appear to be slides written to accompany a presentation given by former Internet Security Systems Inc. (ISS) researcher Michael Lynn, at the Black Hat conference in Las Vegas.

http://www.linuxsecurity.com/content/view/121119

* An Inexpensive and Versatile IDS
27th, December, 2005

An intrusion detection system can be an effective technical control in the modern world of information and network security. One option that provides for low cost NIDS sensor deployment is the use of the open source IDS software Snort in combination with a consumer grade LinkSys cable/DSL router and the open source firmware distribution OpenWrt.
These three items together form a powerful yet inexpensive unit that delivers IDS, routing, firewall, wireless, and NAT functionality for use in a light-weight environment, i.e. consumer or small business deployments.

http://www.linuxsecurity.com/content/view/121104

* D@TA Protection and the Linux Environment
28th, December, 2005

This is an exciting time for people involved in data protection, and not in the bad way that things can be exciting. Many more options, techniques, and practices have become available to IT professionals. The new technology solves a great many problems.

http://www.linuxsecurity.com/content/view/121113

* Researchers pore over biometrics spoofing data
29th, December, 2005

Sweaty hands might make you unpopular as a dance partner but they could someday prevent hackers from getting into your bank account. Researchers at Clarkson University have found that fingerprint readers can be spoofed by fingerprint images lifted with Play-Doh or gelatine or a model of a finger moulded out of dental plaster. The group even assembled a collection of fingers cut from the hands of cadavers.

http://www.linuxsecurity.com/content/view/121120

* Linux in a Business - Got Root?
30th, December, 2005

I work for a government contractor, and have recently convinced them to purchase a Beowulf cluster, and start moving their numeric modelers from Sun to Linux. Like most historically UNIX shops, they don't allow users even low-level SUDO access, to do silly things like change file permissions or ownerships, in a tracked environment. I am an ex-*NIX admin myself, so I understand their perspective and wish to keep control over the environment, but as a user, I'm frustrated by having to frequently call the help-desk just to get a file ownership changed or a specific package installed.
http://www.linuxsecurity.com/content/view/121126

* Financial institutions lead march to Linux in Korea
29th, December, 2005

In the latest in a series of moves aimed at getting Korean government institutions to move away from their reliance on Windows and Unix and adopt open source software, two state-owned financial institutions planned to launch the country's first Linux-based Internet banking services in December. The state-owned Korea Post and the National Agricultural Cooperative Federation (NACF) have both said their systems will be up and running for Linux users before the end of December as a part of the open source software fostering projects of the Ministry of Information and Communication.

http://www.linuxsecurity.com/content/view/121121

* Four Security Resolutions For The New Year
26th, December, 2005

I always know what my first New Year's resolution is going to be, because it's the same every year: lose weight. Chances are, you have the same one. But by the time the Super Bowl happens, and you eat seven thousand calories on that one day, you'll already have given up on that resolution.

http://www.linuxsecurity.com/content/view/121098

* IT security professionals moving up the corporate pecking order
26th, December, 2005

Ultimate responsibility for information security is moving up corporate management hierarchies, as board-level directors and CEOs or CISO/CSOs are increasingly held accountable for safeguarding IT infrastructures, new research has revealed. The second annual Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by not-for-profit IT security educational organisation, the International Information Systems Security Certification Consortium (ISC)2, expects this accountability shift to continue as information security becomes more relevant in risk management and IT governance strategies.
http://www.linuxsecurity.com/content/view/121100

* Browser developers meet, see eye to eye on security
27th, December, 2005

Developers of four major Web browsers -- Konqueror, Mozilla Firefox, Opera, and Internet Explorer (IE) -- gathered at an informal meeting in Toronto on November 17 to review plans and share progress on security improvements and standards. The intent was to make security information more meaningful to users, and to balance security for high-traffic sites (such as banks) against the needs of smaller organizations and businesses.

http://www.linuxsecurity.com/content/view/121105

* Security Is Not Insurance
27th, December, 2005

What's the hardest part of a chief security officer's job? Evaluating new technologies? Establishing policies for users to follow? Actually, it's more political than that, Jim Routh, chief security officer of Depository Trust & Clearing Corp., said during an Interop presentation Tuesday. "The hardest part of a CSO's job is influencing information security and practices that will be implemented throughout an organization," he said. "It's a delicate process, particularly when you're asking an IT or business manager to rethink how they operate. Education is probably the most important strategic tool for a CSO, without a doubt." And you thought wayward data tapes throwing themselves off of the back of delivery trucks were going to be your biggest challenge.

http://www.linuxsecurity.com/content/view/121108

* Rootkits, cybercrime and OneCare
28th, December, 2005

The year 2005 in net security will likely be remembered as the year of the Sony rootkit DRM controversy. In other ways the last 12 months continued the trend of profit becoming a primary driver for the creation of computer viruses. The last 12 months also witnessed a number of high-profile cybercrime prosecutions, including the sentencing of NetSky author Sven Jaschan.
http://www.linuxsecurity.com/content/view/121111

* The Linux Year: A Look Back at 2005
29th, December, 2005

With the birth of each new year, the accolade of 'year of the penguin' has been dusted off and pre-emptively awarded time after time. 2005 was no different, and there's little reason to suppose that 2006 will underwhelm either.

http://www.linuxsecurity.com/content/view/121122

* What Tech Skills Are Hot For 2006?
29th, December, 2005

There's continued demand for people with information security skills, say Symons and others. And even though long-term demand is expected to remain strong, the growing ranks of people who have obtained IT security certifications has had a short-term dampening effect on compensation.

http://www.linuxsecurity.com/content/view/121123

* Record bad year for tech security
30th, December, 2005

2005 saw the most computer security breaches ever, subjecting millions of Americans to potential identity fraud, according to a report published Thursday. Over 130 major intrusions exposed more than 55 million Americans to the growing variety of fraud as personal data like Social Security and credit card numbers were left unprotected, according to USA Today.

http://www.linuxsecurity.com/content/view/121129

* All the Rage: It's 2006: Do You Know Where Your Security Policies Are?
2nd, January, 2006

It's the beginning of a new year--time to review your approach to security policy. If you think implementing firewalls, IDSs and antivirus/antispam products is enough, you're sorely mistaken. No matter the size of your enterprise, you must define a framework of security policies, standards and procedures for securing valuable corporate assets. If you don't, you may be leaving your company open to a variety of vulnerabilities.
http://www.linuxsecurity.com/content/view/121132

* Marriott customer data missing
29th, December, 2005

A division of the Marriott International hotel empire has notified more than 200,000 clients of back-up security tapes missing from the company's Orlando corporate offices. The breached records contained personal information of about 206,000 associates, timeshare owners and timeshare customers, the company said this week in a statement.

http://www.linuxsecurity.com/content/view/121118

* Data Security Movement Back-Burnered By Lawmakers
28th, December, 2005

Despite a year's worth of highly publicized security breaches and a lot of talk in Congress this summer on ways to protect consumers, there's been too little done to protect U.S. consumers' data, Gartner research director Avivah Litan says.

http://www.linuxsecurity.com/content/view/121112

* DNS Name Prediction With Google
2nd, January, 2006

As discussed in Google Hacking for Penetration Testers from Syngress publishing[1], there are many different ways to perform network reconnaissance using Google. Since the publication of that text, many different ideas and techniques have come to light. This document addresses one interesting technique, which we'll call DNS name[2] prediction. This document assumes you have some knowledge of basic network recon, and is not intended as a hand-holding approach to hacking. If you're evil, stop reading this and go work out some aggression on a sack-o-potatoes or something.

http://www.linuxsecurity.com/content/view/121131

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jan 9 04:35:56 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:35:56 -0600 (CST)
Subject: [ISN] U.S. gov't department details IT audit plans for 2006
Message-ID:

http://www.networkworld.com/news/2006/010406-government-it-audit.html

By Linda Rosencrance
Computerworld
01/04/06

Richard Skinner, the inspector general of the U.S. Department of Homeland Security, plans to conduct more than 12 audits of IT programs and operations in 2006, according to a recently released performance plan.

As part of that plan, the DHS's Office of Information Technology will conduct audits and evaluations of the department's information management, cyber infrastructure and systems integration activities.

For example, the Office of Information Technology (OIT) plans to look at whether security controls are effective in protecting personal information for the systems supporting the Transportation Worker Identification Credentialing (TWIC) program. Under that program, which was established in December 2001, some transportation workers are issued a standardized, secure identification card that allows them unescorted access to secure areas of the nation's transportation system -- as well as access to computer-based information systems involved in the security of the transportation system.

The OIT also wants to determine whether the DHS has adequate security controls in place over the Automated Commercial Environment (ACE), which collects, processes and analyzes commercial import and export data. ACE simplifies dealings between U.S. Customs and Border Patrol and the trade community by automating time-consuming and labor-intensive transactions to move goods through ports faster and cheaper.

In the Science and Technology area, Skinner's office will evaluate whether that DHS agency has established security controls for the sensitive information systems and data housed at the Plum Island Animal Disease Center on New York's Long Island.
The OIT also hopes to determine the status of the DHS's initiatives, applications and progress in integrating automated surveillance system technologies to respond to modern-day threats; the department's progress in research and project application related to its goals and performance measures; the issues and challenges that exist for DHS deployment of this functionality; and whether there are sufficient management controls in place or planned to ensure compliance with security, privacy laws and policies and biometric standards.

The inspector general is also planning to audit DHS operations for information sharing related to critical infrastructure protection. Skinner's office hopes to determine whether DHS strategies and tools for working with private industry would be effective in the event of a failure of, or attack on, critical sector operations. In addition, the OIG is set to review just how effectively the DHS shares disaster response and counter-terrorist information with state and local governments.

The OIT will also review the DHS's Infrastructure Transformation Project Strategy and Implementation, which spells out how DHS's IT infrastructure will move from a decentralized delivery model to a centralized and shared IT infrastructure services model for all of its agencies.

Skinner also wants to determine whether DHS has established adequate security policies and procedures to safeguard laptop computers -- as well as the data stored in those computers.

Skinner's office also plans to determine whether the DHS has effectively managed the use of RFID technology to protect mission-critical data and information systems from unauthorized data. The DHS is using RFID technology to track and identify assets, weapons and baggage on flights.
In the wake of problems sharing information between various government entities after Hurricane Katrina hit the Gulf coast last year, the OIG also plans to determine how effective DHS has been at ensuring effective communications to support future disaster response and recovery.

Story copyright © 2003 Computerworld, Inc.

From isn at c4i.org Mon Jan 9 04:34:48 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:34:48 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-1
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary

2005-12-29 - 2006-01-05

This week : 36 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Due to the seriousness of the latest vulnerability in Microsoft Windows and the lack of an available patch, Secunia have chosen to include last week's warning again in today's issue.

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

NOTE: This vulnerability can be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer. Additionally, exploit code is publicly available. This is being exploited in the wild.

The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif", ".tif", and ".png" etc.

Please refer to the referenced Secunia advisory for additional details and information about a temporary workaround.

Reference:
http://secunia.com/SA18255

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Weeks Top Ten Most Read Advisories:

1.  [SA18255] Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution
2.  [SA18131] Symantec AntiVirus RAR Archive Decompression Buffer Overflow
3.  [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
4.  [SA18277] BlackBerry Enterprise Server Denial of Service Vulnerabilities
5.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
6.  [SA17498] Microsoft Windows WMF/EMF File Rendering Arbitrary Code Execution
7.  [SA18250] VMware ESX Server Management Interface Unspecified Vulnerability
8.  [SA17934] Mozilla Firefox History Information Denial of Service Weakness
9.  [SA18162] VMware NAT Networking Buffer Overflow Vulnerability
10. [SA18261] ImageMagick Utilities Image Filename Handling Two Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA18279] eFileGo Multiple Vulnerabilities
[SA18294] ArcPad ".apm" Map File Handling Buffer Overflow
[SA18263] Web Wiz Products "txtUserName" SQL Injection Vulnerability
[SA18286] Intel "ialmrnt5" Graphics Accelerator Driver Denial of Service Vulnerability

UNIX/Linux:
[SA18291] SCO OpenServer update for BIND
[SA18289] SCO OpenServer update for libtiff
[SA18285] Open-Xchange Webmail HTML Attachment Script Insertion Vulnerability
[SA18261] ImageMagick Utilities Image Filename Handling Two Vulnerabilities
[SA18290] SCO OpenServer update for cpio
[SA18283] Discus Error Message Cross-Site Scripting Vulnerability
[SA18287] Mandriva update for printer-filters-utils
[SA18284] Gentoo pinentry Insecure Permissions setgid Binaries Security Issue
[SA18266] Ubuntu update for fetchmail
[SA18280] Ubuntu update for cpio
[SA18278] Fedora update for cpio

Other:

Cross Platform:
[SA18302] NKads Login SQL Injection Vulnerability
[SA18268] phpBook "email" PHP Code Injection Vulnerability
[SA18305] SiteSuite CMS "page" SQL Injection Vulnerability
[SA18299] vBulletin "Add Reminder" Script Insertion Vulnerability
[SA18297] Lizard Cart CMS "id" SQL Injection Vulnerability
[SA18292] raSMP User-Agent Script Insertion Vulnerability
[SA18281] MyBB Multiple Vulnerabilities
[SA18277] BlackBerry Enterprise Server Denial of Service Vulnerabilities
[SA18273] VEGO Web Forum "theme_id" SQL Injection Vulnerability
[SA18272] VEGO Links Builder "username" SQL Injection Vulnerability
[SA18271] B-net Software Script Insertion Vulnerabilities
[SA18270] Chipmunk GuestBook Script Insertion Vulnerability
[SA18269] PHPenpals "personalID" SQL Injection Vulnerability
[SA18265] PHPjournaler "readold" SQL Injection Vulnerability
[SA18264] Primo Cart SQL Injection Vulnerabilities
[SA18262] TinyMCE compressor Cross-Site Scripting and File Disclosure
[SA18310] Enhanced Simple PHP Gallery "dir" Cross-Site Scripting Vulnerability
[SA18309] Next Generation Image Gallery "page" Cross-Site Scripting Vulnerability
[SA18306] @Card ME PHP "cat" Cross-Site Scripting Vulnerability
[SA18298] IDV Directory Viewer Directory Listing Disclosure Vulnerability
[SA18282] BugPort Cross-Site Scripting and SQL Injection Vulnerabilities

========================================================================

5) Vulnerabilities Content Listing

Windows:--

[SA18279] eFileGo Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2006-01-02

dr_insane has reported some vulnerabilities in eFileGo, which can be exploited by malicious people to cause a DoS (Denial of Service), disclose sensitive information, and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18279/

--

[SA18294] ArcPad ".apm" Map File Handling Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-04

bratax has discovered a vulnerability in ArcPad, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18294/

--

[SA18263] Web Wiz Products "txtUserName" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-01-02

DevilBox has reported a vulnerability in various Web Wiz Products, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/18263/

--

[SA18286] Intel "ialmrnt5" Graphics Accelerator Driver Denial of Service Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-01-03

$um$id has discovered a vulnerability in Intel Graphics Accelerator Driver, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18286/

UNIX/Linux:--

[SA18291] SCO OpenServer update for BIND

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-04

SCO has issued an update for BIND. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18291/

--

[SA18289] SCO OpenServer update for libtiff

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-04

SCO has issued an update for libtiff. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18289/

--

[SA18285] Open-Xchange Webmail HTML Attachment Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-04

Thomas Pollet has reported a vulnerability in Open-Xchange, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18285/

--

[SA18261] ImageMagick Utilities Image Filename Handling Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2005-12-30

Two vulnerabilities have been discovered in ImageMagick, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/18261/ -- [SA18290] SCO OpenServer update for cpio Critical: Less critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2006-01-04 SCO has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious people to cause files to be unpacked to arbitrary locations on a user's system. Full Advisory: http://secunia.com/advisories/18290/ -- [SA18283] Discus Error Message Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-02 $um$id has discovered a vulnerability in Discus, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18283/ -- [SA18287] Mandriva update for printer-filters-utils Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-01-02 Mandriva has issued an update for printer-filters-utils. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/18287/ -- [SA18284] Gentoo pinentry Insecure Permissions setgid Binaries Security Issue Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-01-04 Tavis Ormandy has reported a security issue in pinentry, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/18284/ -- [SA18266] Ubuntu update for fetchmail Critical: Not critical Where: From remote Impact: DoS Released: 2006-01-03 Ubuntu has issued an update for fetchmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/18266/ -- [SA18280] Ubuntu update for cpio Critical: Not critical Where: Local system Impact: DoS Released: 2006-01-03 Ubuntu has issued an update for cpio. This fixes a vulnerability, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18280/ -- [SA18278] Fedora update for cpio Critical: Not critical Where: Local system Impact: DoS Released: 2006-01-03 Fedora has issued an update for cpio. This fixes a vulnerability, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/18278/ Other: Cross Platform:-- [SA18302] NKads Login SQL Injection Vulnerability Critical: Highly critical Where: From remote Impact: Security Bypass, Manipulation of data, System access Released: 2006-01-04 SoulBlack Security Research has discovered a vulnerability in NKads, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18302/ -- [SA18268] phpBook "email" PHP Code Injection Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-01-02 Aliaksandr Hartsuyeu has discovered a vulnerability in phpBook, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/18268/ -- [SA18305] SiteSuite CMS "page" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-01-04 Preddy has reported a vulnerability in SiteSuite CMS, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/18305/ -- [SA18299] vBulletin "Add Reminder" Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-04 trueend5 has reported a vulnerability in vBulletin, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/18299/ -- [SA18297] Lizard Cart CMS "id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-01-04 Aliaksandr Hartsuyeu has discovered a vulnerability in Lizard Cart CMS, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18297/ -- [SA18292] raSMP User-Agent Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-04 Aliaksandr Hartsuyeu has discovered a vulnerability in raSMP, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/18292/ -- [SA18281] MyBB Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Unknown, Cross Site Scripting, Manipulation of data Released: 2006-01-02 Some vulnerabilities have been reported in MyBB, where some have unknown impacts and others can be exploited by malicious people to conduct script insertion and SQL injection attacks. Full Advisory: http://secunia.com/advisories/18281/ -- [SA18277] BlackBerry Enterprise Server Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-01-02 FX has reported some vulnerabilities in BlackBerry Enterprise Server, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/18277/ -- [SA18273] VEGO Web Forum "theme_id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-01-02 Aliaksandr Hartsuyeu has discovered a vulnerability in VEGO Web Forum, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18273/ -- [SA18272] VEGO Links Builder "username" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2006-01-02 Aliaksandr Hartsuyeu has discovered a vulnerability in VEGO Links Builder, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18272/ -- [SA18271] B-net Software Script Insertion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-03 Aliaksandr Hartsuyeu has discovered some vulnerabilities in B-net Software, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/18271/ -- [SA18270] Chipmunk GuestBook Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-02 Aliaksandr Hartsuyeu has discovered a vulnerability in Chipmunk GuestBook, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/18270/ -- [SA18269] PHPenpals "personalID" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-01-02 Aliaksandr Hartsuyeu has discovered a vulnerability in PHPenpals, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/18269/ -- [SA18265] PHPjournaler "readold" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-01-02 Aliaksandr Hartsuyeu has discovered a vulnerability in PHPjournaler, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18265/ -- [SA18264] Primo Cart SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-01-02 r0t has reported two vulnerabilities in Primo Cart, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18264/ -- [SA18262] TinyMCE compressor Cross-Site Scripting and File Disclosure Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2005-12-30 Stefan Esser has reported some vulnerabilities in TinyMCE compressor, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information. Full Advisory: http://secunia.com/advisories/18262/ -- [SA18310] Enhanced Simple PHP Gallery "dir" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-04 preddy has discovered a vulnerability in Enhanced Simple PHP Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18310/ -- [SA18309] Next Generation Image Gallery "page" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-04 Preddy has reported a vulnerability in Next Generation Image Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/18309/ -- [SA18306] @Card ME PHP "cat" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-04 Preddy has reported a vulnerability in @Card ME PHP, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18306/ -- [SA18298] IDV Directory Viewer Directory Listing Disclosure Vulnerability Critical: Less critical Where: From remote Impact: Exposure of system information Released: 2006-01-04 A vulnerability has been reported in IDV Directory Viewer, which can be exploited by malicious people to disclose system information. Full Advisory: http://secunia.com/advisories/18298/ -- [SA18282] BugPort Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-01-02 r0t has reported some vulnerabilities in BugPort, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18282/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Mon Jan 9 04:35:16 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:35:16 -0600 (CST)
Subject: [ISN] Open Letter on the Interpretation of "Vulnerability Statistics"
Message-ID:

Forwarded from: full-disclosure at lists.grok.org.uk
From: Steven M. Christey
To: dailydave at lists.immunitysec.com, bugtraq at securityfocus.com, full-disclosure at lists.grok.org.uk
Date: Thu, 5 Jan 2006 02:12:32 -0500 (EST)
Subject: Open Letter on the Interpretation of "Vulnerability Statistics"

Open Letter on the Interpretation of "Vulnerability Statistics"
---------------------------------------------------------------

Author: Steve Christey, CVE Editor
Date: January 4, 2006

All,

As the new year begins, there will be many temptations to generate, comment, or report on vulnerability statistics based on totals from 2005. The original reports will likely come from publicly available Refined Vulnerability Information (RVI) sources - that is, vulnerability databases (including CVE/NVD), notification services, and periodic summary producers.

RVI sources collect unstructured vulnerability information from Raw Sources. Then, they refine, correlate, and redistribute the information to others. Raw sources include mailing lists like Bugtraq, Vulnwatch, and Full-Disclosure, web sites like PacketStorm and Securiteam, blogs, conferences, newsgroups, direct emails, etc.

In my opinion, RVI sources are still a year or two away from being able to produce reliable, repeatable, and COMPARABLE statistics. In general, consumers should treat current statistics as suggestive, not conclusive.

Vulnerability statistics are difficult to interpret due to several factors:

- VARIATIONS IN EDITORIAL POLICY.
An RVI source's editorial policy dictates HOW MANY vulnerabilities are reported, and WHICH vulnerabilities are reported. RVIs have widely varying policies. You can't even compare an RVI against itself, unless you can be sure that its editorial policy has not changed within the relevant data set. The editorial policies of RVIs seem to take a few years before they stabilize, and there is evidence that they can change periodically.

- FRACTURED VULNERABILITY INFORMATION.

Each RVI source collects its information from its own list of raw sources - web sites, mailing lists, blogs, etc. RVIs can also use other RVIs as sources. Apparently for competitive reasons, some RVIs might not identify the raw source that was used for a vulnerability item, which is one aspect of what I refer to as the provenance problem. Long gone are the days when a couple of mailing lists or newsgroups were the raw source for 90% of widely available vulnerability information. Based on what I have seen, the provenance problem is only going to get worse.

- LACK OF COMPLETE CROSS-REFERENCING BETWEEN RVI SOURCES.

No RVI has an exhaustive set of cross-references, so no RVI can be sure that it is 100% comprehensive, even with respect to its own editorial policy. Some RVIs compete with each other directly, so they don't cross-reference each other. Some sources could theoretically support all public cross-references - most notably OSVDB and CVE - but they do not, due to resource limitations or other priorities.

- UNMEASURABLE RESEARCH COMMUNITY BIAS.

Vulnerability researchers vary widely in skill sets, thoroughness, preference for certain vulnerability types or product classes, and so on. This collectively produces a bias that is not currently measurable against the number of latent vulnerabilities that actually exist.
Example: web browser vulnerabilities were once thought to belong to Internet Explorer only, until people actually started researching other browsers; many elite researchers concentrate on a small number of operating systems or product classes; basic SQL injection and XSS are very easy to find manually; etc.

- UNMEASURABLE DISCLOSURE BIAS.

Vendors and researchers vary widely in their disclosure models, which creates an unmeasurable bias. For example, one vendor might hire an independent auditor and patch all reported vulnerabilities without publicly announcing any of them, or a different vendor might publish advisories even for very low-risk issues. One researcher might disclose without coordinating with the vendor at all, whereas another researcher might never disclose an issue until a patch is provided, even if the vendor takes an inordinate amount of time to respond.

Note that many large-scale comparisons, such as "Linux vs. Windows," cannot be verified due to unmeasurable bias, and/or editorial policy of the core RVI that was used to conduct the comparison.

EDITORIAL POLICY VARIATIONS
---------------------------

This is just a sample of variations in editorial policy. There are legitimate reasons for each variation, usually due to audience needs or availability of analytical resources.

COMPLETENESS (what is included):

1) SEVERITY. Some RVIs do not include very low-risk items such as a bug that causes path disclosure in an error message in certain non-operational configurations. Secunia and SecurityFocus do not do this, although they might note this when other issues are identified. Others include low-risk issues, such as CVE, ISS X-Force, US-CERT Security Bulletins, and OSVDB.

2) VERACITY. Some RVIs will only publish vulnerabilities when they are confident that the original, raw report is legitimate - or if they've verified it themselves. Others will publish reports when they are first detected from the raw sources.
Still others will only publish reports when they are included in other RVIs, which makes them subject to the editorial policies of those RVIs unless care is taken. For example, US-CERT's Vulnerability Notes have a high veracity requirement before they are published; OSVDB and CVE have a lower requirement for veracity, although they have correction mechanisms in place if veracity is questioned, and CVE has a two-stage approach (candidates and entries).

3) PRODUCT SPACE. Some RVIs might omit certain products that have very limited distribution, are in the beta development stage, or are not applicable to the intended audience. For example, version 0.0.1 of a low-distribution package might be omitted, or if the RVI is intended for a business audience, video game vulnerabilities might be excluded. On the other hand, some "beta" products have extremely wide distribution.

4) OTHER VARIATIONS. Other variations exist but have not been studied or categorized at this time. One example, though, is historical completeness. Most RVIs do not cover vulnerabilities before the RVI was first launched, whereas others - such as CVE and OSVDB - can include issues that are older than the RVI itself. As another example: a few years ago, Neohapsis made an editorial decision to omit most PHP application vulnerabilities from their summaries, if they were obscure products, or if the vulnerability was not exploitable in a typical operational configuration.

ABSTRACTION (how vulnerabilities are "counted"):

5) VULNERABILITY TYPE. Some RVIs distinguish between types of vulnerabilities (e.g. buffer overflow, format string, symlink, XSS, SQL injection). CVE, OSVDB, ISS X-Force, and US-CERT Vulnerability Notes perform this distinction; Secunia, FrSIRT, and US-CERT Cyber Security Bulletins do not. Bugtraq IDs vary. As vulnerability classification becomes more detailed, there is more room for variation (e.g. integer overflows and off-by-ones might be separated from "classic" overflows).

6) REPLICATION.
Some RVIs will produce multiple records for the same core vulnerability, even based on the RVI's own definition. Usually this is done when the same vulnerability affects multiple vendors, or if important information is released at a later date. Secunia and US-CERT Security Bulletins use replication; so might vendor advisories (for each supported distribution). OSVDB, Bugtraq ID, CVE, US-CERT Vulnerability Notes, and ISS X-Force do not - or, they use different replication than others. Replication's impact on statistics is not well understood.

7) OTHER VARIATIONS. Other abstraction variations exist but have not been studied or categorized at this time. As one example, if an SQL injection vulnerability affects multiple executables in the same product, OSVDB will create one record for each affected program, whereas CVE will combine them.

TIMELINESS:

8) RVIs differ in how quickly they must release vulnerability information. While this used to vary significantly in the past, these days most public RVIs have very short timelines, from the hour of release to within a few days. Vulnerability information can be volatile in the early stages, so an RVI's requirements for timeliness directly affect its veracity and completeness.

REALITY:

9) All RVIs deal with limited resources or time, which significantly affects completeness, especially with respect to veracity, or timeliness (which is strongly associated with the ability to achieve completeness). Abstraction might also be affected, although usually to a lesser degree, except in the case of large-scale disclosures.

Conclusion
----------

In my opinion:

You should not interpret any RVI's statistics without considering its editorial policy. For example, the US-CERT Cyber Security Bulletin Summary for 2005 uses statistics that include replication. (As a side note, a casual glance at the bulletin's contents makes it clear that it cannot be used to compare Windows to Linux as operating systems.)
In addition, you should not compare statistics from different RVIs until (a) the RVIs are clear about their editorial policy and (b) the differences in editorial policy can be normalized. Example: based on my PRELIMINARY investigations of a few hours' work, OSVDB would have about 50% more records than CVE, even though it has the same underlying number of vulnerabilities and the same completeness policy for recent issues.

Third, for the sake of more knowledgeable analysis, RVIs should consider developing and publishing their own editorial policies. (Note that based on CVE's experience, this can be difficult to do.) Consumers should be aware that some RVIs might not be open about their raw sources, veracity analysis, and/or completeness.

Finally: while RVIs are not yet ready to provide usable, conclusive statistics, there is a solid chance that they will be able to do so in the near future. Then, the only problem will be whether the statistics are properly interpreted. But that is beyond the scope of this letter.

Steve Christey
CVE Editor

P.S. This post was written for the purpose of timely technical exchange. Members of the press are politely requested to consult me before directly attributing quotes from this article, especially with respect to stated opinion.

From isn at c4i.org Mon Jan 9 04:35:33 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:35:33 -0600 (CST)
Subject: [ISN] Former Cyber-Security Chief to Head CIA's Venture Capital Arm
Message-ID:

http://www.eweek.com/article2/0,1895,1907899,00.asp

By Caron Carlson
January 4, 2006

After a brief stint at the Department of Homeland Security, former cyber-security czar Amit Yoran has gone to work for the CIA. More specifically, Yoran this week was named president and CEO of In-Q-Tel Inc., the CIA's venture capital unit.
In-Q-Tel, based in Menlo Park, Calif., was established in 1999 as a way for the government to invest in novel technologies by providing equity, product development funding, innovative intellectual property arrangements and contracting guidance. Yoran is the outfit's second chief executive, succeeding Gilman Louie.

His experience blends private and public sector endeavors. He graduated from the U.S. Military Academy at West Point and went on to earn a master's degree from George Washington University. Yoran's venture capital knowledge dates to his founding of RipTech Inc. in 1998, which he sold to Symantec Corp. in 2002. His government expertise includes a stint as director of the National Cyber Security Division of the Department of Homeland Security and a job early in his career with the Pentagon's Computer Emergency Response Team. Yoran resigned from the Department of Homeland Security in 2004.

"Amit's lifetime experience - as an entrepreneur, a venture investor and leader in commercial companies and national security - makes him the perfect fit for our organization," Louie said. "His critical understanding of key technologies and security needs will position In-Q-Tel to continue to serve as a unique tool driving innovation across the broader Intelligence Community."

In-Q-Tel has invested in at least 80 companies over the last six years, generally providing between $1 million and $3 million, according to the organization's Web site. Its stated mission is to not only nurture technologies for government use, but also to look for commercial counterparts to the intelligence community's enterprise challenges. Specific areas of interest include software for search and categorization, translation and simulation, as well as wireless, security, semiconductor and nanotechnology infrastructure. Additionally, In-Q-Tel invests in biotechnology, power and sensor technologies.
From isn at c4i.org Mon Jan 9 04:36:12 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:36:12 -0600 (CST)
Subject: [ISN] Unauthorized Patch For Microsoft WMF Bug Sparks Controversy
Message-ID:

http://www.informationweek.com/software/showArticle.jhtml?articleID=175801150

By Larry Greenemeier
InformationWeek
Jan 4, 2006

Concerns over the lack of a Microsoft-issued patch have pushed the Windows Metafile/Zero-Day bug to top of mind, surpassing even tomorrow's much-anticipated Sober worm attack. The lag time between the Dec. 27 discovery of the WMF vulnerability and Microsoft's planned Jan. 10 patch availability has forced IT security departments to find alternative means for protecting their systems and prompted a non-Microsoft developer to create a patch that others could use. All of this serves to damage Microsoft's reputation as a company that can secure its own products - a reputation that only recently was beginning to improve after years of being dragged through the mud.

Experts are divided over whether it's wise to use Ilfak Guilfanov's Hexblog patch to fix the WMF vulnerability, which could allow attackers to use WMF images to execute malicious code on their victims' computers. Some say it's a necessary measure to protect systems until the official Microsoft patch arrives; others say it's not worth the extra work to patch twice or to take the risk of using a third-party fix.

"We're advising against this third-party patch," says Gartner VP and research fellow John Pescatore. Even if the patch works perfectly, users will have to modify their Windows environments when they deploy the patch, and then uninstall the patch by next Tuesday, leaving two opportunities for something to go wrong. Gartner advises that companies should employ workarounds that ensure that their URL-blocking capabilities are up to date, that all WMF files are blocked, and that they expedite testing and deployment of Microsoft's patch when it becomes available.
But the SANS Institute's Internet Storm Center recommended Tuesday that users not wait for Microsoft's fix, but unregister a vulnerable Dynamic Link Library, or DLL (executable program modules in Windows), and apply Guilfanov's patch.

Either way, the WMF vulnerability has been widely acknowledged as a major security threat. The vulnerability is already being exploited, and Symantec has raised its ThreatCon to a Level 3, out of four. The company, which last placed a ThreatCon Level 3 in July 2004 because of MyDoom.M, has expressed concern over the window of time Microsoft has allowed between discovery of the vulnerability and the planned issuance of a patch. Symantec recommends that companies instruct their users to avoid opening unknown or unexpected E-mail attachments or following Web links from unknown or unverified sources, and turn off preview features on E-mail programs to prevent infection from HTML E-mails.

The WMF vulnerability affects a number of different versions of Windows XP, Server 2003, ME, 98, and 2000, as well as some versions of Lotus Notes. Microsoft claims, via its Security Response Center blog, that the company is continuing to work on finalizing a security update for the vulnerability in WMF. In the blog, Security Response Center operations manager Mike Reavey acknowledges that in Microsoft's effort to "put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site." Microsoft is recommending its customers disregard the posting and wait until a fully tested patch is issued next week.

Microsoft's response to the vulnerability has been particularly poor, says the assistant VP of IT security for a global financial-services firm. While Microsoft has chosen to patch the WMF vulnerability during its normal Patch Tuesday download, this comes well after it should have.
"They have historically released patches on special occasions, and this is clearly one of those occasions," she says, preferring to speak anonymously on the topic of an unpatched vulnerability. She added that her company has "wasted countless man-hours" to mitigate the chance of being hit by an exploit, but that no amount of workarounds can fully replace a patch from the vendor.

Third-party patches are not a new concept, but the one issued for the WMF vulnerability is particularly troubling because it raises the question of why Microsoft couldn't issue its own patch in a timely fashion. In fact, the availability of Guilfanov's Hexblog patch makes Microsoft look even worse, the financial-services assistant VP of IT security says. "If a third party can put out a stable patch, Microsoft should have been able to," she adds. "It shames Microsoft."

While the popular Hexblog patch - Guilfanov's Web site was down on Wednesday morning, possibly because of bandwidth issues - is by all appearances a solid piece of coding, the financial-services firm won't download the patch because of the risk of implementing a patch that's not been properly tested, "which it isn't because it's not coming from Microsoft," the assistant VP adds.

As long as Windows systems remain unpatched, companies are at risk for WMF exploits whenever their employees browse the Internet. "There's no way for you to know whether a site is dangerous for a WMF exploit," says Ken Dunham, director of VeriSign iDefense's rapid response team. Even if companies set their defenses to strip out all executable files from incoming E-mails and instant messages, attackers can disguise their executables to look like a JPG or GIF file. As of Jan. 2, VeriSign iDefense had found at least 67 hostile sites containing exploits against the WMF vulnerability, and the company is investigating another 100 sites.
When users visit these malicious sites, their computers can be infected with Trojans, adware, spyware, or files that use them as a base for sending out spam to other computers. Unlike the Sober worm, which spreads spam with politically charged messages but tends not to damage systems, WMF vulnerability-inspired spam is much more malicious.

VeriSign iDefense captured a WMF culprit on Dec. 28 that used the output.gif file to spam messages over the Internet from a company called Smallcap-Investors, which promotes a Chinese pharmaceutical company called Habin Pingchuan Pharmaceutical. The spam message was sent out as a GIF file in an apparent attempt to evade spam filters. Using spam as the underpinning of a stock "pump and dump" scheme, Smallcap encouraged users to buy cheap stocks. As is typical in such a ruse, once the fraudster has raised the value of the stock, he or she sells off the stock, making it worthless to the victims who've been duped into investing.

Another WMF exploit came in the form of the HappyNY.a worm, which looks to a user like a JPG file but is actually a malicious WMF file. The HappyNY.a worm contains Nascene.C code, which attempts to exploit the WMF vulnerability and fully compromise a user's computer.

If users come to depend too much on third-party patches to avoid such scams, it could set a dangerous precedent for security. "You'll see phishing E-mails that say they offer volunteer patches," Pescatore says. "If people start using these sites that are not from a vendor, this could be a whole new problem."

Concerns over the proliferation of Microsoft-based phishing scams come as an Iowa man recently pleaded guilty to computer fraud charges arising from a phishing scheme conducted from January 2003 through June 2004 on Microsoft's MSN Internet service. The scam involved sending E-mail falsely claiming that MSN customers would receive a 50% credit toward their next bill.
Meanwhile, the buzz around the WMF vulnerability has helped eclipse concerns over the upcoming Sober worm threat. "All of the antivirus guys have put out their signature updates" for the latest incarnation of Sober, and "the payload has been analyzed, so you know what DNS servers it's going to call," Pescatore says. The most important thing for IT security professionals to realize is that there is a patch for Sober and that, while the attacks will start by Jan. 5, there will likely be new variants of Sober each subsequent week.

On Jan. 5, the code contained in the Sober worm will start updating and sending itself out to thousands, if not millions, of computers, adds Dunham. So far, the Sober attacks have been more motivated at spreading political and social messages rather than delivering malicious payloads. "Sober has the ability to download code, but the attackers haven't done this," he adds. "Instead, they use it to send spam and clog E-mail servers and promote their agenda."

Signature-based antivirus programs won't have any problems detecting known variants of Sober. New variants will prove a bit trickier, and companies should make sure executable and JPG attachments are stripped out of E-mails traversing their networks, says Shane Coursen, a senior technical consultant for antivirus software maker Kaspersky Lab. For this latest generation of Sober, companies will rely less on signature-based antivirus defenses and more on those that employ heuristic routines that flag strange behavior on the network.

From isn at c4i.org Mon Jan 9 04:36:24 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:36:24 -0600 (CST)
Subject: [ISN] BlackBerry squeezed by DoS security bugs
Message-ID:

http://www.theregister.co.uk/2006/01/04/blackberry_security_bugs/

By John Leyden
4th January 2006

Research In Motion (RIM) has warned of a trio of vulnerabilities in its popular BlackBerry software that create a means for hackers to launch denial of service attacks.
Patches are available to defend against only one of the vulnerabilities, but RIM has issued advice on how to guard against attack from the other two.

The most serious unfixed risk stems from a flaw in processing Server Routing Protocol (SRP) packets. This security bug creates a possible means to disrupt communication between BlackBerry Enterprise Server and BlackBerry Router, potentially disrupting service. A separate unpatched security bug in the handling of malformed Tiff image attachments creates a means for a remote hacker to launch denial of service attacks against the BlackBerry Attachment Service, providing an internal user is duped into viewing malicious files on a BlackBerry handheld.

The vulnerabilities have been reported in BlackBerry Enterprise Server 4.0 as well as later versions. Domino, Exchange and Novell GroupWise versions of the platform are all affected.

Exploitation of the first vulnerability means a hacker needs to be able to connect to the BlackBerry Server or Router via port 3101/TCP. Shielding BlackBerry servers behind a firewall ought to thwart these attacks. Additionally, RIM advises users to exclude the processing of Tiff images as a workaround against the second threat, pending the availability of a more complete fix.

A third security bug - for which a fix has been made available - sees a BlackBerry handheld web browser vulnerable to a denial of service via a specially crafted Java Application Description (JAD) file. Users are advised to install BlackBerry device software version 4.0.2 or later to guard against attack.

Details of the vulnerabilities were outlined by FX of the Phenoelit group during a presentation at the 22nd Chaos Communication Congress in Berlin last week. US CERT has produced an overview of the vulnerabilities here.
In a statement, RIM said that it had "already developed software fixes for the issues identified by FX and, although there have been no customer reports of any actual problems, RIM has also provided temporary precautionary measures that can be taken in the meantime until customers are able to implement the software updates".

From isn at c4i.org Mon Jan 9 04:36:38 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:36:38 -0600 (CST)
Subject: [ISN] N.J. forms cyber-crime task force
Message-ID:

http://www.philly.com/mld/inquirer/news/local/13553073.htm

By Sam Wood
Inquirer Staff Writer
Jan. 05, 2006

Victims of computer crime now have a powerful ally in the State of New Jersey.

The Attorney General's Office announced yesterday that a Computer Crime Task Force had been formed by merging the nationally known state police cyber-crimes unit with the office's computer analysis and technology unit. The unit is designed to track down such crimes as computer hacking and child pornography.

"The game plan is to pool training and experience that will lead to more prosecution of cyber crime in the state," said State Police Capt. Ken Schairer, who will be co-chief of the task force.

The state police cyber-crimes unit initiated about 125 investigations in 2005 and made about 100 arrests, Schairer said. The task force is made up of about 20 investigators, said Aurora Fagan, supervising deputy attorney general, who will also serve as co-chief.

"There should be less overlap now that we're both aware of the investigations that we're both doing," said Fagan, who previously led the computer analysis unit in the Attorney General's Office. She said many computer crimes went uninvestigated because victims did not know where to report them.

-=-

More Information

To report cyber crime, call the Computer Crime Task Force at 1-888-648-6007.
To learn more about the task force or fill out an online incident form, visit www.cctf.nj.gov

From isn at c4i.org Mon Jan 9 04:37:21 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:37:21 -0600 (CST)
Subject: [ISN] RECON 2006 - Call for papers
Message-ID:

Forwarded from: Hugo Fortier

RECON 2006 - Call for papers - 06/01/06
Montreal, Quebec, Canada
16 - 18 June 2006

We are pleased to announce the second annual RECON conference, which will take place in Montreal from the 16th to the 18th of June 2006.

We are looking for original technical presentations, in the fields of reverse engineering and/or information security. Presentations should last no longer than 50 minutes and be presented in English.

We will be accepting talk proposals until the 31st of March, 2006. All submitted presentations will be reviewed by the RECON program committee.

Preferred topics

Reverse engineering (Software, Protocols, Hardware, Social)
Exploit development and vulnerability assessment
Data analysis and visualization techniques
Crypto and anonymity
Physical security countermeasures
Cool network stuff

Please include the following with your submission

1) Speaker name(s) and/or handle
2) Contact information (Email and Cell phone)
3) Brief biography
4) Motivations for presentation (500 words max.)
5) Presentation abstract (500 words max.)
6) If your presentation references a paper or piece of software that you have published, please provide us with either a copy of the said paper or software or a URL where we can obtain them.

Please send the above information to cfp (at) recon.cx

RECON program committee

Cédric Blancher
Nicolas Brulez
Guillaume Duteille
Hugo Fortier
Jason Geffner
Ryan Russel
Mathieu Sauvé-Frankel

Visit http://recon.cx for more information.
From isn at c4i.org Mon Jan 9 04:37:36 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:37:36 -0600 (CST)
Subject: [ISN] Web extra: DOD, orgs: SANS survey findings not dire
Message-ID:

http://www.fcw.com/article91890-01-09-06-Web

By Michael Arnone
Jan. 9, 2006

Survey respondents say several popular certifications don't prepare employees to handle information security as well as vendor-specific certifications do.

Providers of a number of popular information security certifications are calling findings from the SANS Institute survey a case of apples and oranges. SANS is a nonprofit training and education organization for security professionals.

The institute's survey finds that respondents with certifications from the Computing Technology Industry Association (CompTIA), the International Information Systems Security Certification Consortium - also known as (ISC)2 - and the Information Systems Audit and Control Association (ISACA) think that their training does not give them a strong advantage in performing hands-on security jobs.

Those organizations' certifications don't improve holders' ability to protect computer systems as much as the SANS Institute's Global Information Assurance Certification and vendor-specific certifications do, said Alan Paller, SANS' director of research.

But officials with the other organizations said they are not surprised that SANS put its certifications ahead of theirs for hands-on security.

The survey illustrates the division of emphasis among security certification providers, said Lynn McNulty, (ISC)2's director of government services. ISACA aims for IT security governance, McNulty said. CompTIA courts entry-level employees, and (ISC)2 concentrates on policy and management training. All three are vendor-neutral.
Certifications set a baseline of technical experience and knowledge, but holders must keep their skills current by other means to stay effective, said Everett Johnson, president of ISACA's International Board of Directors. The survey's findings indicate that "the certifications are doing the job they are intended to do," Johnson said. "The certifications are for different purposes."

Paller said he is especially worried because the Defense Department requires its frontline information assurance employees to have those nontechnical certifications.

DOD officials are confident in their choice of certifications, said Bob Lentz, director of information assurance in the DOD chief information officer's office. The department has codified security competencies for its IT security employees under Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management." Frontline security employees must have certifications from CompTIA or (ISC)2 but not SANS or vendors.

"The key error is that [DOD officials] took security managers who never had hands-on security experience to design a security certification," Paller said. "If all you've ever done is write policy, how would you know what to do to secure a Unix box?"

The required certifications are fine for low- and midlevel security employees, but SANS training should dominate the certifications that technical staff members receive, said Robert Ashworth, a contractor at Government Solutions Group working on information assurance at the Navy's Space and Naval Warfare Systems Command. Ashworth holds eight professional certifications, including (ISC)2's Certified Information Systems Security Professional (CISSP) and ISACA's Certified Information Security Manager.

Under DOD's directive, someone with CISSP certification could get any technical or managerial position, even though CISSP should not qualify people for technical positions because it is more analytical, Ashworth said.
Officials might have chosen CISSP because many people hold that certification, which could make it easier for DOD to fill positions, Ashworth said.

To improve frontline security, DOD and certification vendors must create progressively harder, platform-specific security tests to evaluate low-level security employees, Paller said. Once they do, Paller predicts that the rest of the government and industry will follow suit, improving security for everyone.

From isn at c4i.org Tue Jan 10 01:33:48 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:33:48 -0600 (CST)
Subject: [ISN] Ex-UD student faces hacking charges
Message-ID:

http://www.delawareonline.com/apps/pbcs.dll/article?AID=/20060109/NEWS/601090322/-1/NEWS01

By ESTEBAN PARRA
The News Journal
01/09/2006

A former University of Delaware student could face up to 36 years in prison on charges of hacking into a professor's computer to try to change an exam date.

Marc J. Simpson, of Toms River, N.J., is accused of using a software program that could spy on other computers via a wireless connection. The software, court documents said, gave Simpson the ability to gain his professor's password as the instructor typed it during a class.

But in the end, UD police said, the 20-year-old's scheme was undone by an anonymous tip delivered the old-fashioned way -- on a piece of paper.

Simpson, who had been a computer engineering student, is charged with two counts each of identity theft, unauthorized access of a computer and misuse of computer system information.

Simpson could not be reached, but his attorney, Mark D. Sisk, said his client is not guilty. UD spokesman Martin Mbugua said the school would not comment. The case is pending in Superior Court.

According to court records, several of associate professor Michael Shay's students complained after he scheduled a physics exam for Oct. 7, the same date as an exam another professor was giving. They asked Shay to reschedule his exam, but he refused.
A day before the test, however, students in the class received an e-mail from Shay's account telling them the exam had been rescheduled.

Later that day, Shay found out what had happened. He tried to log on to his e-mail server three times, but discovered his password had been changed. He also saw that the class Web page had been accessed and edited to indicate the exam was rescheduled.

With the help of the department's computer technician, Shay gained access to his account. But when he tried to correct the Web page, he found a code had been installed that changed it back to the altered version. The code eventually was disabled.

Shay contacted the students, told them what happened and said the exam still would be Oct. 7. He also contacted university police, who determined Shay's account was accessed from a Comcast account in the 100 block of Main St.

Then, on Oct. 19, Shay told police he received an anonymous letter that identified Simpson as the hacker and explained how he did it.

"He obtained your password by running a program on his laptop during class that picks up keystrokes on linked computers," the letter said. "He linked his laptop to yours wirelessly and undetected during class and obtained your password while you were typing it."

The letter also said Simpson, who was arrested last year, used a wireless network in the 100 block of Main St. Police said Simpson took a laptop to a restaurant and used a wireless network belonging to residents living above the business. This made it harder to trace the hacking, police said.

The case occurred during what computer experts call the worst year ever for known computer-security breaches. At least 130 were reported, exposing more than 55 million Americans to potential identity theft. It is difficult to measure the actual number of break-ins, however, since many companies are unaware they were hacked. Those that disclosed breaches include Marriott International, Ford Motor Co. and Sam's Club.
USA Today contributed to this article.

Copyright © 2006, The News Journal.

From isn at c4i.org Tue Jan 10 01:32:54 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:32:54 -0600 (CST)
Subject: [ISN] Web extra: DOD, orgs: SANS survey findings not dire
Message-ID:

Forwarded from: Dennis Kezer

SANS seems to have completely missed the part that says technical people must also be certified in the vendor specific technologies they support. The CAPS are from the guidance, not from me. They wisely chose not to attempt to list these out as there are so many vendors out there such a list would be all but impossible to compile or maintain.

C3.2.4.8.7. In addition to the baseline IA certification requirement for their level, IATs with privileged access MUST OBTAIN APPROPRIATE COMPUTING ENVIRONMENT (CE) CERTIFICATIONS for the operating system(s) they support as required by their employing organization. This requirement ensures they can effectively apply IA requirements to their hardware and software systems.

-----Original Message-----

Paller said he is especially worried because the Defense Department requires its frontline information assurance employees to have those nontechnical certifications.

DOD officials are confident in their choice of certifications, said Bob Lentz, director of information assurance in the DOD chief information officer's office. The department has codified security competencies for its IT security employees under Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management." Frontline security employees must have certifications from CompTIA or (ISC)2 but not SANS or vendors.

"The key error is that [DOD officials] took security managers who never had hands-on security experience to design a security certification," Paller said. "If all you've ever done is write policy, how would you know what to do to secure a Unix box?"
Under DOD's directive, someone with CISSP certification could get any technical or managerial position, even though CISSP should not qualify people for technical positions because it is more analytical, Ashworth said.

Officials might have chosen CISSP because many people hold that certification, which could make it easier for DOD to fill positions, Ashworth said.

To improve frontline security, DOD and certification vendors must create progressively harder, platform-specific security tests to evaluate low-level security employees, Paller said. Once they do, Paller predicts that the rest of the government and industry will follow suit, improving security for everyone.

From isn at c4i.org Tue Jan 10 01:33:18 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:33:18 -0600 (CST)
Subject: [ISN] Hackers use Yale name
Message-ID:

http://www.yaledailynews.com/article.asp?AID=31167

BY ROSS GOLDBERG
Staff Reporter
January 9, 2006

A forged Yale e-mail address has been used to spread a security exploit that infected over one million computers in the last two weeks, including some on the University network.

The exploit, which attacks a weakness in the Windows operating system, can allow hackers to remotely control a computer that downloads it. In one version circulating in the United Kingdom, victims are tricked into clicking on a link in an e-mail purportedly sent by a Yale professor.

Yale Information Security Officer Morrow Long said the University received about 30 complaints from British citizens, but given that victims of hackers rarely bother to complain, many more were likely infected.

"We got some e-mails here from people who thought we were somehow behind it," Long said. "We weren't happy that we would have our name dragged through the mud in some major virus attacks."

The Yale forgery is one of more than 200 versions of the bug, which takes advantage of a vulnerability in the way computers render Windows Meta File images.
Several versions of WMF attacks -- though not the one using the University domain name -- successfully infiltrated about 10 Yale computers and attempted to infect 20 more, Long said. University officials first detected an attack on the network on Dec. 29, but Windows did not release a patch to fix the problem until a week later.

Long said that given the exploit's severity, the computers could have been completely destroyed.

"It's very critical," he said. "Basically, if somebody clicks on it, it can take over your system and do whatever it wants."

Officials are urging students to download the patch with Windows Update to avoid a resurgence as they return to school.

The Yale version of the bug is carried in an e-mail from a nonexistent "Professor Robert Gordens." The message announces that the University suffered graffiti damage and broken windows over New Year's, and it asks recipients to click on a link to see if they can "recognise [sic] the culprit's work." The link automatically downloads the exploit to victims' computers.

Long said members of the Yale community are frequently sent e-mails with viruses attached from hackers forging the university domain name, but attacks on outsiders are unusual. Computer security experts said Yale may have been chosen due to its international prestige.

"What you're trying to do in a social engineering attack is generate trust," said Alan Paller, director of research at the SANS Institute, which provides computer security training and research. "The idea of a university being a sleazy organization just doesn't compute in people's minds."

Though no one at Yale has been linked to the WMF attacks in Britain, Paller said he hopes the incident will alert faculty to the dangers of reckless network use, which he said is a chronic problem on university campuses.

"Probably the best effect is it will wake your faculty to the idea that they have a role to play here," Paller said.
"When they don't keep their systems safe, they put the whole community at risk."

Paller said faculty usually resist attempts to secure their networks with Web site restrictions, but Yale Chief Information Officer Philip Long said Yale has introduced netblocks on the primary sites involved in the attacks. Since Jan. 1, administrators have also blocked all e-mails with "Happy New Year" written in the subject line to protect against another version of the exploit.

Officials said they expect that the e-mail block likely thwarted a number of innocent e-mails.

"We knew it would affect people, but we weighted that against the risk of a lot of people getting infected," Morrow Long said.

But Philip Long said administrators were unable to filter data with ".wmf" file extensions -- a step that Paller said was essential but largely ignored by most universities.

Yale can take legal action against the hackers who forged its domain name, Morrow Long said, but law enforcement will likely be unable to identify the perpetrators given that the attacks cross several national boundaries.

From isn at c4i.org Tue Jan 10 01:33:33 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:33:33 -0600 (CST)
Subject: [ISN] Two new WMF bugs found
Message-ID:

http://www.networkworld.com/news/2006/010906-microsoft-wmf-bug.html

By Robert McMillan
IDG News Service
01/09/06

Just days after Microsoft patched a critical vulnerability in the way the Windows operating system renders certain types of graphics files, a hacker has published details of two new flaws that affect the same part of the operating system.

The new vulnerabilities were posted to the Bugtraq security mailing list on Monday by a hacker going by the name of "cocoruder."
All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some computer-aided design applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts.

That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch to the problem, ahead of its monthly security software update.

While the patched flaw was being exploited by attackers to take control of Windows machines, the latest vulnerabilities appear to pose the risk of simply crashing the WMF-viewing software, typically Internet Explorer. However, users would first need to trick a victim into viewing a specially crafted WMF image in order for this to happen, security experts say.

The vulnerabilities can be found in a number of versions of Windows, including Windows XP, Service Pack 2, Windows Server 2003, Service Pack 1, and Windows 2000, Service Pack 4, according to cocoruder's Bugtraq posting.

Because of the inherent complexity of image formats, there are plenty of opportunities for attackers to find bugs similar to the two that were revealed Monday, said Russ Cooper, senior information security analyst for Cybertrust.

Cooper said that the new WMF vulnerabilities are not a major cause of concern. "New malformed images that simply crash things aren't really that important unless they can be shown to cause code to execute," he said via instant message. "This is only getting any attention because it's WMF and Microsoft just released a WMF patch."

Johannes Ullrich, chief research officer for the SANS Institute, agreed that these types of image problems are fairly common, but he said that the fact that so many WMF vulnerabilities have popped up of late -- Microsoft fixed three other WMF bugs in November -- indicates that the software vendor could be doing a better job of predicting where its security problems might lie.
Microsoft should have been able to catch these latest flaws and fix them with its November patch, Ullrich said.

"They really seem to have a problem thinking offensively," he said of Microsoft. "If you don't really look for these vulnerabilities with this offensive mindset, but if you instead look at it from a programmer's perspective ... you just don't find a lot of these things."

"Every month they have one or two image problems they fix," Ullrich added. "It's actually kind of surprising they don't get exploited more."

A spokeswoman from Microsoft was unable to provide comment for this story.

From isn at c4i.org Tue Jan 10 01:34:05 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:34:05 -0600 (CST)
Subject: [ISN] ISPs told to help eradicate Sober
Message-ID:

http://news.zdnet.co.uk/0,39020330,39246203,00.htm

Tom Espiner
ZDNet UK
January 09, 2006

Infected PCs should be cut off from the Internet by their service providers, say some; AOL says it prefers to focus on prevention

ISPs were urged on Monday to check their user traffic patterns to locate and shut down machines infected with the mass-mailing Sober worm.

Although Sober is no longer trying to replicate, antivirus company F-Secure believes ISPs must warn infected customers so they can disinfect themselves. Infected PCs had been programmed to download new instructions from the Internet last week, which would have heralded another attack. As previously reported, this update did not actually appear online, but infected machines are still trying to download it.

"ISPs: we urge you to check your user traffic patterns. Locate the users that produce an unlikely large amount of constant hits to people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at and home.arcor.de. Contact these users and let them know they are likely to be infected with Sober and they should clean up their act," F-Secure said on its blog.
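F-Secure's advice above is a traffic-pattern check: find the clients that keep hitting the named update hosts at a constant rate, which is what an infected machine does and a person browsing does not. The Python below is an added example, not code from F-Secure, ZDNet or any ISP; the log format, the sample lines and the two thresholds are constructed assumptions, while the host list is the one quoted in the article.

```python
"""Added example (not from the article or F-Secure): flag clients whose
web-proxy logs show a constant stream of requests to the hosts F-Secure
named as Sober's update locations. The log format, sample data and
thresholds below are constructed assumptions, not an ISP's real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts named in the F-Secure advice quoted above.
SOBER_UPDATE_HOSTS = {
    "people.freenet.de",
    "scifi.pages.at",
    "home.pages.at",
    "free.pages.at",
    "home.arcor.de",
}


def parse_line(line: str):
    """Constructed log format: '<ISO timestamp> <client ip> <host> <path>'."""
    ts, client, host, _path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, host.lower()


def find_suspected_sober_clients(lines, min_hits=20, max_gap_seconds=120):
    """Return {client: hit_count} for clients with at least min_hits
    requests to the update hosts where no two successive requests are
    more than max_gap_seconds apart: a constant beacon rather than a
    one-off visit by a person. Both thresholds are example assumptions."""
    stamps_by_client = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, host = parse_line(line)
        if host in SOBER_UPDATE_HOSTS:
            stamps_by_client[client].append(ts)

    flagged = {}
    for client, stamps in stamps_by_client.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if not gaps or max(gaps) <= max_gap_seconds:
            flagged[client] = len(stamps)
    return flagged


def build_sample_log():
    """Constructed sample: one beaconing client, one busy but unrelated
    client, one single visit, and one client that visits only hourly."""
    base = datetime(2006, 1, 9, 8, 0, 0)
    hosts = sorted(SOBER_UPDATE_HOSTS)
    lines = []
    for i in range(30):                      # 10.0.0.5: every 60 s, 30 times
        ts = base + timedelta(seconds=60 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 {hosts[i % len(hosts)]} /")
    for i in range(40):                      # 10.0.0.7: busy, not an update host
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 www.example.com /news")
    lines.append(f"{base.isoformat()} 10.0.0.9 home.arcor.de /")   # one visit
    for i in range(25):                      # 10.0.0.11: 25 hits, an hour apart
        ts = base + timedelta(hours=i)
        lines.append(f"{ts.isoformat()} 10.0.0.11 home.pages.at /")
    return lines


if __name__ == "__main__":
    for client, hits in sorted(find_suspected_sober_clients(build_sample_log()).items()):
        print(f"{client}: {hits} constant hits to Sober update hosts, contact the customer")
```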
Computers infected by Sober are likely to contain spyware, or could have been turned into zombie PCs and used to send spam or launch denial-of-service attacks. They could also download a Sober update in the future, sparking another mass-mailing attack.

F-Secure said ISPs should let customers know they have been infected automatically, and redirect users to sites so they can disinfect their machines.

"Most affected computers belong to home users, who have no idea they've been infected. ISPs are in the best position to distinguish infected users," Mikko Hyppönen, director of antivirus research at F-Secure, told ZDNet UK.

"Service providers can automatically shut down a user connection, and specify that to get back online users have to follow certain steps, for example, by visiting the Microsoft site for the latest updates. ISPs can automatically shut down what they want, and can still connect users to Microsoft," said Hyppönen.

ISPs have an economic motive to overcome reluctance to inform users that their machines have been compromised, Hyppönen argued.

"It might be hard for ISPs to find the motivation to do it, because it's a lot of work and a thankless job as no-one wants to hear they are infected. However, ISPs are losing money because of the huge amounts of traffic generated by infected machines," Hyppönen said.

But AOL said it would not be contacting users, as it put more emphasis on prevention of infection through email filtering, and blocking links to certain Web sites. Users who had been infected had access to McAfee antivirus services, AOL said.

"We have on occasion made outbound contact with members in specific situations, such as the Mydoom worm, but have no plans to do so in this instance as we focus our efforts on prevention," said Jonathan Lambeth, director of communications for AOL UK. "Our anti-spam systems, which block more than 1.5 billion spam emails each day, block a large number of emails containing links to the Sober virus in the first place.
Links are default-disabled on emails within AOL to prevent casual clicking on rogue links, requiring a more positive action to click through, although this setting can be switched off if the user prefers," Lambeth added.

From isn at c4i.org Tue Jan 10 01:34:38 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:34:38 -0600 (CST)
Subject: [ISN] Linux Security Week - January 9th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  January 9th, 2005                            Volume 7, Number 2n   |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas       ben at linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Demystifying Security Enhanced Linux," "INFOSEC Assurance Capability Maturity Model," and "The Importance of a Security, Education, Training and Awareness Program."

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

---

LINUX ADVISORY WATCH

This week, advisories were released for tkdiff, scponly, XnView, pineentry, KPdf, libgphoto, printer-filters-utils, nss_ldap, mdkonline, tkcvs, and ethereal. The distributors include Debian, Gentoo, and Mandriva.
http://www.linuxsecurity.com/content/view/121170/150/

---

* EnGarde Secure Community 3.0.3 Released
  6th, December, 2005

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

http://www.linuxsecurity.com/content/view/121150/65/

---

Hacks From Pax: SELinux Administration

This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

http://www.linuxsecurity.com/content/view/120700/49/

---

Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to my second of a series of articles on Security Enhanced Linux. My previous article detailed the background of SELinux and explained what makes SELinux such a revolutionary advance in systems security. This week, we'll be discussing how SELinux security contexts work and how policy decisions are made by SELinux. SELinux systems can differ based on their security policy, so for the purposes of this article's examples I'll be using an EnGarde Secure Linux 3.0 system, which by default uses a tightly configured policy that confines every included application.

http://www.linuxsecurity.com/content/view/120622/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Review: Advancing Firewall Protection
  9th, January, 2006

With more than one million users, U.K.-based SmoothWall's Firewall may just be the most popular software firewall that has yet to become a household name.
Test Center engineers recently took a look at products from SmoothWall to see what all the buzz is about and to see exactly why one million users have chosen the product.

http://www.linuxsecurity.com/content/view/121188

* What are Rootkits?
  3rd, January, 2006

Rootkits are Internet-based threats that have recently been discussed at great length, basically in the light of the fact that a large company distributed a rootkit with some of its products. But, what exactly is a rootkit? Why are rootkits so dangerous? Is it true that they cannot be removed from systems? We are going to try to give answers to these questions and lay various myths to rest.

http://www.linuxsecurity.com/content/view/121138

* A better VNC with FreeNX for remote desktop control
  9th, January, 2006

VNC is well-known for allowing the remote control of another desktop machine via your own computer. For instance, using VNC you can easily control your home PC from work, and vice versa. The problem with VNC is that it's not overly secure and it can be quite slow, particularly if you have a lot of fancy graphics or backgrounds on the remote computer. Other solutions also exist for remote control of a GUI, such as running X over ssh, proprietary tools like Apple's Remote Desktop, etc., but they all tend to have the same drawbacks; they are either insecure or tend to be slow.

http://www.linuxsecurity.com/content/view/121185

* Registration Open for the Second Security-Enhanced Linux Symposium and Developer Summit
  5th, January, 2006

Registration for the Security-Enhanced Linux (SELinux) Symposium is now open at www.selinux-symposium.org. The event, scheduled for February 27-March 3, 2006 in Baltimore, Maryland, explores the emerging SELinux technology and the power of flexible mandatory access control in Linux.
http://www.linuxsecurity.com/content/view/121164 * Demystifying Security Enhanced Linux 6th, January, 2006 In this paper I will try to explain the philosophy behind the Security Enhanced Linux (SE Linux). I will however try to explain the concept with an example but to keep the length readable I will restrain myself to go into much of implementation details for e.g. commands and similar stuff. http://www.linuxsecurity.com/content/view/121180 * Security Hole Claimed for BlackBerrys 3rd, January, 2006 New research released over the weekend indicated that BlackBerrys -- the ubiquitous handheld devices favored by on-the-go types -- are vulnerable to a security hole that could let attackers break in to the gadgets by convincing users to open a specially crafted image file attached to an e-mail. http://www.linuxsecurity.com/content/view/121148 * Linux Kernel Multiple Denial of Service and Privilege Escalation Issues 4th, January, 2006 Multiple vulnerabilities were identified in Linux Kernel, which could be exploited by malicious [local] users to cause a denial of service and potentially obtain elevated privileges. http://www.linuxsecurity.com/content/view/121159 * Debian developers trim platform support 5th, January, 2006 Debian Etch, the next major version of the Linux distribution, will only be available on eight architectures, with four getting the boot. http://www.linuxsecurity.com/content/view/121165 * McAfee Settles Fraud Charges 5th, January, 2006 Security vendor McAfee agreed on Wednesday to pay a $50-million fine to the U.S. Securities and Exchange Commission to settle charges that it overstated its revenue and earnings by hundreds of millions of dollars, closing an unpleasant chapter in the company.s history. http://www.linuxsecurity.com/content/view/121168 * Apache shot with security holes 9th, January, 2006 Companies running Apache and a PostgreSQL database are at risk from serious Internet intrusion. 
Red Hat warned of a flaw late last week in mod_auth_pgsql, an Apache module that allows authentication against information in popular open-source database PostgreSQL. http://www.linuxsecurity.com/content/view/121187 * Linux Netwosix Creator Discusses 2.0 Vision, Future 3rd, January, 2006 The recent announcement of the 2.x branch of Linux Netwosix may prompt LinuxWorld readers to ask why there were two releases--1.3 and 2.0-rc1--of this software within a week. So we contacted its creator, 19-year-old Vincenzo Ciaglia of the University of Salerno, Italy to find the answer to this and other questions. http://www.linuxsecurity.com/content/view/121142 * Network Forensic Traffic Reconstruction with Tcpxtract 4th, January, 2006 Today I got a chance to try Nick Harbour's Tcpxtract program. I had heard of it several months ago, but I had trouble compiling it on FreeBSD. Just now I tried the regular ./configure, make, make install routine using version 1.0.1 and had no problems. http://www.linuxsecurity.com/content/view/121155 * All the Rage: It's 2006: Do You Know Where Your Security Policies Are? 2nd, January, 2006 It's the beginning of a new year--time to review your approach to security policy. If you think implementing firewalls, IDSs and antivirus/antispam products is enough, you're sorely mistaken. No matter the size of your enterprise, you must define a framework of security policies, standards and procedures for securing valuable corporate assets. If you don't, you may be leaving your company open to a variety of vulnerabilities. http://www.linuxsecurity.com/content/view/121132 * Over 5,000 bugs in 2005 2nd, January, 2006 The end of an old year and beginning of a new one is always a favorite time to compile lists. One such compendium comes from the US-CERT, the US Computer Emergency Readiness Team, which has come up with a list of 5,198 software bugs that were discovered during 2005, a 38 percent increase from 2004. 
The bugs ran the gamut from A (Aaron Outpost ASP inline Corporate Calendar Permits Remote SQL Injection on Windows OSes) to Z (the multiplatform Zyxel Prestige 650R-31 Router Remote Denial of Service). http://www.linuxsecurity.com/content/view/121135 * All the Rage: Happy Rue Year 3rd, January, 2006 If 2005 seemed a particularly overwhelming year in terms of security problems, you're not imagining things. According to an annual report compiled by U.K.-based security vendor Sophos, there were about 16,000 new worms, viruses and Trojans identified during the year--48 percent more than the 10,724 detected in 2004. Some 1,940 new threats were discovered in November alone--the largest monthly increase Sophos has ever registered. http://www.linuxsecurity.com/content/view/121139 * CISOs Move Beyond Tech 3rd, January, 2006 Top security executives will have some of the most fluid job descriptions in the industry this year. There will be a continuing separation of operational security from policy setting and oversight, predicts Paul Stamp, an analyst at Forrester Research. http://www.linuxsecurity.com/content/view/121140 * Reporter's Notebook: Security 3rd, January, 2006 Compliance will dominate the security agenda for 2006. The growing number of regulations -- and the consequences of not complying with them -- have elevated security into the boardroom. CIOs will use compliance to justify most of their information security spending this year -- even for technologies IT would have implemented anyway. http://www.linuxsecurity.com/content/view/121141 * Marriott loses data on 200,000 customers 3rd, January, 2006 Hotel chain Marriott admitted last Tuesday that backup computer tapes containing data on approximately 206,000 customers were missing from a company office in Florida. 
The data, which relates to customers of its time-share division, Marriott Vacation Club International, included personal information such as the credit card details, Social Security numbers and, in a few cases, the bank details of customers. http://www.linuxsecurity.com/content/view/121143 * Linux vs. Windows security 3rd, January, 2006 Microsoft and Linux both provide support for authentication, access control, audit trail/logging, Controlled Access Protection Profile, and cryptography. However, Linux is superior due to Linux Security Modules, SELinux, and winbind. The user of a Linux system can decide to add additional security mechanisms to a Linux distribution without having to patch the kernel. http://www.linuxsecurity.com/content/view/121145 * INFOSEC Assurance Capability Maturity Model 4th, January, 2006 The INFOSEC Assurance - Capability Maturity Model (IA-CMM) is based on the System Security Engineering Capability Maturity Model (SSE-CMM) and modified to address the INFOSEC assurance processes. Whereas IATRP methodology training focuses on an individual's ability to conduct an INFOSEC assurance service, the IA-CMM appraisal focuses on a provider organization's capability to support INFOSEC analyst in conducting their mission objectives (i.e. to provide quality INFOSEC Assurance or Evaluation). http://www.linuxsecurity.com/content/view/121153 * More IT Security Pros Filling Executive Roles 4th, January, 2006 Information security professionals, already experiencing a surge in demand for their badly needed technical skills, may also get a chance this year to flex their business acumen. IT security professionals are being invited into corporate board rooms around the globe, wielding more influence and finding increased opportunities. 
The 2005 Global Information Security Workforce Study, sponsored by the International Information Systems Security Certification Consortium, or (ISC)2, found that more than 70 percent of respondents believe they exercised more influence on executives in 2005 than in the previous year. More than 73 percent expect their influence to continue growing. http://www.linuxsecurity.com/content/view/121154 * Sad State Of Data Security 4th, January, 2006 How does this keep happening? Companies have been publicly humiliated, slapped with audits, and threatened with prosecution, but sensitive personal data continues to be compromised. The U.S. Department of Justice is the latest to demonstrate its information-security incompetence. The mistake: exposing Social Security numbers on its Web site. http://www.linuxsecurity.com/content/view/121156 * 2006: Year of the Hacker? 5th, January, 2006 Computer hackers sought to create havoc on the Web last week by launching two attacks targeting Microsoft Windows users -- one circulating a virus disguised as the company's instant messenger client, the other exploiting a previously unknown flaw in its operating system. The attacks came as computer security Relevant Products/Services from Microsoft experts warned that following a year that saw an unprecedented 150,000 computer viruses emerge, 2006 could be the worst on record for hacker mayhem. http://www.linuxsecurity.com/content/view/121161 * Massive demand for unauthorised Windows patch 5th, January, 2006 Ilfak Guilfanov's personal Web site has been taken offline by his hosting provider after hordes of Microsoft users scrambled to download his unofficial patch against the Windows Metafile vulnerability. According to antivirus firm F-Secure, demand for the unauthorised Windows Meta File (WMF) patch developed by Guilfanov was so high his hosting provider temporarily shut his Web site on Wednesday morning. 
http://www.linuxsecurity.com/content/view/121162 * The Importance of a Security, Education, Training and Awareness Program 5th, January, 2006 End-user computing has emerged as a vital component of the overall information resource of the organization. [1] This emergence has made its way not only into the information resource but also in the information security of an organization. The end-user has access to the most vital information a company has and either has the knowledge in how to circumvent the systems that have been put in place to protect the organizations information, or the lack of knowledge that is needed to protect this information, as well as the well-being of the organization's network itself. http://www.linuxsecurity.com/content/view/121163 * Why Linux Is More Secure Than Ever 5th, January, 2006 As Linux becomes more prevalent in today.s enterprise systems, it raises questions about the best way to protect the open source technology. David Humphrey, senior technology advisor for Ekaru, a Westbrook, Mass.-based technology services company, discussed some of those issues with Security Pipeline. http://www.linuxsecurity.com/content/view/121167 * You can.t manage what you can.t see! 6th, January, 2006 Security threats have grown more menacing with the appearance of the likes of Sober, Mytob, and Bagle. Along with the newer trends of spyware, phishing and key logging the implications of ineffective information security have become potentially debilitating to business operations and indeed strategy. http://www.linuxsecurity.com/content/view/121179 * US-CERT's FUD 6th, January, 2006 Everywhere you look in the trade press today, you'll find glowing misrepresentations of US-CERT's latest annual summary of vulnerabilities discovered in 2005. If you take the summary findings at face value, you would likely conclude that Windows -- with 812 reported vulnerabilities -- is a much safer operating system than something called "Unix/Linux," which totaled 2,328. 
The US-CERT summaries have become the fodder for a FUD festival, and many scribes sympathetic to the Microsoft cause go out of their way to make sure the real picture never emerges. http://www.linuxsecurity.com/content/view/121182 * Experts question Windows win in flaw tally 6th, January, 2006 Critics have taken aim at a study published by the U.S. Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows last year. The report, Cyber Security Bulletin 2005, was released last week. It claimed that out of 5,198 reported flaws, 812 were found in Microsoft's Windows operating system, 2,328 were found in open-source Unix/Linux systems. The rest were declared to be multiple operating-system vulnerabilities. http://www.linuxsecurity.com/content/view/121183 * A Step-By-Step Guide to Computer Attacks and Effective Defenses 9th, January, 2006 Five years after writing one of the original books in the hack attack and countermeasures genre of books, Ed Skoudis has teamed up with Tom Liston to create a revised and updated version. Counter Hack Reloaded brings Counter Hack up to date with new technologies and attack types as well as providing the informaion you need to protect your computer and network from being targeted by these attacks. http://www.linuxsecurity.com/content/view/121184 * Three more states add laws on data breaches 9th, January, 2006 Companies struggling to keep up with a patchwork of state laws related to data privacy and information security have three more to contend with, as new security-breach notification laws went into effect in Illinois, Louisiana and New Jersey on Jan. 1. Like existing statutes in more than 20 other states, the new laws prescribe various actions that companies are required to take in the event of a security breach involving the compromise of personal data about their customers. 
http://www.linuxsecurity.com/content/view/121186 * DNS Name Prediction With Google 2nd, January, 2006 As discussed in .Google Hacking for Penetration Testers. from Syngress publishing[1], there are many different ways to perform network reconnaissance using Google. Since the publication of that text, many different ideas and techniques have come to light. This document addresses one interesting technique, which we'll call DNS name[2] prediction. This document assumes you have some knowledge of basic network recon, and is not intended as a hand-holding approach to hacking. If you're evil, stop reading this and go work out some aggression on a sack-o-potatoes or something. http://www.linuxsecurity.com/content/view/121131 * How to sue a British spammer 6th, January, 2006 Chartered engineer Nigel Roberts became the first person to win a court judgment over a company's breach of the UK's anti-spam law late last year. His success received widespread media coverage . and now he's encouraging others to do the same. Roberts sued Media Logistics (UK) Ltd, a marketing firm based in Falkirk, Scotland, for sending him unsolicited emails about contract car hire and fax broadcasting businesses. http://www.linuxsecurity.com/content/view/121178 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message. 
------------------------------------------------------------------------

From isn at c4i.org Tue Jan 10 01:34:52 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:34:52 -0600 (CST)
Subject: [ISN] Information Security Salaries Rise
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=175802926

By Thomas Claburn
InformationWeek
Jan 9, 2006

Information security pros with bachelor's degrees don't get any more money than high school grads, but a master's or doctorate is convertible to higher salaries, according to the study. Moreover, communications skills rate more important than technical skills for career advancement.

A new study released today confirms that there is indeed a growing market for IS expertise. Alan Paller, director of research at The SANS Institute, a respected IT research and education organization, suggests that people "are waking up to the fact that there's a shortage of security talent."

The SANS Institute's 2005 Information Security Salary and Career Advancement study of over 4,250 IS pros finds that compensation for IS jobs is strong and growing. For U.S. IS professionals, the median income, including bonuses, is now $81,558. In Great Britain, it's $76,389. In Canada, it's $67,982. In the rest of the world, it's $51,250.

Paller says his organization has not conducted a salary survey since 2002 because it didn't want to "pile on" during a time when salaries were under pressure. But he contends salaries in 2005 were significantly higher than three years earlier.

An infosec salary survey released in 2003 by Foote Partners LLC noted that compensation declined the previous year. The Foote survey found that in the fourth quarter of 2002, the overall base salaries for some 100 IT positions declined by an average of 2.8 percent from the fourth quarter of 2001. Yet even so, during this period salaries for corporate security positions rose an average of 5.5 percent, suggesting that even in bad times, good security remains a valuable commodity.

One noteworthy finding in the SANS study is that there's essentially no difference in terms of compensation between IS workers with high school degrees and those with bachelor's degrees. However, those with advanced degrees -- a Master's or Doctorate -- can expect to earn significantly more than those with lesser academic credentials.

Another finding of note: certifications from The International Information Systems Security Certification Consortium, Inc. (ISC)2 and the Information Systems Audit and Control Association (ISACA) translate into greater earnings than other certifications, such as those bestowed by individual vendors like Microsoft or Cisco. Respondents indicated that those certifications offered an edge in management or policy-centric jobs -- typically highly paid positions.

But for hands-on security, survey takers said the Global Information Assurance Certification (GIAC), administered by SANS, and certifications offered by vendors were more advantageous. Paller interprets this as an indication that there's no substitute for real world experience. "You can't become a pilot by studying airplanes," he says, suggesting that employers should be wary of computer security pros who have never wrestled with securing actual systems.

Perhaps the most unexpected finding, according to Paller, is that those taking the survey rated communication skills, both verbal and written, as more important than technical knowledge in terms of career advancement.

Copyright © 2006 CMP Media LLC, All rights reserved.
From isn at c4i.org Tue Jan 10 01:35:16 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:35:16 -0600 (CST)
Subject: [ISN] Security flaws on the rise, questions remain
Message-ID:

http://www.theregister.co.uk/2006/01/09/computer_security_flaws_on_the_rise/

By Robert Lemos
SecurityFocus
9th January 2006

After three years of modest or no gains, the number of publicly reported vulnerabilities jumped in 2005, boosted by easy-to-find bugs in web applications. Yet, questions remain about the value of analyzing current databases, whose data rarely correlates easily.

A survey of four major vulnerability databases found that the number of flaws counted by each in the past five years differed significantly. However, three of the four databases exhibited a relative plateau in the number of flaws publicly disclosed in 2002 through 2004. And, every database saw a significant increase in their count of the flaws disclosed in 2005.

A few common themes emerged from the data as well. In 2005, easy-to-find flaws in web applications were likely responsible for the majority of the increase, the database managers said in interviews with SecurityFocus. However, some of the increase came from a doubling in the number of flaws released by large software companies.

The most important, and perhaps obvious, lesson is that the software flaws are here to stay, said Peter Mell, a senior computer scientist for the National Institute of Standards and Technology (NIST) and the creator of the National Vulnerability Database (NVD) [1], one of the four databases surveyed.

"The problem of people breaking into computers is not going away any time soon," Mell said. "There is certainly more patches every year that system administrators need to install, but the caveat is that more vulnerabilities seem to apply to less important software."

Vulnerability databases are coming of age. In 2005, NIST created the National Vulnerability Database [2] and software makers and security service providers have cooperated to create the Common Vulnerability Scoring System (CVSS) [3], a standardized measure of the severity of software flaws. The National Vulnerability Database completed scoring flaws [4] in its database using the CVSS in late November. While auctions of vulnerability research have not taken off [5], two companies now buy vulnerability information [6] from flaw finders.

Four databases were surveyed: The Computer Emergency Response Team (CERT) Coordination Center's database, the National Vulnerability Database (NVD), the Open-Source Vulnerability Database (OSVDB), and the Symantec Vulnerability Database. (SecurityFocus is owned by Symantec.)

The number of flaws cataloged by each database in 2005 varied widely, because of differing definitions of what constitutes a vulnerability and differing editorial policy. The OSVDB [7] - which counted the highest number of flaws in 2005 at 7,187 - breaks down vulnerabilities into their component parts, so what another database might classify as one flaw might be assigned multiple entries. SecurityFocus [8] had the lowest count of the vulnerabilities at 3,766.

The variations in editorial policy and lack of cross-referencing between databases as well as unmeasurable biases in the research community and disclosure policy mean that the databases - or refined vulnerability information (RVI) sources - do not produce statistics that can be meaningfully compared, Steve Christey, the editor of the Common Vulnerability and Exposures (CVE) [9], wrote in an e-mail to security mailing lists [10] on Thursday. The CVE is a dictionary of security issues compiled by The MITRE Corp., a government contractor and nonprofit organization.

"In my opinion, RVI sources are still a year or two away from being able to produce reliable, repeatable, and comparable statistics," he wrote. "In general, consumers should treat current statistics as suggestive, not conclusive."

Recent numbers produced by the U.S. Computer Emergency Readiness Team (US-CERT) revealed some of the problems with refined vulnerability sources. Managed by the CERT Coordination Center, the US-CERT's security bulletins outline security issues but are updated each week. In a year end list published last week, the US-CERT announced that 5,198 vulnerabilities had been reported in 2005. Some mainstream media outlets noted the number [11], compared it to the CERT Coordination Center's previous data - which is compiled from a different set of vulnerability reports - and concluded there was a 38 per cent increase in vulnerabilities in 2005 over the previous year.

In fact, discounting the updated reports resulted in a 41 per cent decrease to 3,074 vulnerabilities, according to an analysis done by Alan Wylie, an independent computer programmer. If the data point could be compared with statistics from CERT/CC, that would have placed the number of flaws reported in line with the previous three years.

Yet, while the data is significantly flawed, the original story told by US-CERT's list seems to be the right one. The number of vulnerabilities reported in 2005 increased, mainly due to researchers looking into the security of Web applications. The National Vulnerability Database noted the largest increase of 96 percent from 2004 to 2005, while the Symantec Vulnerability Database saw the smallest increase of 40 percent.

While publicly reported flaws jumped, that does not necessarily mean dire prospects for home users' or businesses' security, said David Ahmad, manager for development at Symantec's Security Response team.

"Web-based vulnerabilities are all over the place and they are really easy to find--they are the low-hanging fruit," Ahmad said. "We have had high-profile vulnerabilities, but that is not what is driving this increase."

Finding those flaws does not require much skill, said Brian Martin, content manager for the OSVDB.

"We are seeing people discover vulnerabilities in software with tiny distribution and low installed base--free guestbooks that are written left and right, available by the thousands," he said. "And we are seeing that it takes no skill to find vulnerabilities in these applications."

Disparate data

The number of vulnerabilities entered into four major databases vary widely over the past five years, but seem to indicate that 2005 was a banner year for bugs.

              2005    2004    2003    2002    2001
  CERT/CC    5,990   3,780   3,784   4,129   2,437
  NVD        4,584   2,340   1,248   1,943   1,672
  OSVDB      7,187   4,629   2,632   2,184   1,656
  Symantec   3,766   2,691   2,676   2,604   1,472

Sources: Computer Emergency Response Team Coordination Center (CERT/CC), National Vulnerability Database, Open-Source Vulnerability Database, and the Symantec Vulnerability Database.

Yet, the entire focus should not be on the rash of Web application flaws, Mell said. The computer scientist conducted an informal survey of entries for flaws in products from well-known companies and found that six of 14 software makers had seen a doubling in the number of vulnerability reports, while another four firms saw a decrease in the number of reports. The remaining four companies reported a similar number of flaws as the year before.

"I find it amazing that large and reputable software companies are seeing a large number more flaws this year (2005) than last year," Mell said.

The database managers also cautioned that the vulnerability counts for any particular year generally do not reflect the state of secure software development, only where the research community's interests lie.

"These numbers are showing the state of practice from a few years ago, rather than what the current state of practice is today," said Jeff Havrilla, team leader of vulnerability analysis at the CERT Coordination Center.

Making the issue more difficult, several software vendors' move to release patches on a specific day has resulted in most security bulletins detailing multiple vulnerabilities, a situation that makes the true number of flaws harder to count, Havrilla said.

This article was originally published at SecurityFocus [12].

[1] http://nvd.nist.gov/
[2] http://www.securityfocus.com/news/11278
[3] http://www.securityfocus.com/news/10541
[4] http://www.securityfocus.com/news/11360
[5] http://www.securityfocus.com/news/11364
[6] http://www.securityfocus.com/news/11253
[7] http://www.osvdb.org/
[8] http://www.securityfocus.com/bid
[9] http://cve.mitre.org/
[10] http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0135.html
[11] http://blogs.washingtonpost.com/securityfix/2005/12/uscert_5198_sof.html
[12] http://www.securityfocus.com/news/11367/2

From isn at c4i.org Tue Jan 10 01:35:29 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:35:29 -0600 (CST)
Subject: [ISN] Douglas H. Bigelow, 49; Chief of Web Security at AOL
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/01/04/AR2006010402061.html

By Patricia Sullivan
Washington Post Staff Writer
January 5, 2006

Douglas H. Bigelow, 49, who for the past decade fought e-mail spam, computer viruses, identity theft and online pornography as the leader of security for the world's largest Internet service provider, died of pancreatic cancer Dec. 24 at his home in Vienna.

Mr. Bigelow, America Online's vice president of operations security, was hired in 1995 as the company's first employee responsible for protecting both customer and corporate data. Ten years later, he managed a department of more than 100 people who defended the network and its customers against cyber attacks and assisted police and federal criminal investigations.
"He led the investigation of literally thousands of security issues every year," said Matt Korn, AOL's executive vice president for network and data security center operations, who hired Mr. Bigelow. "Doug would have overseen the security surrounding things like AOL member databases and password databases. He was a strong force behind everything from member privacy policies to anti-virus and anti-spyware protection in our products."

He was also a popular leader, despite the fact that his employees were often called to work at inconvenient times, such as when a computer worm was released on Superbowl Sunday a few years ago. For 10 years in a row, his division reported the highest satisfaction ratings of any group in the AOL corporate structure, Korn said.

"You'd think, they're dealing with a lot of cruds in the world," Korn said. "But Doug always had an amazing attitude, always a smile . . . and his team was happy. He created a great environment."

Mr. Bigelow had been employed in information technology since 1980, when he went to work for Wesleyan University and helped connect that school and others to Bitnet, one of the many computer networks that preceded what is now known as the Internet. He served for eight years as a volunteer trustee of the nonprofit Corporation for Research and Educational Networking, which dissolved three years ago.

He wrote a chapter in a book about how universities could get connected to the Internet, covering not just the technical requirements but also how to get the money to pay for it. In those years, when technologists worked collegially to help others solve sticky problems, Mr. Bigelow was among the tech-savvy in the academic world who made time for those who needed assistance.

He was born in Manchester, Conn., grew up in nearby Glastonbury and graduated from Wesleyan. He earned a master's degree from Ohio State University in computer science in 1980. He worked at Wesleyan until joining AOL.

For the past four years, Mr. Bigelow was often found in the stands at Flint Hill School of Oakton, watching his daughter, Elaine, play volleyball, basketball and softball. He was an ardent sailor and in the last seven years often piloted his sailboat, the Dawn Treader, on the Chesapeake Bay. He particularly enjoyed Patrick O'Brian's series of 19th-century British Royal Navy sailing stories.

Besides his daughter, Elaine Bigelow of Vienna, survivors include his wife of 27 years, Susan Okula of Vienna; a son, David Bigelow of Vienna; and two sisters.

© 2006 The Washington Post Company

From isn at c4i.org Wed Jan 11 01:49:15 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 11 Jan 2006 00:49:15 -0600 (CST)
Subject: [ISN] Homeland Security helps secure open-source code
Message-ID:

http://news.com.com/Homeland+Security+helps+secure+open-source+code/2100-1002_3-6025579.html

By Joris Evers
Staff Writer, CNET News.com
January 10, 2006

The U.S. Department of Homeland Security is extending the scope of its protection to open-source software.

Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis, representatives for the three grant recipients told CNET News.com.

The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.

In the effort, which the government agency calls the "Vulnerability Discovery and Remediation, Open Source Hardening Project," Stanford and Coverity will build and maintain a system that does daily scans of code contributed to popular open-source projects.
The automated system should be running by March, and the resulting database of bugs will be accessible to developers, they said. The data is meant to help secure open-source software, which is increasingly used in critical systems, analysts said. Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system. "We're going to make automatic checking deeper and more thorough using the latest research and apply this to the open-source infrastructure to make it more robust," said Dawson Engler, an associate professor at Stanford who is working on the project. "A lot of the nation's critical computing infrastructure is open source, and it isn't really checked in an automatic way." Symantec will provide security intelligence and test the source code analysis tool in its proprietary software environment, said Brian Witten, the director of government research at the Cupertino, Calif., security software vendor. "Our role here is to help Stanford and Coverity aim their research and development to best help commercial software developers," Witten said. "By applying the Coverity tools to both open-source and proprietary software, Coverity is getting feedback from two very different worlds of software development." Playing catch-up to commercial code The project will expand an existing Coverity initiative that already provides Linux developers with regular bug data. "We will take that to the next level and pull together dozens of major open-source projects, and do full analysis of those code bases," Coverity co-founder David Park said. Commercial software makers commonly use source code analysis tools, either bought or homegrown, to vet their code before releasing a product to market. 
However, such tools are often too expensive for open-source developers, experts said. Instead, open-source programmers eyeball each other's code or check their own work manually.

The effort will help put open-source development on a par with commercial software efforts, Park said. "The open-source community does not have access to those kinds of tools, so we are trying to correct that to some extent," he said.

The list of open-source projects that Stanford and Coverity plan to check for security bugs includes Apache, BIND, Ethereal, KDE, Linux, Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL, Coverity said.

This could be a boon for open-source security, said Stacey Quandt, an analyst with Aberdeen Group. "The benefit for open source is that it enables it to be up to date with commercial technology innovation," she said.

At the same time, proprietary software stands to gain as well, Quandt said. "While these efforts will help secure open-source software, the improvement in Coverity's tools can be used to also improve the security of proprietary software," she said.

But the real winner is Coverity, Quandt said. The company's technology is based on Stanford research, and Stanford's Engler is closely affiliated with the business.

The project, while generally welcomed, has come in for some criticism from the open-source community. The bug database should help make open-source software more secure, but in a roundabout way, said Ben Laurie, a director of the Apache Foundation who is also involved with OpenSSL. A more direct way would be to provide the code analysis tools to the open-source developers themselves, he said.

"It is regrettable that DHS has decided once more to ensure that private enterprise profits from the funding, while the open-source developers are left to beg for the scraps from the table," he said. "Why does the DHS think it is worthwhile to pay for bugs to be found, but has made no provision to pay for them to be fixed?"
The Department of Homeland Security could not immediately comment.

Engler defended the initiative, noting that the Department of Homeland Security is effectively paying for a commercial bug-checking tool to be applied to open-source software. "The money is going to provide them with things they need to fix the bugs, which is bug reports. That is a lot better than they have now, which is nothing," he said.

-=-

Scrubbing for bugs

List of open-source software to be analyzed in the Department of Homeland Security-sponsored project.

Abiword
Apache
BerkeleyDB
Bind
Ethereal
Firebird
Firefox
FreeBSD
Gaim
Gimp
Gtk+
Icecast
Inetutils
KDE
Linux
Mplayer
MySQL
OpenBSD
OpenLDAP
OpenSSH
OpenSSL
OpenVPN
Proftpd
QT
Samba
Squid
TCL
TK
wxGtk
Xine
Xmms
Xpdf

Source: Coverity

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Wed Jan 11 01:49:26 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 11 Jan 2006 00:49:26 -0600 (CST)
Subject: [ISN] Qualys vulnerability research put in peril
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=5128

By John E. Dunn
Techworld
10 January 2006

Security management vendor Qualys has denied that its innovative Laws of Vulnerability research has been jeopardised by the sudden departure of its key instigator, Gerhard Eschelbeck.

The company has confirmed that no individual had been appointed to directly replicate Eschelbeck's work on the research, an analysis of real-world vulnerabilities taken from scans of Qualys's substantial enterprise customer base. The findings for 2005 were announced last November at the Black Hat conference in Las Vegas.

Former company CTO and VP of engineering, Eschelbeck, announced before Christmas that he was leaving the company he'd worked at for five years to take up an identical position at anti-spyware vendor, Webroot. He is considered an authority on the topic of vulnerabilities and patching strategies.
Eschelbeck was also a key figure in Qualys's involvement in the Common Vulnerability Scoring System (CVSS) - an evolving standard for assessing security risks - and in compiling the SANS Top 20, an annual measure of security vulnerabilities.

Qualys CEO Philippe Courtot was adamant that personnel would be found from within the company to maintain involvement in the SANS Top 20 - and in CVSS - a standard the company was strongly committed to. However, he confirmed that the company had not yet appointed anyone to oversee the workload, despite appointing an interim CTO in Eschelbeck's place.

Longer term, the company might look outside Qualys itself for a champion for the Laws analysis. "One person can't do it all and so you will see more spokespersons," Courtot said.

Eschelbeck, meanwhile, has his hands full at Webroot, as it attempts to move from a consumer business model to one orientated towards businesses.

From isn at c4i.org Wed Jan 11 01:49:37 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 11 Jan 2006 00:49:37 -0600 (CST)
Subject: [ISN] Microsoft Plugs 'Critical' E-Mail Server Holes
Message-ID:

http://www.eweek.com/article2/0,1895,1909647,00.asp

By Ryan Naraine
January 10, 2006

Microsoft Corp. on Tuesday released two security bulletins to fix "critical" flaws in several widely deployed products, including one that presents a remote unauthenticated attack vector that could leave corporate e-mail servers open to a destructive network worm attack.

A company spokesperson flagged MS06-003 as the most serious issue, warning that a bug in the way TNEF (Transport Neutral Encapsulation Format) is decoded can allow malicious hackers to inject harmful code automatically without user interaction.

Businesses running Microsoft Exchange Server 5.0, Microsoft Exchange Server 5.5 and Microsoft Exchange 2000 are at the highest risk of a network attack, according to Stephen Toulouse, program manager in the MSRC (Microsoft Security Response Center).
Microsoft Office 2000, Microsoft Office XP, Microsoft Outlook 2002 and Microsoft Office 2003 are also at immediate risk, although a successful attack requires a minimum amount of user interaction.

"[An attacker] can run code on the server when the server is processing an e-mail message," Toulouse said in an interview, noting that the code would be executed in the background without any user interaction. "If you're running Exchange Server 5.0, Exchange Server 5.5 or Exchange 2000 Server, you want to pay special attention to this update."

Businesses running Microsoft Exchange Server 2003 are not affected.

The TNEF format, which is proprietary, is used by the Microsoft Exchange Server and Outlook e-mail clients to parse RTF (Rich Text Format) messages. When Microsoft Exchange thinks that it is sending a message to another Microsoft e-mail client, it extracts all the formatting information and encodes it in a special TNEF block. It then sends the message in two parts: the text message with the formatting removed and the formatting instructions in the TNEF block. On the receiving side, a Microsoft e-mail client processes the TNEF block and reformats the message.

In an attack scenario, Toulouse said, a malicious hacker could create a specially crafted TNEF message to trigger an exploit when the server is decoding the e-mail message.

The second bulletin, MS06-002, also covers a remote code execution vulnerability in the way Windows handles malformed embedded Web fonts. This flaw could be exploited by attackers using specially constructed Web fonts placed on Web sites or in e-mail messages.

Toulouse acknowledged that the vulnerability presented a major code execution risk but said the attack scenario requires that the victim be lured into viewing a rigged Web site or a specially crafted e-mail.

"These are both high-priority updates that were privately reported.
We're not aware of any exploits or attacks but we want to ensure people understand these risks and get these updates deployed on their systems," Toulouse said.

From isn at c4i.org Wed Jan 11 01:49:01 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 11 Jan 2006 00:49:01 -0600 (CST)
Subject: [ISN] IDs of 50,000 Bahamas resort guests stolen: Kerzner
Message-ID:

http://www.heraldnewsdaily.com/stories/news-00122573.html

By John Marquis
Jan 8, 2005

NASSAU, Bahamas - The identities of more than 50,000 customers of major Bahamas resort Atlantis have been exposed to possible identity fraud following the theft of personal information from the hotel, the owners said.

Kerzner International Ltd., owner of the luxury 2,300-room Atlantis resort on Paradise Island, revealed details of the data theft in a document filed with the Bahamas Securities and Exchange Commission.

Information stolen included names, addresses, credit card details, social security numbers, driver's license numbers and bank account data, the filing said. The information appears to have gone missing from the hotel's computer database and was the work of either an insider or outside hacker.

The Atlantis hotel management is notifying affected customers in writing so they can take steps to protect themselves from possible identity fraud. The hotel is also providing, at no cost to customers, a credit monitoring service for a year.

The filing by Kerzner said around 55,000 customers are thought to be affected.

"To date, the resort has not received any evidence that the information has been used to commit identity fraud or in any other manner adverse to its customers," the statement said.

Atlantis has notified Bahamian and U.S. law enforcement agencies and is co-operating with them. George Markantonis, president and managing director of the Paradise Island operation, said Atlantis took its obligation to safeguard personal information seriously.
As investigations are under way, the resort said it was unable to disclose more at this time.

Atlantis is one of the world's landmark resort destinations. Thousands of tourists - mainly Americans - flock there every week to enjoy its casino and beachfront attractions. It employs more than 5,000 Bahamians and is a major player in the country's economy.

From isn at c4i.org Wed Jan 11 01:49:51 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 11 Jan 2006 00:49:51 -0600 (CST)
Subject: [ISN] Book Review: Insider Threat
Message-ID:

http://books.slashdot.org/books/06/01/06/1421243.shtml

[ http://www.amazon.com/exec/obidos/ASIN/1597490482/c4iorg - WK]

Author: Eric Cole and Sandra Ring
Pages: 397
Publisher: Syngress
Rating: 9
Reviewer: Ben Rothke
ISBN: 1597490482
Summary: Excellent overview of the insider threat to networks and information systems

The retail and gambling sectors have long understood the danger of the insider threat and have built their security frameworks to protect against both the insider and the outsider. Shoplifters are a huge bane to the retail industry, exceeded only by thefts from internal employees behind the registers. The cameras and guards in casinos are looking at both those in front of and behind the gambling tables. Casinos understand quite well that when an employee is spending 40 hours a week at their location dealing with hundreds of thousands of dollars, over time, they will learn where the vulnerabilities and weaknesses are. For a minority of these insiders, they will commit fraud, which is invariably much worse than any activity an outsider could alone carry out.

Insider Threat is mainly a book of real-life events that detail how the insider threat is a problem that affects every organization in every industry. In story after story, the book details how trusted employees will find weaknesses in systems in order to carry out financial or political attacks against their employers.
It is the responsibility of the organization to ensure that their infrastructure is designed to detect these insiders and that their systems are resilient enough to defend against them. This is clearly not a trivial task.

The authors note that the crux of the problem is that many organizations tend to think that once they hire an employee or contractor, that the person is now part of a trusted group of dedicated and loyal employees. Given that many organizations don't perform background checks on their prospective employees, they are placing a significant level of trust in people they barely know.

While the vast majority of employees can be trusted and are honest, the danger of the insider threat is that it is the proverbial bad apple that can take down the entire tree. The book details numerous stories of how a single bad employee has caused a company to go out of business.

Part of the problem with the insider threat is that since companies are oblivious to it, they do not have a framework in place to determine when it is happening, and to deal with it when it occurs. With that, when the insider attack does occur, which it invariably will, companies have to scramble to recover. Many times, they are simply unable to recover, as the book details in the cases of Omega Engineering and Barings Bank.

The premise of Insider Threat is that companies that don't have a proactive plan to deal with insider threats will ultimately be a victim of insider threats. The 10 chapters in the book expand on this and provide analysis to each scenario described.

Chapter 1 defines what exactly insider threats are and provides a number of ways to prevent insider threats. The authors note that there is no silver bullet solution or single thing that can be done to prevent an insider threat. The only way to do this is via a comprehensive program that must be developed within the framework of the information security group.
Fortunately, all of these things are part of a basic information security program including fundamental topics like security awareness, separation and rotation of duties, least privilege to systems, logging and auditing, and more.

The irony of all of the solutions suggested in chapter one is that not a single one of them is rocket science. All of them are security 101 and don't require any sort of expensive software or hardware. Part of this bitter irony is that companies are oblivious to these insider threats and will spend huge amounts of money to protect against the proverbial evil hacker, being oblivious to the nefarious accounts receivable clerk in the back office that is draining the coffers.

One example the book provides is that many companies feel they are safe because they encrypt data. An excellent idea detailed in chapter two is to set up a sniffer and examine the traffic on the internal network to ensure that the data is indeed encrypted. The reliance on encryption will not work if it is not set up or configured correctly. The only way to know with certainty is to test it and see how it is transmitted over the wire. Many companies will be surprised that data that should be unreadable is being transmitted in the clear.

Some of the suggestions that the authors propose will likely ruffle some feathers. Ideas such as restricting Internet, email, IM and web access to a limited number of users may sound absurd to some. But unless there is a compelling business need for a user to have these technologies, they should be prohibited. Not only will the insider threat threshold be lowered, productivity will likely increase also.

The authors also suggest prohibiting iPods or similar devices in a corporate environment. The same device that can store gigabytes of music can also be used to illicitly transfer gigabytes of corporate data.

Insider Threat provides verifiable stories from every industry and sector, be it commercial or government.
The challenge of dealing with the insider threat is that it requires most organizations to completely rethink the way they relate to security. It is a challenge that many organizations would prefer to remain oblivious to, given the uncomfortable nature of the insider threat. But given that the threats are only getting worse, ignoring them is inviting peril.

The only shortcoming of the book is that even though it provides a number of countermeasures and suggestions, they are somewhat scattered and written in an unstructured way. It is hoped that the authors will write a follow-up book that details a thorough methodology and framework for dealing with the insider threat.

Overall, Insider Threat is an important work that should be required reading for every information security professional and technology manager. The issue of the insider threat is real and only getting worse. Those that choose to ignore it are only inviting disaster. Those companies that will put office supplies and coffee under double-lock and key, while doing nothing to contain the insider threat, are simply misguided and putting their organization at risk. Insider Threat is a wake-up call that should revive anyone who doubts the insider threat.

-=-

Ben Rothke, CISSP is a New York City based security consultant and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006) and can be reached at ben @ rothke.com

From isn at c4i.org Thu Jan 12 04:25:47 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 12 Jan 2006 03:25:47 -0600 (CST)
Subject: [ISN] IG critical of DOD IT
Message-ID:

http://www.fcw.com/article91937-01-11-06-Web

By Frank Tiboni
Jan. 11, 2006

The Defense Department poorly tracks information technology security and investments, causing the department, the Office of Management and Budget and Congress to make uninformed IT budget and policy decisions, according to DOD inspector general reports.
The military services and DOD agencies are not consistently reporting IT systems security data in two main databases. They include the IT Registry, which inventories DOD systems and provides their security status, and the IT Management Application, which contains DOD IT budget information, according to the report "Security Status for Systems Reported in DOD IT Databases." The IG released the report last month.

"Specifically, 120 of 148 IT systems (81 percent) reported in the fiscal year 2006 President's Budget Capital Investment Reports did not match to reports on the same systems in the IT Registry, and 87 of 148 IT Registry reports (59 percent) were not internally consistent between the system mission criticality and the mission assurance category data elements," the report states.

The IG said the military services and department agencies also did not submit timely, accurate and complete IT certification and compliance statements to DOD's chief information officer.

The IG recommended several steps to fix the problem, including using automatic data integrity tools in the databases and penalizing department CIOs who did not implement controls. The IG asked the DOD CIO to respond to the report by Jan. 27.

This was the second report in seven months that is critical of the information in DOD databases. The IG criticized the military services and department agencies in June 2005 for not adequately reporting IT investments to OMB in support of the fiscal 2006 DOD budget.

From isn at c4i.org Thu Jan 12 04:25:59 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 12 Jan 2006 03:25:59 -0600 (CST)
Subject: [ISN] Symantec provides hiding place for hackers
Message-ID:

http://news.com.com/Symantec+provides+hiding+place+for+hackers/2100-1002_3-6026203.html

By Joris Evers
Staff Writer, CNET News.com
January 11, 2006

Symantec has released an update to its popular Norton SystemWorks to fix a security problem that could be abused by cybercriminals to hide malicious software.
In the PC-tuning application, a feature called the Norton Protected Recycle Bin creates a hidden directory on Windows systems. The feature is meant to help people restore modified or deleted files, but the hidden folder might not be scanned during scheduled or manual virus scans, Symantec said in an advisory released Tuesday.

"This could potentially provide a location for an attacker to hide a malicious file on a computer," Symantec said. The Cupertino, Calif., security provider is not aware of any attempts by hackers to conceal malicious code in the folder. "This update is provided proactively to eliminate the possibility of that type of activity," it said.

Symantec's alert has echoes of Sony BMG Music Entertainment's recent PC security fiasco. The record label was found to be shipping copy-protected compact discs that planted so-called rootkit software on the computers that played them. The rootkit technology also offered a hiding place for malicious software.

When the recovery feature was first introduced, hiding the directory helped ensure that a user would not accidentally delete the files in it, Symantec said. "In light of current techniques used by malicious attackers, Symantec has re-evaluated the value of hiding this directory," the company said in its advisory.

Security monitoring company Secunia rates the issue "not critical." Symantec itself deems the risk impact "low."

Symantec credits Mark Russinovich, the Sysinternals researcher who also investigated the Sony rootkit, and F-Secure, a Finnish security company that has a rootkit detection product, for helping it address the SystemWorks issue.

The Norton update will display the previously hidden "NProtect" directory in the Windows interface, which will allow it to be scanned by antivirus products, Symantec said. The new version is available through the Symantec LiveUpdate service. Installing the software will require a system reboot.

-=-

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
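The coverage gap the advisory describes, a directory that exists on disk but that the scanner never visits, can be audited from the other direction: enumerate what is hidden and compare it with what the scanner is configured to cover. The Python below is an added example written for this digest, not code from Symantec or Norton SystemWorks, and it reads no product's configuration. The sample tree it builds, its directory names and the scan-scope list are constructed for illustration; on Windows it checks the hidden file attribute, elsewhere the dot-prefix convention.

```python
"""Scan-coverage audit: find hidden directories and check them against
the directories an antivirus scan is configured to cover.

Added example for illustration; not code from Symantec or Norton
SystemWorks. The sample tree, directory names and scan scope below are
constructed.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path


def is_hidden(path: Path) -> bool:
    """True if `path` would be invisible in a default directory listing.

    Windows marks hidden entries with FILE_ATTRIBUTE_HIDDEN; Unix-like
    systems hide dot-prefixed names by convention. Both tests run so the
    audit behaves the same on either platform.
    """
    if path.name.startswith("."):
        return True
    if sys.platform == "win32":
        try:
            attrs = path.stat().st_file_attributes
        except OSError:
            return False
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return False


def find_hidden_dirs(root: str, max_depth: int = 8) -> list[str]:
    """Return every hidden directory under `root`, sorted by path.

    Symlinks are not followed, so a link cannot drag the walk off the
    volume being audited; depth is capped to keep runtime bounded.
    """
    root_path = Path(root)
    found: list[str] = []
    for dirpath, dirnames, _files in os.walk(root_path, followlinks=False):
        depth = len(Path(dirpath).relative_to(root_path).parts)
        if depth >= max_depth:
            dirnames[:] = []  # prune: do not descend any further
            continue
        for name in dirnames:
            candidate = Path(dirpath) / name
            if is_hidden(candidate):
                found.append(str(candidate))
    return sorted(found)


def uncovered_hidden_dirs(root: str, scan_scope: list[str]) -> list[str]:
    """Hidden directories under `root` that no `scan_scope` entry contains.

    `scan_scope` is the list of directories the scanner covers. It is
    supplied by the caller; this example reads no product configuration.
    """
    scope = [Path(s).resolve() for s in scan_scope]
    uncovered = []
    for d in find_hidden_dirs(root):
        resolved = Path(d).resolve()
        if not any(resolved == s or s in resolved.parents for s in scope):
            uncovered.append(d)
    return uncovered


def audit_sample() -> list[str]:
    """Build a constructed sample tree, audit it, and return the uncovered
    hidden directories relative to the sample root (forward slashes)."""
    root = Path(tempfile.mkdtemp(prefix="scan_audit_"))
    # Constructed layout: one hidden directory inside the scanned area,
    # two hidden directories outside it.
    (root / "Documents" / ".cache").mkdir(parents=True)
    (root / "Program Files" / ".vendor_bin").mkdir(parents=True)
    (root / ".recycle_cache").mkdir()
    scan_scope = [str(root / "Documents")]  # constructed scanner scope
    missed = uncovered_hidden_dirs(str(root), scan_scope)
    return [Path(m).relative_to(root).as_posix() for m in missed]


if __name__ == "__main__":
    # Usage: python scan_audit.py <root> [covered_dir ...]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    scope = sys.argv[2:]
    for path in uncovered_hidden_dirs(target, scope):
        print("hidden and outside scan scope:", path)
```

Run against a real volume, the output is a list of hidden directories to reconcile with the scanner's inclusion and exclusion settings; a directory that appears here and is not in scope is exactly the kind of location the advisory is about. The walk deliberately refuses to follow symbolic links so the audit stays on the volume it was pointed at.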
From isn at c4i.org Thu Jan 12 04:26:19 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 12 Jan 2006 03:26:19 -0600 (CST)
Subject: [ISN] Five mistakes of vulnerability management
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,107647,00.html

Opinion by Anton Chuvakin
JANUARY 11, 2006
COMPUTERWORLD

Vulnerability management is viewed by some as an esoteric security management activity. Others see it as a simple process that needs to be done with Microsoft Corp.'s monthly patch update. Yet another group considers it a marketing buzzword made up by vendors. This article will look at common mistakes that organizations make on the path to achieving vulnerability management perfection, both in process and technology areas.

No. 1: Scanning but failing to act

The first mistake is scanning for vulnerabilities, but then not acting on the results. Vulnerability scanners have become a staple at many organizations. Scanning technology has matured in recent years, and the tools' accuracy, speed and safety have improved dramatically.

However, modern commercial and open-source scanners still suffer from the same disease that troubled early intrusion-detection systems (IDS): They are too noisy, since they produce too many alerts, for various reasons. In addition, they don't tell you what you should do about those vulnerability notices, just as most IDSs don't tell you whether you should care about a particular alert.

Thus, vulnerability management is not scanning; it includes it, but what happens after the scan is even more important. This includes asset inventory, prioritizing and researching the remediation activities as well as the actual act of patching, hardening or reconfiguration. A detailed explanation of all the important activities goes beyond the scope of this article.

No. 2. Thinking that patching is the same as vulnerability management

It's true that patching is the way to repair many widespread vulnerabilities.
Even some industry experts proclaim that vulnerability management is simple: Just patch all those pesky problems, and you're done. However, many vulnerabilities can't be fixed by simply updating to the latest product version. They require tweaking and reconfiguring various system parameters.

Indeed, vulnerability management was born out of a need to intelligently prioritize and fix discovered vulnerabilities, whether by patching or other means. So if you are busy every second Tuesday but not doing anything to eliminate a broad range of enterprise vulnerabilities during the other 29 days in a month, you are not managing your vulnerabilities.

No. 3. Believing that vulnerability management is only a technical problem

If you think that vulnerability management is only a technical problem, then you're in for a surprise. To be effective, it also involves attention to policy and process improvements. In fact, focusing on process and the "softer" side of the vulnerability conundrum will often bring more benefits than a high-tech patch management system.

There are many glaring weaknesses in IT policies and infrastructures. Let's not forget that policy weaknesses are vulnerabilities, too. For example, if you do not enforce a policy for a minimum password length, you have a clear policy weakness that scanners are not likely to discover and that patching will not resolve. Thus, weak passwords, lack of data-confidentiality awareness and lack of a standard, hardened, workstation configuration can do more to ruin your security posture and increase your risk than any single hole in a piece of software.

According to Gartner analysts, "the vulnerability management process includes policy definition, environment baselining, prioritization, shielding, mitigation as well as maintenance and monitoring." Indeed, the vulnerability management process starts from a policy definition document that covers an organization's assets (such as systems and applications) and their users.
Such a document and the accompanying security procedures should define the scope of the vulnerability management effort as well as postulate a "known good" state of those IT resources.

No. 4. Assessing a vulnerability without looking at the whole picture

The fourth mistake is committed by those who try to follow a proper vulnerability management process, but when they get to the critical challenge of prioritizing the vulnerabilities, they ignore the threat angle of the prioritization. Namely, they try to assess the importance of the vulnerabilities (and, thus, the urgency of their response) based only on the vulnerabilities themselves without looking at the threat profiles and business roles of the affected systems.

For example, a Web server with an unpatched vulnerability deployed in the DMZ where it is subject to constant probing and attacks needs to be patched much sooner than a test system deep in the bowels of the enterprise. At the same time, a critical finance system that is not attacked frequently but contains data critical to the company's viability (something like the infamous "Coca-Cola formula") also needs to be in the first round of patching.

One way to avoid this mistake is to use the risk formula Risk = Threat x Vulnerability x Value and use the results of such a formula to decide what to patch first. Using a security information management product that implements such vulnerability scoring will help to automate such a process.

To intelligently prioritize vulnerabilities for remediation, you need to take into account various factors about your own IT environment as well as the outside world. They include the following:

* Vulnerability severity for the environment
* Related threat information and threat relevance
* Business value and role information about the target systems

Recently, a new standard was proposed to classify vulnerability severity and help organizations prioritize their remediation efforts.
The Common Vulnerability Scoring System (CVSS) takes into account various vulnerability properties, such as priority, exploitability and impact. The CVSS plan promises to provide a uniform way of scoring vulnerabilities, as soon as it is adopted by more vulnerability information providers. However, CVSS data still needs to be enhanced with business-value and threat data.

Business information is vital for vulnerability prioritization, since it ties the technical threat and vulnerability data into the business function. Every organization is different and thus has different critical assets and applications. Attacks against some of them might cripple the business; others will only cause a brief interruption in noncritical operations. In reality, however, life is not that simple, and a vulnerability in a less-critical system could be used as a stepping stone to later compromise a more-critical one.

No. 5: Being unprepared for the unknown -- "zero-day exploits"

The fifth mistake, zero-day exploits, gives shivers to many knowledgeable security managers. While I've noticed a lot of confusion about what constitutes a zero-day exploit, the main idea is that it is an exploit that uses a previously undisclosed vulnerability. So, even if you patch all the known software vulnerabilities, you can still be attacked and compromised by intruders who exploit undisclosed flaws.

What can you do? Apart from a sensible vulnerability management program, which includes a hefty amount of hardening that might protect against zero-day exploits and careful network and host security monitoring that might make you aware that you've been hit, you need to make sure that the incident response plans are in order. Such cases need to be addressed by using the principle of "defense in depth" during the security infrastructure design. Get your incident management program organized and primed for a response to such an attack.
-=-

Anton Chuvakin, GCIA, GCIH, GCFA is a security strategist with NetForensics Inc., a security information management company. He is co-author of Security Warrior (O'Reilly Media Inc., 2004) and a contributor to Know Your Enemy, Second Edition, Information Security Management Handbook and the upcoming Hacker's Challenge 3. He has published papers on a broad range of security subjects. In his spare time, he maintains his security portal and a blog at O'Reilly.com.

From isn at c4i.org Thu Jan 12 04:25:35 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 12 Jan 2006 03:25:35 -0600 (CST)
Subject: [ISN] Bank tape lost with data on 90,000 customers
Message-ID:

http://www.networkworld.com/news/2006/011106-bank-tape.html

By Stephen Lawson
IDG News Service
01/12/06

A computer tape from a Connecticut bank containing personal data on 90,000 customers was lost in transit recently, the bank reported Wednesday.

People's Bank, based in Bridgeport, Conn., is sending letters to the affected customers, it said in a press release. The tape contains information such as names, addresses, Social Security numbers and checking account numbers. It was bound for the TransUnion credit reporting bureau, based in Woodlyn, Pa., via UPS, the release said.

UPS is investigating the incident along with all involved parties, said UPS spokeswoman Heather Robinson. She would not disclose when the package was lost.

The bank has not received any reports of unauthorized activity on the affected accounts and has no reason to believe the data has been improperly used, according to the People's release. The bank considers misuse of the data "highly unlikely." UPS also has no evidence that the package was compromised, stolen or received by an unauthorized person, according to Robinson.

Loss and theft of personal data has taken on a high profile since the theft of data on 145,000 consumers from credit and personal information vendor ChoicePoint in February 2005.
Since that time, there have been dozens of reported cases of loss or theft of personal information involving more than 52 million people, according to a chronology compiled by the Privacy Rights Clearinghouse, in San Diego. Among them was the loss of a computer backup tape from Bank of America containing information on 1.2 million customers, according to the privacy rights group.

There isn't enough information on the People's Bank tape to allow anyone to get into a customer's account, according to the bank. It does not contain checking account balances, debit card numbers, personal identification numbers or birth dates, the statement said. In addition, the tape can't be read without a mainframe and software, according to the bank.

The data on the tape involves customers that have a People's Bank personal credit line, an overdraft protection mechanism for checking accounts.

As a safeguard, the bank will provide affected customers with a credit monitoring service for one year, at the bank's expense, to quickly alert customers to possible fraud involving their personal information.

From isn at c4i.org Thu Jan 12 04:26:47 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 12 Jan 2006 03:26:47 -0600 (CST)
Subject: [ISN] EUSecWest papers and CanSecWest CFP
Message-ID:

Forwarded from: Dragos Ruiu

url: http://eusecwest.com
url: http://cansecwest.com

(CanSecWest Call For Papers attached below)

EUSecWest/core06 Conference
---------------------------

Announcing the final selection of papers for the EUSecWest conference in London, U.K. on Feb. 20/21 at the Victoria Park Plaza Hotel.
The following topics will be covered:

Javier Burroni & Carlos Sarraute - Core Security Technologies
  Analyzing OS fingerprints using Neural Networks and Statistical Machinery

van Hauser - thc
  Attacking the IPv6 protocol suite

Yuji Ukai - eeye
  Exploiting Real-Time OS Based Embedded Systems Using the JTAG Emulator

Nguyen Anh Quynh - Keio University
  XEBEK: A Next Generation Honeypot Monitoring System

Fred Raynal - EADS
  Malicious Crypto

Cesar Cerrudo - Argeniss
  Windows Local Shellcode Injection

Andrew Cushman - Microsoft
  Windows Security Fundamentals

Sheeraj Shahi - Net Square
  Advanced Web Hacking - Attacks & Defense

Andy Davis - IRM PLC
  ColdFusion Security

Tim Hurman - Pentest Ltd.
  ARMed combat: the fight for personal security

Raffael Marty - ArcSight
  A Visual Approach to Security Event Management

Michael Boman - KPMG Singapore
  Network Security Monitoring: Theory and Practice

Jim DeLeskie & Danny McPherson - Teleglobe, Arbor Networks
  Protecting the Infrastructure

Andrea Barisani - Inverse Path
  Lessons in Open Source Security: The Tale of a 0-Day Incident

We would also like to announce the final list of Security Masters Dojo courses that will be offered on February 16th and 17th at the Victoria Park Plaza Hotel. Seats are available for all courses, but course registration is limited to only ten students each. We are considering adding additional course sessions on Feb 23/24 if demand warrants it.
The hands-on courses offered will be:

Gerardo Richarte - Core Security Technologies
  Assembly for Exploit Writing

Marty Roesch - Sourcefire
  Advanced IDS Deployment and Optimization

Maximillian Dornseif & Thorsten Holtz - Aachen University
  Advanced Honeypot Tactics

Philippe Biondi - EADS
  Mastering the Network with SCAPY

Renaud Deraison & Nicolas Pouvesle - Tenable Network Security
  Vulnerability Scanning: Advanced Nessus Usage

Laurent Oudot & Nico Fischbach - rstack, COLT telecom
  Applied network security and advanced anomaly detection using state-of-the-art honeypots and netflow/NIDS

Cédric Blancher - EADS
  Practical 802.11 WiFi (In)Security

Adam Laurie & Martin Herfurt & Marcel Holtmann - trifinite
  Bluetooth Technology Security

Vendors Presentations for the Elevator Focus Groups will be announced shortly.

Registration:
---------------

Seats are available but limited for EUSecWest, and registration is open at:

https://eusecwest.com/register.html

Security Masters Dojo/London registration is now open at:

https://eusecwest.com/courses.html

Contact core06 at eusecwest.com for registration support or corporate sponsorship inquiries.

*********************************************************************

CanSecWest/core06 CALL FOR PAPERS
--------------------------------

VANCOUVER, Canada -- The seventh annual CanSecWest applied technical security conference - where the eminent figures in the international security industry will get together to share best practices and technology - will be held in downtown Vancouver at the Marriott Renaissance Harbourside on April 3-7, 2006.

The most significant new discoveries about computer network hack attacks and defenses, commercial security solutions, and pragmatic real world security experience will be presented in a series of informative tutorials.
The CanSecWest meeting provides international researchers a relaxed, comfortable environment to learn from informative tutorials on key developments in security technology, and collaborate and socialize with their peers in one of the world's most scenic cities - a short drive away from one of North America's top skiing areas.

In addition to the usual one hour tutorials, panel sessions and highly entertaining 5 minute "lightning" talks, this conference will also feature a new session called "Elevator Focus Groups". Featuring several short sessions, these commercial presentations will showcase new, significantly used, or dramatically innovative new products in the information security realm. Each selected vendor will have a short 10 minute presentation ("elevator pitch"), after which 10 minutes of audience Q&A and interactive discussion amongst the expert security practitioners attending will follow. In this session both the audience and the vendors can get valuable feedback from world leading experts, and the attendees can get user evaluations and learn from sharing experiences and real world security applications about practical uses of the products - the "focus group." Hence the name: Elevator Focus Groups.

The CanSecWest conference will also feature the availability of the Security Masters Dojo expert network security sensei instructors, and their advanced, and intermediate, hands-on training courses - featuring small class sizes and practical application exercises to maximize information transfer.

We would like to announce the opportunity to submit papers, lightning talk proposals, and elevator focus candidate products for selection by the CanSecWest technical review committee. Please make your paper proposal submissions before January 30th, 2006. Slides for the papers must be submitted by March 15th, 2006. Some invited papers have been confirmed, but a limited number of speaking slots are still available.
The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers, and speaking background to core06 at cansecwest.com. Only slides will be needed for the March paper deadline; full text does not have to be submitted - but will be accepted if available.

The CanSecWest/core06 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and new education for a technical audience.

The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, Proposed paper title, and a one paragraph description.
6) Reason why this material is innovative or significant or an important tutorial.
7) Optionally, any samples of prepared material or outlines ready.
8) Will you have full text available or only slides?
9) Please list any other publications or conferences where this material has been or will be published/submitted.

Please include the plain text version of this information in your email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to core06 at cansecwest.com to be considered for placement on the speaker roster, have your lightning talk scheduled, or submit your product for inclusion in the focus groups.

Advance Registration is now available for CanSecWest at http://cansecwest.com.

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. February 20/21 2006 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

From isn at c4i.org Thu Jan 12 04:27:03 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 12 Jan 2006 03:27:03 -0600 (CST)
Subject: [ISN] Hackers attack ebaumsworld
Message-ID:

http://www.theinquirer.net/?article=28898

By Nick Farrell
11 January 2006

EBAUMSWORLD, a site which offers cash for funny content, has been walloped by a series of hacks and attacks for the last 48 hours in a row about copyright over one of the videos it published.

According to an editorial published at the site, the attacks included a Distributed Denial of Service (DDoS) attack, malicious attempts at gaining access to restricted parts of the site, spamming forums and chat rooms and hacking into admin restricted accounts.

There have also been numerous personal threats made against eBaum's World staff members and its offices were vandalized.

The reason for all the abuse is apparently an animation that was published by the site. It was sent in by someone who claimed to be the original author. However, the "cyber-terrorists" claim the animation was created by an individual they represent and used without permission.

A spokesman for the site said that if the material turns out to belong to another person they will take it down, but so far no one has come forward.
In the meantime the attacks continue.

More here [1].

[1] http://www.ebaumsworld.com/

From isn at c4i.org Thu Jan 12 04:27:19 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 12 Jan 2006 03:27:19 -0600 (CST)
Subject: [ISN] DHS & Your Tax Dollars
Message-ID:

Forwarded from: security curmudgeon

http://www.osvdb.org/blog/?p=83

DHS & Your Tax Dollars

http://news.com.com/Homeland+Security+helps+secure+open-source+code/2100-1002_3-6025579.html

Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis, representatives for the three grant recipients told CNET News.com.

The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.

The project, while generally welcomed, has come in for some criticism from the open-source community. The bug database should help make open-source software more secure, but in a roundabout way, said Ben Laurie, a director of the Apache Foundation who is also involved with OpenSSL. A more direct way would be to provide the code analysis tools to the open-source developers themselves, he said.

So DHS uses $1.24 million dollars to fund a university and two commercial companies. The money will be used to develop source code auditing tools that will remain private. Coverity and Symantec will use the software on open-source software (which is good), but it is arguably a huge PR move to help grease the wheels of the money flow. Coverity and Symantec will also be able to use these tools for their customers, which will pay them money for this service.
Why exactly do my tax dollars pay for the commercial development of tools that are not released to the public? As Ben Laurie states, why can't he get a copy of these tax payer funded tools to run on the code his team develops? Why must they submit their code to a commercial third party for review to get any value from this software?

Given the date of this announcement, coupled with the announcement of Stanford's PHP-CHECKER, it makes me wonder when the funds started rolling. There are obviously questions to be answered regarding Stanford's project (that I already asked). This also makes me wonder what legal and ethical questions should be asked about tax dollars being spent by the DHS, for a university to fund the development of a security tool that could potentially do great good if released for all to use. It's too bad there is more than a year long wait for FOIA requests made to the DHS.

From isn at c4i.org Fri Jan 13 05:18:54 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 13 Jan 2006 04:18:54 -0600 (CST)
Subject: [ISN] New face of tech security
Message-ID:

http://www.twincities.com/mld/pioneerpress/13604543.htm

BY LESLIE BROOKS SUZUKAMO
Pioneer Press
Jan. 12, 2006

When 23-year-old David Luttrell gets his master's degree in information technology a couple years from now, he doesn't want to work with computers - he wants to work with the people who work with computers.

"Ideally, it'll be something where I'm managing a (computer) security department or regular IT department," the Metropolitan State University student from Rush City said. "I don't want to be the guy rolling up his sleeves and up to my elbows in wires."

Luttrell is not your classic geek. He has a bachelor's degree in business and discovered his affinity for computers after the trucking company where he works introduced automation not long ago. He's now interning part-time at the state Department of Revenue's security-conscious technology unit.
If the state of Minnesota has its way, Luttrell and others like him may become the new face of computer security.

The state has seeded a new program at the Twin Cities' Metro State to create advanced courses and curriculum in computer security. It wants to bridge the chasm between the basement server room where a company's IT workers toil and the corner suites where the executives hang out.

In a world where new computer vulnerabilities are discovered weekly, the need for more technology bodyguards is no longer questioned. By 2008, the research firm IDC believes more than 800,000 new security professionals will join the 1.3 million already employed.

But the real problem in security isn't finding technicians who know how to cobble together a decent firewall, according to St. Paul computer consultant Mike O'Connor. It is finding managers who can write sound security practices and help executives use technology to comply with new financial reporting and privacy laws like Sarbanes-Oxley.

"It's the business stuff they need to know. Those folks are really scarce," O'Connor said.

So this fall, the state awarded a $4.8 million "center of excellence" grant to Metro State to create both undergraduate and graduate programs in computer security. The state's vision is to build a center that would train a cadre of future information security managers and executives who would be closely tied to Minnesota businesses.

Metro State officials have classes approved by the National Security Agency for its still-developing Center for Strategic Information Systems and Security. Classes began in September but the center doesn't expect to hire a director until February.

Those courses will lead to four-year bachelor of applied science degrees in computer security or computer forensics, said Steve Creason, associate professor in the university's College of Management and one of the architects of the program.
The two-year master's program in which Luttrell is enrolled combines both business and technical training. A Ph.D. program could be down the road too, Creason said.

The state hopes the center could crank out not just new workers or research but maybe even spawn a mini-industry devoted to computer security and the burgeoning area of Internet telephony.

Other states have the same idea, though, and this could provide some competition for the Minnesota program. Iowa State University in Ames has an advanced computing center to help develop the next generation of data security. Dakota State University in Madison, S.D., offers bachelor and master's degree programs in "information assurance" also certified by the NSA.

All of these programs are so new that it's hard to assess them. It's probably safe to say, however, that the most rigorous of the new programs, announced in December, is offered by the SANS Institute in Bethesda, Md. SANS is renowned as one of the world's largest sources of information security training and certification and as the operator of the Internet Storm Center, an early warning system for viruses and worms.

The Maryland Higher Education Commission has approved separate master's degree programs in security engineering and management at SANS, designed for people from around the country who have been picked to assume leadership roles by their companies, said Alan Paller, SANS director of research.

"American corporations are being riddled by (computer) attacks - they are being defended very badly," Paller said.

To develop its four-year program, Metro State partnered with existing two-year programs at Inver Hills Community College in Inver Grove Heights and Minneapolis Community and Technical College. The three schools are cooperating to allow graduates from the more technically oriented two-year programs at the colleges to transfer seamlessly to Metro State and finish up in only two more years.
Focusing on a niche like computer security and Internet telecommunications allows universities like Metro State "to get away from being plain vanilla schools," said David Anderson, dean of the center for professional development and work force development at Inver Hills Community College.

The program also could raise Minnesota's profile by letting its students test ideas in real workplaces, turning the program into a security "proving ground," added Ken Niemi, vice chancellor for information technology at the Minnesota State Colleges and Universities, which oversees Metro State.

-=-

Leslie Brooks Suzukamo covers telecommunications and technology and can be reached at lsuzukamo at pioneerpress.com or 651-228-5475.

From isn at c4i.org Fri Jan 13 05:19:19 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 13 Jan 2006 04:19:19 -0600 (CST)
Subject: [ISN] Gov't Cyber-sleuths Focusing on Linux, iPod, Xbox
Message-ID:

http://www.eweek.com/article2/0,1759,1910371,00.asp

By Paul F. Roberts
January 12, 2006

Cyber-security and computer experts from the government and law enforcement are increasingly concerned with malicious code that runs on Linux and Apple Computer Inc.'s Mac OS X operating systems and threats posed by devices such as iPods and Xboxes.

Intensive courses on the Mac OS X and Linux operating systems, as well as iPods, were just a few of the offerings at a recent cyber-security conference sponsored by the U.S. Department of Defense. Network administrators and cyber-investigators say they are increasingly being called on to investigate compromises of non-Windows operating systems and to analyze portable devices such as iPods, according to interviews with attendees by eWEEK.

The annual Cyber Crime Conference draws top cyber-security talent from the U.S. military, federal agencies, and federal, state and local law enforcement to hone their skills and learn about emerging cyber-security threats.
Two two-day courses at this year's conference taught attendees techniques for forensic analysis of Mac OS X and the open-source Linux operating system.

John Sawyer, an IT security engineer who works for the University of Florida, took the OS X course and said it was very useful. His employer recently purchased a Mac for the IT department so that staff could become familiar with the platform, Sawyer said.

IT staffers at the university are increasingly finding malicious software, such as remote control "bot" programs running on Mac OS X, though most have had much experience analyzing the operating system for security breaches, said Jordan Wiens, a network security engineer also at University of Florida.

Federal, state and local law enforcement are taking a harder look at platforms such as Mac OS X and Linux because those platforms are being used more widely, said Tyler Cohen, an instructor with the DOD's DCITP (Department Computer Investigations Training Program).

Innocuous devices such as the iPod Shuffle, a small, portable version of the massively popular MP3 player from Apple, are also an underappreciated threat, said Cohen, who led a session called "Hacking with iPods and Forensic Analysis" at the conference.

In that class, Cohen showed attendees how Shuffles and other iPods could be outfitted with a bootable distribution of the Linux operating system and a stripped-down version of the Metasploit Framework hacking tool and then used to break into protected computers.

The MP3 players can be connected directly to computers and then used to copy and store gigabytes' worth of files and other sensitive documents from those systems, Cohen told eWEEK.

iPods, as well as USB storage devices, can be connected and removed without leaving a record of their actions or a footprint on the machine. That poses a challenge for computer forensic investigators who are looking into the theft of data or trying to find the origin of an attack, Cohen said.
Microsoft's Xbox gaming devices pose a similar problem to investigators, said Sig Murphy, an investigator in the DOD's Computer Forensic Laboratory.

Murphy has been called on to analyze four Xboxes in the last year for investigations in DCFL's Major Crimes and Safety division, and the devices are turning up in more and more investigations, Murphy told eWEEK.

Some of the Xbox cases involved solicitation of a minor, in which pedophiles used Microsoft's online gaming and chat features to meet and try to befriend minors.

Unmodified Xboxes can be difficult to obtain information from because they have locked hard drives that require a unique password to read. Unlocking those drives has gotten easier, due to a thriving Xbox "modding" underground. Once unlocked, unmodified or "stock" Xboxes keep few records or logs of online activities, making forensic analysis of the devices challenging, Murphy said.

Modified Xboxes can be outfitted with Linux or other operating systems and used for anything a traditional laptop or desktop computer can, including launching attacks or storing child pornography, Murphy said.

While gaming platforms are often overlooked by police, agents at the DOD and FBI are being told to seize Xboxes as part of their information gathering, Murphy said. However, state and local law enforcement may not be aware that the devices could store information useful to a criminal investigation, he said.

Murphy and others said that they believe alternative computing platforms will come to play a bigger role in cyber-crimes and criminal investigations in the years to come. Devices such as the PlayStation Portable, which has a large hard drive and wireless capability, will become more common and more capable of carrying out or being targeted in online attacks, Murphy said.

Governments, as well as enterprises, worried about losing sensitive data need to institute tough policies that bar devices such as iPods from their networks.
However, technology to enforce those policies, often referred to as endpoint security tools, is still not widely used, she acknowledged.

From isn at c4i.org Fri Jan 13 05:19:41 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 13 Jan 2006 04:19:41 -0600 (CST)
Subject: [ISN] Anti-spyware guidelines get final version
Message-ID:

http://news.com.com/Anti-spyware+guidelines+get+final+version/2100-7349_3-6026632.html

By Alorie Gilbert
Jan. 12, 2006

A coalition of software companies has agreed on standard methods for identifying and combating spyware, those unwelcome downloads that have plagued Internet users with pop-up ads and other annoyances.

The Anti-Spyware Coalition, whose members include Microsoft, Symantec, Computer Associates, McAfee, AOL and Yahoo, said on Thursday that it has finalized its spyware detection guidelines. The final version takes into account public comments on a proposed version introduced in October.

Spyware and adware have become widely despised for their sneaky distribution tactics, unauthorized data gathering and tying-up of computer processing power. Although adware makers say there are legitimate uses for their programs, an entire anti-spyware market has been spawned to combat the stuff.

The Anti-Spyware Coalition's guidelines, or risk model description, aim to provide a common way to classify spyware, based on risks a piece of software poses to consumers. They also suggest ways to handle software, based on those risk levels.

Among the behaviors the group considers high-risk are programs that replicate themselves via mass e-mails, worms and viruses. Programs that install themselves without a user's permission or knowledge, via a security exploit, are also deemed high-risk, as are programs that intercept e-mail or instant messages without user consent, transmit personally identifiable data, or change security settings.
The coalition hopes the final guidelines, which have changed little from the proposed version, will lead to better anti-spyware products. To that end, Cybertrust, through its ICSA Labs unit, is planning to certify products that meet the guidelines. Consumers should see the first products with its anti-spyware seal of approval within the next few months, the IT security and risk management company said.

The guidelines should also make it clearer when companies cross the line of what's acceptable and legal and what's not when it comes to downloads, as Sony BMG did recently with its "rootkit" programs, said Ari Schwartz, a spokesman for the Anti-Spyware Coalition. Sony recently settled a class-action lawsuit over copy-restriction software hidden on customers' computers using a rootkit, which opened those PCs up to attack. The company also recalled the CDs after a public uproar.

Yet attempts to define spyware, create guidelines and certify products are controversial. Critics fear guidelines will legitimize spyware and enable distributors to dodge blocking tools while continuing bad behaviors.

The Anti-Spyware Coalition group plans to conduct a public workshop on Feb. 9 in Washington, D.C., and is currently working on tips for consumers, including teens and parents, and businesses, Schwartz said.

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Fri Jan 13 05:19:57 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 13 Jan 2006 04:19:57 -0600 (CST)
Subject: [ISN] Defense lab accredited in computer forensics
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/37978-1.html

By Patience Wait
GCN Staff
01/12/06

CLEARWATER, Fla. - After years of work, the Defense Computer Forensics Laboratory - part of the DOD Cyber Crime Center (DC3) - has been accredited by the American Society of Crime Laboratory Directors/Laboratory Accreditation Board.
Ralph Keaton, executive director of ASCLD/LAB, presented the certificate of accreditation to representatives of DCFL Jan. 10 during the first day of the DOD Cyber Crime Conference. The effort to become accredited began in late 1998, but "the focused campaign probably took 18 months or so," said Steven Shirley, executive director of DC3. The DCFL becomes the 10th and, with 88 employees, the largest accredited digital crime lab in the world, he said. The DCFL provides digital evidence processing, analysis and diagnostics for any Defense Department investigation that requires computer forensic support to detect, enhance or recover digital media, including audio and video. The lab's several sections provide services for criminal, counterintelligence, counterterrorism and fraud investigations of Defense criminal investigative organizations and DOD counterintelligence activities, as well as safety investigations, Inspector General-directed inquiries and commander inquiries. From isn at c4i.org Fri Jan 13 05:18:35 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 13 Jan 2006 04:18:35 -0600 (CST) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-2 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2006-01-05 - 2006-01-12 This week : 94 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability 
information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. Please refer to the referenced Secunia advisory below for complete details. Reference: http://secunia.com/SA18370 -- Microsoft has released one security bulletin ahead of their monthly patch release cycle. Additionally, two bulletins were also released as part of Microsofts normal monthly patch release cycle. All users are advised to visit Windows Update and apply available patches. For additional details about the issues corrected, please refer to the referenced Secunia advisories below. References: http://secunia.com/SA18365 http://secunia.com/SA18368 http://secunia.com/SA18255 VIRUS ALERTS: Secunia has not issued any virus alerts during the week. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA18255] Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution 2. [SA18131] Symantec AntiVirus RAR Archive Decompression Buffer Overflow 3. [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability 4. [SA18368] Microsoft Outlook / Exchange TNEF Decoding Arbitrary Code Execution Vulnerability 5. 
[SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability 6. [SA18364] Avaya Products Microsoft Windows WMF "SETABORTPROC" Vulnerability 7. [SA18328] IBM Lotus Domino/Notes Denial of Service and Unspecified Vulnerabilities 8. [SA18275] PHP "mysql_connect" Buffer Overflow Vulnerability 9. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability 10. [SA18365] Microsoft Windows Embedded Web Fonts Arbitrary Code Execution Vulnerability ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA18364] Avaya Products Microsoft Windows WMF "SETABORTPROC" Vulnerability [SA18393] BlackBerry Enterprise Server PNG File Handling Vulnerability [SA18391] Avaya Products Microsoft Windows Embedded Web Fonts Code Execution [SA18390] Apache2Triad Insecure PEAR Installer Security Issue [SA18368] Microsoft Outlook / Exchange TNEF Decoding Arbitrary Code Execution Vulnerability [SA18365] Microsoft Windows Embedded Web Fonts Arbitrary Code Execution Vulnerability [SA18408] AspTopSites SQL Injection Vulnerabilities [SA18369] MusicBox SQL Injection Vulnerabilities [SA18342] MegaBBS "replyid" Disclosure of Private Messages [SA18325] OnePlug CMS SQL Injection Vulnerabilities [SA18324] Timecan CMS "viewID" SQL Injection Vulnerability [SA18411] Hummingbird Collaboration Script Insertion and Information Disclosure [SA18409] Microsoft Visual Studio User Control Load Event Code Execution Vulnerability [SA18326] Aquifer CMS "Keyword" Cross-Site Scripting Vulnerability [SA18402] Symantec Norton SystemWorks Protected Recycle Bin Weakness UNIX/Linux: [SA18405] Red Hat update for auth_ldap [SA18403] Gentoo update for mod_auth_pgsql [SA18399] MyPHPim Multiple Vulnerabilities [SA18397] Debian update for libapache2-mod-auth-pgsql [SA18381] Debian update for pound [SA18376] SCO OpenServer update for lynx [SA18350] Fedora update for mod_auth_pgsql [SA18348] Ubuntu update for libapache2-mod-auth-pgsql [SA18347] 
Mandriva update for apache2-mod_auth_pgsql
[SA18321] Red Hat update for mod_auth_pgsql
[SA18426] Red Hat update for ethereal
[SA18425] Red Hat update for cups
[SA18423] Red Hat update for gpdf
[SA18416] SUSE updates for xpdf / kpdf / gpdf / kword
[SA18414] Fedora update for gpdf
[SA18407] Debian update for libextractor
[SA18406] HP-UX Secure Shell Denial of Service Vulnerability
[SA18400] Gentoo update for xine-lib / ffmpeg
[SA18398] libextractor Multiple Xpdf Vulnerabilities
[SA18389] Debian update for kpdf
[SA18387] Mandriva update for cups
[SA18385] Debian update for xpdf
[SA18380] Mandriva update for tetex
[SA18379] ClamAV Unspecified UPX File Handling Vulnerability
[SA18378] FreeBSD ipfw IP Fragment Denial of Service Vulnerability
[SA18377] SCO OpenServer update for zlib
[SA18375] GNOME gpdf Xpdf Multiple Integer Overflow Vulnerabilities
[SA18373] Fedora update for poppler
[SA18366] Debian update for hylafax
[SA18356] Eudora Internet Mail Server NTLM Authentication Denial of Service
[SA18355] SysCP WebFTP Module "webftp_language" Local File Inclusion Vulnerability
[SA18352] Bogofilter Two Denial of Service Vulnerabilities
[SA18349] Mandriva update for xpdf
[SA18338] Ubuntu update for kpdf / kword
[SA18337] Gentoo update for hylafax
[SA18336] Trustix update for cups / curl
[SA18335] Fedora update for cups
[SA18334] Ubuntu updates for cupsys / libpoppler0c2 / tetex-bin / xpdf-reader / xpdf-utils
[SA18333] Red Hat update for httpd
[SA18332] CUPS xpdf Multiple Integer Overflow Vulnerabilities
[SA18331] Fedora update for ethereal
[SA18330] Fedora update for netpbm
[SA18329] teTeX Xpdf Multiple Integer Overflow Vulnerabilities
[SA18323] Wine Potential WMF "SETABORTPROC" Vulnerability
[SA18344] Gentoo update for vmware
[SA18395] FreeBSD update for cpio
[SA18367] Pound HTTP Request Smuggling Vulnerability
[SA18340] Trustix update for apache
[SA18339] Mandriva update for apache2
[SA18404] FreeBSD ee Insecure Temporary File Creation Vulnerability
[SA18401] FreeBSD update for texindex
[SA18388] NetBSD Kernfs Kernel Memory Disclosure Vulnerability
[SA18363] Ubuntu update for sudo
[SA18358] Sudo Python Environment Cleaning Privilege Escalation Vulnerability
[SA18357] Debian update for smstools
[SA18351] Fedora update for kernel
[SA18343] SMS Server Tools Logging Format String Vulnerability
[SA18384] Debian update for petris
[SA18371] Sun Solaris uucp / uustat Arbitrary Command Execution Vulnerability
[SA18362] Petris Buffer Overflow Vulnerability

Other:

Cross Platform:
[SA18382] Apache auth_ldap Module "auth_ldap_log_reason()" Format String Vulnerability
[SA18370] QuickTime Multiple Image/Media File Handling Vulnerabilities
[SA18346] Phgstats "phgdir" File Inclusion Vulnerability
[SA18417] CaLogic "title" New Event Script Insertion Vulnerability
[SA18394] PHPNuke EV "query" SQL Injection Vulnerability
[SA18392] TheWebForum Script Insertion and SQL Injection Vulnerabilities
[SA18386] foxrum "url" bbcode Script Insertion Vulnerability
[SA18383] VenomBoard SQL Injection Vulnerabilities
[SA18374] PHP-Nuke News "Story Text" Script Insertion Vulnerability
[SA18361] Joomla! vCard Email Address Disclosure and TinyMCE Compressor Vulnerabilities
[SA18354] 427BB Multiple Vulnerabilities
[SA18328] IBM Lotus Domino/Notes Denial of Service and Unspecified Vulnerabilities
[SA18327] Foro Domus "email" SQL Injection and Script Insertion Vulnerability
[SA18372] WebGUI Form Module Script Insertion Vulnerability
[SA18360] phpChamber "needle" Cross-Site Scripting Vulnerability
[SA18359] Andromeda "s" Cross-Site Scripting Vulnerability
[SA18345] NavBoard Potential BBcode Script Insertion Vulnerability
[SA18320] Modular Merchant Shopping Cart "cat" Cross-Site Scripting Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:

--

[SA18364] Avaya Products Microsoft Windows WMF "SETABORTPROC" Vulnerability

Critical:    Extremely critical
Where:       From remote
Impact:      System access
Released:    2006-01-09

Avaya has acknowledged a vulnerability in various products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18364/

--

[SA18393] BlackBerry Enterprise Server PNG File Handling Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-10

FX has reported a vulnerability in BlackBerry Enterprise Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18393/

--

[SA18391] Avaya Products Microsoft Windows Embedded Web Fonts Code Execution

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

Avaya has acknowledged a vulnerability in various products, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18391/

--

[SA18390] Apache2Triad Insecure PEAR Installer Security Issue

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

Gammarays has reported a security issue in Apache2Triad, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18390/

--

[SA18368] Microsoft Outlook / Exchange TNEF Decoding Arbitrary Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-10

A vulnerability has been reported in Microsoft Outlook / Exchange, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18368/

--

[SA18365] Microsoft Windows Embedded Web Fonts Arbitrary Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-10

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18365/

--

[SA18408] AspTopSites SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-01-11

Donnie Werner has reported some vulnerabilities in AspTopSites, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18408/

--

[SA18369] MusicBox SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-10

Medo HaCKer has reported some vulnerabilities in MusicBox, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18369/

--

[SA18342] MegaBBS "replyid" Disclosure of Private Messages

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-01-09

Hamid Ebadi has reported a vulnerability in MegaBBS, which potentially can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/18342/

--

[SA18325] OnePlug CMS SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-06

Preddy has reported some vulnerabilities in OnePlug CMS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18325/

--

[SA18324] Timecan CMS "viewID" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-06

Preddy has reported a vulnerability in Timecan CMS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18324/

--

[SA18411] Hummingbird Collaboration Script Insertion and Information Disclosure

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Spoofing, Exposure of system information
Released:    2006-01-11

Secure Network has reported a vulnerability and a weakness in Hummingbird Collaboration, which can be exploited by malicious users to disclose system information and conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18411/

--

[SA18409] Microsoft Visual Studio User Control Load Event Code Execution Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

priestmaster has discovered a vulnerability in Microsoft Visual Studio, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18409/

--

[SA18326] Aquifer CMS "Keyword" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-06

Preddy has reported a vulnerability in Aquifer CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18326/

--

[SA18402] Symantec Norton SystemWorks Protected Recycle Bin Weakness

Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-01-11

A weakness has been reported in Norton SystemWorks, which can be exploited by malicious, local users, or by malware, to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/18402/

UNIX/Linux:

--

[SA18405] Red Hat update for auth_ldap

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

Red Hat has issued an update for auth_ldap. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18405/

--

[SA18403] Gentoo update for mod_auth_pgsql

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

Gentoo has issued an update for mod_auth_pgsql. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18403/

--

[SA18399] MyPHPim Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data, System access
Released:    2006-01-11

Aliaksandr Hartsuyeu has reported some vulnerabilities in MyPHPim, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/18399/

--

[SA18397] Debian update for libapache2-mod-auth-pgsql

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

Debian has issued an update for libapache2-mod-auth-pgsql. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18397/

--

[SA18381] Debian update for pound

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data, DoS, System access
Released:    2006-01-10

Debian has issued an update for pound. This fixes two vulnerabilities, which potentially can be exploited by malicious people to conduct HTTP request smuggling attacks and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18381/

--

[SA18376] SCO OpenServer update for lynx

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-11

SCO has issued an update for lynx. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18376/

--

[SA18350] Fedora update for mod_auth_pgsql

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-09

Fedora has issued an update for mod_auth_pgsql. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18350/

--

[SA18348] Ubuntu update for libapache2-mod-auth-pgsql

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-09

Ubuntu has issued an update for libapache2-mod-auth-pgsql. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18348/

--

[SA18347] Mandriva update for apache2-mod_auth_pgsql

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-09

Mandriva has issued an update for apache2-mod_auth_pgsql. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18347/

--

[SA18321] Red Hat update for mod_auth_pgsql

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-06

Red Hat has issued an update for mod_auth_pgsql. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18321/

--

[SA18426] Red Hat update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-12

Red Hat has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18426/

--

[SA18425] Red Hat update for cups

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-12

Red Hat has issued an update for cups. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18425/

--

[SA18423] Red Hat update for gpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-12

Red Hat has issued an update for gpdf. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18423/

--

[SA18416] SUSE updates for xpdf / kpdf / gpdf / kword

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

SUSE has issued updates for xpdf / kpdf / gpdf / kword. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18416/

--

[SA18414] Fedora update for gpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Fedora has issued an update for gpdf. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18414/

--

[SA18407] Debian update for libextractor

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-12

Debian has issued an update for libextractor. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18407/

--

[SA18406] HP-UX Secure Shell Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, DoS
Released:    2006-01-11

HP has acknowledged a security issue and a vulnerability in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service) or by malicious users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18406/

--

[SA18400] Gentoo update for xine-lib / ffmpeg

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Gentoo has issued an update for xine-lib / ffmpeg.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18400/

--

[SA18398] libextractor Multiple Xpdf Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Some vulnerabilities have been reported in libextractor, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18398/

--

[SA18389] Debian update for kpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-10

Debian has issued an update for kpdf. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18389/

--

[SA18387] Mandriva update for cups

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Mandriva has issued an update for cups. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18387/

--

[SA18385] Debian update for xpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-10

Debian has issued an update for xpdf. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18385/

--

[SA18380] Mandriva update for tetex

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Mandriva has issued an update for tetex. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18380/

--

[SA18379] ClamAV Unspecified UPX File Handling Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-01-10

A vulnerability has been reported in ClamAV, which potentially can be exploited by malicious people with an unknown impact.

Full Advisory:
http://secunia.com/advisories/18379/

--

[SA18378] FreeBSD ipfw IP Fragment Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-11

A vulnerability has been reported in FreeBSD, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18378/

--

[SA18377] SCO OpenServer update for zlib

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

SCO has issued an update for zlib. This fixes some vulnerabilities, which can be exploited by malicious people to conduct a DoS (Denial of Service) against a vulnerable application or potentially execute arbitrary code.

Full Advisory:
http://secunia.com/advisories/18377/

--

[SA18375] GNOME gpdf Xpdf Multiple Integer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Some vulnerabilities have been reported in GNOME gpdf, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18375/

--

[SA18373] Fedora update for poppler

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Fedora has issued an update for poppler. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18373/

--

[SA18366] Debian update for hylafax

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-10

Debian has issued an update for hylafax. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18366/

--

[SA18356] Eudora Internet Mail Server NTLM Authentication Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-09

A vulnerability has been reported in Eudora Internet Mail Server (EIMS), which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18356/

--

[SA18355] SysCP WebFTP Module "webftp_language" Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-01-09

Thomas Henlich has reported a vulnerability in the WebFTP module for SysCP, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/18355/

--

[SA18352] Bogofilter Two Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-01-09

Some vulnerabilities have been reported in Bogofilter, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18352/

--

[SA18349] Mandriva update for xpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-09

Mandriva has issued an update for xpdf. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18349/

--

[SA18338] Ubuntu update for kpdf / kword

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-09

Ubuntu has issued updates for kpdf / kword. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18338/

--

[SA18337] Gentoo update for hylafax

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, System access
Released:    2006-01-06

Gentoo has issued an update for hylafax. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions and by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18337/

--

[SA18336] Trustix update for cups / curl

Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS, Unknown
Released:    2006-01-06

Trustix has issued updates for cups / curl. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), potentially to compromise a user's system, and with an unknown impact.

Full Advisory:
http://secunia.com/advisories/18336/

--

[SA18335] Fedora update for cups

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-06

Fedora has issued an update for cups. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18335/

--

[SA18334] Ubuntu updates for cupsys / libpoppler0c2 / tetex-bin / xpdf-reader / xpdf-utils

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-06

Ubuntu has issued updates for cupsys / libpoppler0c2 / tetex-bin / xpdf-reader / xpdf-utils. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18334/

--

[SA18333] Red Hat update for httpd

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, DoS
Released:    2006-01-06

Red Hat has issued an update for httpd. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18333/

--

[SA18332] CUPS xpdf Multiple Integer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-06

Some vulnerabilities have been reported in CUPS, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18332/

--

[SA18331] Fedora update for ethereal

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-06

Fedora has issued an update for Ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18331/

--

[SA18330] Fedora update for netpbm

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-06

Fedora has issued an update for netpbm. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18330/

--

[SA18329] teTeX Xpdf Multiple Integer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-06

Some vulnerabilities have been reported in teTeX, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18329/

--

[SA18323] Wine Potential WMF "SETABORTPROC" Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-01-09

H D Moore has reported a vulnerability in wine, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18323/

--

[SA18344] Gentoo update for vmware

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-01-09

Gentoo has issued an update for vmware. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18344/

--

[SA18395] FreeBSD update for cpio

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, DoS
Released:    2006-01-11

FreeBSD has issued an update for cpio. This fixes a vulnerability, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to cause files to be unpacked to arbitrary locations on a user's system.

Full Advisory:
http://secunia.com/advisories/18395/

--

[SA18367] Pound HTTP Request Smuggling Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-01-10

A vulnerability has been reported in Pound, which potentially can be exploited by malicious people to conduct HTTP request smuggling attacks.
Full Advisory:
http://secunia.com/advisories/18367/

--

[SA18340] Trustix update for apache

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, DoS
Released:    2006-01-06

Trustix has issued an update for apache. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18340/

--

[SA18339] Mandriva update for apache2

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, DoS
Released:    2006-01-06

Mandriva has issued an update for apache2. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18339/

--

[SA18404] FreeBSD ee Insecure Temporary File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-11

A vulnerability has been reported in FreeBSD, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18404/

--

[SA18401] FreeBSD update for texindex

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-11

FreeBSD has issued an update for texindex. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18401/

--

[SA18388] NetBSD Kernfs Kernel Memory Disclosure Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-01-10

A vulnerability has been reported in NetBSD, which can be exploited by malicious, local users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/18388/

--

[SA18363] Ubuntu update for sudo

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-09

Ubuntu has issued an update for sudo. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18363/

--

[SA18358] Sudo Python Environment Cleaning Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-09

Tavis Ormandy has reported a vulnerability in Sudo, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18358/

--

[SA18357] Debian update for smstools

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2006-01-09

Debian has issued an update for smstools. This fixes a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18357/

--

[SA18351] Fedora update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Unknown, Exposure of sensitive information
Released:    2006-01-09

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to gain knowledge of potentially sensitive information and with unknown impact.

Full Advisory:
http://secunia.com/advisories/18351/

--

[SA18343] SMS Server Tools Logging Format String Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2006-01-09

Ulf Harnhammar has reported a vulnerability in SMS Server Tools, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18343/

--

[SA18384] Debian update for petris

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-10

Debian has issued an update for petris. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18384/

--

[SA18371] Sun Solaris uucp / uustat Arbitrary Command Execution Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-10

Angelo Rosiello has reported a vulnerability in Solaris, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18371/

--

[SA18362] Petris Buffer Overflow Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-01-10

Steve Kemp has reported a vulnerability in Petris, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18362/

Other:

Cross Platform:

--

[SA18382] Apache auth_ldap Module "auth_ldap_log_reason()" Format String Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-10

Seregorn has reported a vulnerability in the auth_ldap module for Apache, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18382/

--

[SA18370] QuickTime Multiple Image/Media File Handling Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-01-11

Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/18370/

--
[SA18346] Phgstats "phgdir" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-01-10

A vulnerability has been reported in Phgstats, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18346/

--
[SA18417] CaLogic "title" New Event Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-11

Aliaksandr Hartsuyeu has reported a vulnerability in CaLogic, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18417/

--
[SA18394] PHPNuke EV "query" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-10

A vulnerability has been discovered in PHPNuke EV, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18394/

--
[SA18392] TheWebForum Script Insertion and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-01-10

Aliaksandr Hartsuyeu has discovered two vulnerabilities in TheWebForum, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18392/

--
[SA18386] foxrum "url" bbcode Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-10

Aliaksandr Hartsuyeu has discovered a vulnerability in foxrum, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/18386/

--
[SA18383] VenomBoard SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-01-10

Aliaksandr Hartsuyeu has reported some vulnerabilities in VenomBoard, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18383/

--
[SA18374] PHP-Nuke News "Story Text" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-10

night_warrior771 has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18374/

--
[SA18361] Joomla! vCard Email Address Disclosure and TinyMCE Compressor Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of sensitive information
Released:    2006-01-09

Two vulnerabilities have been reported in Joomla!, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/18361/

--
[SA18354] 427BB Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-01-09

Aliaksandr Hartsuyeu has discovered some vulnerabilities in 427BB, which can be exploited by malicious people to conduct script insertion and SQL injection attacks, and bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/18354/

--
[SA18328] IBM Lotus Domino/Notes Denial of Service and Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, DoS
Released:    2006-01-06

Some vulnerabilities have been reported in Lotus Domino / Notes, which potentially can be exploited by malicious users to cause a DoS (Denial of Service), or with unknown impact.

Full Advisory:
http://secunia.com/advisories/18328/

--
[SA18327] Foro Domus "email" SQL Injection and Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-01-06

Aliaksandr Hartsuyeu has reported a vulnerability in Foro Domus, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18327/

--
[SA18372] WebGUI Form Module Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-10

Hans Wolters has reported a vulnerability in WebGUI, which potentially can be exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18372/

--
[SA18360] phpChamber "needle" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-09

Preddy has reported a vulnerability in phpChamber, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18360/

--
[SA18359] Andromeda "s" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-09

Preddy has discovered a vulnerability in Andromeda, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/18359/

--
[SA18345] NavBoard Potential BBcode Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-09

Aliaksandr Hartsuyeu has discovered a vulnerability in NavBoard, which potentially can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18345/

--
[SA18320] Modular Merchant Shopping Cart "cat" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-01-06

Preddy has reported a vulnerability in Modular Merchant Shopping Cart, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18320/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Jan 13 05:20:14 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 13 Jan 2006 04:20:14 -0600 (CST)
Subject: [ISN] Hacker arrested for illegal ticket sales
Message-ID:

http://english.www.gov.tw/TaiwanHeadlines/index.jsp?categid=10&recordid=90518

Taiwan News
2006/01/13

A civil servant was arrested on Thursday after he was found to have used a self-designed computer program to assist people buying train tickets on the Internet for the coming Chinese New Year holiday.
The 31-year-old suspect, identified by his last name as Lin, denied that he had profiteered from helping other people buy train tickets.

Lin, however, did admit that he collected an undisclosed amount for providing this service, but said that the money was used to maintain his Web site "As U Wish."

Black-market prices have doubled since tickets for the holiday period were bought up in only a few hours after the Taiwan Railway Administration began selling tickets a few weeks ago.

With the help of the TRA and Chunghwa Telecom Co., agents from the Bureau of Criminal Investigation found Lin at his residence in Taipei City and asked him to come in for questioning at the BCI.

Lin took advantage of a "virtual cash" mechanism set up by Internet banks to charge people for his service.

Lin used his own program, which could repeatedly reload applications into the TRA's computer system until they were accepted, to help people who wished to buy tickets intercept tickets returned by passengers who had canceled their reservations.

A BCI spokesman said Lin was not the first one who has been arrested for taking advantage of the TRA's automatic reservation system for personal gain. Three other computer programmers were arrested and indicted on similar charges last year.

Lin may be fined and sentenced to a prison term of up to five years for interfering with other people's use of their computers and for misusing his own computer to the degree of damaging public interests, which constitute an offense under Articles 360 and 361 of the Criminal Code.

The TRA set up a new reservation system several years ago to allow passengers to make reservations through the Internet, so they did not have to line up before ticket booths for a few days, as they had to do in the past in order to buy tickets.

Still, train tickets for long holidays are difficult to get hold of because scalpers often buy up tickets and then sell them for much higher prices.
While investigating the case, BCI agents were surprised by the fact that many Internet banks did not even try to verify the identities of those who use their "virtual cash" mechanisms in transferring money into Lin's bank account.

The BCI spokesman warned that criminals may take advantage of this loophole in Internet banking operations to commit crimes. He urged the authorities concerned to contact local banks in order to find ways to resolve problems related to Internet banking services.

From isn at c4i.org Mon Jan 16 01:25:29 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 16 Jan 2006 00:25:29 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - January 13th 2005
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                              Weekly Newsletter   |
|  January 13th, 2005                             Volume 7, Number 2a |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                  Benjamin D. Thomas
                dave at linuxsecurity.com    ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, perhaps the most interesting articles include hylafax, hal, poppler, pdftohtml, libpaperl, xpdf, gpdf, and apache2. The distributors include Gentoo and Mandriva.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

----

IPv6 approach for TCP SYN Flood attack over VoIP, Part IV
By: Suhas Desai

6. IPv6 Approaches

Service Providers are scrambling to offer voice, video, data and innovative services such as gaming, interactive TV and messaging, on a single pipe. At the same time, network equipment is being upgraded to IPv6. But some real-time IPv6 security overwhelms performance due to the application intelligence, which is the rapid inspection of VoIP signaling (SIP, H.323) and audio packets, and the prompt opening and shutting of "pinholes" to allow the passage of valid voice traffic over wireless networks. A firewall enabled for application filtering and IPv6 can drop application performance by a staggering 90% or more compared to best-case IPv4 results.

The following methods are used to measure IPv6 application performance:

- Emulate real application traffic (data, voice, video) over tens of thousands of clients and/or servers.
- Measure performance and Quality of Experience with Web pages/s, VoIP call set-up time, FTP file transfer rate and instant message passing with TCP SYN handshaking signals.

Multiple services over IPv4/v6 must address three additional challenges that will impact network performance; the following DoS attacks must be handled. IPv6 approaches can handle these with network tester configurations.

6.2 DoS Attacks

* Must be filtered, including traditional layer 3-4 attacks such as TCP SYN Flood, which is ported to IPv6.
* ICMPv6 attacks.
* Application layer attacks (such as SIP setup/teardown flood and RTP stream insertion).
* Application attacks are particularly effective because they degrade the CPU performance.

6.3 VoIP Attack Vulnerability

VoIP attack vulnerability simulates DoS attacks to measure impact on VoIP with:

- Traditional DoS attacks (TCP SYN flood, Ping of Death).
- VoIP voice insertion: simulate rogue RTP streams.
- VoIP DoS: simulate bursts of call setups and teardowns on the same addresses.

6.4 Performance Challenges

6.4.1 Longer IPv6 addresses: Firewall rule sets and ACLs must work with IPv6 addresses. It can degrade performance.
6.4.2 IPv6 variable-length headers: More complex encryption and authentication header sections must be parsed and filtered, and the device may also need to perform encryption/decryption or calculation of message authentication codes to filter on application-layer headers and content.

6.4.3 IPv6 DoS attacks: IPv6/v4 and IPv4/v6 tunneling can hide application-layer attacks within complex handcrafted TCP SYN packets.

6.5 Triple-Play Methodology

A new approach is needed to ensure that application-aware devices do not become bottlenecks:

6.5.1 Real-Time Application Performance.
6.5.2 Add DoS attacks over IPv6 including SIP setup-teardown attacks. Quantify the reduction in application performance.

Read Entire Article:
http://www.linuxsecurity.com/content/view/121205/49/

----------------------

EnGarde Secure Community 3.0.3 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

http://www.linuxsecurity.com/content/view/121150/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold.
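The one-sentence definition above is easiest to see in code. The C below is an added example, not code from the newsletter or from the linked article: it lays out a fixed-size buffer next to another field, copies into it once without a size check and once with one, and applies the same bound check to a count read from input that is later used as an array index, which is the shape of the xpdf numComps entries elsewhere in this issue. The struct, field names, helper names and sample inputs are all constructed for the illustration.

```c
/* Added example, not from the newsletter: a finite buffer with adjacent
 * data, written once without a bounds check and once with one.
 * All names and inputs here are constructed for the illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct record {
    char name[16];   /* finite buffer: room for 15 characters plus NUL */
    int  is_admin;   /* adjacent data that an overflow would overwrite */
};

/* Unchecked copy: strcpy stops only at the source's NUL, so a source of
 * 16 or more characters runs past name[] and into is_admin.  Kept for
 * comparison; nothing below calls it. */
void set_name_unchecked(struct record *r, const char *src)
{
    strcpy(r->name, src);
}

/* Checked copy: measure the source against the destination size first and
 * refuse input that does not fit, leaving the record untouched.
 * Returns true on success, false if the input was rejected. */
bool set_name_checked(struct record *r, const char *src)
{
    size_t n = 0;
    while (n < sizeof r->name && src[n] != '\0')  /* bounded length scan */
        n++;
    if (n >= sizeof r->name)
        return false;            /* no room for the terminating NUL */
    memcpy(r->name, src, n + 1); /* exactly n bytes plus the NUL */
    return true;
}

/* Same principle for a count taken from untrusted input and then used as
 * an array index: validate it against the array's bound (and the input's
 * length) before any write.  Returns the number of entries stored, or -1
 * when the count is out of range. */
#define MAX_COMPONENTS 4

int copy_components(int comps[MAX_COMPONENTS], const unsigned char *data,
                    size_t data_len, int num_comps)
{
    if (num_comps < 0 || (size_t)num_comps > data_len
        || num_comps > MAX_COMPONENTS)
        return -1;               /* reject before touching comps[] */
    for (int i = 0; i < num_comps; i++)
        comps[i] = data[i];
    return num_comps;
}

int main(void)
{
    struct record r = {{0}, 0};
    const unsigned char data[] = {1, 2, 3, 4, 5, 6};  /* constructed input */
    int comps[MAX_COMPONENTS];

    printf("short name accepted: %d\n", set_name_checked(&r, "alice"));
    printf("long name accepted:  %d (is_admin still %d)\n",
           set_name_checked(&r, "a-name-that-is-way-too-long"), r.is_admin);
    printf("3 components stored: %d\n",
           copy_components(comps, data, sizeof data, 3));
    printf("6 components stored: %d\n",
           copy_components(comps, data, sizeof data, 6));
    return 0;
}
```

The checked functions fail closed: a rejected input leaves the record and the array exactly as they were, so the caller can report the bad input rather than run on corrupted state.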
Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: HylaFAX Multiple vulnerabilities
  6th, January, 2006

HylaFAX is vulnerable to arbitrary code execution and unauthorized access vulnerabilities.

http://www.linuxsecurity.com/content/view/121181

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated HAL packages fixes card reader bug
  5th, January, 2006

HAL in Mandriva 2006 doesn't correctly handle card readers advertising themselves as SCSI removable disk, which was preventing HAL from correctly creating entries in fstab when the user inserts a memory card. Updated packages have been patched to address this issue.

http://www.linuxsecurity.com/content/view/121171

* Mandriva: Updated poppler packages fix several vulnerabilities
  5th, January, 2006

Heap-based buffer overflow in the StreamPredictor function in Xpdf 3.01 allows remote attackers to execute arbitrary code via a PDF file with an out-of-range numComps (number of components) field. (CVE-2005-3192) Heap-based buffer overflow in the JPXStream::readCodestream function in the JPX stream parsing code (JPXStream.c) for xpdf 3.01 and earlier allows user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with large size values that cause insufficient memory to be allocated.
http://www.linuxsecurity.com/content/view/121172

* Mandriva: Updated pdftohtml packages fix several vulnerabilities
  5th, January, 2006

Heap-based buffer overflow in the StreamPredictor function in Xpdf 3.01 allows remote attackers to execute arbitrary code via a PDF file with an out-of-range numComps (number of components) field. (CVE-2005-3192) Heap-based buffer overflow in the JPXStream::readCodestream function in the JPX stream parsing code (JPXStream.c) for xpdf 3.01 and earlier allows user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with large size values that cause insufficient memory to be allocated.

http://www.linuxsecurity.com/content/view/121173

* Mandriva: New libpaper1 packages provide libpaper1 to x86_64 platform
  5th, January, 2006

Corporate Desktop 3.0/x86_64 did not ship with the libpaper1 library, which prevented the included gpdf and kpdf programs from working. This update provides libpaper1.

http://www.linuxsecurity.com/content/view/121174

* Mandriva: Updated xpdf packages fix several vulnerabilities
  5th, January, 2006

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index.
(CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121175

* Mandriva: Updated gpdf packages fix several vulnerabilities
  5th, January, 2006

Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191)

http://www.linuxsecurity.com/content/view/121176

* Mandriva: Updated apache2 packages fix vulnerabilities
  5th, January, 2006

A flaw was discovered in mod_imap when using the Referer directive with image maps that could be used by a remote attacker to perform a cross-site scripting attack, in certain site configurations, if a victim could be forced to visit a malicious URL using certain web browsers (CVE-2005-3352).

http://www.linuxsecurity.com/content/view/121177

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jan 16 01:25:46 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 16 Jan 2006 00:25:46 -0600 (CST)
Subject: [ISN] Million dollar homepage brought down by DDoS attack
Message-ID:

http://www.vnunet.com/vnunet/news/2148578/million-dollar-homepage-felled

William Eazel
vnunet.com
14 Jan 2006

The final 1,000 pixels on the Million Dollar Homepage sold for $38,100 earlier this week, netting 21 year old UK student Alex Tew the final amount needed to cross the US$1 million target barrier.
However, disaster struck early yesterday when the site was targeted by electronic attackers and knocked off the web for some extended period of time by a DDoS attack.

The Million Dollar Homepage, found at milliondollarhomepage.com, had been online since September last year, and is one of those "wish I'd thought of that" ideas initially dreamt up by Tew as a way of paying his university expenses.

The idea was simple. Tew launched a website, which he promised to keep online for at least five years; he then divided the homepage into a million pixels and sold each pixel for US$1 as advertising space.

Many advertisers are understood to have bought pixels as a joke, but the idea soon took off, and on the back of a wave of publicity Tew's site was soon receiving 500,000 unique visitors per day, with much of that traffic clicking through to advertisers.

Indeed, the site's total earnings actually netted Tew US$1,037,100 - a figure which has been the catalyst for the appearance of a number of other copycat sites.

Tew may be the newest internet-made millionaire, but armed with only a basic web hosting package, the extra fees charged for protection against mounting DDoS attacks will soon be eating into his cash pile.

From isn at c4i.org Mon Jan 16 01:24:50 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 16 Jan 2006 00:24:50 -0600 (CST)
Subject: [ISN] Web Site of Agency Is Called Insecure
Message-ID:

http://www.nytimes.com/2006/01/13/technology/13secure.html

By JOHN MARKOFF
January 13, 2006

The General Services Administration has shut a Web site for government contractors after a computer industry consultant reported that he was able to view and modify corporate and financial information submitted by vendors.

The security flaw, which could have permitted contractor fraud, was reported to the agency's inspector general on Dec. 22, but almost three weeks passed before the system was taken offline Wednesday afternoon.
The General Services Administration is the federal agency responsible for procuring equipment and services, including computer security technology, making the lapse all the more striking.

"This is the government entity responsible for letting contracts for security," said Mark Rasch, chief security counsel for Solutionary, a security firm. "Clearly the people who log in would know about security."

The agency said it believed that the flaw had not been exploited by intruders or by authorized users. It is not clear how long the problem existed.

The Web site, called eOffer, was introduced in May 2004 to let companies respond electronically to requests for proposals for computer technology services and products.

Computer security consultants said the flaws could have had consequences ranging from corporate espionage to bid tampering. They also said the agency now faced the challenge of verifying the accuracy of contracting data.

The site remained inoperative yesterday evening with a posted message stating: "The eOffer system is down for maintenance. Please pardon the inconvenience, thank you."

The security flaws were discovered by Aaron Greenspan, president of Think Computer, a computer security firm based in Dallas, when he tried to register his company as a government contractor last month.

While entering data on the site, he said, he discovered that it was possible to call up documents at random and to take over the accounts of other companies by simply entering a publicly available business identification number once he had validated his own account with the system.

"Theoretically, one could have started a bidding war between Boeing and Lockheed Martin, or Dell and Gateway, or changed the terms of their existing contracts," he said.

According to Mr. Greenspan, the contract data on the Web site stretched back at least nine years.
When the system was introduced last year, the agency said it was intended to meet President Bush's mandate "to improve effectiveness and efficiency in government." It was intended to save time and money by bypassing the paper-based process for negotiating contracts.

A spokeswoman for the agency said yesterday that it had begun an "intensive search" to identify "possible irregularities within the electronic tools G.S.A. provides to its customers."

The spokeswoman, Jennifer E. Millikin, deputy director of communications, said the agency acknowledged that the flaw compromised the integrity of the Web tool but that it "believes the problem was brought to the agency's attention before it became a hazard to other users."

She said the 20-day interval before the site's shutdown reflected the processing of the inspector general's report within the agency. The site, used by about 1,200 of the agency's tens of thousands of contractors, should be online again by the middle of next week, she said.

An independent computer security consultant who examined Mr. Greenspan's written presentation to the agency said that the designers of the eOffer site had made a series of bad design decisions.

"The system relies, rather stupidly, on making it difficult to get in in the first place, by forcing you to get a client certificate for your browser," a mechanism for establishing the user's identity, said Mark Seiden, a security consultant who performs tests for corporations. "Well, the 9/11 hijackers also had authentic drivers' licenses. Perhaps they believe that it's good enough to know who to go after if they misbehave once they're in the club."

In filing an electronic application to become a government contractor, Mr. Greenspan was forced to repeat the process several times. After doing so, he noticed that the file's identifying number had been changed to a number one digit higher.
He then copied the old number into his browser and discovered that his original file was still stored on the eOffer Web site. Wondering whether he had stumbled on a security flaw, he changed the number again, and the system sent him another document - a price list that had been submitted by another company.

Further investigation led Mr. Greenspan to discover that it was possible to view and then change other companies' electronic offers. Because each offer's electronic first page yielded the given company's business identifier, it was possible to paste that identifier into the eOffer sign-in page and adopt the identity of any company.

All that was necessary to masquerade as any other company using the system was to have a valid security certificate for the eOffer system, he said. He said he had been able to log in using the identity of some major aerospace and electronics companies, including Boeing and Gateway.

"My reaction was everything but surprised," he said. "It's a very common problem."

This is not the first time that Mr. Greenspan has ferreted out security flaws in commercial computer systems. A year ago, he notified businesses at South Station in Boston that a wireless Internet system made it possible to see confidential information. The flaws were corrected.

In February he discovered a software flaw in systems operated by PayMaxx Inc., a payroll processor in Franklin, Tenn.; the flaw revealed financial information on tens of thousands of employees. The company minimized the extent of the disclosure and corrected the deficiency.
From isn at c4i.org Mon Jan 16 01:25:01 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 16 Jan 2006 00:25:01 -0600 (CST)
Subject: [ISN] 'Technical glitch' takes down NSA website
Message-ID:

http://www.int.iol.co.za/index.php?set_id=1&click_id=22&art_id=qw1137220746521R131

January 14 2006

Washington - The website of the National Security Agency, which has been under scrutiny because of domestic wiretaps it conducted without warrants, was inaccessible for more than seven hours.

A spokesperson, Don Weber, would not say whether the site suffered an attack by hackers or a technical glitch caused Friday's outage. Speaking shortly after the site went back online, he said only that employees had worked to restore access.

Internet experts at Keynote Systems, which monitors web traffic around the world, said access to the NSA's website by visitors across the United States was severely limited.

"This condition would indicate to me that either the site is being overwhelmed with legitimate users or a (denial of service) attack," said Shawn White, the director for Keynote's external operations.

The NSA, known for eavesdropping and code-breaking, also helps protect computer systems deemed vital to the nation's security, such as those involved in intelligence, cryptography and weapons.

"This illustrates that even technologically savvy people have a hard time fighting off denial of service attacks," said Alan Paller, research director for the SANS Institute in Bethesda, Maryland, a computer security organization.

Internet records indicate the NSA's website is contracted to Lingual Information System Technologies of Columbia, Maryland. An operator there said no executives were available to comment on the outage because they had left for the weekend.
- Sapa-AP

From isn at c4i.org Mon Jan 16 01:25:58 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 16 Jan 2006 00:25:58 -0600 (CST)
Subject: [ISN] Korea No More Source of Cyber Terrorism
Message-ID:

http://times.hankooki.com/lpage/200601/kt2006011517173410220.htm

By Cho Jin-seo
Staff Reporter
01-15-2006

Foreigners do not see South Korea as an axis of cyber terrorism anymore as its efforts to contain computer hackers are taking effect.

The Ministry of Information and Communication said the number of hacking attempts to penetrate computer servers of foreign firms or governments has been falling since 2002.

South Korea was ranked ninth in the list of source countries of cyber attacks last year, much improved from 2002 when it ranked second after the United States, the ministry said citing a report from U.S.-based Internet security firm Symantec. It was ranked seventh in 2003 and has stayed at the ninth spot since 2004.

"South Korea has been working to wipe out its disgraceful image as the source of cyber terrorism, since the government opened a cyber crime watching system in 2003 which monitors the Internet network 24 hours a day," the Ministry said in a statement.

Even Bill Gates praised South Korea's efforts to uproot cyber terrorists. Last Wednesday, a group of Microsoft's executives from its Asian headquarters visited the Seoul Metropolitan Police and presented a plaque signed by Gates to the counter-cyber crime unit.

Gates, founder of the world's largest software maker, has expressed his gratitude to the Korean cyber-detectives for busting three gangs of international hackers last year. The gangs, including eight Chinese nationals, hacked online games sites and some 50,000 PCs to steal game items and then resell them. Police said the hackers made some 500 million won that way.
The victims reported to Microsoft the damage they suffered through their Windows and e-mail services, and the firm cooperated with South Korean police in tracking down the hackers in China, the police said.

"At the time, Microsoft highly evaluated the South Korean police in their dealing with cyber crimes," Kim Jae-kyu, head of the cyber crime investigation team, told reporters. "They said that they have had troubles when working with police from other countries because they usually lack technical understanding. As South Korea is a leader of the information technology, it will lead the world in the cyber crime investigation, too."

The number of the computer hacking incidents in South Korea decreased from 26,179 in 2003 to 24,297 in 2004, according to the Ministry of Information and Communication. It is expected to bounce back in 2005 to around 30,000, but many of the crimes are less-serious phishing cases, where hackers try to lure Internet users to fake Web sites to steal private information such as bank account numbers, rather than breaking into computer systems.

Spam mail circulation also decreased. The average South Korean received 50 spam mails a day in 2003, but the number dropped to 16.8 after major portal sites started to charge users for sending massive mails.

From isn at c4i.org Mon Jan 16 01:26:11 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 16 Jan 2006 00:26:11 -0600 (CST)
Subject: [ISN] DHS & Your Tax Dollars
Message-ID:

Forwarded from: Marjorie Simmons

FOIA requires records disclosure unless the records fall within one of the nine exemptions to the Act. Two of those enumerated exemptions are:

1) Those specifically authorized under criteria established by an Executive Order to be kept secret in the interest of national defense or foreign policy, and are classified as such; and

2) Records or information compiled for law enforcement purposes.
Therefore, I do not find it surprising at all that FOIA requests are taking a year and longer and that some are never granted at all. Executive Orders for such secrecy are themselves not always disclosed. Related legality investigations are being consistently waylaid and stymied by some dubious claims of executive privilege and national security, and have been since this President first took the office. Consider that the present state of any helpful information coming from this administration will continue as long as those persons who make up this particular administration and its milieu are persons of power in DC and Virginia, and for as long as Henry Kissinger's "useless eaters" believe in the inherent integrity of the holder of the Office of the President, no matter how baldfaced its lies. "Let the people know the truth and the country is safe." -- Abraham Lincoln Marjorie Simmons -----Original Message----- Forwarded from: security curmudgeon http://www.osvdb.org/blog/?p=83 Why exactly do my tax dollars pay for the commercial development of tools that are not released to the public? This also makes me wonder what legal and ethical questions should be asked about tax dollars being spent by the DHS, for a university to fund the development of a security tool that could potentially do great good if released for all to use. It's too bad there is more than a year long wait for FOIA requests made to the DHS. From isn at c4i.org Mon Jan 16 01:26:29 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 16 Jan 2006 00:26:29 -0600 (CST) Subject: [ISN] Vandals post fake stories on Lawrence paper's site Message-ID: http://business.bostonherald.com/technologyNews/view.bg?articleid=121125 By Dave Wedge and O'Ryan Johnson January 13, 2006 A cyber vandal broke into a Lawrence newspaper's Web site yesterday, posting sexist phony news stories about a former female employee.
The articles about the ex-reporter appeared in the business section of the Eagle-Tribune's site but were taken down after they were discovered. The Eagle-Tribune Publishing Co. issued a brief statement last night regarding the flap but declined to answer questions. "The site was compromised," the statement read. "We took it down immediately and are investigating." The Web site breach comes just days after an attempt by workers to join a national newspaper union failed in an employee vote. Management bitterly opposed the bid by workers to make the privately-owned paper a union shop. The ex-reporter involved said last night that she was aware the material was posted and that she was seeking answers from the newspaper. From isn at c4i.org Mon Jan 16 01:27:35 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 16 Jan 2006 00:27:35 -0600 (CST) Subject: [ISN] It's Just the Key to Your Room Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,107701,00.html By Robert L. Mitchell JANUARY 16, 2006 COMPUTERWORLD Warning: Hotel card keys may contain personally identifiable data on the magnetic stripe. Is it fact -- or fiction? "It's an urban legend. It doesn't work," says Joe McInerney, president of the American Hotel and Lodging Association (AHLA). Nonetheless, unsubstantiated reports keep surfacing every six months or so, he acknowledges. For example, last fall, an IT director at a travel club in Wyomissing, Pa., told Computerworld that he had found personal information on magnetic hotel key cards when visiting three major hotel chains. The IT professional said he read the cards using a commonly available ISO-standard swipe-card reader that plugs into any USB port. At one resort, he said, his card key contained credit card information, his address and his name. He said the hotel expressed surprise when he showed it the results. His comments, which appeared in a Computerworld blog in September, created a furor. 
He subsequently declined to comment for this story. As part of a Computerworld investigation into the allegations, reporters and other staff members who traveled last fall brought back 52 hotel card keys over a six-week period. The cards came from a wide range of hotels and resorts, from Motel 6 to Hyatt Regency and Disney World. We scanned them using an ISO-standard card reader from MagTek Inc. in Carson, Calif. -- the type anyone could buy online. We then sent the cards to Terry Benson, engineering group leader at MagTek, for a more in-depth examination using specialized equipment. MagTek also gathered cards from its own staff. In all, 100 cards were tested. Most cards were completely unreadable with an off-the-shelf card reader. Neither Benson nor Computerworld found any personally identifiable information on them. Based on these results, we think it's unlikely that hotel guests in the U.S. will find any personal information on their hotel card keys. There is, however, some debate among industry experts over whether some older systems could have been configured to store personal information under specific scenarios. To understand why personal information is unlikely to appear on hotel card keys, you must first understand how the technology works. Electronic locks that use magnetic cards were developed to address petty-theft problems associated with traditional keys. "Those problems have virtually gone away," says Brian Garavuso, CIO at Hilton Grand Vacations Co. in Orlando and chairman of the AHLA's technology committee. Most keys contain only a room number, a departure date and a "folio," or guest account code -- although other data may be stored on them as well. The door locks, which are stand-alone, battery-powered devices, each contain a sequence of lock codes. The sequence advances when an expired card is swiped or a new card inserted. The lock also logs when a guest, maid or other hotel employee has entered the room. 
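The 100-card test described above (read each card with an off-the-shelf ISO reader, then look for a card number or any readable text) is easy to automate, and it is worth automating if you want to repeat it on your own key cards. The following is an added example, not code from Computerworld, MagTek or any lock vendor: it takes the raw Track 1 and Track 2 strings a USB swipe reader returns, tries to parse them with the standard ISO/IEC 7813 financial-card layout, and flags any Luhn-valid 13 to 19 digit primary account number (PAN) or cardholder name. An opaque folio or room code is reported as data present but no PII, and a card the reader cannot decode at all is reported as unreadable. The four sample swipes are constructed; 4111 1111 1111 1111 is a published test number, not a real account, and the ISO framing assumed is the generic one, not any hotel system's.

```python
"""Check raw magnetic-stripe reader output for personal data.

Added example (not the article's or any vendor's code). It repeats the
Computerworld test in software: parse whatever an ISO swipe reader returns
for Track 1 and Track 2 and flag payment-card data or readable text.
All sample swipes are constructed; 4111 1111 1111 1111 is a published
test number, not a real account.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# ISO/IEC 7813 layouts as a USB reader emits them (assumed standard framing):
#   Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$")
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})([^?]*)\?$")
DIGIT_RUN_RE = re.compile(r"\d{13,19}")   # PAN lengths allowed by ISO 7812
WORD_RE = re.compile(r"[A-Za-z]{3,}")     # crude "intelligible text" test


def luhn_valid(digits: str) -> bool:
    """Mod-10 check every payment-card PAN passes (a filter, not proof)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask(pan: str) -> str:
    """Keep only BIN and last four so the report itself is not PII."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    readable: bool                    # the reader returned anything at all
    pan: Optional[str] = None         # masked Luhn-valid account number, if any
    name: Optional[str] = None        # cardholder name from Track 1, if any
    words: List[str] = field(default_factory=list)   # other readable text
    notes: List[str] = field(default_factory=list)

    @property
    def pii(self) -> bool:
        return self.pan is not None or self.name is not None


def analyze_swipe(track1: str, track2: str) -> Finding:
    """Classify one card from the raw Track 1 / Track 2 strings."""
    t1, t2 = track1.strip(), track2.strip()
    if not t1 and not t2:
        return Finding(readable=False,
                       notes=["no ISO-readable data (proprietary encoding)"])
    f = Finding(readable=True)

    m = TRACK1_RE.match(t1)
    if m and looks_like_pan(m.group(1)):
        f.pan, f.name = mask(m.group(1)), m.group(2).strip()
        f.notes.append("ISO 7813 Track 1 financial data")
    m = TRACK2_RE.match(t2)
    if m and looks_like_pan(m.group(1)):
        f.pan = f.pan or mask(m.group(1))
        f.notes.append("ISO 7813 Track 2 financial data")

    # A proprietary layout can still carry a PAN somewhere in the stream.
    if f.pan is None:
        for run in DIGIT_RUN_RE.findall(t1 + " " + t2):
            if luhn_valid(run):
                f.pan = mask(run)
                f.notes.append("Luhn-valid PAN embedded in non-ISO data")
                break

    f.words = WORD_RE.findall(t1 + " " + t2)
    if not f.pii and not f.words:
        f.notes.append("opaque data only (folio/room code); no PII found")
    return f


# Constructed swipes: what the investigation's reader might have returned.
SAMPLE_SWIPES: Dict[str, Tuple[str, str]] = {
    "payment card":            ("%B4111111111111111^DOE/JOHN^0912101000000000?",
                                ";4111111111111111=0912101000000000?"),
    "hotel folio key":         ("", ";00417320=0601150000?"),
    "pan in proprietary data": ("HTL0712 4111111111111111 A1", ""),
    "proprietary lock card":   ("", ""),
}


def scan_all() -> Dict[str, Finding]:
    return {label: analyze_swipe(t1, t2) for label, (t1, t2) in SAMPLE_SWIPES.items()}


if __name__ == "__main__":
    for label, f in scan_all().items():
        print(f"{label:24} readable={f.readable!s:5} pii={f.pii!s:5} "
              f"pan={f.pan} name={f.name} notes={'; '.join(f.notes)}")
```

Two caveats a practitioner would keep in mind when reading the output. The Luhn check is a filter, not proof: roughly one random digit run in ten passes it, so a hit inside proprietary data needs manual confirmation. And a card that yields nothing at all, like most of the Computerworld sample, only shows that an ISO reader cannot decode it; it says nothing about what a vendor-specific reader would recover from Track 3.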
Hotel door locks aren't wired back to the systems at the front desk. Therefore, if a card is lost and a new card is issued, the room remains unprotected until the new card is inserted into the lock and it resets. Hotels use card-key locks because they are relatively inexpensive, make rekeying easy, include a time limit and provide an audit trail of room access. Most card keys aren't readable because electronic lock systems use proprietary encoders and readers. While ISO-standard cards store data on three tracks on the magnetic stripe, hotel lock systems use a proprietary encoding pattern and encrypt room-key data on Track 3, says Mark Goldberg, executive vice president and chief operating officer at magnetic card maker Plasticard-Locktech International LLP in Asheville, N.C. PLI's name appeared on many of the card keys Computerworld tested. Only 15% of the cards tested yielded any data using the USB card reader. The alphanumeric strings did not match any of the users' credit card numbers, nor was any intelligible text found. At MagTek, Benson was able to pull up strings of binary data from the cards but could not decode them. A specialized reader would be needed to decipher it, but "you won't be able to grab one of those off eBay very easily," he says. Even then, the data would be unreadable because it is encrypted, says Mike Scott, new products manager at Saflok, an electronic lock maker in Troy, Mich. On the Right Track? Most electronic lock systems include a card encoder, a user workstation and server software. That system interoperates with the property management system (PMS), the software that handles functions such as reservations, registration and guest billing. The PMS communicates with the electronic lock system to generate new card keys and sends billing data to the back-end systems. A point-of-sale system may also tie back into the PMS to allow the guest account code on the card key to be used to add charges for meals or other items to the room bill.
In this situation, the account code exists within Track 2 on the card. This can be linked to the back-end billing system, where the customer's name, address and credit card information reside, allowing the guest to charge meals or bar tabs to the card as though it were a credit card. Resorts such as Universal Studios use Track 1 as an amusement park pass and Track 2 for other charges, according to Saflok. While neither track is encrypted, they typically include only the folio code. On some cards, the guest name and folio code may also be printed on the front of the card itself. Could credit card data be embedded directly onto the card? "Technically it's possible, but why would you? It's not needed," says Garavuso. Individual hotel-chain properties are often franchised to other owners that may outsource management to a third party -- and may use a variety of back-end systems. However, although the back-end systems may vary, all hotel chains require that franchisees use their property management systems, Garavuso says. In some resorts or hotels, the systems used in the bar, restaurant or other concessions may not be tied back to the PMS that contains the customer billing data. In that scenario, the hotel could choose to encode credit card data directly onto the hotel key to allow credit charges to be made, rather than going to the trouble of modifying both systems. That type of arrangement could explain the experience the IT director reported to Computerworld. But is it likely? "If it were an older system, it's possible," acknowledges Louise Casamento, director of marketing at PMS vendor Micros Systems Inc. in Columbia, Md. In the past, people weren't as conscious of security, and ISO card readers weren't readily available on the Web, she says. But Saflok's Scott says it's not likely.
"I've been doing this for 15 years, and I've never seen it," he says, adding that Saflok's system doesn't even have an option to allow the encoding of credit card data onto its key cards. "I would have to say that it [would have to be] a very old system -- and they are still out there -- that may still allow this," says Jocelynn Lane, vice president at VingCard AS, a vendor of electronic lock systems based in Norway. But, she adds, "we've never seen them compromised." Certainly no system would do it today, she adds. The only situation where Lane says travelers might find sensitive personal information on card keys is when they're abroad. "There are locking systems in Europe that, when you check in, let you enter a credit card, guest name, everything [on the card]. But never in the States," she says. "There are probably 60,000 hotels in the U.S. right now. To say no one has done it would be presumptuous on my part," says PLI's Goldberg. But the chances of guests running across the problem, if it exists at all, are slim. "I would never check into a Holiday Inn and worry about it," Goldberg says. -=- Sidebar: Testing the Card Keys http://www.computerworld.com/securitytopics/security/story/0,10801,107703,00.html Sidebar: Spraying for Data http://www.computerworld.com/securitytopics/security/story/0,10801,107702,00.html Sidebar: The Search for the Perfect Electronic Key http://www.computerworld.com/securitytopics/security/story/0,10801,107737,00.html Blog: What's not on your hotel card key http://www.computerworld.com/blogs/node/1577 Blog: Swipe here to steal ID http://www.computerworld.com/blogs/node/1016 From isn at c4i.org Tue Jan 17 01:31:30 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 17 Jan 2006 00:31:30 -0600 (CST) Subject: [ISN] 'Hacker' held over U.S. 
Navy breach Message-ID: http://edition.cnn.com/2006/WORLD/europe/01/16/spain.us/ CNN Madrid Bureau Chief Al Goodman January 16, 2006 MADRID, Spain (CNN) -- An 18-year-old suspected Spanish hacker who allegedly breached the top-secret computer security of a U.S. Navy base in San Diego has been arrested, according to the Spanish Civil Guard. The alleged hacker "seriously compromised the correct operations and security of a maintenance dry dock for nuclear submarines" a statement said on Monday. U.S. Navy computer security specialists started an investigation when they detected illegal access to a U.S. Department of Defense computer at Naval Base Point Loma in San Diego. They later determined the cyber incident had originated in Spain, the statement said. The Spanish suspect was arrested last week in the southern provincial capital of Malaga, on the Mediterranean coast, where he lives. The Civil Guard searched his home and seized a computer and other items that were being analyzed, a Civil Guard spokeswoman told CNN on Monday. The U.S. notified Spanish authorities, and the paramilitary Civil Guard's cyber-terrorism unit got involved. The Spanish suspect is a resident of the southern provincial capital of Malaga, on the Mediterranean coast. A U.S. Embassy spokesman in Madrid said there was no immediate U.S. reaction. The embassy, like most U.S. government offices, is closed due to observance of the Martin Luther King Jr. national holiday. The alleged hacker was part of a group that aimed to breach computer security systems connected to the Internet for illegal means, the Civil Guard's statement said, adding that the group allegedly had breached more than a hundred computer systems, causing damages of more than $500,000. The Civil Guard was able to locate the suspected hacker in part through the testimony of four witnesses in other parts of Spain, the statement said. The other four were not arrested. 
From isn at c4i.org Tue Jan 17 01:32:05 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 17 Jan 2006 00:32:05 -0600 (CST) Subject: [ISN] Anatomy Of A Break-In Message-ID: Forwarded from: William Knowles http://www.informationweek.com/hardware/showArticle.jhtml?articleID=177100115 By Ira Winkler Internet Security Advisors Group InformationWeek Jan 16, 2006 A large multinational company was about to undergo a full security audit, and the CIO didn't want any surprises. He was looking for advance warning of any problems that might be discovered in the formal audit so he could be ready with a remediation plan. The company, which employs more than 10,000 people, is responsible for critical elements of physical infrastructures around the world and is regularly targeted by a wide variety of bad guys, including terrorists and foreign governments. The CIO believed the company had some problems with physical security and end-user systems but thought he had the servers and network locked down. To get a true picture of the company's overall security, the CIO hired my team to do a preassessment without informing the majority of employees. For political reasons, he had to let several people know the test would be performed. And just to make my job more of a challenge, the director of the network operations center vowed my team wouldn't break into his systems or facilities. Most of the company's assessment funds had been allocated to the formal audit, so the preassessment budget was tight. We had an advantage in that I'd been at the facility before for an unrelated reason, so I knew the makeup of the main facility and some of its physical weaknesses, which would save us a day or so of reconnaissance. Open-Source Intelligence We typically begin an espionage simulation by gathering intelligence on the company's physical, technical, and operational infrastructures, and on its personnel. 
Our search revealed a variety of information about the contracts the company was pursuing, as well as details on its facilities. Most troubling, we found maps of some facilities in high-risk areas, which could help malicious parties target the company and its people. We also found a corporate phone directory intended for internal use. This would have immense value for the social-engineering attacks we were planning. We uncovered information about the company's generic technical architecture by looking at trade Web sites and postings the company's IT staff had made to newsgroups. We knew the company had a Windows infrastructure with Sun Microsystems computers handling most of the server duties. Knowing the hardware and software let us predict technical vulnerabilities and helped us prepare to target the systems, both internally and externally. We also found a variety of corporate domains to target. Later we learned that the people responsible for managing the company's Internet presence didn't know about some of these domains, which provided back doors into the company. Along the same lines, our search turned up more than 100 Web servers, though the IT staff had figured there were fewer than a dozen. We learned of the discrepancy when we informed someone from the CIO's staff of our findings at a breakfast meeting our first day on-site. As happens in about half our reconnaissance efforts, we found evidence of illicit employee activities. For example, one employee was using his company E-mail account to sell information on how to perform criminal activities. After a day and a half of this preliminary investigation, we ventured on-site. Three of us were involved in the internal test: Kevin, a technician familiar with attacks on Unix and Windows (the company's typical environments); Jeff, who would focus on social engineering and could assist on the technical side; and me. 
My focus was on the "black bag" aspects of the test--physically going into a high-risk environment to steal information or perform other high-risk tasks to support the espionage operations. Our first job was to get into the building complex, which housed multiple tenants sharing a common entrance. An outside firm handled the facilities management and physical security. The reception desk was in the center of the main lobby, roughly 20 feet from the door. The lobby was wide open, so when we arrived I told my accomplices to act as if we were talking about something important and ignore the receptionist as we walked through the lobby toward the main building. The receptionist tried to get our attention, but we proceeded without being stopped. There was a proximity-card sensor on the door to the offices, and the door was locked, so we waited for someone to come out and walked on in. We found the office our breakfast contact had assigned to us. Our team had its own gear--hubs, Ethernet cables, and so on--and we set up a small LAN inside the office off the room's Ethernet port. At this point, I thought we should get company badges. I called the company operator and asked to talk to the people responsible for issuing badges. She connected me to the reception desk. I told the person who answered that I was the CIO and I had subcontractors who needed to be issued badges. She told me, "Just send them down now." Jeff and I went back downstairs, at which point the receptionist recognized us and said she had tried to talk to us when we came in. We apologized, saying we didn't know we had to stop and were there to make everything right. A uniformed guard, who'd been standing next to the desk, led us to a room with a machine. There, we filled out a form requesting name, company, and contact information, which the guard didn't verify, and had our pictures taken. We made small talk with the guard, who asked what type of work we were doing. 
I told her it was computer work, and she asked, "Will you need access to the computer room?" "Definitely," I replied. She then made sure our badges were authorized to open computer-room locks. When the badges were finished, the guard handed them to us and told us the access privileges might not take effect for a couple of hours. Back in our office, Kevin told us he'd identified more than 250 Web servers through network scanning. The preponderance of Web servers indicated that the company had lost control of the internal architecture and was wasting resources. Most important, these systems were poorly maintained. These and the end-user PCs were vulnerable to viruses, worms, and other attacks. The file and mail servers were generally secure but still had some vulnerabilities. Easy Access Next we decided to scope out the computer room. The three of us headed to the basement, where we spotted a door in a back corner labeled "Computer Room." Duh. We entered the server room, which was unattended. We walked around, looking at the monitors, most of which were labeled. Kevin noticed that one was labeled "PDC," likely for primary domain controller. Kevin found that the system was logged on as the administrator. He quickly opened the User Administration tool and added a new user to the system, then added the user to the Administrator group. Then we left, quite unnoticed. Back to our office, Kevin logged on to the PDC and had control of the company's entire Windows infrastructure. He downloaded the password file and proceeded to crack passwords. Jeff started calling people he'd identified in his research and used several ruses to get them to disclose their passwords. He claimed to be an administrator investigating a security incident in which an outsider had called the help desk to change people's passwords. Of course, the employees then had to tell him their passwords. Jeff then pulled up the names of key employees and started to focus on the cracked passwords. 
Because the company's user IDs were predictable, Jeff and Kevin identified the CEO's and pulled up his password. They logged on to his account. They also learned the CEO's secretary's name and pulled up her account. We acquired information critical to the company's success, such as financial information, key project status, multibillion-dollar proposals, and other insider information. We also accessed information that could have compromised the CEO's personal safety, such as the tail number of the private jet he uses to fly into high-risk areas. We got to the CEO's information through other means as well. Our espionage simulation included physical walkthroughs, and we specifically targeted the information-systems and human-resources departments and the executive offices. Again, the card-access systems gave us access to all the necessary facilities. Although some people didn't leave anything that could give us access to sensitive information, more than enough people had their passwords hidden in plain sight--taped to monitors or under keyboards--that we could access their accounts and, therefore, other people's information. In the executive offices, keys and passwords, while not universally available, often were easy to find. For example, the CEO's secretary had the CEO's password written on a piece of paper inside her desk, even though the password was his first name. We gained access to the secretary's desk by finding a set of keys in another desk in the executive area. Also inside the secretary's desk was a key to the CEO's office. We had similar success getting data from the offices of the CFO and general counsel. Then there were the Unix systems. By the second day, the CIO thought we could take some chances that I advised him we wouldn't take in real life because we already had the ability to control all the systems remotely. He specifically wanted me to get physical access to the network operations center. 
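The CEO's password being his first name, and the user IDs being predictable enough to derive his login from a directory listing, are weaknesses a defender can audit for before a tester does. The following is an added example, not part of Winkler's article or his team's tooling: given a cracked-password dump joined with the directory's names, it predicts each login from a first-initial-plus-surname convention (an assumption, since the article does not say which pattern the company used) and flags every password built from the user's own first name, last name or login, or from the company name, with or without a short numeric suffix such as "1" or "2006". The user records and the company name "Acme" are constructed.

```python
"""Audit a cracked-password dump for identity-derived passwords.

Added example, not Winkler's or his team's tooling. Joins each cracked
password with the directory record and flags passwords built from the
user's own first name, last name or login, or from the company name,
optionally followed by a short digit run such as "1" or "2006".
All records and the company name are constructed.
"""
import re
from typing import Dict, List, Optional

COMPANY = "Acme"   # assumed company name for the constructed records


def predict_login(first: str, last: str) -> str:
    """The predictable ID convention assumed here: first initial + surname."""
    return (first[0] + last).lower()


def _norm(s: str) -> str:
    """Lowercase and drop punctuation so 'Acme2006!' compares as 'acme2006'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def identity_derived(password: str, first: str, last: str, login: str,
                     company: str = COMPANY) -> Optional[str]:
    """Return why the password is derived from identity data, or None."""
    p = _norm(password)
    candidates = [
        ("first name", _norm(first)),
        ("last name", _norm(last)),
        ("login", _norm(login)),
        ("company name", _norm(company)),
        ("first+last name", _norm(first + last)),
        ("last+first name", _norm(last + first)),
    ]
    # Exact match, or the identity string followed by one to four digits.
    for label, c in candidates:
        if len(c) < 3:
            continue
        if p == c:
            return f"equals {label}"
        if p.startswith(c) and re.fullmatch(r"[0-9]{1,4}", p[len(c):]):
            return f"{label} plus digits"
    # Weaker signal: a long enough identity string anywhere in the password.
    for label, c in candidates:
        if len(c) >= 4 and c in p:
            return f"contains {label}"
    return None


# Constructed dump: directory fields joined with cracked passwords.
CRACKED: List[Dict[str, str]] = [
    {"first": "John",   "last": "Smith", "login": "jsmith", "password": "John"},
    {"first": "Mary",   "last": "Jones", "login": "mjones", "password": "mjones1"},
    {"first": "Robert", "last": "Lee",   "login": "rlee",   "password": "Acme2006!"},
    {"first": "Kiran",  "last": "Patel", "login": "kpatel", "password": "Tr0ub4dor&3"},
]


def audit(records: List[Dict[str, str]]) -> Dict[str, Optional[str]]:
    """Map each login to the reason its password is weak, or None."""
    return {r["login"]: identity_derived(r["password"], r["first"], r["last"], r["login"])
            for r in records}


def predictable_logins(records: List[Dict[str, str]]) -> List[str]:
    """Logins an outsider could derive from a name alone."""
    return [r["login"] for r in records
            if r["login"] == predict_login(r["first"], r["last"])]


if __name__ == "__main__":
    for login, reason in audit(CRACKED).items():
        print(f"{login:8} {reason or 'no identity match'}")
    print("logins following the predicted pattern:", predictable_logins(CRACKED))
```

Run against a real dump this is only a first pass: it catches the "first name" and "company plus year" cases the article describes, but not keyboard walks or leaked-list reuse, which need a wordlist check rather than a derivation check.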
Jeff found out the name of a technical support person who was away for a week. Sporting our headquarters access badges, we drove over to the network operations center, walked up to this building's receptionist, and told her we were there to see the person we knew was away. She told us he was out for the week. I replied that we were with the audit staff and needed to make sure we had all the systems cataloged in advance for the upcoming audit. I said we'd been told that person would show us around the center so we could count the systems. She volunteered to show us the facility. We had planned how the attack would go. Jeff was to stay near the woman, and I would wander out of sight. As in most such operations centers, system names and IP addresses were taped to the system boxes. We recorded the names and addresses. While Jeff was distracting our escort and I was out of sight behind an equipment rack, I pulled something out of my bag and put it in the racks as if it were a network tap. After a couple of minutes, we told the woman we had everything we needed, and we left. Spyware Installed From a technical perspective, Kevin had found critical vulnerabilities in the network operations center's main servers before our visit. The systems appeared to be well-patched. However, staff members didn't check the servers regularly for vulnerabilities and missed reinstalling all patches when they reloaded operating systems. Because of the nature of the vulnerabilities found, we would have had to reboot the systems to finish the compromise and get root privileges on the critical servers. We didn't want to bring down the system, so Kevin came up with an alternative attack. Thanks to the password-cracking Kevin had performed, he compromised the Sun admin's desktop system, which was actually a Windows system. He installed spyware that let him watch the administrator's activities and control the system.
We waited for the admin to perform a remote logon to the Unix systems, which would let us capture the admin accounts and passwords. Although we didn't need to do this because Kevin had identified vulnerabilities on the servers, it was a way to get root access without bringing down the systems. We eventually got the admin accounts for the Unix network. This, of course, provided an immense amount of engineering and project data. All in all, this was a busy two days--yes, two days. Generally, all company information was available to us. We didn't have any information that a malicious party couldn't have found independently and with minimal effort. Although some might say we were just lucky, my teams consistently have this level of success in this time frame. The people who will cause you the most harm are the professional and malicious criminals who want to access your information or cause you damage without being detected. Although these criminals might not get the same results as we did in two days, they very well may have more funding and time than we did and could use those to their advantage.
-=- Lessons Learned
Our simulated espionage yielded the following recommendations:
* Demand authorization and verification from a company employee or sponsor for a person to receive a facility access card.
* Require special approval of the manager responsible for a facility for extra access privileges and notify that manager when such access has been granted.
* Establish security-awareness programs that include both physical and technical issues.
* Perform regular vulnerability scans on all network systems.
* Maintain audit logs for critical systems and review them regularly.
* Log out of critical systems when not in use and activate screen savers with passwords, even when they're in supposedly secured areas.
* Never assume you can hide keys or passwords. There are just so many places they can be hidden, and people will find them.
* Perform regular walkthroughs to find obvious vulnerabilities.
-=- Ira Winkler, CISSP, is president of the Internet Security Advisors Group and the author of Spies Among Us (Wiley, 2005). This article originally appeared in Secure Enterprise, an InformationWeek sister publication.
*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
From isn at c4i.org Tue Jan 17 01:30:33 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 17 Jan 2006 00:30:33 -0600 (CST) Subject: [ISN] Attempt to Steal Vital Korean LCD Technology Foiled Message-ID: http://english.chosun.com/w21data/html/news/200601/200601160018.html Jan. 16, 2006 A former employee with Samsung Electronics has been arrested on charges of industrial espionage in the attempt to set up on his own in China using cutting-edge liquid crystal display technology stolen from his former employer. Besides spiriting away thin-film transistor LCD technology used to produce computer monitors and cell phone and TV screens, the man identified as Park is also charged with trying to poach Samsung research staff. Prosecutors applied for an arrest warrant on Monday against Park on suspicion of trying to set up a TFT-LCD color filter factory in Shenzhen, China. They also booked another former Samsung employee identified as Bae and a current researcher with the firm on related charges without detention. Park is accused of conspiring with Bae in March 2004 to obtain nine confidential documents about production of TFT-LCDs and receiving another document from the researcher in September last year, prosecutors said.
They are also investigating suspicions that Park tried to lure 10 former and current Samsung R&D staff with the promise of high salaries. Samsung Electronics spent some W260 billion (US$260 million) on R&D for the TFT-LCD core technology, and its theft could have caused it some W5 trillion ($5 billion) in losses over the next five years, the National Intelligence Service said. The agency says it prevented losses of W35.5 trillion by uncovering 29 cases of industrial espionage in 2005 alone. From isn at c4i.org Tue Jan 17 01:31:09 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 17 Jan 2006 00:31:09 -0600 (CST) Subject: [ISN] Linux Security Week - January 16th 2006 Message-ID:
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                 |
| January 16th, 2006 Volume 7, Number 3n                              |
|                                                                     |
| Editorial Team: Dave Wreski dave at linuxsecurity.com               |
|                 Benjamin D. Thomas ben at linuxsecurity.com         |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Advancing Firewall Protection," "Five mistakes of vulnerability management," and "A Step-By-Step Guide to Computer Attacks and Effective Defenses."
--- Earn an NSA recognized IA Masters Online The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/linsec
--- LINUX ADVISORY WATCH This week, perhaps the most interesting advisories include hylafax, hal, poppler, pdftohtml, libpaperl, xpdf, gpdf, and apache2. The distributors include Gentoo and Mandriva. http://www.linuxsecurity.com/content/view/121206/150/
--- * EnGarde Secure Community 3.0.3 Released 6th, December, 2005 Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment. http://www.linuxsecurity.com/content/view/121150/65/
--- Hacks From Pax: SELinux Administration This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux. http://www.linuxsecurity.com/content/view/120700/49/
--- Hacks From Pax: SELinux And Access Decisions Hi, and welcome to my second of a series of articles on Security Enhanced Linux. My previous article detailed the background of SELinux and explained what makes SELinux such a revolutionary advance in systems security. This week, we'll be discussing how SELinux security contexts work and how policy decisions are made by SELinux. SELinux systems can differ based on their security policy, so for the purposes of this article's examples I'll be using an EnGarde Secure Linux 3.0 system, which by default uses a tightly configured policy that confines every included application. http://www.linuxsecurity.com/content/view/120622/49/
--- --> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------+ | Security News: | <<-----[ Articles This Week ]---------- +---------------------+ * Review: Advancing Firewall Protection 9th, January, 2006 With more than one million users, U.K.-based SmoothWall's Firewall may just be the most popular software firewall that has yet to become a household name. Test Center engineers recently took a look at products from SmoothWall to see what all the buzz is about and to see exactly why one million users have chosen the product. http://www.linuxsecurity.com/content/view/121188 * A better VNC with FreeNX for remote desktop control 9th, January, 2006 VNC is well-known for allowing the remote control of another desktop machine via your own computer. For instance, using VNC you can easily control your home PC from work, and vice versa. The problem with VNC is that it's not overly secure and it can be quite slow, particularly if you have a lot of fancy graphics or backgrounds on the remote computer. Other solutions also exist for remote control of a GUI, such as running X over ssh, proprietary tools like Apple's Remote Desktop, etc., but they all tend to have the same drawbacks; they are either insecure or tend to be slow. http://www.linuxsecurity.com/content/view/121185 * Hackers are ready for IPv6... are you? 10th, January, 2006 One of the arguments for moving to version 6 of the Internet Protocols is that it will offer more security. This may well be true in the long run. But for the time being, IPv6 is likely to introduce more complexity and create more problems than it solves. http://www.linuxsecurity.com/content/view/121190 * It's time to take IPS seriously 13th, January, 2006 Fear unites us. We used to be afraid of network problems, such as bandwidth and broken switches. Now we're afraid of the bad guys. 
Our networks must be connected to the Internet, yet the Internet is a cesspool of attackers constantly hammering on our defences, looking for that chink in the armour. It's not just the Internet: we fear our own users, lest their indispensable laptops acquire some vagrant affliction while driving by a Starbucks Wi-Fi hot spot. http://www.linuxsecurity.com/content/view/121210 * Security flaws on the rise, questions remain 11th, January, 2006 After three years of modest or no gains, the number of publicly reported vulnerabilities jumped in 2005, boosted by easy-to-find bugs in web applications. Yet, questions remain about the value of analyzing current databases, whose data rarely correlates easily. A survey of four major vulnerability databases found that the number of flaws counted by each in the past five years differed significantly. However, three of the four databases exhibited a relative plateau in the number of flaws publicly disclosed in 2002 through 2004. And, every database saw a significant increase in their count of the flaws disclosed in 2005. http://www.linuxsecurity.com/content/view/121198 * Five mistakes of vulnerability management 12th, January, 2006 Vulnerability management is viewed by some as an esoteric security management activity. Others see it as a simple process that needs to be done with Microsoft Corp.'s monthly patch update. Yet another group considers it a marketing buzzword made up by vendors. This article will look at common mistakes that organizations make on the path to achieving vulnerability management perfection, both in process and technology areas. http://www.linuxsecurity.com/content/view/121203 * Linux Command Reference: Linux Shortcuts and Commands 13th, January, 2006 This is a practical selection of the commands we use most often. Press to see the listing of all available commands (on your PATH). On my small home system, it says there are 2595 executables on my PATH. 
Many of these "commands" can be accessed from your favourite GUI front-end (probably KDE or Gnome) by clicking on the right menu or button. They can all be run from the command line. Programs that require GUI have to be run from a terminal opened under a GUI. http://www.linuxsecurity.com/content/view/121207 * Apache shot with security holes 9th, January, 2006 Companies running Apache and a PostgreSQL database are at risk from serious Internet intrusion. Red Hat warned of a flaw late last week in mod_auth_pgsql, an Apache module that allows authentication against information in popular open-source database PostgreSQL. http://www.linuxsecurity.com/content/view/121187 * Novell delivers security shield for Linux computers 10th, January, 2006 Novell plans to release software on Tuesday that is designed to make it harder for new attacks to compromise existing Linux-based computers. The software, called AppArmor, is one of several products in the security realm based on the idea of mandatory access controls. The technology limits a running software program's privileges only to those absolutely necessary. http://www.linuxsecurity.com/content/view/121193 * A Step-By-Step Guide to Computer Attacks and Effective Defenses 9th, January, 2006 Five years after writing one of the original books in the hack attack and countermeasures genre of books, Ed Skoudis has teamed up with Tom Liston to create a revised and updated version. Counter Hack Reloaded brings Counter Hack up to date with new technologies and attack types as well as providing the information you need to protect your computer and network from being targeted by these attacks. http://www.linuxsecurity.com/content/view/121184 * Information Security Salaries Rise 10th, January, 2006 A new study released today confirms that there is indeed a growing market for IS expertise. 
Alan Paller, director of research at The SANS Institute, a respected IT research and education organization, suggests that people "are waking up to the fact that there's a shortage of security talent." http://www.linuxsecurity.com/content/view/121191 * Rising to a Higher Standard Isn't Easy 10th, January, 2006 Some employees are held to a higher standard of behavior than most. Anyone in a position with broad powers or influence falls into this group, including accountants, managers, systems administrators -- and information security professionals. Like systems administrators, information security professionals generally have access to a great deal of data and information. Even if they don't have direct access, they generally know how to obtain it by exploiting a weakness (like hackers, but with the opposite intent) or by simply giving themselves elevated privileges. http://www.linuxsecurity.com/content/view/121192 * Debate Looms for GPL 3 Draft 10th, January, 2006 The first draft of GNU General Public License Version 3 will be unveiled next week at the Massachusetts Institute of Technology in Cambridge, Mass., but that milestone is likely to be more of a beginning than an ending. http://www.linuxsecurity.com/content/view/121195 * Feds to banks: Put security policies in writing 11th, January, 2006 Even if federal law doesn't explicitly say so, all companies that handle personal information for their customers should have written security policies, a computer security attorney said Tuesday. Last month, the Federal Reserve Board, which governs the U.S. banking industry, issued a new guide stating that all banks and other financial institutions must take certain steps to safeguard the personal data they handle. 
http://www.linuxsecurity.com/content/view/121196 * Establishing Information Security Standards 11th, January, 2006 This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs. http://www.linuxsecurity.com/content/view/121197 * Homeland Security Extends Scope To Open Source Software 11th, January, 2006 Through its Science and Technology Directorate, the Homeland Security Department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis. http://www.linuxsecurity.com/content/view/121199 * FBI says attacks succeeding despite security investments 11th, January, 2006 Despite investing in a variety of security technologies, enterprises continue to suffer network attacks at the hands of malware writers and inside operatives, according to an annual FBI report released today. Many security incidents continue to go unreported. http://www.linuxsecurity.com/content/view/121200 * Linux Security: A Good Thing Keeps Getting Better 12th, January, 2006 A tech expert explains why Linux has remained a bright spot in an increasingly grim IT security picture, and how businesses can ensure effective, reliable security for their own Linux-based systems. Linux has never had to face the challenges that Microsoft Windows faces now (and in the past) in those areas of security that we are most familiar with today. Specifically those relating to client use of an OS. 
http://www.linuxsecurity.com/content/view/121202 * Linux Security HOWTO Updated 12th, January, 2006 The Linux Security HOWTO has been revised and updated. The HOWTO provides a great overview of all issues involved in securing a Linux system, with links to software and other great sources of information on practical methods of enhancing the security of any Linux-based system. http://www.linuxsecurity.com/content/view/121204 * Mozilla Releases Thunderbird 1.5 13th, January, 2006 Mozilla Corp. on Thursday released the 1.5 version of its Thunderbird e-mail client, building and improving on automated spam and security control as well as offering easy access to podcasts. Based on a year of feedback from its user base, Thunderbird said it has improved its updating procedures in the release for automatic downloading of some updates in background mode while prompting users when the updates are ready for installation. http://www.linuxsecurity.com/content/view/121209 * RSS malware plague predicted for 2006 13th, January, 2006 The fast growing popularity of RSS (really simple syndication) means that the technology will pose increasingly significant problems for IT security professionals this year, new research has warned. ScanSafe's latest web security report notes an explosive growth in the use of RSS feeds to pull updated content via HTTP and XML rather than having it being pushed to them by SMTP. http://www.linuxsecurity.com/content/view/121211 * Three more states add laws on data breaches 9th, January, 2006 Companies struggling to keep up with a patchwork of state laws related to data privacy and information security have three more to contend with, as new security-breach notification laws went into effect in Illinois, Louisiana and New Jersey on Jan. 1. 
Like existing statutes in more than 20 other states, the new laws prescribe various actions that companies are required to take in the event of a security breach involving the compromise of personal data about their customers. http://www.linuxsecurity.com/content/view/121186 * Nine city hotspots will offer wireless internet use 12th, January, 2006 From March, residents in nine urban centres across Britain will be able to access the internet from their laptops outdoors, without cables, and use their mobile phones to make calls over the web after a small technology firm launches the first part of a nationwide WiFi network. The move to roll out wireless internet technology will threaten the revenues of Britain's mobile phone operators. http://www.linuxsecurity.com/content/view/121201 * Preventing Buffer Overflow Exploits Using the Linux Distributed Security Module 13th, January, 2006 The sad thing about buffer overflow exploits is that good programming practices could wipe out even potential exploits, however, that simply has not happened. The only defence against such exploits should revolve around controlling access to sensitive systems, installing software updates that replace exploitable software, and being aware of what a buffer overflow exploit looks like when your system is the intended victim. http://www.linuxsecurity.com/content/view/121208 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message. 
------------------------------------------------------------------------ From isn at c4i.org Tue Jan 17 01:32:28 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 17 Jan 2006 00:32:28 -0600 (CST) Subject: [ISN] Windows Wi-Fi vulnerability discovered Message-ID: http://news.com.com/Windows+Wi-Fi+vulnerability+discovered/2100-1029_3-6027399.html By Tom Espiner Special to CNET News.com January 16, 2006 A Windows feature that automatically searches for Wi-Fi connections can be exploited by hackers, a security researcher has warned. The feature is part of Windows XP and 2000 and was exposed as being vulnerable at hacker conference ShmooCon on Saturday by vulnerability researcher Mark Loveless. Loveless claimed that hackers can take advantage of the feature to include a user's PC in a peer-to-peer network, giving them access to information on its hard drive. When a PC running Windows XP or Windows 2000 boots up, it will automatically try to connect to a wireless network. If the computer can't set up a wireless connection, it will establish an ad hoc connection to a local address. This is assigned with an IP address and Windows associates this address with the SSID of the last wireless network it connected to. The machine will then broadcast this SSID, looking to connect with other computers in the immediate area. The danger arises if an attacker listens for computers that are broadcasting in this way, and creates a network connection of their own with that same SSID. This would allow the two machines to associate together, potentially giving the attacker access to files on the victim's PC. Security experts contacted by ZDNet UK on Monday confirmed that the flaw exists, but said that it should not be a problem for those using firewalls. Paul Wood, security analyst at MessageLabs indicated that users will probably be unaware that their computers have connected to the peer-to-peer network in such a way. 
MessageLabs believes that users running Windows XP Service Pack 2 (SP2) are not at risk. "This yet again is a wake-up call for those who haven't installed SP2. Any machines running a copy of XP without SP2 are saying 'Come and get me', as there are so many gaping threats," said Mark Sunner, chief technology officer at MessageLabs. Get some protection Experts recommended companies deploy a security policy, if one isn't already in place: "Any organization deploying a Wi-Fi network needs to implement a company security policy," said Sunner. "The potential victims are the road-warrior community. Does the in-house security department have a mechanism to check the visibility of remote machines?" MessageLabs also recommended that individual telecommuters be given personal firewalls. Individuals can also protect themselves by disabling Wi-Fi when not using it, said Greg Day, security analyst at McAfee. MessageLabs advised the following: "Users with Wi-Fi can disable the peer-to-peer facility by going to "Wireless Network Properties | Advanced | Network Access Point | Choose Infrastructure Networks Only," said Wood. "We recommend people only connect to infrastructure points, although some users may want to use peer-to-peer for head-to-head gaming and file sharing." MessageLabs pointed out that system administrators can also mitigate the problem by blocking ports 135, 137, 138 and 139--which in Sunner's words "should be nailed shut already"--from accepting NetBIOS connections. Day downplayed the potential of the attack: "Hackers are trying to class this as virus-like. You become part of the problem because your machine is now broadcasting on a peer-to-peer network. However, all this gives hackers is the ability to see other machines--they still have to write exploits. But if the user is patched or has a firewall, they are protected." Sunner echoed those feelings: "I'm a purist, and for me the (virus) analogy is not rooted in reality. Could it be self-replicating? 
It's not really within the realms of possibility," said Sunner. Criminal gangs were unlikely to target this flaw as it would be too labor-intensive to exploit, predicted MessageLabs, saying that it was "really a threat from script kiddies". Microsoft did not immediately respond to a request for comment. From isn at c4i.org Tue Jan 17 01:32:52 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 17 Jan 2006 00:32:52 -0600 (CST) Subject: [ISN] Suit filed against unknown computer hacker Message-ID: http://www.ecnnews.com/cgi-bin/15/etstory.pl?-sec-News+fn-computersuit.0115 By Stephanie Akin Staff Writer January 16, 2006 NORTH ANDOVER - A North Andover businessman is suing someone he says hacked into his e-mail account and sent defamatory messages to his personal and business associates. John Schroeder, president of the North Andover software company Ontar Corp., says in the suit that the e-mails held up a contract with the U.S. Navy and prompted his daughter's middle school teacher to report him to North Andover police. But the only clue he has on the identity of the hacker is the number the hacker's computer left behind when he or she sent the e-mails. Since Schroeder does not know the identity of the defendant, the case is filed against "John or Jane Doe." Experts on computer crimes said the case draws into focus a growing legal and academic debate about how far the legal system can go to investigate computer fraud and how well a computer can protect a person's privacy. Schroeder declined comment on the suit. But in documents filed at Essex County Superior Court, his lawyers called the e-mails "extreme and outrageous, beyond all possible bounds of decency, and utterly intolerable in a civilized community." Schroeder's first indication that someone was breaking into his accounts came last summer when two employees asked about e-mails he had not sent to them. About three months later, Schroeder was considering two candidates for the same job. 
When Schroeder sent an e-mail to offer the position to one of them, the hacker sent an identical e-mail to the other, court documents say. The e-mails then became more malicious. In December, a representative from the Naval Warfare Center called and e-mailed Schroeder to tell him Ontar, based at 9 Village Way, had won a contract to provide software to train Navy pilots. The next day, Sam Napier, a representative from the center, e-mailed Schroeder in response to an e-mail sent from Schroeder's business account. "I'm not sure what to make of this," he wrote. "Is someone in your computer messing around?" Napier attached a copy of the e-mail signed by Schroeder. "We are still in shock that you would select us for Phase II award," the e-mail read in part, "considering how much we lie, cheat and try to steal from the government." The same day Schroeder received the e-mail about the Navy contract, North Andover police told him they were investigating an e-mail sent from his America Online account to his daughter's teacher at North Andover Middle School. North Andover police Detective Lt. Paul J. Gallagher said the case was originally assigned to an investigator in charge of sexual assault before it was moved to the computer crimes unit. Schroeder's suit asks the defendant to pay for unspecified losses he and Ontar suffered because of the e-mails, including the costs of a lost or delayed contract from the Naval Warfare Center, which has asked Ontar to secure its computer system before finalizing the deal. Experts in computer law say lawsuits against anonymous Internet users can also force Internet service providers to cooperate with an investigation. Police told Schroeder that all the suspect e-mails sent from his accounts came from the same computer, a computer registered with the Internet service provider Comcast that left the same 10-digit Internet address behind every time it hacked into Schroeder's accounts. 
The computer's user breached Ontar's system throughout 2005, opening and sometimes deleting, and replying to and forwarding Schroeder's messages. Gallagher said North Andover police are still investigating and he could not comment on the case. John Palfrey, professor of Internet law at Harvard Law School and executive director of the Berkman Center for Internet & Society at Harvard, a think tank that studies Internet law, said lawsuits against anonymous or pseudonymous Internet users became popular about 2002 when the entertainment industry started using them to try to prosecute people pirating music and videos online. Palfrey said the cases have become so common that lawyers refer to them as "John Doe" lawsuits. Palfrey said Schroeder's suit sounds like one of the more straightforward John Doe cases because the person Schroeder said hacked into his account clearly defamed him. From isn at c4i.org Wed Jan 18 04:06:26 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 18 Jan 2006 03:06:26 -0600 (CST) Subject: [ISN] Hackers blackmail milliondollar site Message-ID: http://news.ft.com/cms/s/cd05a42c-87c6-11da-8762-0000779e2340.html By James Fontanella in London January 18 2006 The FBI is investigating the hijacking of milliondollar-homepage.com - the website that earned $1m (£566,000) for its British creator Alex Tew by hosting micro-advertisements - by hackers who demanded a ransom to restore the site. Mr Tew was sent a demand for $50,000 by e-mail by a hacker, believed to be Russian. When he refused, the website crashed. The e-mail, which was made available exclusively to the Financial Times, read: "Hello u website is under us atack to stop the DDoS send us 50000$." Graham Cluley, a senior technology consultant, said: "DDoS (Distributed Denial of Service) attack is a common way to block internet users accessing a site by flooding the website with traffic. 
"In August 2005 a US teenager was sentenced to five years juvenile detention for launching DDoS attacks against online sportswear retailers costing the company over $1.5m." Several gambling websites, as well as companies such as Microsoft, Ebay, Yahoo and CNN have also been victims of such attacks. Mr Tew first received a threat on January 7 from a body calling itself The Dark Group, demanding $5,000. He thought the blackmail was a hoax and took little notice. However, on Friday, Russell Weiss, president of InfoRelay, the internet server of milliondollarhomepage.com, told Mr Tew that the website was experiencing very high traffic and there was a risk that it could break down. On Wednesday when Mr Tew sold the final 1000 pixels on his site for $38,100 on Ebay, reaching his goal of earning $1m, the hackers intensified their attack and hijacked the website. The website should be up and running today after InfoRelay upgraded the security system. From isn at c4i.org Wed Jan 18 04:06:44 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 18 Jan 2006 03:06:44 -0600 (CST) Subject: [ISN] Oracle fixes pile of bugs Message-ID: http://news.com.com/Oracle+fixes+pile+of+bugs/2100-1002_3-6027847.html By Joris Evers Staff Writer, CNET News.com January 17, 2006 As part of its quarterly patch cycle, Oracle released on Tuesday fixes for a long list of security vulnerabilities in many of its products. The "Critical Patch Update" delivers remedies for 37 flaws related to Oracle's Database products, 17 related to Application Server, 20 to the Collaboration Suite, 27 to E-Business Suite and Applications, one to PeopleSoft's Enterprise Portal and one in JD Edwards software. Some of the flaws carry Oracle's most serious rating, which means they're easy to exploit and an attack can have a wide impact, according to the alert. 
"Several of these vulnerabilities are significant, and should be patched as soon as possible," security provider Symantec said in an alert to users of its DeepSight intelligence service. While there are a lot of fixes, the vulnerabilities are clearly marked, which could make them easier to deal with, Pete Finnigan, a security specialist in York, England, wrote on his blog. "This seems like a good mixed bag of fixes, quite a lot in total," he said. "This time it seems possible to isolate the areas affected in more cases due to the more explicit naming of some packages, programs and commands." In addition to the security fixes, Oracle also released a tool to check for default accounts and passwords. It's meant to help businesses defend their systems against the "Oracle voyager" database worm, which takes advantage of those default items. In response to the Oracle patch release, Symantec raised its ThreatCon global threat index to Level 2, which means an outbreak is expected. It typically does that after a patch release because malicious hackers might use the fixes as a blueprint for attacks. Oracle has been criticized for being slow to fix security flaws and being unresponsive to researchers who find bugs. Oracle's chief security officer, Mary Ann Davidson, has responded in turn by saying bug hunters themselves can be a problem when it comes to product security. The company recently said it was adding more automation to its bug-checking process. Copyright © 1995-2006 CNET Networks, Inc. All rights reserved. 
From isn at c4i.org Wed Jan 18 04:06:59 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 18 Jan 2006 03:06:59 -0600 (CST) Subject: [ISN] Microsoft Refutes Windows 'Back Door' Claim Message-ID: http://www.informationweek.com/story/showArticle.jhtml?articleID=177100970 By Gregg Keizer TechWeb News Jan 17, 2006 Microsoft has denied allegations that the Windows Metafile (WMF) bug is actually a "back door" planted by the company's developers so they could secretly access users' PCs. The charges were raised last week by Steve Gibson, security researcher best known for his ShieldsUp Web site, in a podcast. A transcript of that podcast is available here. Although Gibson presented no proof of the indictment -- he said that without access to Windows' source code, it would be impossible to prove, or disprove, his charge -- he said that any other explanation just didn't make sense. "This was not a mistake. This is not buggy code. This was put into Windows by someone," Gibson said in the podcast Thursday. Gibson went on to hypothesize that Microsoft created this back door as a way to add code to users' machines whenever it wanted to. "For example, if Microsoft was worried that for some reason in the future they might have cause to get visitors to their website [sic] to execute code, even if ActiveX is turned off, even if security is up full, even if firewalls are on, basically if Microsoft wanted a short circuit, a means to get code run in a Windows machine by visiting their website [sic], they have had that ability, and this code gave it to them," Gibson said. "I don't see any way that this was not something that someone in Microsoft deliberately put into Windows," he concluded. A Microsoft official denied the allegation in an entry on the Microsoft Security Response Center blog written late Friday. 
Program manager Stephen Toulouse wrote a detailed explanation of the "SetAbortProc" function's vulnerability, and said that the flaw was an inadvertent bug, not coding by design. "There's been some speculation that you can only trigger this by using an incorrect size in your metafile record and that this trigger was somehow intentional. That speculation is wrong on both counts," wrote Toulouse. Gibson said that one reason he began thinking that the WMF vulnerability was a back door was because he could exploit the flaw only with a metafile record of an incorrect size. But Toulouse rejected that claim. "The vulnerability can be triggered with correct or incorrect size values," said Toulouse, who said that Gibson's experience likely resulted from putting the SetAbortProc record as the last record in the metafile. Toulouse also acknowledged that the bug was introduced into Windows during a time when the security situation didn't include hackers using malicious image files to exploit vulnerabilities. "This was a different time in the security landscape and these metafile records were all completely trusted by the OS," he said. "When it was introduced, the SetAbortProc functionality served an important function." SetAbortProc, the vulnerable function in the graphics rendering engine (GDI), preceded the Windows Metafile format, said Toulouse, another reason why Gibson's charges don't add up. (SetAbortProc's duty is to allow for print jobs to be canceled.) Most other security experts rejected Gibson's back-door theory. "[There's] lots of old code hanging around Windows," said Richard Stiennon, director of threat research for Boulder, Colo.-based anti-spyware vendor Webroot. "Mr. Gibson is being spooked by ghosts of the past." 
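The following is an added example for readers of this archive, not code from the article, from Microsoft or from Steve Gibson: a small Python scanner that walks the records of a WMF file and flags the two things the exchange above turns on, a META_ESCAPE record carrying the SETABORTPROC escape code, and a record whose declared size is malformed. The layout facts it relies on (an optional 22-byte placeable header with magic 0x9AC6CDD7, an 18-byte standard header, records made of a 32-bit size in 16-bit words followed by a 16-bit function code, META_ESCAPE = 0x0626, GDI escape code 9 = SETABORTPROC) come from the WMF format itself, not from the article. The sample metafiles are constructed inline for illustration and contain inert filler, not an exploit.

```python
"""Static scan of a Windows Metafile (WMF) for SetAbortProc escape records.

Added example, not code from the article, Microsoft or Steve Gibson.
Format assumptions (from the WMF format, not from the article):
  - optional 22-byte placeable header, magic 0x9AC6CDD7
  - 18-byte standard header (mtType, mtHeaderSize=9 words, mtVersion,
    mtSize, mtNoObjects, mtMaxRecord, mtNoParameters)
  - records: rdSize (uint32, in 16-bit words), rdFunction (uint16), params
  - META_ESCAPE = 0x0626; GDI escape code 9 = SETABORTPROC
The sample metafiles at the bottom are constructed here for illustration.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
STANDARD_HEADER_LEN = 18
META_EOF = 0x0000
META_SETWINDOWORG = 0x020B
META_ESCAPE = 0x0626
SETABORTPROC = 9
MIN_RECORD_WORDS = 3  # rdSize (2 words) + rdFunction (1 word), no parameters


def scan_wmf(data: bytes) -> list:
    """Return a list of (offset, reason) findings for one metafile.

    A SetAbortProc escape is reported whether or not its rdSize is correct,
    matching Microsoft's statement that the size value is not the trigger.
    A record whose rdSize is too small to hold its own header, or which runs
    past the end of the file, is reported as malformed; after that the walk
    stops because rdSize can no longer be trusted to advance the cursor.
    """
    findings = []
    pos = 0
    if len(data) >= PLACEABLE_HEADER_LEN and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = PLACEABLE_HEADER_LEN
    if len(data) < pos + STANDARD_HEADER_LEN:
        return [(pos, "truncated standard header")]
    mt_type, header_words = struct.unpack_from("<HH", data, pos)
    if mt_type not in (1, 2) or header_words != 9:
        findings.append((pos, "unexpected standard header fields"))
    pos += STANDARD_HEADER_LEN

    while pos + 6 <= len(data):
        rd_size_words, rd_function = struct.unpack_from("<IH", data, pos)
        # Check the function code before trusting the size, so an escape
        # record with a bogus rdSize (Gibson's case) is still reported.
        if rd_function == META_ESCAPE and pos + 8 <= len(data):
            escape_code = struct.unpack_from("<H", data, pos + 6)[0]
            if escape_code == SETABORTPROC:
                findings.append((pos, "META_ESCAPE record with SETABORTPROC escape code"))
        if rd_size_words < MIN_RECORD_WORDS:
            findings.append((pos, f"rdSize {rd_size_words} words too small for a record"))
            break
        if rd_function == META_EOF:
            break
        rec_len = rd_size_words * 2
        if pos + rec_len > len(data):
            findings.append((pos, "rdSize runs past end of file"))
            break
        pos += rec_len
    return findings


def record(function: int, params: bytes, rd_size_words: int = None) -> bytes:
    """Build one WMF record; rd_size_words overrides the correct size when given."""
    if len(params) % 2:
        params += b"\x00"  # records are word-aligned
    words = (6 + len(params)) // 2 if rd_size_words is None else rd_size_words
    return struct.pack("<IH", words, function) + params


def escape_record(escape_code: int, payload: bytes, rd_size_words: int = None) -> bytes:
    """Build a META_ESCAPE record: escape code, byte count, then escape data."""
    return record(META_ESCAPE, struct.pack("<HH", escape_code, len(payload)) + payload, rd_size_words)


def build_wmf(records: list, placeable: bool = False) -> bytes:
    """Assemble a standard (optionally placeable) metafile from records."""
    body = b"".join(records)
    total_words = (STANDARD_HEADER_LEN + len(body)) // 2
    max_record = max((len(r) // 2 for r in records), default=0)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, max_record, 0)
    if not placeable:
        return header + body
    # Key, HWmf, BoundingBox (4 x int16), Inch, Reserved, Checksum
    prefix = struct.pack("<IH4hHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0)
    return prefix + header + body


# Constructed samples (illustration only; the "payload" is inert filler).
FILLER = b"\x90" * 8
BENIGN_WMF = build_wmf([record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)), record(META_EOF, b"")])
ABORTPROC_WMF = build_wmf([escape_record(SETABORTPROC, FILLER), record(META_EOF, b"")])
# Same escape record, but with rdSize deliberately set to 1 word.
SHORT_SIZE_WMF = build_wmf([escape_record(SETABORTPROC, FILLER, rd_size_words=1), record(META_EOF, b"")], placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("abortproc", ABORTPROC_WMF), ("short-size", SHORT_SIZE_WMF)):
        print(name, scan_wmf(blob) or "clean")
```

Run stand-alone it prints one line per constructed sample; in practice you would feed scan_wmf() the bytes of files arriving by mail or proxy. The order of the two checks inside the loop is the point: a scanner that validated rdSize first and gave up on a malformed record would miss exactly the variant Gibson described, while one that only looked at correctly sized records would miss nothing Toulouse described but would still be worth pairing with a size check, since a record that runs past the end of the file is never legitimate.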
From isn at c4i.org Wed Jan 18 04:06:14 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 18 Jan 2006 03:06:14 -0600 (CST) Subject: [ISN] EXCLUSIVE: TOP SECRET NAVY FILE FOUND IN PUB Message-ID: http://www.mirror.co.uk/news/tm_objectid=16592931&method=full&siteid=94762&headline=ship-shame--name_page.html By Greig Box And Chris Hughes Security Correspondent 17 January 2006 A SENSITIVE Royal Navy document detailing a warship's top-secret Middle East tour of duty has been found lying on a pub table. Student Michael Blown, 22, spotted the papers showing the movements of the frigate HMS St Albans as he played pool with his friends. The lapse could have left British Royal Marines and sailors open to an attack similar to the suicide bombing of USS Cole in Yemen in 2000 which killed 17 sailors. Mr Blown said: "If this had been found by a terrorist sympathiser God knows what could have happened. It's very serious. It's incredibly sloppy." The two-page document lists every planned movement of HMS St Albans until the end of 2007. Marked "restricted", it warns servicemen that the information must not be "divulged to anyone" outside their immediate family. The document, titled "HMS St Albans Longcast", includes the times and dates of operations in Iraq, Beirut, Bahrain, Qatar, Dubai, the Persian Gulf and Suez. The ship's patrols in the Middle East are codenamed as part of Operation Iraqi Freedom and Operation Enduring Freedom. Last night, Ministry of Defence officials thanked the Mirror for returning the document. The Navy may now be forced to change the ship's schedule. HMS St Albans is a Type 23 Frigate, the mainstay of the Navy's modern surface fleet. She has two missile launchers, a Sea Wolf anti-missile system, anti-submarine torpedoes, depth-charges, machine guns and decoy launchers. There is also an anti-submarine helicopter on board. Mr Blown found the ship's timetable near a pool table in The Albany, a pub popular with sailors in Portsmouth. 
Minutes earlier five men in their 30s, had been playing pool. When Mr Blown realised the importance of his discovery he gave the document to the Mirror and we handed it in to the MoD. It was dated December 1 and was signed by GC Atkinson, Lt Cdr RN. At the end of the two-year operational timetable, he warns: "This Longcast is classified Restricted and the information contained within it should not be divulged to anyone outside your immediate family." The brief is a full timetable for marines and sailors for the next two years. The Mirror will not publish the exact dates and details for security reasons. Mr Blown said: "I was playing pool with my mates when I spotted it on view. It was on a small table. "I wondered what it was and as I read it I couldn't believe my eyes. "It didn't click at first. But when it did and I realised sensitive information had just been left lying around for anyone to pick up I thought 'bloody hell'. "Whoever is responsible for losing it needs to be severely spoken to." He went on: "A group of five men had been playing pool and drinking at the table before we played. "It must have belonged to one of them. "They clearly had drunk a few and just left it next to their empties. "The document is clearly operational. It's frightening in this day and age of security worries that it could be left in a boozer. Anyone could have found it." A spokesman for the Royal Navy said: "We are very grateful to the Daily Mirror. "It is important that our families know what may be happening in the future and we provide this initial planning document as an indication. "It is not classified but it is sensitive and we make it clear that those given copies should look after them. "That this information has entered the public domain is disappointing. "We will need to take this into account when we make the risk assessments for the port visits and in finalising the ship's programme over the next year. 
We will be reminding our people of the importance of looking after this document in the future.

"We do of course conduct a rigorous risk assessment before any port visit is finalised."

HMS St Albans was launched on the Clyde five years ago. After a brief stay in Portsmouth in November 2000, she patrolled waters for six months around the Horn of Africa to the northern Gulf, intercepting suspect vessels in the hunt for terrorists.

HMS St Albans, which is the last of 16 Type 23 frigates built for the Navy, has taken over duties from her sister ship HMS Kent.

The vessel has one of the Navy's newest anti-submarine helicopters on board - a Merlin - to help hunt down suspicious vessels.

In 2004 HMS St Albans was deployed on Operation Oracle, patrolling the Arabian Sea looking out for terror suspects. She is currently in dock in Portsmouth.


From isn at c4i.org Wed Jan 18 04:07:11 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 18 Jan 2006 03:07:11 -0600 (CST)
Subject: [ISN] Banks to face no charges over India data theft incident
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,107808,00.html

By James Niccolai
JANUARY 17, 2006
IDG NEWS SERVICE

The U.K. banks whose customer data was allegedly stolen from an Indian call center and sold to an undercover reporter last year will face no charges, a spokesman for the U.K. Information Commissioner's Office said.

The office, which helps enforce the U.K.'s 1998 Data Protection Act, has received no complaints about the alleged data theft since it was reported by the Sun newspaper last June, and has also not seen evidence that the incident took place, the spokesman said.

"We haven't been able to get [evidence] from the Sun," the spokesman said Monday. "Without any further information, there's really no case."

The Commissioner's Office concluded from its investigations that security policies at the Indian call centers were sufficient, the spokesman said.
According to the Sun story last year, the undercover reporter bought information relating to 1,000 bank accounts from a seller who said he had gathered the data from contacts at call centers in Delhi. The data pertained to accounts held in British banks that had outsourced work to call center companies in and around Delhi, the tabloid newspaper said.

The seller, identified by the Sun as Kkaran Bahree, told the reporter that he could provide 200,000 more account details per month, the Sun reported.

Police in Delhi have said they could not arrest Bahree because they received no formal complaint from the call-center companies, the banks or their customers. India's National Association of Software and Service Companies has also said it never received a complaint, and Bahree was never charged (see "No complaints filed over data theft in India" [1]).

Bahree has claimed that he gave the Sun reporter a CD at the insistence of a friend without knowing that it held classified contents. One NASSCOM official has accused the newspaper of conducting a "sting operation" in order to tarnish the reputation of India's outsourcing industry.

The Sun has said it turned over information about the incident, including the names of the banks involved, to the City of London Police. However, the City of London Police has said it had no jurisdiction to bring prosecution in the U.K. and that it passed the information on to the Indian authorities.

The spokesman for the Information Commissioner said the case could be reopened if complaints or evidence relating to the data theft turn up.

[1] http://www.computerworld.com/industrytopics/financial/story/0,10801,104003,00.html


From isn at c4i.org Wed Jan 18 04:07:31 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 18 Jan 2006 03:07:31 -0600 (CST)
Subject: [ISN] Web Attack Crashes TippingPoint IPS
Message-ID:

http://www.eweek.com/article2/0,1895,1912048,00.asp

By Paul F. Roberts
January 17, 2006

Mysterious Web attack traffic caused some of 3Com Corp.'s TippingPoint IPS devices to crash last week, requiring a hasty patch by the company.

Some TippingPoint customers had their IPS (intrusion prevention system) appliances crash while trying to process a specific kind of Internet attack traffic last week. The company learned of the problem on Friday and issued an update for the TOS (TippingPoint OS) software within hours, said Laura Craddick, TippingPoint's public relations manager.

At York University in Toronto, TippingPoint IPS devices began crashing repeatedly on Friday, Jan. 13, prompting a call to the vendor, said Ramon Kagan of the University's Computing and Network Services department.

The crashes were caused by malicious HTTP traffic that attempted to trigger a known security vulnerability in another product. The HTTP attack traffic eventually caused the TOS software, which runs the company's IPS appliances, to crash, bringing down the whole device, he said.

Reports of the crashes were sporadic, because only a very specific type of attack traffic triggered the hole, Kagan said. He declined to provide details about the malicious traffic that crashed the IPS devices.

Complaints about the problem reached the Austin, Texas, company on Friday, about one day after TippingPoint shipped updated attack signatures to its clients. 3Com released new versions of the TOS software to address the issue, Craddick said.

Customers who were affected by the crashes speculated in an online discussion group that they may have been caused by a conflict with new attack signatures distributed the day before. However, TippingPoint contends that the behavior was caused by a flaw in the TOS software, not by a bad signature, Craddick said.

The university has been using TippingPoint's IPS technology for two years, Kagan said.
With the TippingPoint appliance offline, staff at York University had to deal with a mild increase in traffic, and used IDS (intrusion detection system) software to filter out some attacks. However, Kagan expressed satisfaction that 3Com responded within five hours with a software patch that fixed the problem.

Customers who have not done so should upgrade their TippingPoint appliances to version 2.1.4.6324 or 2.2.1.6506 of TOS, Craddick said.


From isn at c4i.org Wed Jan 18 04:07:53 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 18 Jan 2006 03:07:53 -0600 (CST)
Subject: [ISN] Mac users 'too smug' over security
Message-ID:

http://news.bbc.co.uk/1/hi/technology/4609968.stm

Bill Thompson
BBC World Service
16 January 2006

The first known computer virus, the Elk Cloner, is 25 years old.

Since its appearance we have seen hundreds of thousands of malicious programs and their impact on our computer use has been immense.

Millions of people have lost work, had their private information stolen or simply had to waste precious hours cleaning up their computers after infection.

A small number of companies have grown rich on the sales of anti-virus software, while organised crime is believed to commission many of today's viruses as a money-making venture, selling services to spammers or using them to blackmail websites.

That first virus was specific to the Apple II computer and spread by inserting itself into the operating system files that were installed on every boot floppy, since this was in the days before hard drives in personal computers and few of us had network connections.

Slipped disk

Those halcyon days when you only had to remember to scan every floppy disk for infection are long gone, of course.

Now the broadband internet connection that keeps me always online leaves me always vulnerable, and regular virus scans are the order of the day.

And viruses are only one of the ways that malicious software spreads.
Worms and Trojans are just as dangerous, and often harder to protect against.

These days Apple users are almost unbearably smug when the subject turns to malware.

I was invited to appear on Radio Four's You and Yours this week to talk about viruses and other malware and our focus was on issues with Windows since it is the most commonly used operating system.

After the show we got dozens of e-mails from complacent Mac users pointing out that they were safe and suggesting that people simply abandon Windows if they want to be secure.

It would certainly be wonderful if the Macintosh computer and its operating system were immune to attack but this is just wishful thinking.

Mac OS is certainly a lot better than Windows, but being better isn't nearly enough.

Mac OS may not have the gaping holes that let viruses spread, but worms, spyware and even keyloggers are out there.

They can't spread as easily, and most would only be installed by a careless user clicking "Accept" on a dodgy install dialog, but the regular stream of security fixes from Apple's software update service makes it clear that there are real dangers.

After all, Mac OS is built on top of the Unix operating system and it, like its close relative Linux, has many well-known security problems that can allow it to be compromised.

Owner occupier

Sometimes Apple make things worse.

For example, widgets, small programs that can do things like search online dictionaries or let you listen to streamed BBC programs, can be installed without your permission when you visit a website using the Safari browser, just like Windows does with ActiveX controls. It took Apple weeks to fix this.

And though Microsoft's tribulations over the recently-discovered vulnerability in the way Windows Meta File images are handled made the papers, accompanied by howls of protest from those who wanted the company to rush out an untested fix, a similar flaw in Apple's own QuickTime received very little publicity.
Any Mac user who believes they are totally safe is being reckless with their files and personal information. What's worse, they are also being reckless with mine.

One reason why there aren't many malicious Mac programs is that there are fewer Mac users out there, but the fact that some have been written shows that they are possible in principle.

If the millions of internet-connected Macs are left open to attack then this increases the chance that an effective Trojan or piece of spyware will reach critical mass and spread rapidly, and it also increases the incentive for a bright programmer to write Mac-specific malware that could affect me.

It's exactly like the spread of infectious diseases, and one of the reasons why we vaccinate our children against many illnesses that are now uncommon.

If we maintain what is called "herd immunity", then even if there is an outbreak, it will not spread and become an epidemic.

There may not be any Mac viruses at the moment, and the way the system handles user accounts and security means that they are unlikely, but we need to take steps to safeguard ourselves against other malicious software.

As things stand, the Mac community has no herd immunity because most users seem to assume that they don't need to take preventive action.

Although the risk of a malicious Mac program spreading as quickly as any Windows one is very low, it should not be ruled out. After all, the very first internet worm, back in 1988, affected Unix systems with a security model very similar to Mac OS.

The Mac ships with a good firewall, and it should be used. There are tools to scan your system for known malicious programs or to check whether it has been hacked into, and they should be used too.

Mac users demonstrate an indefensible smugness when it comes to the dangers of having their systems compromised by malicious software and opened up to exploitation by others.

It's time they started behaving a bit more responsibly.
From isn at c4i.org Fri Jan 20 01:13:53 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 20 Jan 2006 00:13:53 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-3
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2006-01-12 - 2006-01-19

                       This week : 92 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

82 vulnerabilities and security issues have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to gain knowledge of certain information, overwrite arbitrary files, and to conduct SQL injection attacks.
Additional details about the vulnerabilities can be found in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA18493

--

A vulnerability has been reported in AOL, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Fixes are available from the vendor; please refer to the referenced Secunia advisory for details.

Reference:
http://secunia.com/SA18521

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA18255] Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution
2.  [SA18368] Microsoft Outlook / Exchange TNEF Decoding Arbitrary Code Execution Vulnerability
3.  [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
4.  [SA18521] AOL You've Got Pictures ActiveX Control Buffer Overflow
5.  [SA18131] Symantec AntiVirus RAR Archive Decompression Buffer Overflow
6.  [SA18370] QuickTime Multiple Image/Media File Handling Vulnerabilities
7.  [SA18493] Oracle Products Multiple Vulnerabilities and Security Issues
8.  [SA15907] Mozilla Thunderbird Attachment Spoofing Vulnerability
9.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
10. [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA18521] AOL You've Got Pictures ActiveX Control Buffer Overflow
[SA18522] BitComet Client URI Handling Buffer Overflow Vulnerability
[SA18508] Farmers WIFE FTP Directory Traversal Vulnerability
[SA18488] SimpleBlog Script Insertion and SQL Injection Vulnerabilities
[SA18439] Mini-NUKE SQL Injection and Unauthenticated Password Change
[SA18492] Helm Web Hosting Control Panel "txtEmailAddress" Cross-Site Scripting
[SA18466] AmbiCom Blue Neighbors Object Push Service Buffer Overflow
[SA18443] FogBugz "dest" Cross-Site Scripting Vulnerability
[SA18531] CA DM Deployment Common Component Denial of Service
[SA18494] Cisco CallManager Connection Handling Denial of Service
[SA18437] Toshiba Bluetooth Stack File Upload Directory Traversal Vulnerability

UNIX/Linux:
[SA18517] SGI Advanced Linux Environment Multiple Updates
[SA18503] SUSE update for multiple packages
[SA18484] Novell Open Enterprise Server Remote Manager Buffer Overflow
[SA18478] Mandriva update for clamav
[SA18463] Trustix update for multiple packages
[SA18453] Gentoo update for clamav
[SA18435] Gentoo update for sun-jdk/sun-jre-bin/blackdown-jdk/blackdown-jre
[SA18520] Fedora update for kdegraphics
[SA18509] OpenServer update for gdk-pixbuf
[SA18507] Avaya PDS HP-UX SecureShell Denial of Service Vulnerability
[SA18496] Debian update for albatross
[SA18491] Avaya Products xloadimage NIFF Image Handling Buffer Overflow
[SA18489] Mandriva update for hylafax
[SA18482] Linux Kernel Multiple Denial of Service Vulnerabilities
[SA18481] Debian update for mantis
[SA18457] Albatross Arbitrary Command Execution Vulnerability
[SA18456] Ubuntu update for mailman
[SA18452] Gentoo update for blender
[SA18451] Gentoo update for wine
[SA18449] Mailman Dates Denial of Service Vulnerability
[SA18448] Fedora update for tetex
[SA18436]
Debian update for gpdf
[SA18525] CMU SNMP snmptrapd Format String Vulnerability
[SA18495] EMC NetWorker Denial of Service and Buffer Overflow Vulnerabilities
[SA18526] Red Hat update for apache
[SA18510] Red Hat update for kernel
[SA18472] Widexl Download Tracker "ID" Parameter Cross-Site Scripting
[SA18468] Faq-O-Matic Cross-Site Scripting Vulnerabilities
[SA18530] Debian update for antiword
[SA18527] Ubuntu update for kernel
[SA18502] Avaya Products util-linux / mount Security Issue and Vulnerability
[SA18498] Sun Solaris lpsched Unspecified Vulnerability
[SA18497] Serial Line Sniffer "HOME" Environment Variable Buffer Overflow
[SA18487] Linux Kernel dm-crypt Driver Information Disclosure
[SA18476] Debian update for tuxpaint
[SA18475] Tux Paint Insecure Temporary File Creation Vulnerability
[SA18474] Ubuntu update for tuxpaint
[SA18438] Kolab Server Secure SMTP Message Logging Security Issue
[SA18433] Debian update for fetchmail
[SA18458] grsecurity RBAC Admin Role Dropping Security Issue

Other:
[SA18483] Intracom JetSpeed ADSL Modem Information Disclosure
[SA18528] Cisco IOS CDP Status Page Script Insertion Vulnerability
[SA18514] ACT WLAN Phone P202S Multiple Security Issues
[SA18505] Clipcomm CWP-100/CP-100E Debug Service Unauthenticated Access
[SA18490] Cisco IOS Stack Group Bidding Protocol Denial of Service
[SA18479] Cisco IP Phones SYN Flood Device Reload Vulnerability
[SA18461] Linksys BEFVP41 IP Option Length Denial of Service
[SA18512] MPN HP-180W Wireless IP Phone Information Disclosure
[SA18511] ZyXEL P-2000W_v2 VoIP Wi-Fi Phone Information Disclosure

Cross Platform:
[SA18450] Light Weight Calendar "date" PHP Code Execution Vulnerability
[SA18432] ACal "ACalAuthenticate" Authentication Bypass Vulnerability
[SA18518] phpXplorer "sShare" Local File Inclusion Vulnerability
[SA18513] Joomla! Multiple Unspecified Vulnerabilities
[SA18504] geoBlog "cat" Parameter SQL Injection Vulnerability
[SA18499] WB News "name" Script Insertion Vulnerability
[SA18493] Oracle Products Multiple Vulnerabilities and Security Issues
[SA18485] Apache Geronimo Web-Access-Log Viewer Script Insertion
[SA18471] WP-Stats WordPress Plug-in "author" SQL Injection Vulnerability
[SA18467] BlogPHP "username" SQL Injection Vulnerability
[SA18465] Trac HTML WikiProcessor Script Insertion Vulnerability
[SA18464] Bit 5 Blog Script Insertion and SQL Injection Vulnerabilities
[SA18460] WhiteAlbum "dir" SQL Injection Vulnerability
[SA18459] PDFdirectory SQL Injection Vulnerabilities
[SA18455] 123 Flash Chat Server Username Directory Traversal Vulnerability
[SA18446] Fortinet Products ISAKMP IKE Message Processing Vulnerabilities
[SA18444] PHP Toolkit for PayPal Payment Bypass and Exposure of Transactions
[SA18442] microBlog "month" and "year" SQL Injection Vulnerabilities
[SA18441] TankLogger "tank_id" SQL Injection Vulnerability
[SA18440] wordcircle Script Insertion and SQL Injection Vulnerabilities
[SA18486] Dual DHCP DNS Server DHCP Options Buffer Overflow
[SA18519] CubeCart Cross-Site Scripting Vulnerabilities
[SA18477] Ultimate Auction Cross-Site Scripting Vulnerabilities
[SA18473] RedKernel Referrer Tracker "rkrt_stats.php" Cross-Site Scripting
[SA18470] GTP iCommerce Cross-Site Scripting Vulnerabilities
[SA18469] Netbula Anyboard "tK" Cross-Site Scripting Vulnerability
[SA18462] Benders Calendar Multiple SQL Injection Vulnerabilities
[SA18454] SMBCMS Site Search Cross-Site Scripting Vulnerability
[SA18447] H-Sphere "login" Cross-Site Scripting Vulnerability
[SA18445] Interspire TrackPoint NX "username" Cross-Site Scripting Vulnerability
[SA18434] Mantis Multiple Cross-Site Scripting Vulnerabilities
[SA18506] Avaya gdb Integer Overflow and Insecure Initialisation File Handling

========================================================================
5) Vulnerabilities Content Listing
Windows:

--
[SA18521] AOL You've Got Pictures ActiveX Control Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-01-17

A vulnerability has been reported in AOL, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/18521/

--
[SA18522] BitComet Client URI Handling Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-01-19

Dejun Meng has reported a vulnerability in BitComet Client, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18522/

--
[SA18508] Farmers WIFE FTP Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2006-01-17

Knud Erik Højgaard has discovered a vulnerability in Farmers WIFE, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18508/

--
[SA18488] SimpleBlog Script Insertion and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-01-16

Zinho has discovered two vulnerabilities in SimpleBlog, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/18488/

--
[SA18439] Mini-NUKE SQL Injection and Unauthenticated Password Change
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-01-13

Mustafa Can Bjorn has reported a vulnerability and a security issue in Mini-NUKE, which can be exploited by malicious people to bypass certain security restrictions and conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18439/

--
[SA18492] Helm Web Hosting Control Panel "txtEmailAddress" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-16

M.Neset KABAKLI has reported a vulnerability in Helm Web Hosting Control Panel, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18492/

--
[SA18466] AmbiCom Blue Neighbors Object Push Service Buffer Overflow
Critical: Less critical
Where: From remote
Impact: DoS, System access
Released: 2006-01-16

Kevin Finisterre has reported a vulnerability in AmbiCom Blue Neighbors, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18466/

--
[SA18443] FogBugz "dest" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-13

M.Neset KABAKLI has reported a vulnerability in FogBugz, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/18443/

--
[SA18531] CA DM Deployment Common Component Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-01-18

Two vulnerabilities have been reported in various CA products, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/18531/

--
[SA18494] Cisco CallManager Connection Handling Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-01-19

Some vulnerabilities have been reported in Cisco CallManager, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18494/

--
[SA18437] Toshiba Bluetooth Stack File Upload Directory Traversal Vulnerability
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2006-01-13

Kevin Finisterre has reported a vulnerability in Toshiba Bluetooth Stack, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/18437/


UNIX/Linux:

--
[SA18517] SGI Advanced Linux Environment Multiple Updates
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Privilege escalation, DoS, System access
Released: 2006-01-19

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, where the most critical ones can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18517/

--
[SA18503] SUSE update for multiple packages
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-01-16

SUSE has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable or a user's system.

Full Advisory: http://secunia.com/advisories/18503/

--
[SA18484] Novell Open Enterprise Server Remote Manager Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-01-16

A vulnerability has been reported in Novell Open Enterprise Server Remote Manager, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18484/

--
[SA18478] Mandriva update for clamav
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-01-17

Mandriva has issued an update for clamav.
This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18478/

--
[SA18463] Trustix update for multiple packages
Critical: Highly critical
Where: From remote
Impact: System access, DoS, Privilege escalation
Released: 2006-01-16

Trustix has issued updates for multiple packages. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, and by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18463/

--
[SA18453] Gentoo update for clamav
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-01-13

Gentoo has issued an update for clamav. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18453/

--
[SA18435] Gentoo update for sun-jdk/sun-jre-bin/blackdown-jdk/blackdown-jre
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-01-16

Gentoo has issued updates for sun-jdk, sun-jre-bin, blackdown-jdk, and blackdown-jre. These fix some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18435/

--
[SA18520] Fedora update for kdegraphics
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-01-17

Fedora has issued an update for kdegraphics. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18520/

--
[SA18509] OpenServer update for gdk-pixbuf
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-01-16

SCO has issued an update for gdk-pixbuf.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18509/

--
[SA18507] Avaya PDS HP-UX SecureShell Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Privilege escalation, DoS
Released: 2006-01-18

Avaya has acknowledged a security issue and a vulnerability in Predictive Dialer System (PDS), which can be exploited by malicious people to cause a DoS (Denial of Service) or by malicious users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/18507/

--
[SA18496] Debian update for albatross
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-01-16

Debian has issued an update for albatross. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18496/

--
[SA18491] Avaya Products xloadimage NIFF Image Handling Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-01-17

Avaya has acknowledged a vulnerability in various products, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18491/

--
[SA18489] Mandriva update for hylafax
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, System access
Released: 2006-01-17

Mandrake has issued an update for hylafax. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions and by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18489/

--
[SA18482] Linux Kernel Multiple Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-01-16

Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users and by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/18482/

--
[SA18481] Debian update for mantis
Critical: Moderately critical
Where: From remote
Impact: Unknown, Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2006-01-18

Debian has issued an update for mantis. This fixes some vulnerabilities, where some have unknown impacts and others potentially can be exploited by malicious people to conduct cross-site scripting, HTTP response splitting, and SQL injection attacks, and disclose sensitive information.

Full Advisory: http://secunia.com/advisories/18481/

--
[SA18457] Albatross Arbitrary Command Execution Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-01-16

A vulnerability has been reported in Albatross, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/18457/

--
[SA18456] Ubuntu update for mailman
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-01-16

Ubuntu has issued an update for mailman. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/18456/

--
[SA18452] Gentoo update for blender
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-01-13

Gentoo has issued an update for blender. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/18452/

--
[SA18451] Gentoo update for wine
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-01-13

Gentoo has issued an update for wine. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18451/

--
[SA18449] Mailman Dates Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-01-16

A vulnerability has been reported in Mailman, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/18449/

--
[SA18448] Fedora update for tetex
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-01-13

Fedora has issued an update for tetex. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18448/

--
[SA18436] Debian update for gpdf
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-01-13

Debian has issued an update for gpdf. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18436/

--
[SA18525] CMU SNMP snmptrapd Format String Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-01-17

Seregorn has reported a vulnerability in CMU SNMP, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18525/

-- [SA18495] EMC NetWorker Denial of Service and Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-01-17
Jo Goossens has reported some vulnerabilities in EMC NetWorker, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18495/

-- [SA18526] Red Hat update for apache
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-17
Red Hat has issued an update for apache. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18526/

-- [SA18510] Red Hat update for kernel
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information, DoS
Released: 2006-01-17
Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and gain knowledge of potentially sensitive information, and by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18510/

-- [SA18472] Widexl Download Tracker "ID" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-16
Preddy has reported a vulnerability in Widexl Download Tracker, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18472/

-- [SA18468] Faq-O-Matic Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-16
Preddy has reported some vulnerabilities in Faq-O-Matic, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18468/

-- [SA18530] Debian update for antiword
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-18
Debian has issued an update for antiword. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/18530/

-- [SA18527] Ubuntu update for kernel
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, DoS
Released: 2006-01-18
Ubuntu has issued an update for the kernel. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to gain knowledge of potentially sensitive information and cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18527/

-- [SA18502] Avaya Products util-linux / mount Security Issue and Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-17
Avaya has acknowledged a security issue and a vulnerability in various products, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18502/

-- [SA18498] Sun Solaris lpsched Unspecified Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-01-16
A vulnerability has been reported in lpsched, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18498/

-- [SA18497] Serial Line Sniffer "HOME" Environment Variable Buffer Overflow
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-16
Sintigan has discovered a vulnerability in Serial Line Sniffer (slsnif), which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18497/

-- [SA18487] Linux Kernel dm-crypt Driver Information Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-01-17
Stefan Rompf has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/18487/

-- [SA18476] Debian update for tuxpaint
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-16
Debian has issued an update for tuxpaint. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/18476/

-- [SA18475] Tux Paint Insecure Temporary File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-16
Javier Fernandez-Sanguino Pena has reported a vulnerability in Tux Paint (tuxpaint), which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/18475/

-- [SA18474] Ubuntu update for tuxpaint
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-16
Ubuntu has issued an update for tuxpaint. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/18474/

-- [SA18438] Kolab Server Secure SMTP Message Logging Security Issue
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-01-13
A security issue has been reported in Kolab Server, which potentially can be exploited by malicious, local users to disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/18438/

-- [SA18433] Debian update for fetchmail
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-01-13
Debian has issued an update for fetchmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18433/

-- [SA18458] grsecurity RBAC Admin Role Dropping Security Issue
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-16
A security issue has been reported in grsecurity, which can cause certain services to run with escalated privileges.
Full Advisory: http://secunia.com/advisories/18458/

Other:

-- [SA18483] Intracom JetSpeed ADSL Modem Information Disclosure
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-01-16
Dinos has reported a security issue in Intracom JetSpeed ADSL Modem, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/18483/

-- [SA18528] Cisco IOS CDP Status Page Script Insertion Vulnerability
Critical: Less critical
Where: From local network
Impact: Cross Site Scripting
Released: 2006-01-18
Digitalmunitions.com has reported a vulnerability in Cisco IOS, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18528/

-- [SA18514] ACT WLAN Phone P202S Multiple Security Issues
Critical: Less critical
Where: From local network
Impact: Unknown, Security Bypass, Exposure of system information, DoS
Released: 2006-01-17
Shawn Merdinger has reported some security issues in ACT WLAN Phone P202S, which can be exploited by malicious people to potentially disclose system information, potentially cause a DoS (Denial of Service), and bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18514/

-- [SA18505] Clipcomm CWP-100/CP-100E Debug Service Unauthenticated Access
Critical: Less critical
Where: From local network
Impact: Hijacking, Security Bypass, Manipulation of data, Exposure of system information
Released: 2006-01-18
Shawn Merdinger has reported a security issue in Clipcomm CWP-100 and Clipcomm CP-100E, which can be exploited by malicious people to disclose system information, manipulate certain information, and bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18505/

-- [SA18490] Cisco IOS Stack Group Bidding Protocol Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-01-19
A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18490/

-- [SA18479] Cisco IP Phones SYN Flood Device Reload Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-01-16
A vulnerability has been reported in Cisco 7940 and 7960 IP Phones, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18479/

-- [SA18461] Linksys BEFVP41 IP Option Length Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-01-18
Paul has reported a vulnerability in Linksys BEFVP41, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18461/

-- [SA18512] MPN HP-180W Wireless IP Phone Information Disclosure
Critical: Not critical
Where: From local network
Impact: Exposure of system information, DoS
Released: 2006-01-17
Shawn Merdinger has reported a weakness in MPN HP-180W Wireless IP Phone, which can be exploited by malicious people to disclose system information and potentially cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18512/

-- [SA18511] ZyXEL P-2000W_v2 VoIP Wi-Fi Phone Information Disclosure
Critical: Not critical
Where: From local network
Impact: Exposure of system information, DoS
Released: 2006-01-17
Shawn Merdinger has reported a weakness in ZyXEL P-2000W_v2 VoIP Wi-Fi Phone, which can be exploited by malicious people to disclose system information and potentially cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18511/

Cross Platform:

-- [SA18450] Light Weight Calendar "date" PHP Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-01-13
Aliaksandr Hartsuyeu has reported a vulnerability in Light Weight Calendar, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18450/

-- [SA18432] ACal "ACalAuthenticate" Authentication Bypass Vulnerability
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2006-01-12
Aliaksandr Hartsuyeu has discovered a vulnerability in ACal, which can be exploited by malicious people to bypass certain security restrictions and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18432/

-- [SA18518] phpXplorer "sShare" Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-01-17
Oriol Torrent Santiago has discovered a vulnerability in phpXplorer, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/18518/

-- [SA18513] Joomla! Multiple Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-01-18
Multiple vulnerabilities with unknown impacts have been reported in Joomla!.
Full Advisory: http://secunia.com/advisories/18513/

-- [SA18504] geoBlog "cat" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2006-01-16
Aliaksandr Hartsuyeu has discovered a vulnerability in geoBlog, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18504/

-- [SA18499] WB News "name" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-18
DragoN has discovered a vulnerability in WB News, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18499/

-- [SA18493] Oracle Products Multiple Vulnerabilities and Security Issues
Critical: Moderately critical
Where: From remote
Impact: Unknown, Manipulation of data, Exposure of system information, Exposure of sensitive information
Released: 2006-01-18
82 vulnerabilities and security issues have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to gain knowledge of certain information, overwrite arbitrary files, and to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18493/

-- [SA18485] Apache Geronimo Web-Access-Log Viewer Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-16
Oliver Karow has reported a vulnerability in Apache Geronimo, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18485/

-- [SA18471] WP-Stats WordPress Plug-in "author" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-01-16
Preddy has discovered a vulnerability in WP-Stats, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18471/

-- [SA18467] BlogPHP "username" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-01-17
Aliaksandr Hartsuyeu has reported a vulnerability in BlogPHP, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18467/

-- [SA18465] Trac HTML WikiProcessor Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-17
A vulnerability has been reported in Trac, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18465/

-- [SA18464] Bit 5 Blog Script Insertion and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2006-01-16
Aliaksandr Hartsuyeu has reported some vulnerabilities in Bit 5 Blog, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18464/

-- [SA18460] WhiteAlbum "dir" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-01-18
Liz0ziM has discovered a vulnerability in WhiteAlbum, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18460/

-- [SA18459] PDFdirectory SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-01-17
Some vulnerabilities have been reported in PDFdirectory, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18459/

-- [SA18455] 123 Flash Chat Server Username Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-01-16
Jesus Olmos Gonzalez has reported a vulnerability in 123 Flash Chat (123FlashChat) Server, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18455/

-- [SA18446] Fortinet Products ISAKMP IKE Message Processing Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-01-13
Some vulnerabilities have been reported in Fortinet Products, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18446/

-- [SA18444] PHP Toolkit for PayPal Payment Bypass and Exposure of Transactions
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-01-13
.cens has reported two security issues in PHP Toolkit for PayPal, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/18444/

-- [SA18442] microBlog "month" and "year" SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-01-18
Aliaksandr Hartsuyeu has discovered two vulnerabilities in microBlog, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18442/

-- [SA18441] TankLogger "tank_id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-01-13
Aliaksandr Hartsuyeu has discovered a vulnerability in TankLogger, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18441/

-- [SA18440] wordcircle Script Insertion and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2006-01-13
Aliaksandr Hartsuyeu has discovered two vulnerabilities in wordcircle, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18440/

-- [SA18486] Dual DHCP DNS Server DHCP Options Buffer Overflow
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-01-18
Luigi Auriemma has reported a vulnerability in Dual DHCP DNS Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18486/

-- [SA18519] CubeCart Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-17
Lostmon has discovered some vulnerabilities in CubeCart, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18519/

-- [SA18477] Ultimate Auction Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-16
Querkopf has reported two vulnerabilities in Ultimate Auction, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18477/

-- [SA18473] RedKernel Referrer Tracker "rkrt_stats.php" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-16
Preddy has discovered a vulnerability in RedKernel Referrer Tracker, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18473/

-- [SA18470] GTP iCommerce Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-16
Preddy has reported two vulnerabilities in GTP iCommerce, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18470/

-- [SA18469] Netbula Anyboard "tK" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-16
Preddy has reported a vulnerability in Netbula Anyboard, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18469/

-- [SA18462] Benders Calendar Multiple SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-01-16
Aliaksandr Hartsuyeu has discovered some vulnerabilities in Benders Calendar, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18462/

-- [SA18454] SMBCMS Site Search Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-17
$um$id has reported a vulnerability in SMBCMS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18454/

-- [SA18447] H-Sphere "login" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-13
M.Neset KABAKLI has reported a vulnerability in H-Sphere, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18447/

-- [SA18445] Interspire TrackPoint NX "username" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-13
M.Neset KABAKLI has reported a vulnerability in Interspire TrackPoint NX, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18445/

-- [SA18434] Mantis Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-17
Some vulnerabilities have been reported in Mantis, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18434/

-- [SA18506] Avaya gdb Integer Overflow and Insecure Initialisation File Handling
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-18
Avaya has acknowledged two vulnerabilities in various products, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18506/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Jan 20 01:14:26 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 20 Jan 2006 00:14:26 -0600 (CST)
Subject: [ISN] In the interest of helping journalists cover Oracle..
Message-ID:

Forwarded from: security curmudgeon

http://www.osvdb.org/blog/?p=86

In the interest of helping journalists cover Oracle.. perhaps they should just move to a templated form to save time?

---

By [YOUR_NAME]
[YOUR TITLE], [YOUR PUBLICATION]
[DATE]

Oracle released on [DAY_OF_WEEK] fixes for a [LONG/HUGE/MONSTROUS] list of security vulnerabilities in [ONE/MANY/ALL] of its products. The quarterly patch contained patches for [NUMBER] vulnerabilities.

Titled "Critical Patch Update", the patch provides [FIXES/REMEDIES/MITIGATION] for [NUMBER] flaws in the Database products, [NUMBER] flaws in the Application Server, [NUMBER] flaws in the Collaboration Suite, [NUMBER] of flaws in the E-Business Suite, [NUMBER] of flaws in the PeopleSoft Enterprise Portal, and [NUMBER] of flaws in the [NEW_TECHNOLOGY_OR_ACQUISITION].

Many of the flaws have been deemed critical by Oracle, meaning they are trivial to exploit, were likely discovered around 880 days ago, and are trivially abused by low to moderately skilled [HACKERS/ATTACKERS/CRACKERS].

"[DULL_QUOTE_FROM_COMPANY_WHO_DISCOVERED_NONE_OF_THE_FLAWS]" security company [COMPANY] said yesterday as they upped their internet risk warning system number (IRWSN) to [ARBITRARY_NUMBER]. "This is another example of why our products will help protect customers who chose to deploy Oracle software" [ARBITRARY_CSO_NAME] stated.

"[COMPLETELY_BULLSHIT_QUOTE_ABOUT_PROACTIVE_SECURITY_FROM_ORACLE]" countered Mary Ann Davidson, CSO at Oracle. "These hackers providing us with free security testing and showing their impatience after 880 days are what causes problems. If these jackass criminals would stop being hackers, our products would not be broken into and our customers would stay safe!"

Oracle has been criticized for being slow to fix security flaws by everyone ranging from L0rD D1cKw4v3R to US-CERT to the Pope.
From isn at c4i.org Fri Jan 20 01:14:43 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 20 Jan 2006 00:14:43 -0600 (CST)
Subject: [ISN] Cisco product flaws affect VoIP gear, routers
Message-ID:

http://www.networkworld.com/news/2006/011906-cisco-voip-flaw.html

By Phil Hochmuth
NetworkWorld.com
01/19/06

A triad of Cisco product vulnerabilities could cause problems for users of the company's IP PBXs and certain routers, Cisco warned this week.

One vulnerability affecting Cisco CallManagers could leave the IP PBX servers open to denial-of-service attacks, potentially shutting down phone service inside an organization using Cisco CallManagers.

Cisco says the DoS vulnerability exists because CallManager servers do not time out TCP connections on certain ports fast enough. This could cause overuse of CPU and memory resources on the server and lead to a crash or reboot and IP phones not responding with dial tone, the company says.

Vulnerable versions of CallManager are 3.2, 3.3, 4.0 and 4.1. These versions "do not manage TCP connections and Windows messages aggressively," says a Cisco bulletin warning of the vulnerabilities.

Since such an attack would require network access to CallManagers, which are typically deployed behind a firewall, an external DoS attack on the IP PBX is less likely.

Another vulnerability warning sent to customers this week involves the Multi Level Administrator service on CallManager servers. Administrative users without read-write administrator-level access to the CallManager could bump up their privileges by sending a "crafted URL" to the CallManager administrator Web page on the server.

This vulnerability affects the same CallManager versions as the DoS issue, Cisco says. Software fixes for both CallManager vulnerabilities are available.

The third bulletin from Cisco this week warns of a problem in the vendor's IOS router software that could result in a remotely executed DoS attack on Cisco gear.
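For the third bulletin, the IOS Stack Group Bidding Protocol (SGBP) denial of service, the article notes that an access control list blocking untrusted access to SGBP is a stopgap for routers that cannot be upgraded right away. The following IOS configuration fragment is an added example of that mitigation; it is not from the article and not Cisco's own published workaround text. SGBP listens on UDP port 9900, so the list admits that port only from the router's known stack-group peers and drops it from everyone else. The addresses (192.0.2.x), the interface name and the stack-group name are placeholders, and the `no sgbp group` form for removing an unneeded stack-group configuration is assumed from the IOS `sgbp group` command.

```cisco
! Added example, not from the article and not Cisco's published workaround.
! Restrict who may reach the SGBP service (UDP port 9900) on this router.
! 192.0.2.1 is this router; 192.0.2.11 and 192.0.2.12 are its stack-group
! peers (all placeholder addresses).
ip access-list extended SGBP-PEERS-ONLY
 remark SGBP only from the other members of this router's stack group
 permit udp host 192.0.2.11 host 192.0.2.1 eq 9900
 permit udp host 192.0.2.12 host 192.0.2.1 eq 9900
 remark Drop and log SGBP traffic from anyone else; log hits are worth
 remark alerting on, since nothing legitimate should arrive here
 deny   udp any any eq 9900 log
 remark Leave all other traffic to the rest of the interface policy
 permit ip any any
!
! Apply inbound on every interface that can receive packets from untrusted
! networks (interface name is a placeholder)
interface Serial0/0
 ip access-group SGBP-PEERS-ONLY in
!
! On a router that is not actually part of a Multilink PPP stack group, the
! cleaner fix is to not run SGBP at all. Assumed form of the IOS command
! that removes the stack-group configuration:
! no sgbp group STACKGROUP-NAME
```

The list is deliberately narrow: it touches only UDP/9900 and ends in `permit ip any any`, so it can be merged into an existing interface ACL without changing anything else. Verify with `show ip access-lists SGBP-PEERS-ONLY` that the deny counter stays at zero in normal operation; a rising counter means something other than a known peer is talking to the SGBP port.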
The problem is with the Cisco IOS Stack Group Bidding Protocol (SGBP), which is used on routers that aggregate multiple Point-to-Point Protocol (PPP) connections. When aggregating multiple PPP links, known as Multilink PPP, the SGBP is used by devices connected via Multilink PPP to identify each other.

Cisco says that if a specially crafted UDP packet is sent to port 9900 on an affected router (i.e., a device running Multilink PPP and SGBP) the device could freeze.

Cisco has issued a software fix for the problem. Short of upgrading IOS software, users can also set up an access control list to block untrusted access to a router via SGBP, Cisco says.

From isn at c4i.org Fri Jan 20 01:12:35 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 20 Jan 2006 00:12:35 -0600 (CST)
Subject: [ISN] The Backhoe: A Real Cyberthreat
Message-ID:

http://www.wired.com/news/technology/0,70040-0.html

By Kevin Poulsen
Jan 19, 2006

At half-past noon on Jan. 9, cable TV contractors sinking a half-mile of cable near Interstate 10 in rural Arizona pulled up something unexpected in the bucket of their backhoe: an unmarked fiber-optic cable.

"It started pulling the fiber out of the pipe," says Scott Johansson, project manager for JK Communications and Construction. "Obviously, we said, 'Oop, we've hit something.'"

As the fiber came spooling out of the desert soil like a fishing line, long-distance service for millions of Sprint PCS and Nextel wireless customers west of the Rockies blinked off. Transcontinental internet traffic routed over Sprint slowed to a crawl, and some corporations that relied on the carrier to link office networks found themselves electronically isolated.

In the end, a hole dug out of a dirt road outside a town called Buckeye triggered a three-and-a-half hour outage with national impact.

It wasn't even a very deep hole. "We ran into their line right away," says Johansson.
Experts say last week's Sprint outage is a reminder that with all the attention paid to computer viruses and the latest Windows security holes, the most vulnerable threads in America's critical infrastructures lie literally beneath our feet.

"No one wants something like this to happen," says Sprint spokesman John Taylor. "The fact is we are absolutely focused on restoring service to our customers ... and in this case we did so in record time."

A study issued last month by the Common Ground Alliance, or CGA -- an industry group comprised of utilities and construction companies -- calculated that there were more than 675,000 excavation accidents in 2004 in which underground cables or pipelines were damaged. And an October report from the Alliance for Telecommunications Industry Solutions found that cable dig-ups were the single most common cause of telecom outages over a 12-year period ending in 2004, with the number of incidents dropping in recent years but the severity and duration of the outages increasing.

In 2004, Department of Homeland Security officials became fearful that terrorists might start using accidental dig-ups as a road map for deliberate attacks, and convinced the FCC to begin locking up previously public data on outages. In a commission filing, DHS argued successfully that revealing the details of "even a single event may present a grave risk to the infrastructure."

"We see people talking about the digital Pearl Harbor from the worms and Trojans and viruses," says Howard Schmidt, former White House cybersecurity adviser. "But in all probability, there's more likelihood of what we call the 'backhoe attack' that would have more impact on a region than a Code Red, or anything we've seen so far."
Sprint claims it's still investigating who was at fault in Buckeye, but Johansson says that's a settled issue: Before his crew members disturbed so much as a pebble, they submitted their plans to Arizona's "call-before-you-dig" One Call center, then waited for each utility to mark off their buried facilities, if any. Contacted by Wired News, the center confirmed the call.

According to Johansson, Sprint responded by giving the contractors the all-clear. "We had a no-conflict ticket from them, indicating that they had no line there," he says.

Even that apparent gaffe wouldn't have been enough to cause an outage on its own. The Arizona fiber cut was on a transmission line that loops across the county in a solid ring -- a "self-healing" topology that guarantees a single break won't stop service, because traffic can always circle back in the other direction.

But a few days earlier, another section of the same line buried in a railroad culvert near Reno Junction, California, suffered damage in a stormy mudslide. Sprint workers had to cut the waterlogged section of cable to make repairs.

So when the contractor's backhoe ripped up the cable in Buckeye, the two cuts together effectively sawed off the entire westernmost section of the ring.

But that conspiracy of bad timing and wet weather pales against the impact that deliberate saboteurs or terrorists could make with some rented backhoes and careful target selection.

In 2003, then-Ph.D. candidate Sean Gorman famously mapped America's fiber-optic paths for his dissertation at George Mason University, and found it was easy to locate critical choke points from public records and data.

Today, Gorman serves as CTO of FortiusOne, a startup that's helping financial companies diversify their electronic infrastructures, and consulting with the DHS. He says the vulnerabilities remain.

"We've looked at scenarios where we (could) have multiple fiber cuts that effectively disconnect the West Coast from the East Coast," says Gorman.
"It's not very difficult to figure out." Gorman blames this fragility in large part on the recent spate of telecom mergers and acquisitions -- with each one, he says, more and more of the nation's critical communications merge into fewer and fewer fiber-optic cables. Witness the Sprint outage, which affected customers of Nextel, which Sprint finished acquiring last month. Meanwhile, carriers don't want to spend the money to run redundant fiber-optic lines. A 2003 research paper (.pdf) from Sprint notes the company sought alternatives to "physically diverse protection paths" for its backbone network after confronting the "substantial capital investment" of running new cables, as well as challenges posed by geographic obstacles like mountains and bridges. Those geographic limitations have spawned another dangerous trend, says Gorman: Different companies tend to install their cables alongside the same limited number of roads and railways, often unknowingly. "The vast majority of providers are on just two routes" across the country, he says. (Presumably, one of them runs under Buckeye.) If there's widespread agreement on the danger, there's less of a consensus on the solution. Gorman argues that regulators should start taking into account the effect on national security when considering proposals to merge telecoms. "How many fiber paths are they planning on collapsing? How much diversity is the nation losing in the process? It's probably something that should be examined," he says. But former White House cybersecurity adviser Schmidt disagrees. "We built the infrastructure using facilities that were already there, because they were most effective," he says. "You have physical limitations, like bridging the Mississippi River.... Can you imagine they tell you tomorrow, 'We have to build redundancy in the system, so we're going to double your phone bill?'" Instead, Schmidt would like to see the government fund more research into network survivability. 
"Let's look at the R&D, let's start building this stuff so you can have alternative means of communications -- wireless, satellite. Because you're never going to be able to have 100 percent redundancy."

For its part, Sprint insists that its network is diverse enough. "We do put a premium on redundancy," says Taylor. "In this particular case we had events simultaneously happen that are beyond our control."

In the end, there's no simple way to prevent sabotage to critical communications lines, should the United States' enemies ever decide on that tack. So far, they haven't. But progress is being made on curtailing accidental damage, in particular by bolstering the system of regional One Call centers dedicated to preventing incidents like the Sprint outage, and the sometimes-fatal accidents that occur when an excavator digs into a buried natural gas or petroleum pipeline.

Under state laws, anyone who's breaking ground generally needs to contact the local One Call center first. The center then sends out notices to all the utilities in the area, which are obliged to respond, generally within two days. If anything is buried in the dig zone, the utility dispatches a worker to mark off the location, usually by spray painting a kind of infrastructure hobo's code on the ground: A red line indicates buried cable, yellow is a gas pipe, green a sewer line, etc. Any digging conducted close to the marked facilities has to be conducted by hand, or using special equipment like a vacuum pump.

The December CGA report -- the first comprehensive look at digging accidents -- found that nearly half of the 675,000 incidents in 2004 resulted from the excavator failing to contact the local One Call center. The most common facilities damaged as a result were gas pipelines, representing 51.6 percent of the damage. Telecommunications facilities came in second at 27.5 percent. Backhoes, trenchers and shovels tended to hit gas lines, while augers, borers and drills had it in for telecom cables.
Most of the incidents only affect local facilities -- it takes bad luck to hit a major communications artery or pipeline. "But when they're hit, the damage is significant," says CGA executive director Bob Kipp. In one of the 2004 incidents, a construction crew in Walnut Creek, California, struck a buried petroleum pipeline, sparking an explosion that killed three people and injured six others.

But utilities are hopeful for change. In 2002, Congress passed, and President Bush signed, a law mandating the creation of a national call-before-you-dig three-digit phone number that, like 911, would route automatically to the caller's local center. Last year the FCC decided on 811 as the magic number, and the CGA says it's on the verge of selecting a marketing firm to design a national Smokey the Bear-style campaign to promote the code when it goes live on April 10, 2007.

"So instead of having 50 state campaigns with 50 different numbers, we'll get one campaign with one easily recognizable number," says Kipp. "If dad's going to go in the backyard and plant a tree, the kid may say, 'Dad, if you're going to dig, you might blow up something, or we might be without phone service.'"

From isn at c4i.org Fri Jan 20 01:15:02 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 20 Jan 2006 00:15:02 -0600 (CST)
Subject: [ISN] Computer crime costs $67 billion, FBI says
Message-ID:

http://news.com.com/Computer+crime+costs+67+billion%2C+FBI+says/2100-7349_3-6028946.html

By Joris Evers
Staff Writer, CNET News.com
January 19, 2006

Dealing with viruses, spyware, PC theft and other computer-related crimes costs U.S. businesses a staggering $67.2 billion a year, according to the FBI.

The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period.
The average cost per company was more than $24,000, with the total cost reaching $32 million for those surveyed. Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent. "This would be 2.8 million U.S. organizations experiencing at least one computer security incident," according to the 2005 FBI Computer Crime Survey. "With each of these 2.8 million organizations incurring a $24,000 average loss, this would total $67.2 billion per year." By comparison, telecommunication fraud losses are about only $1 billion a year, according to the U.S. Secret Service. Also, the overall cost to Americans of identity fraud reached $52.6 billion in 2004, according to Javelin Strategy & Research. Other surveys have attempted to put a dollar amount on cybersecurity damages in the past, but the FBI believes its estimate is the most accurate because of the large number of respondents, said Bruce Verduyn, the special agent who managed the survey project. "The data set is three or four times larger than in past surveys," he said. "It is obviously a staggering number, but that is the reality of what we see." Responding to worms, viruses and Trojan horses was most costly, followed by computer theft, financial fraud and network intrusion, according to the survey. Respondents spent nearly $12 million to deal with virus-type incidents, $3.2 million on theft, $2.8 million on financial fraud and $2.7 million on network intrusions. These figures do not include much of the staff, technology, time and software employed to prevent security incidents, Verduyn said. Also, losses to individuals who are victims of computer crime or victims in other countries are not included, he said. 
The FBI's next fiscal year, for which budgets must be reviewed and approved, begins Oct. 1. Protecting the U.S. against high technology crimes is third on the agency's list of priorities.

Defenses in place

Survey respondents use a variety of security products for protection. Antivirus software is almost universally used, with 98.2 percent of respondents stating they use it. Firewalls follow in second place, with 90.7 percent, and anti-spyware and antispam are each used by about three-quarters of respondents, according to the survey.

The results mean that close to one in 10 organizations does not have a hardware or software firewall. Or perhaps they don't know they have one--the Windows Firewall in Windows XP, for example. "Some are very small businesses that should have that technology, but they don't," Verduyn explained.

Biometrics and smart cards--both relatively new security technologies--were used only by 4 percent and 7 percent of survey respondents, respectively. Intrusion prevention or detection systems were used by 23 percent and VPNs, or virtual private networks, by 46 percent.

Organizations were attacked despite use of security products, with nine out of 10 respondents saying they experienced a security incident. In fact, the most common attacks aligned with the most commonly used defenses. Computer viruses, worms or Trojan horses plagued 84 percent of respondents, 80 percent reported spyware trouble, and 32.9 percent said attackers were probing their systems using network port scans.

Not all threats came from outside the organization. More than 44 percent of the survey respondents reported intrusions from within the company. "Companies may be unaware of the internal potential for computer security incidents," Verduyn said. He recommends applying policies and procedures to thwart attacks from the inside.

The FBI surveyed companies in Iowa, Nebraska, New York and Texas.
Companies older than three years, with more than five employees and with more than $1 million in revenue were asked to participate. Survey participants were asked to provide their responses by the end of July 2005, with their answers covering the previous 12-month period.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Fri Jan 20 01:15:15 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 20 Jan 2006 00:15:15 -0600 (CST)
Subject: [ISN] ETrade offers online transaction safety guarantee
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,107865,00.html

By Todd R. Weiss
JANUARY 19, 2006
COMPUTERWORLD

ETrade Financial Corp. is now offering wide-ranging fraud and bill payment protection to customers that use its online brokerage and banking services to guard against user losses and bolster the safety and reputation of its services.

In an announcement Tuesday, the New York-based company said its new ETrade Complete Protection Guarantee will provide full coverage against cybertheft losses for its online brokerage, banking and lending customers, effective immediately. The guarantee is in addition to the company's existing Web site security and procedural safeguards for online transactions.

Under the policy, ETrade Securities LLC or ETrade Bank will cover the full amount of any customer account losses that occur through unauthorized online activity. In addition, if a customer's brokerage, banking or loan payment is not sent as instructed, all related fees, penalties or finance charges will be refunded. The company also said it will not sell a customer's personal information to third-party marketers for any purpose.

"Consumers should feel that their money is safe," said spokeswoman Pam Erickson. "Whatever we can do [to encourage that safety] ... we're going to do."
According to an ETrade-commissioned study of 507 adult ETrade customers by research company Insight Express, 84% of the respondents see online fraud as a serious problem, while 77% believe the primary responsibility for online safeguards is with financial institutions.

For ETrade, however, the actual losses from online cybertheft have been relatively small in recent years, Erickson said. In 2000, the company lost an amount in the tens of thousands of dollars from fraud, she said. Losses in 2005 were less than $2 million.

Consumers think the problem is much larger, however, so the company is working to bolster consumer confidence with the new program. "If consumers see it as a problem, it may preclude them from putting their money into online accounts," Erickson said. "We want to preclude that conclusion."

Brokerage accounts, unlike bank accounts, aren't protected by federal banking insurance programs under current law.

The move by ETrade makes sense, according to several analysts. "I think that as word gets out, it will definitely help them acquire new customers," said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc. "It is a bold move -- consumers don't realize that they're not protected" under current law if someone steals money from their online brokerage account. "This is the kind of protection that people are looking for. Consumers are very nervous."

Previously, if fraud occurred, consumers could only hope that their brokerage firm would reimburse them for any losses, even though it would not be required legally to do so, she said.

Dan Keldsen, an analyst at Boston-based Delphi Group, a Perot Systems Co., called it a "fantastic" step for ETrade. "I just hope that this means that the other online brokerages will follow suit. It's neat to see that they're taking a proactive stance, at least protecting the users."
From isn at c4i.org Fri Jan 20 01:15:26 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 20 Jan 2006 00:15:26 -0600 (CST)
Subject: [ISN] Secret Service probes prank e-mail
Message-ID:

http://www.upi.com/NewsTrack/view.php?StoryID=20060119-041238-9321r

1/19/2006

WASHINGTON, Jan. 19 (UPI) -- A prestigious private school in Washington brought in the Secret Service to solve a computer caper.

The Smoking Gun, also known as thesmokinggun.com, obtained a search warrant affidavit and other documents involving the instance of apparent computer hacking at the Georgetown Day School. The school's students include the children of high government officials and prominent members of the media.

The investigation began when school officials learned that someone had used a teacher's school e-mail account to send messages to three male students. One was reportedly obscene while the other two included realistic details of poor classroom work by the recipients.

The Secret Service and Justice Department investigators found that the account had been accessed through speakeasy.com and traced its origins to a computer owned by a developer's wife well-known on the social scene.

The agents raided the woman's home with a search warrant and seized two computers, an iPod and an external hard drive. No one has been arrested in connection with the e-mail.

-=-

http://www.thesmokinggun.com/archive/0119062gds1.html

Feds Probe D.C. School Prank
Georgetown landmark raided after e-mail hack at tony institution

JANUARY 19 -- Wow, you know your high school principal's strict when he sics the U.S. Secret Service on your teenage, prank-playing ass. That's what just happened at Georgetown Day School, a prestigious Washington, D.C. private school whose student body has included the offspring of politicians, White House officials, media heavyweights, and a Supreme Court justice. According to a January 6 search warrant application filed in U.S.
District Court, a copy of which you can find below, principal Kevin Barr called in the feds after a teacher's e-mail account was "compromised and used to send e-mails to three students."

[...]

From isn at c4i.org Fri Jan 20 01:15:44 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 20 Jan 2006 00:15:44 -0600 (CST)
Subject: [ISN] Smash and grab, the hi-tech way
Message-ID:

http://politics.guardian.co.uk/foreignaffairs/story/0,,1689183,00.html

Peter Warren
Thursday January 19, 2006
The Guardian

As they packed their briefcases for the Christmas break, MPs in Westminster were unaware they had been the targets of one of the most audacious hacking attempts ever mounted. The Guardian has learned that the oldest modern democracy came under a sustained attack aimed at stealing sensitive information. It was launched by cyber criminals almost certainly operating in the world's next superpower, China.

The hi-tech industrial espionage involved a series of innocuous-looking emails targeted at secretaries, researchers, parliamentary staff and even MPs themselves. Each one was specifically tailored to the individual who would receive it. Once opened, these emails tried to download sophisticated spyware that hunts through the recipient's computer and network for potentially valuable documents, which would be automatically sent back to the hackers without the user's knowledge.

Fortunately, the attack, which took place earlier in 2005, was thwarted by parliament's sophisticated internet security system; no sensitive data is thought to have been lost. Instead, the Commons' IT security staff immediately alerted the UK's National Infrastructure Security Co-ordination Centre (NISCC), a powerful organisation linked to MI5 that is responsible for protecting the UK's critical information systems.

Security experts set up an exercise to monitor the attacks, and immediately realised the hackers were well resourced. "These were not normal hackers," said a source close to the NISCC.
"The degree of sophistication was extremely high. They were very clever programmers."

A spokesman for the Home Office would only say: "We do not comment on security matters, but have had discussions with many governments and computer emergency response teams from around the world on this problem."

According to research by US investigators, the hackers are thought to have been based in the Guangdong province in southern China. British and US security experts believe the hackers are working with the tacit approval - or possibly even direct support - of authorities in the People's Republic of China and are attempting to acquire western technology in a massive hit and run raid on the world's intellectual property to aid their booming economic growth. A spokesman for the Chinese government said: "If there are such allegations then it is subject to further investigation."

A wakeup call

Commodore Patrick Tyrrell, the UK's first director of information warfare, warned about the likelihood of such an attack nearly 10 years ago. He believes the attack is a wakeup call to the government. "This could certainly be seen as a provocative act. Up until now, governments have not set much store by information," says Commodore Tyrrell, now managing director of the computer company Vale Atlantic. "The government has to take seriously the way [this kind of attack] is developing."

The attack on the Commons may be the most eye-catching attack from Chinese-based hackers, but is certainly not unique. According to a spokesman for MessageLabs, the company responsible for filtering malicious email from government networks, similar spy emails - called "targeted Trojans" - were noticed about 18 months ago. "There were not very many, maybe one every two months, but now they are coming in at the rate of one to two a week," said Maksym Schipka, MessageLab's senior anti-virus researcher.
Last June, the government sent out a warning in which Roger Cummings, the head of NISCC, spoke about the threat of attacks from far eastern gangs on the UK critical national infrastructure (CNI) - the key network of transport, energy, financial, telecommunication and government organisations. At the end of November, Cummings warned that targeted Trojans from foreign powers were a significant threat. In mid-December, the Cabinet Office - which has overall responsibility for ministries - joined in the chorus at a conference at Glamorgan University. Senior civil servant Harvey Mattison, the head of accreditation for the Cabinet Office's Central Sponsor of Information Assurance, the unit responsible for protecting communications between government departments, gave a keynote address on the threat from the far east. "We were given the impression it was coming from one ISP in Guangdong," said a delegate. Mattison declined to comment except to say that his address was based on details from the NISCC alert. Britain is not the only country targeted. Key parts of the US have been targeted by far eastern hackers for up to five years. Some of the attacks - codenamed Titan Rain - have been traced to just 20 workstations and three routers in Guangdong. Alan Paller, head of the Sans Institute, the US's top computer crime fighting organisation, has stated categorically that the attacks emanate from the People's Republic. He points to attacks in November 2004, during which hackers grabbed thousands of sensitive documents. The hackers stashed the stolen files in zombie servers in South Korea, before sending them back to Guangdong. In one, a researcher found a stockpile of aerospace documents with hundreds of detailed schematics about propulsion systems, solar paneling and fuel tanks for the Mars Reconnaissance Orbiter, the Nasa probe launched in August. 
On one night alone they copied a huge collection of files that had been stolen from the Redstone Arsenal, home to the US army's Aviation and Missile Command in Alabama. The attackers had grabbed specifications for the aviation mission-planning system for army helicopters, as well as Falconview 3.2, the flight-planning software used by the army and air force. For six hours the gang skipped through the computers of Redstone, the army's Information Systems Engineering Command in Arizona, the Defense Information Systems Agency, Naval Ocean System Center in San Diego and the Space and Missile Defense Acquisition Center in Alabama. "Of course it's the [Chinese] government [that receives this information]. Governments will pay anything for control of other governments' computers," said Paller. Other clues - such as the focus on economic espionage - suggest the attacks are not the work of run-of-the-mill hackers. Computer criminals usually seek a quick turnaround of funds and an easy escape route. But economic secrets do not always have a ready cash market. Sources involved in tracking down the gang say the Chinese group is just one of a number of organised groups around the world that are involved in a hi-tech crime wave, some working for governments, others highly organised criminal gangs. "We have seen three attacks a day from this group in the past week and there are a lot of other groups out there," said the source. "You could say that the iceberg is now in view." Privately, UK civil servants familiar with NISCC's investigation agree that the attacks on the UK and US are coming from China. This almost certainly means some state sanction or involvement - perhaps even a "shopping list" of requirements. Some of the attacks have been aimed at parts of the UK government dealing with human rights issues - "a very odd target", according to one UK security source. There is another, more compelling reason. 
"Hacking in China carries the death penalty," says Professor Neil Barrett, of the Royal Military College at Shrivenham. "You also have to sign on with the police if you want to use the internet. And then there is the Great Firewall of China, which lets very little through - and lets [the Chinese government] know exactly what is happening." The internet traffic to the UK, and its origin, would all be visible to the Chinese government. Finding the culprits would, in theory, be a simple process. Sophisticated attacks While the Chinese embassy confirmed that hacking carries the death penalty, a spokesman denied that registration with the police was necessary: "The same permission as for a telephone relates to the internet. You simply have to apply to a service provider." Another clue is the sophistication and cost of organising the attacks. MessageLab's Schipka thinks such a scale required the resources of a very large company. "Either that, or a lot of small organisations are cooperating to help someone but the way these are done is spotless." "Whoever is doing this is well-funded," said Dr Andrew Blyth, head of computer forensics at Glamorgan University. "They are not only able to develop sophisticated software but have also been able to develop websites that people are directed to by emails. These sites then corrupt their web browsers - it is very sophisticated stuff and it costs money to be able to mount an operation of this complexity." In the attacks, each individual receiving the emails and the organisation's IT structure are meticulously researched. The Trojan emails are designed to appeal uniquely to victims. "One email was targeted at one company in aviation. It was a Word document that had a Math/cad component. If you did not have math/cad on your computer it would not open," says Schipka. "The point was to find documents that had been written in that particular program and then send them back." 
Meanwhile, the Sans Institute has raised the idea that the Titan Rain attacks might even have a military origin. In the two-and-a-half years of investigation, the hackers never made a mistake. "It was like being against a master chess player except he was running around between different terminals in different locations," said Alan Paller, of Sans. "There was a level of care and consistency behind this that has to indicate a military operation."

Intriguingly, the Pentagon in its annual report of the military power of the People's Republic of China, published on July 28 last year, noted the development of computer attack systems by China's military, adding that the People's Liberation Army (PLA) regards computer network operations as being "critical to seize the initiative" in establishing "electromagnetic dominance" at the start of a battle. The report added: "Although initial training efforts [by the PLA] focused on increasing the PLA's proficiency in defensive measures, recent exercises have incorporated offensive operations, primarily as first strikes against enemy networks."

Industrial espionage via computers is not new. In 1989, for example, German hackers from the Chaos Computer Club stole secrets from western defence companies and sold them to the KGB. However, the sheer scale of the recent attacks has set alarm bells ringing in security circles around the western world; at the very least they ought to give MPs something to think about when they switch on their computers each morning.
-=-

If you'd like to comment on any aspect of Technology Guardian, send your emails to tech at guardian.co.uk

From isn at c4i.org Mon Jan 23 02:17:40 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 23 Jan 2006 01:17:40 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - January 20th 2006
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| January 20th, 2006 Volume 7, Number 3a |
+---------------------------------------------------------------------+

Editors: Dave Wreski (dave at linuxsecurity.com), Benjamin D. Thomas (ben at linuxsecurity.com)

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for httpd, mod_auth_pgsql, auth_ldap, ethereal, struts, cups, gpdf, apache, and the kernel. The distributor for this week is Red Hat.

----

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

----

IPv6 approach for TCP SYN Flood attack over VoIP, Part V
By: Suhas Desai

In this paper, we describe and analyze a network based DoS attack for IP based networks. It is known as SYN flooding. It works by an attacker sending many TCP connection requests with spoofed source addresses to a victim's machine. Each request causes the targeted host to instantiate data structures out of a limited pool of resources to deny further legitimate access.
Part I http://www.linuxsecurity.com/content/view/121083/49/
Part II http://www.linuxsecurity.com/content/view/121124/49/
Part III http://www.linuxsecurity.com/content/view/121169/49/
Part IV http://www.linuxsecurity.com/content/view/121205/49/

Part V:

7. Result Analysis

7.1 Most powerful and flexible L4-7 security and content networking test solution proven for:
- Firewalls, edge routers, session controllers, proxies, IDS/IPS, VPN concentrators.
- Servers, content switches/caches, load balancers, SSL accelerators

7.2 Mix real VoIP calls (H.323 & SIP) over integrated DHCP, IPSec, PPPoE and 802.1x
- Realistic testing, faster set-up, no need for scripting

7.3 Integrated IPv6, IPsecv6, VLAN, and SNMP support
- Rapidly test next-generation dual-stack devices and stress the management plane at the same time

7.4 Create a realistic mix of application traffic with H.323, SIP, RTSP, SNMP, messaging on each test interface, DoS/spam/virus attacks with over 150 measurements.

8. Conclusion

This paper has described and analyzed a network based denial of service attack, called SYN flooding. It has contributed a detailed analysis of a practical approach to application performance validation for VoIP applications with IPv6/IPv4 configurations and TCP SYN flooding attacks over connection oriented networks. The above methods have proven to give better results for protecting secure, scalable, high-availability IPv6 services over VoIP from DoS attacks. They have also proved to work for spam and virus attacks over TCP connections with the network tester methods of MoonV6.

9. Acknowledgement

We would like to thank Zlata Trhulj for design documentation of IPv6 services and Network tester methods presented at North American IPv6 Coalition Meeting-Reston, VA, 25 May, 2005.
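The mechanism the paper's introduction describes (spoofed SYNs each consuming a slot from a limited half-open pool until legitimate clients are refused) and the standard stateless mitigation, SYN cookies, modelled in Python as an added example. This is not code from the paper, from MoonV6 or from LinuxSecurity.com; the backlog size, the addresses, the secret and the MSS table are constructed, and the cookie layout only loosely follows the Linux design rather than reproducing the kernel's algorithm.

```python
"""SYN flood pressure on a half-open backlog, and SYN cookies as the stateless
answer. Added example, not the paper's code. The backlog size, 4-tuples,
secret and MSS table are constructed; the cookie layout is modelled loosely
on the Linux scheme but is not the kernel's algorithm."""
import hashlib
import hmac

BACKLOG = 8                     # constructed: slots in the half-open pool
MASK = 0xFFFFFFFF               # 32-bit sequence-number arithmetic
SECRET = b"constructed-secret"  # assumption: rotated regularly in practice
MSS_TABLE = [536, 1220, 1440, 1460]  # constructed: MSS encoded in 2 bits


def naive_server(syns, backlog=BACKLOG):
    """Stateful handshake: every SYN takes a backlog slot until the client's
    ACK frees it. Spoofed sources never ACK, so their slots stay occupied and
    later SYNs, legitimate ones included, are dropped. Returns the dropped SYNs.
    A SYN is a constructed tuple (src_ip, src_port, client_seq)."""
    half_open, dropped = set(), []
    for syn in syns:
        if len(half_open) >= backlog:
            dropped.append(syn)
        else:
            half_open.add(syn[:2])
    return dropped


def _epoch(now):
    """64-second counter so a cookie expires instead of being replayable."""
    return int(now) // 64


def _tag(src, dst, sport, dport, epoch, mss_index):
    """24-bit keyed tag over the 4-tuple, the epoch and the encoded MSS, so
    none of the bits carried in the cookie can be altered unnoticed."""
    msg = f"{src}|{dst}|{sport}|{dport}|{epoch}|{mss_index}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_isn(src, dst, sport, dport, client_seq, mss_index, now):
    """Server ISN carrying the cookie: tag (24 bits) | epoch low 6 bits | MSS
    index 2 bits, added to the client's sequence number. No per-SYN state."""
    epoch = _epoch(now)
    mss_index &= 0x3
    cookie = (_tag(src, dst, sport, dport, epoch, mss_index) << 8) | ((epoch & 0x3F) << 2) | mss_index
    return (client_seq + cookie) & MASK


def check_ack(src, dst, sport, dport, client_seq, ack, now):
    """Validate the third-step ACK. Returns the negotiated MSS when the cookie
    is genuine and at most one epoch old, otherwise None."""
    cookie = (ack - 1 - client_seq) & MASK
    mss_index, epoch_low, tag = cookie & 0x3, (cookie >> 2) & 0x3F, cookie >> 8
    current = _epoch(now)
    for epoch in (current, current - 1):   # accept current and previous epoch only
        if epoch & 0x3F == epoch_low and _tag(src, dst, sport, dport, epoch, mss_index) == tag:
            return MSS_TABLE[mss_index]
    return None


# Constructed traffic: 50 SYNs with spoofed RFC 5737 sources, then one real client.
FLOOD = [(f"192.0.2.{i % 250}", 1000 + i, i * 7919) for i in range(50)]
LEGIT = ("203.0.113.5", 40000, 12345)
DST, DPORT = "198.51.100.1", 80


def simulate(flood=FLOOD, legit=LEGIT, now=1_700_000_000):
    """Returns (legit_client_dropped_by_naive_server, mss_granted_by_cookie_server)."""
    naive_dropped = naive_server(flood + [legit])
    # Cookie server: the flood costs no memory; only the real client's ACK creates state.
    isn = make_isn(legit[0], DST, legit[1], DPORT, legit[2], 3, now)
    mss = check_ack(legit[0], DST, legit[1], DPORT, legit[2], (isn + 1) & MASK, now + 1)
    return legit in naive_dropped, mss


if __name__ == "__main__":
    print(simulate())
```

Two design points matter in the cookie path: the MSS bits are covered by the keyed tag, so an ACK whose number is off by one fails verification instead of being accepted with a different MSS, and only the current and previous 64-second epochs are honoured, which bounds how long a captured ACK can be replayed.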
Read Entire Article: http://www.linuxsecurity.com/content/view/121241/49/

----------------------

EnGarde Secure Community 3.0.3 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

http://www.linuxsecurity.com/content/view/121150/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+

* RedHat: Moderate: httpd security update
17th, January, 2006

Updated Apache httpd packages that correct three security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121220

* RedHat: Critical: mod_auth_pgsql security update
17th, January, 2006

Updated mod_auth_pgsql packages that fix format string security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121221

* RedHat: Critical: auth_ldap security update
17th, January, 2006

An updated auth_ldap package that fixes a format string security issue is now available for Red Hat Enterprise Linux 2.1. This update has been rated as having critical security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121222

* RedHat: Moderate: ethereal security update
17th, January, 2006

Updated Ethereal packages that fix various security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121223

* RedHat: Low: struts security update for Red Hat Application Server
17th, January, 2006

Updated Red Hat Application Server components are now available including a security update for Struts. This update has been rated as having low security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121224

* RedHat: Important: cups security update
17th, January, 2006

Updated CUPS packages that fix multiple security issues are now available for Red Hat Enterprise Linux. This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121225

* RedHat: Important: gpdf security update
17th, January, 2006

An updated gpdf package that fixes several security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121226

* RedHat: Moderate: apache security update
17th, January, 2006

Updated Apache httpd packages that correct a security issue are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121227

* RedHat: Important: kernel security update
17th, January, 2006

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121228

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jan 23 02:19:07 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 23 Jan 2006 01:19:07 -0600 (CST)
Subject: [ISN] CodeCon program announced, early registration deadline nearing
Message-ID:

Forwarded from: Len Sassaman

The program for CodeCon 2006 has been announced.
http://www.codecon.org/2006/program.html

CodeCon is the premier showcase of innovative software projects. It is a workshop for developers of real-world applications with working code and active development projects. All presentations will be given by one of the lead developers, and accompanied by a functional demo.
Highlights of CodeCon 2006 include:

iGlance - Open source push-to-talk videoconferencing and screen-sharing
Monotone - Low stress, high functionality version control
Query By Example - Data mining operations within PostgreSQL
Djinni - Efficient approximations to NP-complete problems
Elsa/Oink/Cqual++ - A static-time whole-program dataflow analysis for C and C++
Truman - An open-source behavioral malware analysis sandnet
VidTorrent/Peers - A scalable real-time p2p streaming protocol

The fifth annual CodeCon takes place February 10 - 12, 11:30 - 18:00, at StudioZ (314 11th Street) in San Francisco.

Early registration is $63, available online until February 1st, 2006. Registration will be available at the door for $85. Supporting Attendee tickets are also available, and include a one-year membership to the USENIX Association.

Please see the CodeCon registration page for details:
http://www.codecon.org/2006/registration.html

From isn at c4i.org Mon Jan 23 02:19:39 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 23 Jan 2006 01:19:39 -0600 (CST)
Subject: [ISN] No snoozing as mids battle hackers' plot to take out system
Message-ID:

http://www.dcmilitary.com/navy/trident/10_48/local_news/39232-1.html

By Martha Thorn
Trident Managing Editor
January 20, 2006

When Tom Hendricks, National Security Agency visiting professor in the computer science department, talks about red cells and white cells, he's not talking about blood.

The white cells are referees and the red cells are hackers in an inter-service academy competition sponsored by the National Security Agency.

During the four-day competition that is held in April, midshipmen and cadets set up a computer network between the five service academies and sometimes other schools such as the Naval Postgraduate School and the Air Force Institute of Technology. This calls for a coalition, a cooperative effort between the academies.
Then, the red cells or hackers from the National Security Agency and other information assurance groups begin attacking the data sharing network. The academy that best withstands the onslaught wins the competition.

Last year, the Naval Academy team won the competition for the first time. In 2002, the first year that the Naval Academy entered the competition, it placed second.

With the beginning of the spring semester, the Naval Academy is beginning to form its team and prepare for this year's competition. Any computer science and information technology major is eligible to join the team and plebes planning to major in one of these areas may also be considered.

"In the past, only firsties could join the team," said Assistant Professor Lori DeLooze of the computer science department, "but once they were trained, they graduated.

"That's why last year we opened it up to the other classes. This year we have 16 returning cadre who can teach the next group and continue the learning process."

The midshipmen must do all the work. They can ask questions about topics that have not been covered in class, but it's up to them to set up working groups and a chain of command.

Hendricks and DeLooze serve as primary advisers for the team, along with Marine Maj. William "Clay" James and Adjunct Professor Paul Derdul, both of the computer science department.

While these faculty members serve as the first line of defense in answering the team's questions, Hendricks stresses, "The midshipmen can use anyone at the academy as a resource."

Hendricks says that the midshipmen frequently consult with the Information Technology Services Division about programs like Microsoft Exchange and equipment like Cisco.

In the past, the midshipmen have set up as many as 10 or more teams to handle diverse tasks.
"No one person can do everything that needs to be done, so you need people to specialize in firewalls, mail, Web sites, encryption, backups, intrusion detection, administration, technical and morale," Hendricks says. "You also need back-up people because the exercise runs 24 hours a day. You can bet that as soon as your best person takes a nap, that's when the break-in will occur, so you want everyone to know what to do and how to handle it."

He says that the competition is very real world. "In the real world, we're always forming and breaking up coalitions and alliances. We're always sharing information and protecting against break-ins to the system."

Hendricks estimates that the majority of break-ins occur from within the system. "You never know where the red cells are going to come from," he says. "During the exercise, the midshipmen see how easy it is for someone to get into a system and how much damage they can cause."

Hendricks contends that every system will be broken into at one time or another. "What counts is how quickly you can detect the infiltration and how well you respond to it," he says. "You want to test your system for weaknesses and minimize them as much as possible."

Midshipmen interested in joining this year's information assurance team should e-mail hendrick AT usna.edu.

From isn at c4i.org Mon Jan 23 02:20:00 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 23 Jan 2006 01:20:00 -0600 (CST)
Subject: [ISN] Windows back door rumor is bunk
Message-ID:

http://www.theregister.co.uk/2006/01/21/wmf_fud_from_grc/

By Thomas C Greene in Washington
21st January 2006

Contrary to a recent rumor circulating on the internet, Microsoft did not intentionally back-door the majority of Windows systems by means of the WMF vulnerability. Although it is a serious issue that should be patched straight away, the idea that it's a secret back door is quite preposterous.
The rumor began when popinjay expert Steve Gibson examined an unofficial patch issued by Ilfak Guilfanov, and, due to his lack of security experience, observed behavior that he could not explain by means other than a Microsoft conspiracy. He then went on to speculate publicly about this via a "This Week in Tech" podcast, and on his own web site. Slashdot grabbed the story, and the result is a fair number of Netizens who now mistakenly believe that the WMF flaw was created with malicious intent.

What it is

We think it's time that this irrational fear is put to rest. First, let's look at how the flaw works:

A WMF (Windows Metafile) image can trigger the execution of arbitrary code because the rendering engine, shimgvw.dll, supports the SetAbortProc API, which was originally intended as a means to cancel a print task, say when the printer is busy with a very large job, or the queue is very long, or there is a mechanical problem, and so on. Unfortunately, due to a bit of careless coding, it is possible to cause shimgvw.dll (i.e., the Windows Picture and Fax Viewer) to execute code when SetAbortProc is invoked.

A metafile is essentially a script to play back graphical device interface (GDI) calls when a rendering task is initiated. Unfortunately, and due entirely to Microsoft's carelessness whenever security competes with functionality, it is possible to point the abort procedure to arbitrary code embedded in a metafile.

Gibson could not imagine why WMF rendering should need the SetAbortProc API, since, as he mistakenly believed, WMF outputs to a screen, not a printer. In fact, it can output to a printer as well. But following Gibson's erroneous assumption, the question arose: what would be the point of polling the process and allowing the user, or application, to cancel it? Having exhausted his imagination on that score, he concluded that there's no good reason for SetAbortProc to be involved in handling metafiles.
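Because a metafile is a record stream of GDI calls, a scanner can walk that stream and flag the one record the article describes: a META_ESCAPE whose escape function is SETABORTPROC. The following is an added, defender-side example written for this digest, not code from The Register or Microsoft; the record and escape constants are the standard Windows Metafile values, the function names (scan_wmf, is_suspicious) are my own, and the sample files are constructed inline rather than taken from any real attack.

```python
"""Flag WMF files whose META_ESCAPE record requests SETABORTPROC.

Added example (not from the article). Record/escape constants are the
standard Windows Metafile values; sample files are constructed inline.
"""
import struct

META_EOF = 0x0000
META_SETMAPMODE = 0x0103    # harmless record used in the constructed samples
META_ESCAPE = 0x0626        # record that carries a GDI Escape() call
SETABORTPROC = 0x0009       # escape sub-function that registers an abort callback
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
HEADER_LEN = 18             # size of the standard METAHEADER in bytes


def strip_placeable(data: bytes) -> bytes:
    """Drop the Aldus placeable header if present, leaving the METAHEADER."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def scan_wmf(data: bytes) -> list:
    """Walk the record stream and return (offset, byte_count) for every
    META_ESCAPE record whose escape function is SETABORTPROC.

    Record sizes come from the file but are sanity-checked: a size below the
    3-word minimum, or one that runs past the buffer, aborts the walk instead
    of being trusted, since the record stream itself is attacker-controlled.
    """
    data = strip_placeable(data)
    if len(data) < HEADER_LEN:
        raise ValueError("too short to hold a METAHEADER")
    file_type, header_words, _version = struct.unpack_from("<HHH", data, 0)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF METAHEADER")
    findings = []
    offset = header_words * 2
    while offset + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, offset)
        rec_len = rec_words * 2
        if rec_words < 3 or offset + rec_len > len(data):
            raise ValueError(f"bad record size {rec_words} at offset {offset}")
        if func == META_EOF:
            break
        if func == META_ESCAPE and rec_len >= 10:
            esc_func, byte_count = struct.unpack_from("<HH", data, offset + 6)
            if esc_func == SETABORTPROC:
                findings.append((offset, byte_count))
        offset += rec_len
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if the file carries at least one SETABORTPROC escape."""
    return bool(scan_wmf(data))


# --- constructed sample files (not real-world captures) -------------------

def _record(func: int, params: bytes = b"") -> bytes:
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body


def _wmf(records: list) -> bytes:
    total_words = (HEADER_LEN + sum(len(r) for r in records)) // 2
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    return header + b"".join(records)


def benign_wmf() -> bytes:
    """Map-mode record plus an escape with a different, harmless code."""
    other_escape = struct.pack("<HH", 0x0002, 0)    # ABORTDOC, no payload
    return _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                 _record(META_ESCAPE, other_escape),
                 _record(META_EOF)])


def suspicious_wmf(placeable: bool = False) -> bytes:
    """Same skeleton, but the escape record asks for SETABORTPROC."""
    abort_escape = struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4  # dummy data
    body = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                 _record(META_ESCAPE, abort_escape),
                 _record(META_EOF)])
    if placeable:
        body = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0, 0) + body
    return body


if __name__ == "__main__":
    for name, sample in (("benign", benign_wmf()), ("setabortproc", suspicious_wmf(True))):
        print(name, scan_wmf(sample))
```

A hit on SETABORTPROC is a strong signal because image viewing has no legitimate use for an abort callback, which is exactly why the article's explanation of the flaw reduces to that one record.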
The more logical explanation, Gibson reckoned, was that someone at Microsoft had deliberately back-doored Windows with this peculiar little stuff-up. And besides, the idea of compromising a computer with an image file seemed quite cloak-and-dagger, adding to the supposed "mystery."

Nothing new here

To anyone well acquainted with Windows security, hence Microsoft's insistence on ease of use whatever the cost, the idea of intentional mischief along these lines is immediately suspect. Microsoft still encourages users to run Windows as administrators, because it believes that logging in is too much trouble for the average point-and-drool civilian. It enables scores of potentially dangerous networking services by default, lest anyone struggle to enable them as needed; and its security scheme for IE - which, instead of distrusting Web content by default, forces the user to decide whose content to trust and whose not to - is essentially a means of skirting responsibility by blaming the victim for the crushing burden of malware they are carrying.

Microsoft has made a pudding of security from its earliest days, and no amount of malicious intent can possibly account for this. The company's obsession with ease of use is more than adequate to account for this and thousands of other security snafus like it.

Furthermore, the WMF flaw doesn't make for a good backdoor, assuming that one would like to target a user, or class of users. For example, IE is not in itself vulnerable; the problem comes when the system renders online WMF files with shimgvw.dll. So luring a Windows user to a malicious web site is no guarantee that they will be affected, while many others, who are not targets, might well be affected. Similarly, when sending a malicious WMF file via e-mail or IM, there is no guarantee that the intended target or targets will be vulnerable.
And there are plenty of other types of malicious file that can be sent or placed on line in a similar manner, so there is no distinct advantage to using WMF. It is not a powerful back door.

Finally, Microsoft doesn't need this as a back door; it already has one: Windows Automatic Update. It's got Windows boxes phoning home without user interaction, identifying themselves, and downloading and installing code in the background. Technically speaking, it would not be difficult for the company to pervert this process subtly, and effectively, to target certain machines for malware. But naturally, there is no possibility that it ever will: its actually doing so would be detected, and proved, and the company would end up with the PR debacle of the century. So, yes, there is a back door in Windows, and no, it is not news.

Here Gibson takes his preferred route to getting the ink that he craves: technobabble and innuendo. He can't prove anything (technically, he hasn't got the chops), so he lurks in the gray area between fact and fiction, and generates torrents of fear, uncertainty, and doubt.

The FUD Olympics

Gibson has a bad track record: a history of latching onto arcane issues that he doesn't fully understand and can never prove, and converting his limited understanding into fodder for the next internet melt-down.

In mid-2001, when he discovered the SOCK_RAW protocol (which had been implemented in UNIX and Linux for ages) and Microsoft's intent to implement it in Windows XP, he predicted an "XP Christmas of Death" for 2001-2002, which has yet to materialize. Nevertheless, he made such a riot over the issue for so long that Windows XP Service Pack 2 disables the function. Naturally, the installed user base of XP machines in botnets remains the same, because the problem was, and is, the ease with which even the most inept script kiddie can own a Windows box.
Default configurations are very loose, so there are scores of routes into most Windows systems that require very little knowledge or talent to exploit. Microsoft needs to tighten up thirty or so glaring design and configuration flaws, all right, but raw sockets is not among them.

In 2002, when he discovered SYN floods, he developed a broken gimmick that he called "GENESIS" (Gibson's ENcryption-Enhanced Spoofing Immunity System). He said it was "beautiful and perfect." In fact, it was nothing more than an inept implementation of SYNcookies, which had been developed (in a properly working form) for Linux by Dan Bernstein and Eric Schenk years earlier. Gibson denied that he had ever heard of SYNcookies, and insisted he had thought up his own, broken version independently, but this is highly unlikely. Of course, that can't be proved or disproved, keeping the issue in the vague territory that Gibson so comfortably inhabits.

The WMF backdoor story is very much in keeping with Gibson's history of getting security matters a bit wrong, filling the gaps in his understanding with technobabble, and hyping the actual matter out of all reasonable proportion in his never-ending quest for ink. And here, much as we regret it, we've given him even more ink. We can only hope that it dispels the ridiculous rumor that Gibson has propagated, and thus will do more good than harm.

From isn at c4i.org Mon Jan 23 02:20:18 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 23 Jan 2006 01:20:18 -0600 (CST)
Subject: [ISN] Is your firewall spying on you?
Message-ID:

http://www.theinquirer.net/?article=29157

By Paul Hales, in Jerusalem
22 January 2006

IT'S OBVIOUS, REALLY, that the best way of penetrating users' PCs to see what they get up to online would be to become a Firewall maker. Like, when I wanted a Firewall and was too tight to pay for one, I turned to Checkpoint's little freebie Zone Alarm.
It sits there between you and the Internet and lets you know when someone's trying to sneak in through your backdoor or when a program you're running tries to connect to the Web for no apparent reason. When you're as techie as me - not very - you just have to trust it.

Of course, Checkpoint's an Israeli company and as a foreign journalist working in Israel you know the hyperactive security services here would like to keep tabs on you. And you know that they do. It has been confirmed to me by security sources here that mobile phone conversations I have had have been listened to - and in circumstances which I won't reveal, the contents of a call I have been involved in have actually been relayed back to me.

It's part of the game - like the airport interrogation, or the surreptitious copying of your notepad while you're off having a body search. You know what goes on but you have a job to do and just get on with it - hoping that what you get up to in the legitimate pursuit of your business won't upset anyone to the extent that they'll come break your door down and cart you off somewhere.

Now, the handsomely-named Mr Cringely has revealed [1] that a colleague of his at Infoworld noticed that Zone Alarm 6.0 was sneakily sending off data to four different servers. Cringely says that Zone Labs (acquired by Checkpoint in March of 2004) at first denied the activity for a couple of months before deciding the software had a "bug" even though, as he points out, "the instructions to contact the servers were set out in the program's XML code."

The company says it will fix the "bug" soon. In the meantime you can work around it by adding:

    # Block access to ZoneLabs Server
    127.0.0.1 zonelabs.com

to your Windows hosts file.

The "bug" seems to be present in the retail version of Zone Alarm, so there's no telling what the freebie gets up to. We called Checkpoint here in Israel to find out, but were referred to a US spokeszoner.
Trouble is they'll all be in bed there on this sunny Sunday morning.

[1] http://www.infoworld.com/article/06/01/13/73792_03OPcringley_1.html

From isn at c4i.org Mon Jan 23 02:17:13 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 23 Jan 2006 01:17:13 -0600 (CST)
Subject: [ISN] High-Tech Hunger
Message-ID:

http://msnbc.msn.com/id/10756796/site/newsweek/

By Melinda Liu
Newsweek International
Jan. 16, 2006 issue

Don't be fooled by Wang Xiaoyun's demure demeanor. The 39-year-old mathematician is an instrument of China's campaign to become a tech power. She is also a legend among Western cryptographers. "Please don't write too much about my research; it's so difficult for journalists to get the technical details right," Wang pleads in rapid-fire English and Shandong dialect. She has a point: let's just say she and two colleagues shocked the cryptography world last year when they exposed a weakness in a key U.S. government encryption code called SHA-1, thought to be virtually unbreakable. Renowned MIT cryptographer Robert Rivest, who helped develop the SHA-1 algorithm, calls the breakthrough "stunning." (The SHA-1 "hash" is used, among other things, in technologies that transmit credit-card numbers over the Internet.)

Which explains why experts from Wall Street to Washington, from Downing Street to Delhi, are beginning to pay attention to Chinese scientists like Wang, and the government campaign that helps sponsor their work. The "863 Program", so named because in March 1986 Deng Xiaoping decreed Beijing would begin bankrolling key science and technology research, aims to vault China into the ranks of developed nations. When Deng, eager to make China a high-tech power, asked how much funding should be earmarked to jump-start the effort, some scientists suggested 5 billion yuan (about $625 million today), recalls People's University professor Mao Shoulong, who was involved at that stage. "But Deng said the program needed 10 billion yuan. So that's what was invested."
Since then, Beijing has funneled 863 funds to new cutting-edge projects each year, boosting research on everything from aviation systems to mapping the rice genome. Nanjing University professor Wang Yuanqing, who won funding for his work on 3-D computer monitors, believes individual 863 projects are now "too numerous to be counted." During the same period, China's economy has racked up white-hot growth rates: in 2005 GDP expanded 9.8 percent.

Beijing's boom has prompted some Western strategists to warn that China might supplant the United States as a tech leader in the not-too-distant future, and threaten Washington's Asian friends militarily. As China continues its economic rise, senior U.S. officials are asking publicly whether Beijing can become a "responsible stakeholder" in the international community. More to the point, many analysts fear that Beijing, in order to feed its high-tech hunger, is promoting not just legal research but economic espionage and violations of intellectual-property rights (IPR). Consultant James McGregor, author of "One Billion Customers: Lessons From the Front Lines of Doing Business in China," argues that "the biggest issue in [Sino-U.S.] commercial relations should be IPR, IPR, IPR."

To be sure, China currently lags behind the United States in most if not all tech industries. Investment from multinationals such as Motorola, Nokia, Microsoft and Cisco Systems has driven much of China's high-tech growth. Although China recently supplanted America as the world's biggest exporter of information and communications technology, fully 80 percent of the mainland's high-tech and patented exports last year were produced by foreign-controlled firms. Tellingly, many foreign giants don't bring their cutting-edge tech to China; some who do expect it to be copied within five years, says an expert with one of the Big Four accounting firms.
And although glittering high-tech zones and incubator parks have proliferated, "not many of them have actually produced science and technology projects yet," admits Professor Mao. He says the United States outshines China because it "has more money, more talent and more marketable products."

But 863 is transforming China. It's why China has more than 700 multinational R&D centers, compared with fewer than 50 eight years ago. Why 59 percent of Chinese undergrads pursue science and engineering degrees, compared with 32 percent in the United States. Why a year ago Chinese computer giant Lenovo purchased IBM's PC unit. Why foreign governments now worry about the overseas acquisition efforts of other Chinese behemoths such as telecom-equipment maker Huawei or the oil firm Cnooc, which dropped its bid to buy the U.S. company Unocal after fierce opposition last year. And why FBI officials fret that a small but worrisome proportion of the Chinese firms and students in America may be engaged in covert tech-acquisition schemes. Former head of FBI counterintelligence operations David Szady says espionage has helped Beijing acquire in just a couple of years what would normally take a decade to achieve.

The FBI isn't the only agency worrying. A Japanese magazine recently reported that tech secrets were a factor in the mysterious 2004 suicide of a Japanese consul in Shanghai. A Chinese intelligence agent threatened to make public a relationship the Japanese official had with a karaoke hostess unless the consul divulged information on Tokyo's diplomatic encryption system, the Shukan Bunshun reported; the consul decided to hang himself instead. In 2001, U.S. intel sources reportedly alerted their Indian counterparts to "suspicious" activities by the Chinese firm Huawei (next story). Telecom software developed at Huawei's Bangalore R&D center allegedly wound up in the hands of the Pakistan government, New Delhi's archrival, by way of Huawei's Afghan operations.
(Huawei has denied the allegations.) Indian intelligence officials, in particular, oppose allowing Huawei to expand its presence in their country because they fear strategic telecom networks would become vulnerable to China.

Beijing denies that it engages in high-tech theft, attributing such charges to a "cold-war mentality." In fact, China may be able to feed the bulk of its high-tech appetite through legal means. Chinese state-owned enterprises pressure foreign partners to share advanced technology. Foreign nuclear-reactor suppliers, for example, are required to allow local technicians to work alongside their foreign counterparts. While Western suppliers are reluctant to share software codes that actually run the reactors, they routinely divulge construction and operation details. U.S. firms generally consider such tech transfers the "price for admission" to the China market, states a November 2005 congressional report, which asserts that technology transfers are "a major source of advanced technology for the PRC."

Former U.S. military intelligence officer Larry Wortzel, now with the conservative Heritage Foundation, contends 863 is part of a "climate inside China that rewards stealing secrets." He says centralized Chinese government efforts, "such as the 863 Program, are specifically designed to acquire foreign high technology with military application." To deter spies, FBI agents find themselves eyeballing a confusing welter of Chinese students, academics, business travelers, tourists and some 3,000 "front companies" in the United States, says former FBI official Szady. At present, the United States is prosecuting about a dozen cases involving individuals alleged to have smuggled technologies, such as night-vision systems or the proprietary source code for seismic imaging, to China.

In one of the most recent cases, U.S. authorities detained mainland-born electronics engineer Mak Chi, his brother and his wife in late October.
Mak worked for Power Paragon, a top U.S. defense contractor, and he had access to classified technology related to quiet electronic drive (QED) submarine propulsion systems, secrets that could prove valuable to Chinese strategists in the event of conflict in the Taiwan Strait. During phone calls tapped by the FBI, the three suspects allegedly discussed smuggling QED data, which Washington bans for export to the mainland, to Guangzhou on an encrypted disc. They were indicted only for illegally "acting as agents for a foreign government," however, since the smuggled disc didn't contain classified information. "I believe [they] are foreign intelligence operatives," wrote FBI Special Agent James Gaylord in an affidavit. (The three have pleaded not guilty.)

Tech advances make it easier to steal some secrets. For the past two years a group of Chinese hackers suspected of intelligence-gathering cyber-attacks have assaulted U.S. government computer systems. Nicknamed "Titan Rain," they have vacuumed up data on everything from aerospace propulsion systems to flight-planning software used by the U.S. Army and Air Force. (China calls reports of Titan Rain "groundless and irresponsible.")

The big question is whether such efforts are government-sponsored or freelance. The answer is probably both. One Beijing hacker says two Chinese officials approached him a couple of years ago requesting "help in obtaining classified information" from foreign governments. He says he refused the "assignment," but admits he perused a top U.S. general's personal documents once while scanning for weaknesses in Pentagon information systems "for fun." The hacker, who requested anonymity to avoid detection, acknowledges that Chinese companies now hire people like him to conduct industrial espionage. "It used to be that hackers wouldn't do that because we all had a sense of social responsibility," says the well-groomed thirtysomething, "but now people do anything for money."
If that principle takes hold, China's high-tech appetite may well be cause for concern.

With Craig Simons in Beijing, Sudip Mazumdar in New Delhi and Hideko Takayama in Tokyo

© 2006 Newsweek, Inc.

From isn at c4i.org Mon Jan 23 02:20:36 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 23 Jan 2006 01:20:36 -0600 (CST)
Subject: [ISN] Teenage hacker facing court case for data theft
Message-ID:

http://www.taipeitimes.com/News/front/archives/2006/01/22/2003290158

STAFF WRITER
Sunday, Jan 22, 2006

A 17-year-old high-school student identified only by his surname Hung has been named as one of the masterminds behind the nation's three main hacker groups, local media reported yesterday.

According to a report in a Chinese-language newspaper, the China Times, Hung is suspected of having hacked his way through a firewall at the Web site of the well-known magazine Information Security to steal customer, member and commercial information on several occasions since last November. The magazine reported the intrusion and theft of information to the police.

According to the newspaper report, the case was submitted to the juvenile court in Nantou County after Hung admitted to having entered the magazine's Web site. The paper said he was questioned by investigators at his school following his final exam last Friday.

According to the report, Hung organized the Zuso hacker group -- one of the nation's three main hacker groups -- while still in junior-high school and had been praised by other hackers for being the youngest hacker.

Information Security provided the Ministry of Justice's Bureau of Investigation team with computer records which, together with the monitoring of their computer system, told the bureau that the hacker had used a method known as SQL injection to gain access to the database. Investigators then used a newly developed data-mining system to analyze records from one of the hacked computers, which yielded the IP address of Hung's computer.
Investigators reportedly learned of Hung's identity more than a week ago, but waited until Friday, the day of his school's final exams, before confiscating Hung's computer and calling his parents to come to the school.

Hung is a student at Washington High School, a well-known school in central Taiwan. He was an exchange student in the US in 2004. The media reports said that his father runs a medical clinic while his mother runs a high-tech firm.

According to the newspaper, Hung said in an interview with Business Weekly last fall that his "career" as a hacker began when he was a student in the US. He reportedly told the magazine that it took him just half an hour to hack his way into eight Chinese Web sites and leave the message "Taiwanese never die" on their home pages. The report said Hung was awarded NT$10,000 for that stunt, although it did not say by whom.

Copyright © 1999-2006 The Taipei Times. All rights reserved.

From isn at c4i.org Mon Jan 23 02:20:54 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 23 Jan 2006 01:20:54 -0600 (CST)
Subject: [ISN] University warns of possible hacking
Message-ID:

http://www.kansan.com/stories/2006/jan/20/hack/

By Rachel Parker
January 20, 2006

Students who applied via the online application put out by the Department of Student Housing were alerted through either an e-mail or a letter that their private information might have been exposed.

According to a University Relations news release, a computer file with names, addresses, birth dates, phone numbers, social security numbers and credit card numbers was found accessible to the public on Dec. 16. The lack of security affected students who applied and paid an application fee online between April 29, 2001, and Dec. 16, 2005.

Becky Derdoski, Minnesota junior, applied online for residency in the 2003-2004 school year. "That information was given years ago; I didn't think I had to worry about it," she said.
Derdoski remembered a similar incident in which her personal information was at risk of exposure. The Watkins Memorial Health Center pharmacy sent out an e-mail to warn her about it her freshman year.

The housing department shut down its housing application Web site after a routine computer check showed that security measures were not working correctly.

Todd Cohen, University Relations Associate Director for news and public issues, said an incident like this had never happened before at the University.

"It is something that happens a lot at universities, unfortunately. We want to make sure we take care of every precaution, and make everyone fully aware," Cohen said.

While no evidence pertaining to unlawful use of student information has been discovered, the threat to students is still prevalent. The notification sent out to possibly affected students advised them to place a fraud alert through www.ku.edu/identity or to call the housing department with any questions.

Out of about 9,200 online applicants in the past few years, only students that gave contact information were notified. Not all affected students still attend the University.

Since Jan. 18, 154 phone calls and 52 e-mails have been placed in response to the incident, according to the Department of Student Housing records.

The Web site has been shut down and applications are now being taken manually until a new, secure site is up and working.

- Edited by Jodi Ann Holopirek

From isn at c4i.org Mon Jan 23 02:24:19 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 23 Jan 2006 01:24:19 -0600 (CST)
Subject: [ISN] Q&A: Oracle exec says users get enough flaw info
Message-ID:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,107928,00.html

By Jaikumar Vijayan
JANUARY 20, 2006
COMPUTERWORLD

As senior director of security assurance at Oracle Corp., Duncan Harris is in charge of the company's vulnerability remediation processes.
He also manages a team of "ethical hackers" at Oracle's Reading, England, software lab whose job is to find flaws in the vendor's products. Following Oracle's latest quarterly patch release this week (see "Oracle releases patches for 82 flaws" [1]), Harris spoke with Computerworld about the company's patching policies and its relationship with the IT security community.

Oracle just announced patches for 82 vulnerabilities. Why so many?

Oracle doesn't shy away from fixing flaws publicly through our Critical Patch Updates. We don't hide our internally discovered vulnerabilities. When we discover something internally, we still mention it in our Critical Patch Updates. Other vendors, as the security community knows, may be doing silent fixes. It is something we don't believe in. That is part of the explanation for the large number of vulnerabilities. Certainly, there is also much more attention being paid to Oracle for whatever reason.

Critics say Oracle doesn't share enough vulnerability information for users to make proper risk assessments. Why don't you disclose more details?

The comparison is quite clearly with Microsoft's monthly updates. You have to remember that Windows updates are clearly aimed at client machines. Oracle has client-side products, some of which are quite important, but our fundamental focus is on the server side. Comparing this to the monthly patching that Microsoft does is like comparing apples and oranges. It really is quite different to have a systems administrator patch a server-side system and a small client.

Why do you think the security community is so unhappy with Oracle?

In terms of working with the security community, we work very well with those that are happy to abide by the security vulnerability handling processes, which we have published on our Web site for anyone to see.
There are others who for their own good reasons choose to pressure us and put our customers at risk by a partial or early or zero-day disclosure of vulnerabilities in Oracle products. I assume that is part of their marketing method to potentially increase their consulting business. Our "Unbreakable" [advertising] campaign was also a bit of a red flag, which may be another reason why there is so much attention being paid to Oracle by security researchers.

How long does it take for Oracle to fix flaws?

It absolutely depends on their severity. The Critical Patch Update that we [just] issued -- one of the vulnerabilities there was reported to Oracle in November. There is another that was reported to Oracle 800-plus days ago by external researchers. That is not something we are proud of, [but] it points to the fact that we fix vulnerabilities in order of severity. We are making substantial efforts to refine the infrastructure such that reports of vulnerabilities being more than two years old should be a thing of the past. Perhaps in a year's time it will be. But I do anticipate that for the remainder of 2006, you will see security researchers declaring that vulnerabilities they reported two years ago have just been fixed.

How many of your vulnerabilities are discovered internally?

If you look at all of the vulnerabilities that my security group handles, we discover about 75% of them. About 10% is reported to us by our customers. The remainder comes to us through external security researchers.

How have your vulnerability remediation processes evolved over the past few years?

We have seen a substantial move starting over four or five years ago whereby real-world hackers and security researchers started turning their attention more and more to applications that sit on top of the operating system. There has been a substantial targeting of database and applications. About March 2001, Oracle was tracking exactly nine security vulnerabilities across our whole product stack.
Eighteen months later, in September 2002, we were tracking 62. We've had to substantially change parts of our infrastructure to cope with the challenges.

[1] http://www.computerworld.com/securitytopics/security/story/0,10801,107825,00.html

From isn at c4i.org Tue Jan 24 01:28:08 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 24 Jan 2006 00:28:08 -0600 (CST)
Subject: [ISN] Linux Security Week - January 23rd 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  January 23rd, 2006                           Volume 7, Number 4n   |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas       ben at linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Five Mistakes of Vulnerability Management," "Tips For Staying Secure in 2006," and "Stallman Speaks on the Future of GPL 3.0."

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

---

LINUX ADVISORY WATCH

This week, advisories were released for httpd, mod_auth_pgsql, auth_ldap, ethereal, struts, cups, gpdf, apache, and the kernel. The distributor for this week is Red Hat.

http://www.linuxsecurity.com/content/view/121242/150/

---

EnGarde Secure Community 3.0.3 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3).
This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

http://www.linuxsecurity.com/content/view/121150/65/

---

Hacks From Pax: SELinux Administration

This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

http://www.linuxsecurity.com/content/view/120700/49/

---

Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to my second of a series of articles on Security Enhanced Linux. My previous article detailed the background of SELinux and explained what makes SELinux such a revolutionary advance in systems security. This week, we'll be discussing how SELinux security contexts work and how policy decisions are made by SELinux. SELinux systems can differ based on their security policy, so for the purposes of this article's examples I'll be using an EnGarde Secure Linux 3.0 system, which by default uses a tightly configured policy that confines every included application.

http://www.linuxsecurity.com/content/view/120622/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Cisco squashes VoIP, router bugs
  19th, January, 2006

Flaws in Cisco Systems software for routers and IP telephony could be a conduit for attacks on enterprise networks, the company has warned. On Wednesday, it released two security alerts along with fixes for Cisco CallManager, which runs Internet-based phone calling.
Two flaws exist in the software: One could allow an attacker to paralyze a Cisco IP telephony installation, the other could allow someone with read-only access to the system to gain full privileges, according to the alerts.

http://www.linuxsecurity.com/content/view/121238

* Five Mistakes of Vulnerability Management
  18th, January, 2006

Vulnerability management is viewed by some as an esoteric security management activity. Others see it as a simple process that needs to be done in conjunction with Microsoft Corp.'s monthly patch update. Yet another group considers it a marketing buzzword made up by the vendors. This article will look at common mistakes that organizations make on the path to achieving vulnerability management perfection, both in process and technology areas.

http://www.linuxsecurity.com/content/view/121233

* Hey, hey it's Oracle patching day
  19th, January, 2006

Wednesday became a busy day for database administrators after Oracle released its quarterly patch update which, this time around, tackles more than 80 vulnerabilities in different Oracle software packages and components. Various flavours of Oracle database (37 security bugs), Oracle E-Business Suite and Applications (27), Oracle Collaboration Suite (20) and Oracle Application Server (17) are most in need of update.

http://www.linuxsecurity.com/content/view/121236

* Novell opens AppArmour source code
  17th, January, 2006

Looking to spread the usage of the AppArmour application security software it acquired when it bought Immunix, Novell announced last week that it would release the software's source code under the GNU General Public License (GPL) and sponsor a project to maintain and improve it.
http://www.linuxsecurity.com/content/view/121229

* D-Link Fortifies Security With Checkpoint Partnership
  18th, January, 2006

D-Link jumped aboard the unified threat management (UTM) bandwagon this week with a partnership with security vendor Checkpoint Software to develop a new line of small business-focused security appliances. Under the agreement, D-Link will weave Checkpoint's firewall and VPN technology into two new additions to its NetDefend line of SMB security appliances. Slated to be available sometime this quarter, the appliances are aimed at businesses of up to 100 seats and 25 VPN users.

http://www.linuxsecurity.com/content/view/121231

* Users take a shine to Fedora Directory Server 1.0
  19th, January, 2006

Putting on its fedora hat, Red Hat last month released the first version of its free, open-source Directory Server. The Fedora Project is Red Hat's pure open-source arm, with all product releases and source code being freely available without the company's licensing, or "subscription" restrictions, which are required for running Red Hat's enterprise product offerings.

http://www.linuxsecurity.com/content/view/121239

* Tips For Staying Secure in 2006
  16th, January, 2006

Securing data while it travels between applications, business partners, suppliers, customers, and other members of an extended enterprise is crucial. As enterprise networks continue to become increasingly accessible, so do the risks that information will be intercepted or altered in transmission.

http://www.linuxsecurity.com/content/view/121212

* Draft of GPL Version 3 now available for comment
  16th, January, 2006

The Free Software Foundation has published the first draft of the much-anticipated version 3 of the GNU General Public License. The draft of the new version is almost twice as long as version 2: It weighs in at more than 4,500 words, versus 2,900 for the earlier version.
http://www.linuxsecurity.com/content/view/121216

* Tracking the Attackers
  17th, January, 2006

It has become increasingly important for security professionals to deploy new detection mechanisms to track and capture an attacker's activities. Third Generation (GenIII) Honeynets provide all the components and tools required to gather this information at the deepest level. Sebek is the primary data capture tool for GenIII Honeynets.

http://www.linuxsecurity.com/content/view/121217

* Security Pros Get Their Due
  17th, January, 2006

There's a growing market for information security expertise, and salaries are reflecting heightened demand. But beware--when it comes to pay, there's essentially no difference between IS workers with high school diplomas and bachelor's degrees, according to the SANS Institute's 2005 Information Security Salary and Career Advancement survey of more than 4,250 IS pros. People with grad degrees can expect to earn significantly more, however.

http://www.linuxsecurity.com/content/view/121218

* IT security industry 'to be professionalised'
  18th, January, 2006

An organisation is being set up to ensure that IT security officers are competent, but it won't have the power to stop people working if they make mistakes. IT security officers are to get their own professional body in the UK with the launch of the Institute of Information Security Professionals (IISP) next month. The IISP, which was given the go-ahead by the Department for Trade and Industry at the end of last year, is due to officially launch in February.

http://www.linuxsecurity.com/content/view/121232

* Hackers blackmail milliondollar site
  18th, January, 2006

The FBI is investigating the hijacking of milliondollarhomepage.com - the website that earned $1m 566,000 for its British creator Alex Tew by hosting micro-advertisements - by hackers who demanded a ransom to restore the site. Mr Tew was sent a demand for $50,000 by e-mail by a hacker, believed to be Russian.
When he refused, the website crashed.

http://www.linuxsecurity.com/content/view/121234

* New FBI Computer Crime Survey
  19th, January, 2006

Want insight into the cyber attacks that U.S. organizations are facing, what defenses they're using against these assaults, and the implications for industry and government? You'll be interested in reading the new 2005 FBI Computer Crime Survey (PDF), their largest survey on these issues to date.

http://www.linuxsecurity.com/content/view/121235

* Has Corporate Info Security Gotten Out of Hand?
  19th, January, 2006

What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to 'bad' web sites (such as Google Groups); our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines losing network access, if they do not comply by the deadline.

http://www.linuxsecurity.com/content/view/121237

* PC virus celebrates 20th birthday
  20th, January, 2006

Today, 19 January is the 20th anniversary for the appearance of the first PC virus. Brain, a boot sector virus, was let loose in January 1986. Brain spread via infected floppy disks and was a relatively innocuous nuisance in contrast with modern Trojans, rootkits and other malware. The appearance of the first Windows malware nonetheless set in train a chain of events that led up to today's computer virus landscape.

http://www.linuxsecurity.com/content/view/121243

* Computer crime costs $67 billion, FBI says
  20th, January, 2006

Dealing with viruses, spyware, PC theft and other computer-related crimes costs U.S.
businesses a staggering $67.2 billion a year, according to the FBI. The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period.

http://www.linuxsecurity.com/content/view/121244

* Stallman Speaks on the Future of GPL 3.0
  20th, January, 2006

Q&A: Richard Stallman, founder of the FSF, talks about his goals for the GPL and the hopes and fears of free software advocates. The update to the GNU General Public License 2.0, which was some five years in the making, was released this week for a year of public commentary.

http://www.linuxsecurity.com/content/view/121245

* Flaw researcher offers ad space in report
  20th, January, 2006

A security researcher who previously tried to auction off a vulnerability in Microsoft Excel plans to sell ad space in the public report about the flaw, SecurityFocus has learned.

http://www.linuxsecurity.com/content/view/121246

* Novell urged to build open source around AppArmor Linux
  20th, January, 2006

On Jan. 10 2005, Novell announced the creation of the AppArmor project, an open-source project designed to develop Linux application security using Novell's AppArmor technology. AppArmor technology has previously been available with SUSE Linux 10.0 and Novell's SUSE Linux Enterprise Server 9 Service Pack 3. However, Gartner warned that the move does not guarantee that the AppArmor project will be successful.

http://www.linuxsecurity.com/content/view/121247

* US tests e-Passports
  16th, January, 2006

The US government has started testing electronic passports which contain an RFID chip holding information and a digital photo of the passport's carrier. The tests started yesterday at San Francisco airport, Changi Airport in Singapore and Sydney Airport in Australia.
Singapore Airlines crew, some US diplomats and some citizens from Australia and New Zealand are carrying the new passports.

http://www.linuxsecurity.com/content/view/121214

* DOD Eyes Network Revamp
  17th, January, 2006

The U.S. Military's point man for global network operations says that a total overhaul of the government's classified and unclassified information networks may be necessary to ward off legions of hackers and adequately protect the military from crippling attacks in future conflicts.

http://www.linuxsecurity.com/content/view/121219

* Hackers: If You Can't Beat 'em, Recruit 'em
  16th, January, 2006

In the days of increased reliance on the Internet, hackers are making computers increasingly unsafe. To counter that, IT security firms are turning around and hiring talented hackers to find security system holes. Sebastian Schreiber's face lights up with a mischievous grin and his eyes gleam with excitement as he talks about computer hack attacks.

http://www.linuxsecurity.com/content/view/121215

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Jan 24 01:28:25 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 24 Jan 2006 00:28:25 -0600 (CST)
Subject: [ISN] Breach may have exposed donor information
Message-ID:

http://www.ndsmcobserver.com/media/paper660/news/2006/01/23/News/Breach.May.Have.Exposed.Donor.Information-1493395.shtml

By: Maddie Hanna
1/23/06

Hacker causes Notre Dame's first significant computer security intrusion

The personal and financial information of some University donors may be at risk after an unknown intruder hacked into a Development Office server Jan.
13 - the first computer security breach of its magnitude at Notre Dame, University officials said Sunday.

The data in question - possibly including Social Security numbers, credit card information and check images from donations made between Nov. 22, 2005 and Jan. 12 - pertains to a "minority" of alumni donors and friends of the University, said Hilary Crnkovich, vice president of Public Affairs and Communication. She declined to provide a specific estimate of the number of donors affected.

"We're not comfortable quantifying it," Crnkovich said Sunday. "We have no facts or quantification that people were compromised."

The intrusion was not initiated from an on-campus location, Crnkovich said, but its source is still a mystery.

"We just really don't know," she said.

Gordon Wishon, chief information officer for the Office of Information Technologies, said the University is working with two independent forensics firms to determine the source of the intrusion and expects to receive results in several days.

The analysis will "examine the contents of the server, look at the logs and a variety of data to help describe the nature of the intrusion and the intent of the intruder," Wishon said Sunday.

However, the investigation may be unable to pinpoint the intruder's exact location, especially if the site was overseas or several relay sites were involved, Wishon said. And it's also unclear whether or not the University will know what information, if any, was viewed.

"It may be that we'll never find out exactly what was exposed or taken," Wishon said.

Both Crnkovich and Wishon said it was possible the purpose of the intrusion was for file-sharing purposes, designed to obtain server space rather than personal information.

"Most commonly with incidents of this type, that's what happens," Wishon said. "It's very common - [but] I certainly don't know if that's the case."
The server, which is not part of the University's central data system, was used for inter-office file sharing in the Development Office, Wishon said. While the server is maintained primarily by Development Office staff, Wishon said OIT's Information Security Department collaborated with the Development Office to provide security standards for the server.

OIT was involved in the detection of the intrusion, when staff noticed "anomalous behavior" on the server and notified the Development Office, Wishon said. The server was immediately taken off-line after a breach Wishon estimated to be "fairly short in duration."

Donors whose information was potentially viewed received an e-mail Saturday from Vice President of University Relations Louis Nanni and were also sent letters in the mail advising them to take appropriate safeguards listed on a newly-created University support Web site and to call a toll-free Notre Dame phone number for more information.

Since little is known at this point, donors should not necessarily expect the worst, Crnkovich said.

"What we're doing is providing recommendations and outreach to the potential group and asking them to take their own precautions," Crnkovich said. "We really feel it's prudent to give people all the resources we can. We take it seriously."

Crnkovich said the Development Office had not received phone calls from concerned donors as of Saturday night. The Office has received e-mails, but they have all been positive, she said.

"People have been very thoughtful and said thank you for letting them know to take the steps," she said.

But other donors say they are far from thankful.

Mike Coffey, a 1991 alumnus who runs the NDNation Web site and message boards that received a flurry of posts over the weekend from concerned donors, said he was "extremely disappointed" after receiving e-mails informing him of the security breach.
"It seems to be a very shoddy set-up for protection of personal information I've provided to the school," Coffey said. "What is a server with this sensitive information on it doing on the Web? I can't perceive anyone outside of Notre Dame needing that information."

Coffey, who received his degree in Management Information Systems and has been an IT professional for 15 years, said he "thought [he] learned" the proper way to maintain a server at Notre Dame.

"Apparently [University staff members] don't practice what they preach," he said.

Despite his disappointment, Coffey said he would not change his donating practices and hopes the incident causes the University to improve the way it stores and accesses information.

"I donate to Notre Dame because I believe in what Notre Dame does," he said.

Crnkovich said similar security breaches have occurred at other universities, including Stanford and the University of Connecticut. However, she said she did not know how the incidents were handled by those schools.

From isn at c4i.org Tue Jan 24 01:28:43 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 24 Jan 2006 00:28:43 -0600 (CST)
Subject: [ISN] Hacker pleads guilty to building, renting attack network
Message-ID:

http://www.mercurynews.com/mld/mercurynews/business/13693354.htm

Jan. 23, 2006

SAN FRANCISCO (AP) - A 20-year-old hacker admitted Monday to surreptitiously seizing control of hundreds of thousands of Internet-connected computers, using the zombie network to serve pop-up ads and renting it to people who mounted attacks on Web sites and sent out spam.

Jeanson James Ancheta, of Downey, Calif., pleaded guilty in Los Angeles federal court to four felony charges for crimes, including infecting machines at two U.S. military sites, that earned him more than $61,000, said federal prosecutor James Aquilina.

Under a plea agreement, which still must be approved by a judge, Ancheta faces up to 6 years in prison and must pay the federal government restitution.
He also will forfeit his profits and a 1993 BMW. Sentencing is scheduled for May 1.

Prosecutors called the case the first to target profits derived from use of "botnets," large numbers of computers that hackers commandeer and marshal for various nefarious deeds. The "zombie" machines' owners are unaware that parasitic programs have been installed on them and are being controlled remotely.

Botnets are being used increasingly to overwhelm Web sites with streams of data, often by extortionists. They feed off of vulnerabilities in computers that run Microsoft Corp.'s Windows operating system, typically machines whose owners haven't bothered to install security patches.

A November indictment charged Ancheta with 17 counts of conspiracy, fraud and other crimes connected to a 14-month hacking spree that started in June 2004 and that authorities say continued even after FBI agents raided his house the following December.

"Part of what's most troubling about those who commit these kinds of offenses is they think they'll never be caught," said Aquilina, who spent more than a year investigating Ancheta and several of Ancheta's online associates who remain uncharged co-conspirators.

Ancheta's attorney, federal public defender Greg Wesley, did not immediately return phone calls seeking comment.

Ancheta has been in federal custody since his November indictment. He previously worked at an Internet cafe owned by a relative and had hoped to join the military reserves, according to his aunt, Sharon Gregorio. Court documents suggested he had a taste for expensive goods, spending $600 a week on new clothes and car parts.

The guilty plea comes less than a week after the FBI released a report that estimates viruses, worms and Trojan horse programs like the ones Ancheta employed cost U.S. organizations $11.9 billion each year.
November's 52-page indictment, along with papers filed last week, offer an unusually detailed glimpse into a shadowy world where hackers, often not old enough to vote, brag in online chat groups about their prowess in taking over vast numbers of computers and herding them into large armies of junk mail robots and arsenals for so-called denial of service attacks on Web sites.

Ancheta one-upped his hacking peers by advertising his network of "bots," short for robots, on Internet chat channels. A Web site Ancheta maintained included a schedule of prices he charged people who wanted to rent out the machines, along with guidelines on how many bots were required to bring down a particular type of Web site.

In July 2004, he told one chat partner he had more than 40,000 machines available, "more than I can handle," according to the indictment. A month later, Ancheta told another person he controlled at least 100,000 bots, and that his network had added another 10,000 machines in a week and a half.

In a three-month span starting in June 2004, Ancheta rented out or sold bots to at least 10 "different nefarious computer users," according to the plea agreement. He pocketed $3,000 in the process by accepting payments through the online PayPal service, prosecutors said.

Starting in August 2004, Ancheta turned to a new, more lucrative method to profit from his botnets, prosecutors said. Working with a juvenile in Boca Raton, Fla., whom prosecutors identified by his Internet nickname "SoBe," Ancheta infected more than 400,000 computers.

Ancheta and SoBe signed up as affiliates in programs maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits.
Prosecutors say Ancheta and SoBe then installed the ad software from the two companies -- Gamma Entertainment of Montreal, Quebec, and Loudcash, whose parent company was acquired last year by 180Solutions of Bellevue, Wash. -- on the bots they controlled, pocketing more than $58,000 in 13 months.

"It's immoral, but the money makes it right," Ancheta told SoBe during one online chat, according to the indictment.

"I just hope this (Loudcash) stuff lasts a while so I don't have to get a job right away," SoBe told Ancheta during a different conversation.

Aquilina, the assistant U.S. attorney prosecuting the case, wouldn't say whether authorities plan to charge SoBe or any of the people accused of renting out Ancheta's bots, many of whom are described as "unindicted co-conspirators."

During the course of their scheme, Ancheta and SoBe infected U.S. military computers at the China Lake Naval Air Facility and the Defense Information System Agency headquartered in Falls Church, Va., according to a sworn declaration signed by Ancheta.

From isn at c4i.org Tue Jan 24 01:30:06 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 24 Jan 2006 00:30:06 -0600 (CST)
Subject: [ISN] Contractors told to relax about BlackBerry
Message-ID:

http://www.fcw.com/article92023-01-23-06-Print

By Michael Arnone
Jan. 23, 2006

The thought of life without Research in Motion's BlackBerry - often called "CrackBerries" for their addictive ease of use - makes many owners of the handheld devices check the waiting list at the nearest rehab clinic.

But the end could come next month. A federal appeals court judge is expected to announce a decision in a patent feud over the ubiquitous technology. The ruling could include shutting down BlackBerry service in the United States.

Government contractors have come to depend on the handheld messaging devices like they depend on their morning coffee. They rely on the devices to communicate with their federal clients and one another.
BlackBerries provide users with great freedom and have changed the way contractors work, said Chris Pate, director of mobile solutions at GTSI and a self-described BlackBerry junkie.

Because the devices have become so ubiquitous, many contractors are seriously worried about how they would cope if they suddenly lost access to them. Companies and federal agencies are consulting experts for advice on preparing for the worst-case scenario.

Ellen Daley, an analyst at Forrester Research, said she has received more than 100 inquiries during the past four weeks from customers, including contractors, who are worried that they might lose their BlackBerry service.

But Daley and other analysts say that contractors should calm down. Although the possible injunction is a real threat, many analysts regard it as unlikely.

"I feel like they're worrying unnecessarily, but they are worrying," Daley said about the contractors.

"It's more emotional than anything," Pate said. His colleague, Scott Keough, senior manager of enterprise software at GTSI, said people are afraid to lose the flexibility and mobility they have taken for granted since BlackBerries came on the market.

The microscopic media coverage of the legal case has made contractors nervous about the future. "For all the details, it's hard to tell what will happen," Pate said.

The heart of the argument

Two companies - RIM and NTP - each argue that they hold the original patents on the BlackBerry's wireless e-mail technology. NTP has sued RIM to get the credit and money it says it is due.

RIM has encouraged the U.S. Patent and Trademark Office to re-evaluate the credibility of NTP's patent claims.

The possibility of an injunction against RIM, forcing the company to shut down its U.S. service, is the scenario that has contractors panicked but which analysts believe to be unlikely - only a 10 percent chance in Gartner Research's estimation.
Forrester Research is even more confident, giving the possibility only a 2 percent chance.

Feds could get exception

The federal government has requested that employees with mission-critical responsibilities receive an exemption from an injunction.

Daley said many contractors are jumping on the government bandwagon to ensure they keep their service to keep essential government operations running.

Ken Dulaney, an analyst at Gartner, said that in case of a shutdown, the judge will create a strict rule defining which critical government employees and contractors can keep their service.

But "it's tough to define what a government contractor is," Dulaney said. Someone who works directly with federal agencies certainly qualifies. But consider subcontractors or others who work less directly with agencies and the waters grow murkier, he said. The judge will have to come up with the formula.

If contractors are forbidden to use BlackBerries, it may make it impossible for them to meet all of their contractual obligations, some of which were agreed to with the assumption that the instant communication provided by the devices would be available, Pate said.

"It's hard to say how far the line will be drawn," Pate said. If the judge does not provide a generous definition of critical government employees, "it would cause performance issues in a company our size."

Endgame scenarios

In the unlikely event that RIM has to shut down U.S. mobile e-mail operations, contractors would not have to go cold turkey. Any injunctions would provide ample time - 30 to 60 days - to migrate to new systems, Pate said. Many RIM customers already have continuity of operations plans in place, he said.

Gartner predicts that the two most likely outcomes - 35 percent chance of either - are that RIM and NTP will settle or that the resolution will take another 12 months to 18 months. Gartner foresees a 20 percent chance that RIM will use workaround plans that don't infringe on NTP.
If RIM and NTP settle, it would likely mean no changes at all for contractors, Dulaney said. RIM could potentially charge more for the service to pay for the settlement but will likely eat those costs, he said.

"I'm not convinced that this is a total disaster for anyone," Dulaney said. "It's just an inconvenience."

Contractors should prepare

The possibility that Research in Motion BlackBerry users in the United States could lose their service may push federal agencies to look more closely at their mobile communications plans, said Chris Pate, director of mobile solutions at GTSI.

That is a good thing because many organizations may use BlackBerries as a technological crutch, Pate said. BlackBerries work so well and are so popular that some agencies have not created wireless communication plans that encourage effective information technology management or address workforce needs, he said.

No organization should rely on one technology so that its absence could ruin a communications plan, he said.

No matter what happens, organizations that use BlackBerries should assign one person to spend a week developing contingency plans, said Ellen Daley, an analyst at Forrester Research.

-=-

The planner should:

* Identify and contact other vendors in case the companies need to move to another technology.
* Develop a migration plan with a deployment timeline and prioritized list of who would receive new devices.
* Identify purchasing locations, including existing vendors.
* Determine which wireless applications, other than e-mail clients, employees want to access via mobile devices.

Michael Arnone

From isn at c4i.org Tue Jan 24 01:27:41 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 24 Jan 2006 00:27:41 -0600 (CST)
Subject: [ISN] The Worst-Case Hack Scenario
Message-ID:

http://business.newsfactor.com/story.xhtml?story_id=41047

By Jack M. Germain
January 23, 2006

A flurry of data breaches at major corporations late last year seemed to confirm a growing consensus among computer-security experts that 2005 was the worst year yet for such transgressions.

Incidents at Marriott International, Ford Motor Company, and ABN Amro Mortgage Group served as eerie reminders to CIOs that they could be the next victims of thieves looking to poach Social Security and credit-card numbers, or of business-process breakdowns that cause sensitive information to fall into the wrong hands.

Most CIOs will tell you that getting hacked is inevitable. But there is getting hacked, and then there is getting sacked. As the volume of information increases and criminals grow more brazen, the chances of companies suffering a worst-case scenario seem less remote every day. Part of any CIO's duty is to convince the boss that the company is ready for the very worst security crisis imaginable.

Tales of Tech Terror

An example of just how easily a security problem can hit a company is the data breach Ford Motor Company reported in the first week of January. Ford officials reported the theft of a computer with files that have the names and Social Security numbers of approximately 70,000 current and former employees of the company.

Adding insult to significant injury, that theft had nothing to do with network intrusion or social-engineering tricks typically employed by data thieves.

Neither did the disappearance in December of a box containing information on some two million customers of ABN Amro Mortgage Group, one of the nation's largest mortgage lenders. ABN Amro's customers learned that their Social Security numbers and other personal information were lost by a DHL courier on the way to the credit bureau Experian. A month later, a DHL worker found the unlabeled carton of data in the same DHL facility where it had been lost.
Meanwhile, someone at the corporate offices of Marriott Vacation Club International, in Orlando, Florida, either misplaced or removed computer backup tapes containing data about some 206,000 associates, timeshare owners, and customers. The company reported the missing tapes in late December. Marriott officials mailed notifications to the affected people.

In an effort to quell panic about possible identity theft, corporate officials said that the tapes require specialized equipment to read their content. Marriott is investigating how the tapes went astray and will monitor for unusual activity or possible misuse of the data.

We Have a Situation

Data security is a topic most corporate CIOs are reluctant to discuss. The consensus is, the less said, the better for the corporate image. But that does not mean CIOs are sitting around with their hands in their pockets wondering how to convince their bosses that the sky is not about to fall.

"Actually, believe it or not, many CIOs do already have a worst-case scenario list," said Ed Moyle, manager of Information Security Services at CTG and an analyst at Illuminata. "The specific terminology varies from firm to firm, but a situation report is one common way that a CIO can keep an eye on how the firm's I.T. infrastructure is impacted by developments in the outside world such as worms, viruses, and fraud activity."

The situation report might be prepared by CIO staff and contain high-level information about threats in the environment and the company's position with respect to each threat. Moyle said the staff might draw on data from Web sites like the SANS Internet Storm Center, which actively monitors and warns of attacks, or they might collaborate with peers to gauge the effectiveness of their security measures.

Keeping a list of threats is only the first step in crisis management, Moyle said. Most large companies also are likely to have an incident-response plan that details how I.T. personnel will respond to particular types of threats, including information about whom to call when a threat occurs and how to make sure the right people are involved.

Opening It Up

At General Motors, the approach to crisis management is very different than it was a few years ago. Back then, responding to worst-case scenarios was much like applying triage to a catastrophe, said Eric Litt, chief information security officer for Global Information Security at GM Information Systems and Services.

"Now we try to assess threats and decide how to handle them before the crisis hits," he said.

GM is unique in that it outsources 100 percent of its I.T. By necessity, the global operation requires around-the-clock scrutiny, and that includes preparation for nightmare scenarios.

"We operate 24-7 so computer security incidents and events are handled no differently than other kinds of incidents," Litt said.

GM follows a model that aligns Litt with each sector of the corporate structure while allowing him oversight of the operations and support of the I.T. department. Because the company is always functioning at multiple locations worldwide, the data security infrastructure is more expansive, and concerns over data breaches are not treated as a separate entity linked only to I.T.

Litt said that this is a big change in the way he approaches his job. "I no longer worry about what could go wrong," he said.

Assessing Risk Clearly

Today's CIOs are more keyed in than ever on the risks that hackers pose, said Paul Stamp, an analyst at Forrester Research. That focus has strengthened the defenses around company perimeters and shifted focus somewhat to threats from within.

"CIOs are now better equipped to stay ahead of the security curve," said Stamp. "The feeling now is that the perimeter holes have been licked." In fact, he said, studies have shown that most security breaches in the last two years have come fairly consistently from inside corporations.
Despite this recent success against outside threats, CIOs are still struggling with how to communicate specific threat information to the bosses, said Moyle. "That's where the situation gets tricky," he said. Since CEOs are focused on increasing the profitability of the firm, he said, many of them regard security as an expense that draws money away from investment in the business.

To win over the CEO, information officers must demonstrate how activities within their purview affect the bottom line.

"By using data from their threat-tracking efforts, the CIO can demonstrate how I.T. investment impacted the bottom line in terms of cost savings," said Moyle.

In other words, if a CIO can prove that money spent resulted in money saved, it could ease the pain involved in outlining a worst-case scenario.

"Granted, it is very difficult to get anything but a rough estimate from these metrics," Moyle said, "but a rough estimate is better than no estimate at all."

As to the degree of worry that CIOs have, Moyle conceded that quite a few CIOs are worried about attacks, incidents, and other types of security threats. And to him that is not a good sign.

"Worry in a CIO reflects uncertainty in the management process," said Moyle. For example, in a well-prepared company, a CIO might have metrics to help predict how likely an incident is to occur and how much it is likely to cost the company. He or she can then look at the balance sheet and make a considered determination as to how much to spend.

But if CIOs are panicked, it's a sign that their confidence in that process is not there for one reason or another, Moyle said. "The metrics might be so skewed as to be useless. They might not have metrics at all. They might have no way of tracking threats, or they might not have a defined response process, and so on."

The Best Defense

Moyle likened the role of the CIO in handling risk management to having flood insurance.
Financial officers do not stay up late at night worrying whether there will be a flood, and adequately prepared CIOs shouldn't lose any sleep either.

The CIOs who manage risks effectively have become successful in showing their bosses the need to build computer systems from the ground up rather than to bolt on fixes, according to Forrester's Stamp.

"[Risk management] is now a laundry list of things to do. Security is no longer a separate department. Rather, it is integrated into business practices," he said.

That integration seems to be the key to understanding and preparing for a worst-case scenario. Instead of having a plan waiting behind a pane of glass, to be broken out only in case of emergency, CIOs would seem to be best served telling their bosses that the systems are already in place to respond to a data-security crisis.

Besides, as GM's Litt sees it, a worst-case scenario, in the truest sense of the term, is one that is not survivable. The best CIOs can do is to have a plan in place to mitigate attacks effectively and be ready to follow it whenever needed.

"That doesn't mean an attack will never have an impact on the business," Litt said. "There is no such thing as a perfect security plan."

From isn at c4i.org Tue Jan 24 01:30:20 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 24 Jan 2006 00:30:20 -0600 (CST)
Subject: [ISN] OpenSSL gets NIST certifications
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/38074-1.html

By Joab Jackson
GCN Staff
01/23/06

Agencies setting up sensitive virtual private networks now have an open-source alternative.

The National Institute of Standards and Technology has certified OpenSSL, an open-source library of encryption algorithms, as meeting Federal Information Processing Standard 140-2 Level 1 standards, according to the Open Source Software Institute of Hattiesburg, Miss.
"This validation will save us hundreds of thousands of dollars," said Debora Bonner, operations director for the Defense Department's Defense Medical Logistics Standard Support program, in a statement. "Multiple commercial and government entities, including [the Defense Department's] Medical Health System, have been counting on this validation to avoid massive software licensing expenditures."

Federal agencies must use FIPS-compliant products to secure networks carrying unclassified sensitive data. The FIPS certification of OpenSSL opens the possibility of using an SSL-based VPN to carry sensitive data, according to Peter Sargent, who heads the Severna Park, Md.-based PreVal Specialist Inc., one of the companies that supported the validation process.

Traditionally, agencies wishing to set up a VPN for sensitive data would use an approach that involved a secret key implementation of a cryptographic module, which is more expensive to implement and has limited the number of smaller companies that can provide such a product, Sargent said.

Sargent added that few agencies would directly deploy OpenSSL FIPS. Rather, they would purchase OpenSSL-based VPN products from vendors.

To accompany the release, OSSI has published a guidebook, The OpenSSL Security Policy Version 1.0, describing how the OpenSSL cryptographic module works in relation to FIPS 140-2 requirements. The organization also plans to issue a users' guide within two weeks, according to John Weathersby, executive director of OSSI.

Agencies will also find support from a December 2005 update of NIST's Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program. The document addresses how users can deploy a program with FIPS modules across multiple platforms.

The cryptographic module of OpenSSL (SSL stands for Secure Sockets Layer) consists of an open-source implementation of SSL encryption - originally created by Netscape Communications Corp. - as well as a Transport Layer Security module. SSL and TLS are security protocols that browsers and other software can utilize to encrypt and decrypt Web pages and sensitive data.

In order to be FIPS-approved, it is necessary to limit the SSL-based implementation to the TLS mode, Sargent said.

The volunteer-led OpenSSL project oversees the development of OpenSSL. The team has made the module and source code available at the project's Web site under an Apache-style license permitting free noncommercial use.

NIST validated the library cryptographic module contained in Version 0.9.7j of OpenSSL-FIPS as a validation process only for encryption modules, not entire software packages.

The OpenSSL-FIPS library cryptographic module uses the Advanced Encryption Standard, the Data Encryption Standard, the Digital Signature Algorithm, FIPS-mode RSA for signatures, as well as the FIPS-qualified approved Secure Hash Algorithm-1, or SHA-1.

In addition to PreVal, OSSI and DMLSS, Hewlett-Packard Co. of Palo Alto, Calif., and the Domus IT Security Laboratory of Ottawa sponsored the FIPS testing for OpenSSL.

From isn at c4i.org Tue Jan 24 01:30:31 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 24 Jan 2006 00:30:31 -0600 (CST)
Subject: [ISN] Oracle no longer a 'bastion of security': Gartner
Message-ID:

http://www.zdnet.com.au/news/security/soa/Oracle_no_longer_a_bastion_of_security_Gartner/0,2000061744,39234277,00.htm

By Munir Kotadia
ZDNet Australia
24 January 2006

Analyst group Gartner has warned administrators to be "more aggressive" when protecting their Oracle applications because they are not getting enough help from the database giant.

Gartner published an advisory on its Web site just days after Oracle's latest quarterly patch cycle, which included a total of 103 fixes with 37 related to flaws in the company's database products. Some of the flaws carry Oracle's most serious rating, which means they're easy to exploit and an attack can have a wide impact.
According to the advisory, which was posted by Gartner analyst Rich Mogull on Monday, "the range and seriousness of the vulnerabilities patched in this update cause us great concern. Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur."

Mogull said that because Oracle has historically been seen as having very strong security and many of Oracle's products are located "deep within the enterprise", administrators often neglect their patching duties.

"Moreover, patching is sometimes impossible, due to ties to legacy versions that Oracle no longer supports. These practices are no longer acceptable," said Mogull who advises administrators to pay more attention to securing their Oracle applications.

Mogull said administrators should:

* Immediately shield these systems as well as possible, using firewalls, intrusion prevention systems and other technologies.
* Apply available patches as rapidly as possible.
* Use alternative security tools, such as activity-monitoring technologies, to detect unusual activity.
* Pressure Oracle to change its security management practices.

In response to the Oracle patch release, Symantec raised its ThreatCon global threat index to Level 2, which means an outbreak is expected. It typically does that after a patch release because malicious hackers might use the fixes as a blueprint for attacks.

CNET News.com's Joris Evers contributed to this report

Copyright © 2006 CNET Networks, Inc.

From isn at c4i.org Wed Jan 25 01:33:36 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 25 Jan 2006 00:33:36 -0600 (CST)
Subject: [ISN] DHS IT security spanked again
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/38088-1.html

By Wilson P. Dizard III
GCN Staff
01/24/06

The Homeland Security Department's forlorn IT security came in for another pasting today from the department's inspector general and from Sen. Judd Gregg (R-N.H.), chairman of the Senate Appropriations Subcommittee on Homeland Security.

The department's IT security has been the subject of several critical reports and evaluations, and DHS has earned three consecutive failing grades [1] in its annual IT security evaluation under the Federal Information Systems Management Act.

Department officials said they would reserve at least part of their response to Gregg's comments on what he called the "disturbing IG reports on weaknesses in DHS operations" until a hearing tomorrow morning in the senator's subcommittee about the U.S. Visitor and Immigrant Status Indicator Technology system. U.S. Visit program manager Jim Williams and Government Accountability Office architecture expert Randy Hite are slated to testify at the hearing.

Gregg praised DHS officials for pledging to address the problems raised in the three reports. Homeland Security CIO Scott Charbo responded to the reports with detailed letters describing DHS' plans to improve database security and the management of the department's OneNet network. DHS officials responsible for IT used in border security, which formerly fell under the authority of the now-dissolved Border and Transportation Security Directorate, submitted a detailed reply to an IG report on border systems.

Gregg issued comments in a press release on three IG reports, with the following titles:

* Management of the DHS Wide Area Network Needs Improvement
* Security Weaknesses Increase Risks to Critical DHS Databases and
* U.S. Visit System Security Management Needs Strengthening.

Gregg said that during a time when the government is spending billions on security, it is unacceptable that DHS has failed to properly manage and secure its systems.

"The reports of threats posed by holes in the department's information technology and infrastructure are a concern," Gregg said in his statement. "The U.S. Visit program, for example, is a major IT investment, and the department must concentrate on this program operating effectively."

The IG reports include extensive blank spaces that omit sensitive IT security information about issues such as database configuration guidelines and database security and audit trail procedures. DHS also blanked out the locations of DHS database facilities in six states.

The IG reported that DHS officials have not yet fully aligned their databases with FISMA procedures, failing, for example, to test and evaluate security controls, to integrate security control costs into system life cycle costs and to provide specialized security training to system administrators.

The auditors said DHS had not followed its own procedures to clear an upgrade of the department's wide area network, and had relied on a network security operation at Immigration and Customs Enforcement rather than creating a separate security operations center. They pointed out ineffective network monitoring and the lack of interconnection service agreements as additional problems with the WAN.

[1] http://www.gcn.com/vol1_no1/FISMA/35548-1.html

From isn at c4i.org Wed Jan 25 01:33:49 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 25 Jan 2006 00:33:49 -0600 (CST)
Subject: [ISN] When Data Goes Missing: Will You Even Know?
Message-ID:

http://www.computerworld.com/managementtopics/management/story/0,10801,107967,00.html

Advice by Jack Gold
JANUARY 23, 2006
COMPUTERWORLD

Recent reports of company-compiled personal data gone missing (such as Marriott losing many thousands of vacation club records), while clearly important, are really just the tip of the iceberg. What customers really need to ask of companies is, What other data has been lost? And in all likelihood, there is absolutely no way for the companies to know. The truth of the matter is, reported cases of massive data loss are just the ones they know about.
And this problem will only grow with the proliferation of tiny personal mass-storage devices of dramatically increasing capacity. How many people currently own flash memory drives? Tens of millions. And how many companies control the use of flash drives? You can count them on one hand.

I travel a lot, and on a recent trek through airport security, I found a flash drive that had fallen under the security table. This lost drive had no distinguishing characteristics -- no labels to tell me who owned it or where he worked. With some time to kill before my flight, I decided to see if I could track down the owner. I had to invade the owner's privacy to see what I could discover from the content of the files. Turns out the files contained fairly innocuous content -- some project plans and a short PowerPoint in draft form -- but no way to identify the owner. (As a result of this experience, I have put a small .txt file on my devices with my name and address, and I figure an address label on the outside can't hurt either.)

Why is this an issue? Well, for starters, the storage capacity of these devices is growing at the "silicon curve" rate. Within the next two to three years, instead of the 500MB or 1GB drives commonly available today, you'll be able to purchase for about the same money a stick-like drive of 10GB or greater capacity.

What if an employee decided to download a customer database to one of these devices (say, to transfer the data to another machine) and then proceeded to lose it? Is the data protected from loss? Probably not, even though there are many devices now available that include encryption capability (which is rarely used). And what if a competitor picks it up?

The potential to lose data on portable devices is a massive hole in most companies' security plans. The laws being passed in a number of states that require data loss to be reported to affected consumers work only if the company actually discovers the loss.
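The column goes on to recommend that companies employ techniques that discover when portable storage devices are connected and by whom, and that they verify such devices carry protection. The following is an added example of what that discovery step can look like on a Linux fleet; it is not code from the column, from Computerworld or from any vendor. It assumes that kernel USB messages are collected centrally in syslog form, that a login-session table is available to say who was at the keyboard, and that company-issued encrypted drives are known by serial number. Every host name, user, timestamp, vendor/product id and serial number below is constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of Linux kernel messages as syslog would record them.
# The line shapes follow the kernel's usb and usb-storage drivers; the hosts,
# times, vendor/product ids, serial numbers and users are all invented.
SAMPLE_LOG = """\
Jan 23 09:14:02 ws-017 kernel: usb 1-2: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
Jan 23 09:14:02 ws-017 kernel: usb 1-2: Product: Corp Encrypted Drive
Jan 23 09:14:02 ws-017 kernel: usb 1-2: SerialNumber: EXAMPLE-SERIAL-0001
Jan 23 09:14:03 ws-017 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jan 23 11:40:51 ws-042 kernel: usb 3-1: New USB device found, idVendor=abcd, idProduct=0010, bcdDevice=12.03
Jan 23 11:40:51 ws-042 kernel: usb 3-1: Product: Wireless Receiver
Jan 23 14:02:10 ws-042 kernel: usb 3-4: New USB device found, idVendor=5678, idProduct=0002, bcdDevice= 1.10
Jan 23 14:02:10 ws-042 kernel: usb 3-4: Product: Personal Stick
Jan 23 14:02:10 ws-042 kernel: usb 3-4: SerialNumber: EXAMPLE-SERIAL-9999
Jan 23 14:02:11 ws-042 kernel: usb-storage 3-4:1.0: USB Mass Storage device detected
"""

# Constructed login records (host, user, login, logout), such as an identity
# system or `last` would provide, used to say who was logged in when a device appeared.
SESSIONS = [
    ("ws-017", "alice", "2006-01-23 08:55", "2006-01-23 17:30"),
    ("ws-042", "bob",   "2006-01-23 09:10", "2006-01-23 12:00"),
    ("ws-042", "carol", "2006-01-23 13:15", "2006-01-23 18:00"),
]

# Serial numbers of company-issued, protection-enabled drives (constructed allowlist).
APPROVED_SERIALS = {"EXAMPLE-SERIAL-0001"}

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) kernel: (.*)$")
FOUND_RE = re.compile(r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT_RE = re.compile(r"^usb (\S+): Product: (.*)$")
SERIAL_RE = re.compile(r"^usb (\S+): SerialNumber: (\S+)$")
STORAGE_RE = re.compile(r"^usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected$")

EMPTY = {"vendor": None, "product_id": None, "product": None, "serial": None}


def parse_storage_events(log_text, year):
    """Return one record per mass-storage attach found in the log.

    Descriptor lines (ids, Product, SerialNumber) arrive before the usb-storage
    line and are keyed by (host, port) so they can be joined to it. Receivers,
    keyboards and other non-storage devices never produce a usb-storage line
    and are therefore ignored. Syslog omits the year, so the caller supplies it."""
    pending, events = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp, host, body = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        found, prod = FOUND_RE.match(body), PRODUCT_RE.match(body)
        ser, storage = SERIAL_RE.match(body), STORAGE_RE.match(body)
        if found:
            port, vid, pid = found.groups()
            rec = pending.setdefault((host, port), dict(EMPTY))
            rec["vendor"], rec["product_id"] = vid, pid
        elif prod:
            pending.setdefault((host, prod.group(1)), dict(EMPTY))["product"] = prod.group(2)
        elif ser:
            pending.setdefault((host, ser.group(1)), dict(EMPTY))["serial"] = ser.group(2)
        elif storage:
            port = storage.group(1)
            dev = pending.pop((host, port), dict(EMPTY))
            events.append({"host": host, "time": ts, "port": port, **dev})
    return events


def attribute_user(host, ts, sessions):
    """Return the user whose session on `host` covers `ts`, or None if nobody was logged in."""
    for s_host, user, login, logout in sessions:
        if s_host == host and datetime.fromisoformat(login) <= ts <= datetime.fromisoformat(logout):
            return user
    return None


def report(log_text, sessions, approved_serials, year=2006):
    """Join attach events to login sessions and flag drives that are not on the approved list."""
    alerts = []
    for ev in parse_storage_events(log_text, year):
        alerts.append({
            "host": ev["host"],
            "time": ev["time"].isoformat(sep=" "),
            "user": attribute_user(ev["host"], ev["time"], sessions),
            "product": ev["product"],
            "serial": ev["serial"],
            "approved": ev["serial"] in approved_serials,
        })
    return alerts


if __name__ == "__main__":
    for a in report(SAMPLE_LOG, SESSIONS, APPROVED_SERIALS):
        status = "approved" if a["approved"] else "UNAPPROVED"
        print(f'{a["time"]} {a["host"]} user={a["user"]} {status} {a["product"]!r} serial={a["serial"]}')
```

On the constructed input this yields two attach events: the company-issued drive on ws-017 attributed to alice, and an unapproved stick on ws-042 attributed to carol; the wireless receiver on ws-042 is dropped because it never becomes a mass-storage device. The serial allowlist is what turns "a device was plugged in" into "an unprotected device was plugged in", which is the distinction the column asks companies to be able to make.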
With more and more employees using flash drives, smart phones with Secure Digital memory cards, portable hard drives, etc., the likelihood of companies actually knowing about all instances of data loss is declining rapidly. And as a result, the possibility of companies breaking laws, whether for data-loss disclosure or regulatory compliance, is growing dramatically.

Most companies attempting to come to terms with this problem are still aiming at technologies that are at least 10 years old (e.g., loss of data backup tapes), when an even greater potential mechanism for loss is increasingly appearing in their organizations with virtually no control and no disclosure, nor for that matter internal discovery.

So what should companies do? Certainly I wouldn't suggest eliminating external memory devices, since they provide real benefit to many users. But companies must take steps, starting with user education on what is and is not appropriate use. Further, companies should track sensitive data with trails of user access. Finally, companies should employ techniques that can discover when devices are connected and by whom, and make sure such devices have protection enabled (or better yet, provide users who need them enterprise-class, protection-enhanced storage devices).

It is highly likely that within the next year, we will see at least one publicized major case of unencrypted data loss from a portable device. Afterward, a lot of companies will ban such devices. But it would be better for them to formulate a proactive strategy now. Educate users, and deploy technology that will prevent data loss even if portable devices are lost. Educated users will be more aware of the ramifications of losing the valuable data that has become so easy to carry around.

From isn at c4i.org Wed Jan 25 01:34:04 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 25 Jan 2006 00:34:04 -0600 (CST)
Subject: [ISN] Most spam still coming from the U.S.
Message-ID:

http://news.com.com/Most+spam+still+coming+from+the+U.S./2100-1029_3-6030758.html

By Joris Evers
Staff Writer, CNET News.com
January 24, 2006

Almost a quarter of the world's spam in the last three months of 2005 was sent from computers in the United States, according to U.K. antivirus company Sophos.

The U.S. is closely followed by China, with 22.3 percent. South Korea rounds out the top three with 9.7 percent, according to Sophos, which said the level of non-English language spam is rising. The company bases its numbers on a scan of all junk mail caught by its spam traps.

While the U.S. still tops the chart, the latest figures mark the first time the country accounts for less than one quarter of all spam relayed, Sophos said. The decrease is a continuing trend. Last October, 26.3 percent of all spam sent from April through September last year was sent from the U.S., a significant drop from 41.5 percent a year earlier, Sophos said.

The decline in U.S.-sourced spam is thanks in part to the crackdown against fraudulent e-mail, Sophos said. In particular, the company pointed to monetary damages that spammers have been ordered to pay as well as jail sentences, tighter legislation and improved coordination among Internet service providers.

The numbers do suggest, however, that Microsoft Chairman Bill Gates' prediction two years ago that the spam problem would be solved by now has not come true.

The spam tide appeared to slow in the first half of last year, with an annual average of 68.6 percent of all e-mail identified as spam, according to recent MessageLabs data. However, in the closing months of 2005, the rate of spam e-mail increased, and in the most frequently targeted industry sectors, telecommunications and health care, eight out of 10 messages were spam, according to MessageLabs, which sells a spam-blocking service.
The majority of the junk mail, 60 percent, is now being relayed by compromised PCs, called zombies, that are at the beck and call of cybercriminals, Sophos said. A zombie is typically infected by a Trojan horse or other malicious code and is used remotely to send spam, mount denial-of-service attacks, or other online crimes. The criminals typically rent out the capabilities of their network of zombies, also called a botnet.

Jumps in the number of spam messages can also be attributed to "pump-and-dump" schemes that advertise stock, Sophos said.

The top 12 spam relaying countries, according to Sophos, are as follows:

1. United States, 24.5 percent
2. China, 22.3 percent
3. South Korea, 9.7 percent
4. France, 5 percent
5. Canada, 3 percent
6. Brazil, 2.6 percent
7. Spain, 2.5 percent
8. Austria, 2.4 percent
9. Taiwan, 2.1 percent
10. Poland, 2 percent
10. Japan, 2 percent
12. Germany, 1.8 percent

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Wed Jan 25 01:33:21 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 25 Jan 2006 00:33:21 -0600 (CST)
Subject: [ISN] 22 police officers complete anti-terror training
Message-ID:

http://www.newkerala.com/news.php?action=fullnews&id=93688

India News
24 Jan 2006

New Delhi: Twenty-two officers from Indian law enforcement agencies today graduated from an Incident Response Course sponsored by the US State Department's Anti-terrorism Assistance Programme (ATA) which is viewed as a concrete example of strong bilateral ties and partnership against terrorism.

The officers, including Inspectors and Deputy Superintendents of Police, were trained in areas including methodology of securing and preserving evidence at a cyber-terrorism crime scene and identifying and seizing digital evidence in accordance with generally-accepted methods and practices.

The week-long course was conducted at the CBI Academy at Ghaziabad in Uttar Pradesh.
During the course the officers were also educated on how to properly approach, document, sketch, photograph and search a terrorist crime scene containing suspect software and related software.

The course is one of the ten such courses presented to the government of India in 2005 through the State Department's ATA programme. Since 1995, Indian law enforcement officers have participated in 38 ATA courses in the US and India with more than 900 Indian officers participating.

From isn at c4i.org Wed Jan 25 01:34:23 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 25 Jan 2006 00:34:23 -0600 (CST)
Subject: [ISN] Hacker who gave to poor gets on wrong side of law
Message-ID: 

http://www.stuff.co.nz/stuff/0,2106,3551205a11,00.html

By MERVYN DYKES
25 January 2006

Stealing from the rich and giving to the poor might have worked for Robin Hood, but it landed hacker Thomas Gawith in court on six charges of computer crime.

Gawith pleaded guilty before Judge Gregory Ross in Palmerston North District Court yesterday and was convicted and remanded on bail until March 2 for sentencing.

Prosecutor Sergeant Johnny Ireland claimed the defendant had purchased access codes for Kiwibank accounts and using a computer at a house where he was staying in Tauranga had taken money from those who had it and given it to those who didn't.

On June 7 last year he had taken a total of about $7700 from three accounts. The next day he broke into three more, taking $6050.

Gawith told police he thought he had not done anything wrong because he hadn't kept any of the money for himself, Sgt Ireland said. "He said he liked playing God, but was unable to think things through properly."

Defence counsel Mark Alderdice sought bail for his client to allow Gawith to go to Manukau, where he was due to graduate from the Salvation Army's Bridge programme. He would then return to live at his parents' address in Palmerston North until his March 2 appearance.
Kiwibank restored the money to the correct accounts as soon as Gawith's transactions were discovered.

From isn at c4i.org Wed Jan 25 01:34:45 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 25 Jan 2006 00:34:45 -0600 (CST)
Subject: [ISN] DHS vows to protect info on national database
Message-ID: 

http://www.washingtontechnology.com/news/1_1/daily_news/27812-1.html

By Alice Lipowicz
Staff Writer
01/24/06

The Homeland Security Department has stepped up assurances that it will maintain the confidentiality of critical infrastructure information submitted to the National Asset Database, according to the newly revised draft National Infrastructure Protection Plan Base Plan version 2.0.

DHS will evaluate all requests to view the database and will grant access only to select DHS employees and others on a "tightly controlled, need-to-know" basis, the revised plan states.

The new language is set forth in the 234-page national infrastructure protection plan distributed by DHS this week. The plan was delivered by e-mail via NIPP at dhs.gov.

The plan establishes a work and time frame for assessing vulnerabilities and risks and coordinating protections for 17 critical infrastructure sectors, including IT and telecommunications. Cybersecurity is treated as a cross-sector responsibility. The department will accept comments until Feb. 6.

DHS' assurances about database access appear to address concerns raised by IT executives and others over protecting confidentiality of the information they might submit on specific vulnerabilities within their sectors. One fear raised by IT industry members is that disclosing weak spots in their own networks may result in leaks that can be exploited by competitors.
"We've been concerned about what [DHS] can do to protect the IT infrastructure information and how they can help protect the critical assets," said Greg Garcia, vice president of information for the Information Technology Association of America in Arlington, Va., who is involved with the IT Sector Coordinating Council organization efforts.

IT industry members have asked for "originator control" for specific information they provide to the database, so they can be assured of its protection, Garcia said. However, that term does not appear in the new document.

Garcia, contacted today, said he was still reviewing the language proposed by DHS to give access on a need-to-know basis and to selected employees only.

The new plan version updates an earlier 175-page draft National Infrastructure Protection Plan released in November 2005. It reflects changes in response to nearly 7,000 public comments received on the previous version, according to a statement from DHS officials.

The new document also contains more information on cybersecurity initiatives, international cooperation and the goal of resilience. "Resilient" and "resiliency" are mentioned 26 times in the updated plan versus 18 times in the initial draft.

Other changes include a new executive summary, clarification of all-hazards linkages, and explanations of requirements pertaining to the risk management framework, according to DHS in a statement.

From isn at c4i.org Wed Jan 25 01:35:00 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 25 Jan 2006 00:35:00 -0600 (CST)
Subject: [ISN] Linux struck by major security hole
Message-ID: 

http://www.techworld.com/security/news/index.cfm?NewsID=5217

By Matthew Broersma
Techworld
23 January 2006

Linux vendors have warned of a serious security flaw affecting the KDE desktop environment, one of the two main graphical user interfaces used on Linux and Unix operating systems.
The bug, the worst to hit KDE in nearly a year, affects kjs, a Javascript interpreter used by the Konqueror Web browser and other parts of KDE, KDE developers said in an advisory. An incorrect bounds check in the interpreter allows a heap-based buffer overflow when decoding maliciously crafted URI sequences encoded with UTF-8.

An attacker could supply Javascript code that will crash programs using kjs, such as Konqueror, and execute malicious code, potentially gaining complete control of the system, developers said. Versions 3.2.0 to 3.5.0 of kjs are affected.

Security vendor Secunia, which maintains a vulnerabilities database, said the flaw was "highly critical".

KDE released a source code patch at the end of last week, and Linux vendors have followed on with binary patches. Fixes are available directly from Ubuntu, Red Hat, Debian, Suse, Red Hat's Fedora project, Gentoo and others.

Last April, KDE patched a serious imaging-related flaw in the handling of PCX images, which affected Konqueror and other KDE imaging applications. A month later, however, the project had to release a second patch for the same problem, saying that the original patch still allowed some attacks.

KDE is one of the two main desktop environments for Linux and Unix, along with Gnome.

From isn at c4i.org Fri Jan 27 05:12:14 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 27 Jan 2006 04:12:14 -0600 (CST)
Subject: [ISN] Researchers: Rootkits headed for BIOS
Message-ID: 

http://www.securityfocus.com/news/11372

Robert Lemos
SecurityFocus
2006-01-26

ARLINGTON, Virginia -- Insider attacks and industrial espionage could become more stealthy by hiding malicious code in the core system functions available in a motherboard's flash memory, researchers said on Wednesday at the Black Hat Federal conference.
A collection of functions for power management, known as the Advanced Configuration and Power Interface (ACPI), has its own high-level interpreted language that could be used to code a rootkit and store key attack functions in the Basic Input/Output System (BIOS) in flash memory, according to John Heasman, principal security consultant for U.K.-based Next-Generation Security Software. The researcher tested basic features, such as elevating privileges and reading physical memory, using malicious procedures that replaced legitimate functions stored in flash memory.

"Rootkits are becoming more of a threat in general--BIOS is just the next step," Heasman said during a presentation at the conference. "While this is not a threat now, it is a warning to people to look out."

The worries come as security professionals are increasingly worried about rootkits. Earlier this month, a security researcher warned that the digital-rights management software, which experts say resembled a rootkit, used by music giant Sony BMG remained on hundreds of thousands of servers. Last year, the first rootkit for the Mac OS X was released to the Internet.

While some attacks have attempted to affect a computer's flash memory, most notably the CIH or Chernobyl virus in 1998, the ability to use the high-level programming language available for creating ACPI functions has opened up the attack to far more programmers. One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future.

"It is going to be about one month before malware comes out to take advantage of this," said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. "This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in."

The firmware on most modern motherboards has tables associating commands in the ACPI Machine Language (AML) to hardware commands.
New functionality can be programmed in a higher level ACPI Source Language (ASL) and compiled into machine language and then flashed into the tables. However, the ability to flash the memory depends on whether the motherboard allows the BIOS to be changed by default or if a jumper or setting in the machine setup program has to be changed.

Security professionals at the conference disagreed over how many machines would have the ability to write to flash memory turned on by the manufacturer. While Hoglund believed that most computers would not have protections against writing to flash memory turned on by default, NGSSoftware's Heasman disagreed.

"The obstacles to deployment are numerous," Heasman said. "Almost all machines have a physical protection, such as a jumper on the motherboard, against flashing."

However, an insider attacker could flash their laptop before they leave a company and then use the rootkit, which would survive reinstallation of the operating system. The insider could then gain access to the corporate network at a later time.

Because the amount of memory that could be used by an attacker in the BIOS firmware is small, it is unlikely that an entire rootkit will be stored in the motherboard's memory. Instead, only specific functions and bootstrap code would likely be hidden there.

Another benefit of programming to the ACPI Source Language is that, for the most part, the code can be ported easily to any platform.

"This is platform independent," Heasman said. "We can write a backdoor for Windows that will elevate privilege, and turn around and use the code on Windows."
Copyright 2005, SecurityFocus

From isn at c4i.org Fri Jan 27 05:12:48 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 27 Jan 2006 04:12:48 -0600 (CST)
Subject: [ISN] OSVDB - 2005 Recap and Status Update
Message-ID: 

Forwarded from: jkouns @ opensecurityfoundation.org

OSVDB - 2005 Recap and Status Update

The Open Source Vulnerability Database (OSVDB), a project to catalog and describe the world's security vulnerabilities, has had a challenging yet successful year. The project is fortunate to have the continued support of some devoted volunteers, yet remains challenged to keep up with the increasing number of vulnerability reports, as well as work on the back-log of historical information. Volunteers are continually sought to help us achieve our short and long-term goals.

Despite resource constraints, there have been many exciting successes in 2005:

* A major project goal of obtaining 501(c)3 non-profit status from the U.S. IRS was achieved. Obtaining non-profit status was critical to the long-term viability of the project. This status allows OSVDB to take charitable donations to help cover operating expenses, while providing a tax benefit to donor companies and individuals.

* The vulnerability database has grown to over 22,000 entries thanks to the dedicated work of Brian Martin, OSVDB Content Manager. At the end of December, over 10,000 of those vulnerabilities were worked on by volunteers to provide more detailed and cross-referenced information. Our volunteer "Data Manglers" and Brian have helped ensure OSVDB is the most complete resource for vulnerability information on the Internet.

* OSVDB started a blog in April, as a way for us to keep the public better informed on the project's status. Very quickly we realized the blog was a perfect place to discuss and comment on various aspects of vulnerabilities, and has become a successful mechanism for communicating with the security industry.
If you have suggestions for topics, or would like to join the discussion, please visit the OSVDB blog at: http://osvdb.org/blog/.

* We are pleased to welcome Kevin Johnson as leader of the OSVDB development team. Kevin joins OSVDB with a strong background in information security, and as leader of the BASE project, has a proven track-record managing open source teams. We are very excited about Kevin joining the project, and hope to provide more information soon regarding the OSVDB development road map. If you are interested in becoming a part of the new OSVDB development team, please contact us!

We would like to also recognize our sponsors and thank them for their support. Digital Defense, Churchill & Harriman, Audit My PC, and Opengear have all provided important resources to OSVDB over the past year. We would also like to thank Renaud Deraison of the Nessus Project and HD Moore of the Metasploit Project for their support. Lastly, we of course want to thank our volunteers, and note that several of them have contributed to Nessus Network Auditing, available from Syngress Publishing.

We are very pleased with the progress and growth of OSVDB over the past year, but do not want to downplay the importance of recruiting new volunteers, as well as retaining our current ones, in order to get through the considerable back-log of vulnerabilities that need further work. This task is daunting, but will not only help retain valuable historical vulnerability information, but will also allow OSVDB to generate meaningful statistics for past and current years.

We have had a great year, and are looking forward to another one! We are of course still seeking assistance to help keep OSVDB successful--the project has many ideas in need of financial and volunteer support to implement. For more information on supporting OSVDB through volunteering or sponsorship, please contact moderators at osvdb.org.
Sponsors/References:

Audit My PC: http://www.auditmypc.com/
Churchill & Harriman: http://www.chus.com/
Digital Defense: http://www.digitaldefense.net/
Opengear: http://www.opengear.com/
Nessus Network Auditing: http://www.syngress.com/catalog/?pid=2850

###

More Information:
Jake Kouns
Open Source Vulnerability Database Project
+1.804.306.8412
jkouns at osvdb.org

From isn at c4i.org Fri Jan 27 05:13:22 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 27 Jan 2006 04:13:22 -0600 (CST)
Subject: [ISN] Bad Karma for Wi-Fi on Windows?
Message-ID: 

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

DSRAZOR for Windows
http://list.windowsitpro.com/t?ctl=1EEA2:4FB69

Klocwork
http://list.windowsitpro.com/t?ctl=1EEB2:4FB69

====================

1. In Focus: Bad Karma for Wi-Fi on Windows?

2. Security News and Features
- Recent Security Vulnerabilities
- Least-Privileged User Accounts on Windows XP
- LANDesk Augments Security with Business Process Management
- Time to Patch QuickTime

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- New Instant Poll
- Share Your Security Tips

4. New and Improved
- Passwords on a Stick

====================

==== Sponsor: DSRAZOR for Windows ====

Q&A

Q: Are you looking for an easy and reliable way to audit your AD? Do you need a tool that will generate baseline and comprehensive reports for your auditors?
A: DSRAZOR is your answer. DSRAZOR can easily export your results to a format that will satisfy even the most demanding auditors.

Q: Looking to replace the native group membership reporting tools? Do you need a tool to identify group membership security trustees?
A: With DSRAZOR, you can simply and quickly get the group membership and security trustee reports that you need.
Customized solutions, support & teamwork. This is how DSRAZOR helps you manage your Active Directory and Windows File Systems. Schedule Your FREE Interactive Assessment Today!
http://list.windowsitpro.com/t?ctl=1EEA2:4FB69

====================

==== 1. In Focus: Bad Karma for Wi-Fi on Windows? ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

At the recent SchmooCon conference in Washington, D.C., Mark Lovelace (aka Simple Nomad) described an interesting behavior of Wi-Fi connectivity in Windows Server 2003, Windows XP, and Windows 2000. In a subsequent advisory (at the URL below), Lovelace points out that "If a laptop connects to an ad-hoc network it can later start beaconing the ad-hoc network's SSID as its own ad-hoc network without the laptop owner's knowledge. This can allow an attacker to attach to the laptop as a prelude to further attack."
http://list.windowsitpro.com/t?ctl=1EEB0:4FB69

There are workarounds to help ensure this doesn't happen to your users' computers. The best solution is to configure the network connections (by using the Wireless Network Connection applet) so that they connect only to Access Points (APs), which will prevent any connections to ad hoc networks. You'll find step-by-step instructions in Lovelace's advisory.

Lovelace checked during various airplane flights to see how many laptops were available via Wi-Fi connectivity and how many of those were vulnerable to remote compromise or were open enough to allow files to be copied to and from their drives. On one flight, 12 laptops were available, and of those 12, 5 were broadcasting ad hoc networks and 4 were completely vulnerable to intrusion. These numbers suggest that many people might have had their personal data copied during in-flight use of their laptops. Of course, a decent firewall would make such intrusion much more difficult to accomplish. But many people don't have adequate protection in place.
I recently learned about a new Wi-Fi client security assessment tool called KARMA. KARMA clearly shows the dangers of wireless networking given today's technology. Dino A. Dai Zovi, one of the developers of KARMA, wrote that "Windows and Mac OS X probe for every network in the preferred/trusted networks list upon boot up and [when] waking from sleep. Under Windows the entire list is [probed continually] when the machine is not currently associated to a wireless network."

And that's bad news for Windows users when a tool like KARMA is in use, even if you use the workarounds described in Lovelace's advisory. Here's why: KARMA uses a modified Wi-Fi driver on Linux and FreeBSD systems to establish a wireless AP. KARMA operates in stealth fashion--it doesn't send out beacons advertising its presence. Instead, it monitors the airwaves listening for wireless client probes that are looking for a particular AP by its SSID. When KARMA detects a probe, it responds to the client as if it were the sought-after AP. That is to say, KARMA changes its SSID on the fly and mimics a host AP. This effectively lures unsuspecting Wi-Fi users into KARMA's wireless network.

KARMA also includes a framework that can be used to develop exploits for use against vulnerabilities in connected client systems. According to Zovi, "[KARMA] revealed vulnerabilities in how Windows XP and Mac OS X look for networks, so clients may join even if their preferred networks list is empty."

Zovi also said that Apple already issued an update (at the URL below) to correct the problem. Microsoft intends to correct this behavior in an upcoming service pack or update rollup package. For XP, that could mean Service Pack 3 (SP3), due out sometime in late 2007.
http://list.windowsitpro.com/t?ctl=1EEA7:4FB69

In the meantime, you might want to get a copy of KARMA (at the URL below) and try it out on your wireless clients.
As best I can tell, right now the only way to defend against a tool like KARMA is for wireless clients to require authentication when connecting to APs.
http://list.windowsitpro.com/t?ctl=1EEB4:4FB69

====================

==== Sponsor: Klocwork ====

IMPROVE SOFTWARE QUALITY AND REDUCE COSTS

New White Paper from Klocwork: Improve software quality and reduce life-cycle costs by incorporating Static Analysis tools into your routine development processes. Results: More maintainable code, more secure, reliable software and a more predictable development process.
Download White Paper: http://list.windowsitpro.com/t?ctl=1EEB2:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=1EEA1:4FB69

Least-Privileged User Accounts on Windows XP
After a substantial amount of beta testing, Microsoft published a document that can help administrators who want to implement least-privileged user accounts (LUAs) on Windows XP. However, implementing LUAs could come with significant costs and challenges.
http://list.windowsitpro.com/t?ctl=1EEAB:4FB69

LANDesk Augments Security with Business Process Management
LANDesk announced that it will integrate business process management into its systems and security management solutions with the acquisition of privately held NewRoad Software.
http://list.windowsitpro.com/t?ctl=1EEA9:4FB69

Time to Patch QuickTime
Windows metafiles don't represent the only recently discovered dangerous media file vulnerabilities. Apple released an updated version of QuickTime that fixes five dangerous vulnerabilities.
http://list.windowsitpro.com/t?ctl=1EEA8:4FB69

====================

==== Resources and Events ====

WEB SEMINAR: Learn to gather evidence of compliance across multiple systems and link the data to regulatory and framework control objectives.
http://list.windowsitpro.com/t?ctl=1EE9B:4FB69

20% off for All Windows IT Pro Subscribers! Learn how SOA doesn't require investments in new technology to deliver immediate and lasting bottom-line results. Attend Developing Service Oriented Architecture, February 20-22 in Orlando.
http://list.windowsitpro.com/t?ctl=1EEAF:4FB69

WHITE PAPER: Optimize your existing Windows Server infrastructure with the addition of server and storage consolidation software and techniques.
http://list.windowsitpro.com/t?ctl=1EE9C:4FB69

WEB SEMINAR: Get the tools, tips, and training that you need to avoid a messaging meltdown when an outage strikes. View this seminar today:
http://list.windowsitpro.com/t?ctl=1EE9E:4FB69

WEB SEMINAR: Learn how to leverage new features in SQL Server 2005 to greatly extend your existing backup and restore capabilities.
http://list.windowsitpro.com/t?ctl=1EE9F:4FB69

====================

==== Featured White Paper ====

WHITE PAPER: Evaluate the costs of losing information and learn what real-time information management means and how to accomplish it in your business.
http://list.windowsitpro.com/t?ctl=1EE9D:4FB69

====================

==== Hot Spot ====

The Starter PKI Program
Do you need to secure multiple domains or host names? In this free white paper you'll learn how the Starter PKI Program will benefit your company with timesaving convenience. Plus--you'll get the chance to actually test the program!
http://list.windowsitpro.com/t?ctl=1EEA0:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: New Version of Nmap Recently Released
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=1EEB1:4FB69

You undoubtedly have Nmap in your security toolkit--it's an incredibly useful scanning and auditing tool for nearly any platform, including Windows, Linux, BSD Unix, Mac OS X, Solaris, and more. Do you have the latest version? Learn about some of the cool features in this blog article.
http://list.windowsitpro.com/t?ctl=1EEAA:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=1EEAE:4FB69

Q: How can I monitor registry activity during logon and logoff?

Find the answer at
http://list.windowsitpro.com/t?ctl=1EEAC:4FB69

Security Forum Featured Thread: List All Shares a User Has Access To
A forum participant wonders if there's a way to list all the shares a given user has access to. His servers have dozens of shares, and he'd like to start auditing those shares for access privileges per user but doesn't know how. Join the discussion at:
http://list.windowsitpro.com/t?ctl=1EE9A:4FB69

New Instant Poll
Do you plan to upgrade to IE 7.0?
- Yes, I will immediately install the standalone IE 7.0 upgrade.
- Yes, but I will wait for the Vista-integrated IE 7.0 version.
- No, I will continue using IE 6.0.
- No, I'm using a different browser and don't plan to change.
Go to the Security Hot Topic on our Web site and submit your vote
http://list.windowsitpro.com/t?ctl=1EEAD:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.
====================

==== Announcements ====
(from Windows IT Pro and its partners)

Become a VIP Monthly Pass Subscriber
Sign up now and get a VIP Monthly Online Pass that includes online access to ALL the articles, tools, and helpful resources published in SQL Server Magazine, Windows IT Pro, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters. You'll also have 24/7 access to a database of more than 25,000 online articles that will give you all the answers you need, when you need them. BONUS--Includes the latest issue of Windows IT Pro each month. Sign up now for just $29.95 per month.
http://list.windowsitpro.com/t?ctl=1EEA3:4FB69

Windows Scripting Solutions Newsletter--2006 Special
Order now and SAVE up to $30 off the regular price. You'll get 12 helpful issues loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. You'll also get access to the entire online newsletter archive (more than 500 scripting articles), including the popular "Shell Scripting 101" series. Order now for just $99:
http://list.windowsitpro.com/t?ctl=1EEA5:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Passwords on a Stick
Dekart released Dekart Password Manager, software that runs on a portable memory device such as a USB key drive and automatically collects your passwords and personal data as you type them. Password Manager then encrypts (by using 256-bit AES encryption) and stores your information on the drive, which only you can use. The next time you need to supply the information, you insert the drive, and Password Manager does the rest. Password Manager works directly from the key drive, with no host PC installation. Password Manager requires Windows XP/2000/Me/98/95/NT and costs $39. A free 30-day trial period is available.
For more information, go to
http://list.windowsitpro.com/t?ctl=1EEB5:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com.

====================

==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=1EEB3:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=1EEA6:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
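The newsletter's description of KARMA (an access point that sends no beacons but answers every client probe with whatever SSID was asked for) and of clients probing for their whole preferred-network list suggests two things a defender can look for in captured 802.11 management traffic. The following is an added example, not code from the newsletter or from the KARMA project: a small Python detector run over a constructed, simplified frame log. The log format, the MAC addresses and SSIDs are all made up for the example; the threshold (three distinct SSIDs answered by one BSSID that never beacons) is an assumption, not a figure from the article.

```python
"""Spot a probe-responder that impersonates many SSIDs, and list which
clients are leaking their preferred-network lists, from an 802.11
management-frame log.  Added example; not the newsletter's or KARMA's code."""
from collections import defaultdict

# Constructed sample log (not a real capture).  One simplified management
# frame per line: timestamp, subtype, transmitter MAC, receiver MAC, SSID.
# The 02:aa:... station answers every probe with the requested SSID and never
# beacons, which is the behaviour the newsletter attributes to KARMA.  The
# 00:1a:... station is an ordinary AP that beacons one SSID and answers only
# probes for that SSID.
SAMPLE_FRAMES = """\
10:00:01 probe-req  00:11:22:33:44:01 ff:ff:ff:ff:ff:ff corp-wifi
10:00:01 probe-resp 02:aa:bb:cc:dd:ee 00:11:22:33:44:01 corp-wifi
10:00:02 probe-req  00:11:22:33:44:02 ff:ff:ff:ff:ff:ff homenet
10:00:02 probe-resp 02:aa:bb:cc:dd:ee 00:11:22:33:44:02 homenet
10:00:03 probe-req  00:11:22:33:44:03 ff:ff:ff:ff:ff:ff hotel-guest
10:00:03 probe-resp 02:aa:bb:cc:dd:ee 00:11:22:33:44:03 hotel-guest
10:00:04 beacon     00:1a:2b:3c:4d:5e ff:ff:ff:ff:ff:ff corp-wifi
10:00:05 probe-req  00:11:22:33:44:04 ff:ff:ff:ff:ff:ff
10:00:05 probe-req  00:11:22:33:44:04 ff:ff:ff:ff:ff:ff corp-wifi
10:00:05 probe-resp 00:1a:2b:3c:4d:5e 00:11:22:33:44:04 corp-wifi
"""


def parse_frames(text):
    """Turn the constructed log into a list of frame dicts.

    A probe request with no SSID field is a broadcast (wildcard) probe and is
    kept with ssid == ""; those are not evidence of a preferred-network leak.
    """
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 4)
        ts, subtype, src, dst = parts[:4]
        ssid = parts[4] if len(parts) > 4 else ""
        frames.append({"ts": ts, "subtype": subtype, "src": src,
                       "dst": dst, "ssid": ssid})
    return frames


def find_probe_impersonators(frames, min_ssids=3):
    """Return {bssid: sorted SSIDs} for transmitters that answered probes for
    at least `min_ssids` different SSIDs without ever sending a beacon.

    A legitimate AP beacons its own SSID(s) and answers probes for those
    only, so the combination "many distinct SSIDs in responses, no beacons"
    is the signature worth alerting on.  `min_ssids` is an assumed threshold.
    """
    responded = defaultdict(set)
    beaconing = set()
    for f in frames:
        if f["subtype"] == "probe-resp":
            responded[f["src"]].add(f["ssid"])
        elif f["subtype"] == "beacon":
            beaconing.add(f["src"])
    return {bssid: sorted(ssids)
            for bssid, ssids in responded.items()
            if len(ssids) >= min_ssids and bssid not in beaconing}


def leaked_preferred_lists(frames):
    """Return {client MAC: sorted SSIDs} of the networks each client probed
    for by name.  This is the preferred/trusted-network list the newsletter
    says Windows and Mac OS X broadcast, i.e. what a KARMA-style responder
    has to work with; broadcast probes (empty SSID) are ignored."""
    probes = defaultdict(set)
    for f in frames:
        if f["subtype"] == "probe-req" and f["ssid"]:
            probes[f["src"]].add(f["ssid"])
    return {client: sorted(ssids) for client, ssids in probes.items()}


if __name__ == "__main__":
    frames = parse_frames(SAMPLE_FRAMES)
    for bssid, ssids in find_probe_impersonators(frames).items():
        print(f"suspect probe-responder {bssid}: answered as {ssids}")
    for client, ssids in leaked_preferred_lists(frames).items():
        print(f"client {client} probed for {ssids}")
```

On the constructed log the detector flags only the non-beaconing station that answered as three different networks; the real AP, which beacons and answers a single SSID, is not reported. The second function is the inventory side of the same problem: it lists, per client, the SSIDs that client announces, which is what a site would review before deciding to prune preferred-network lists or, as the newsletter suggests, require authentication for every AP connection.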
From isn at c4i.org Fri Jan 27 05:13:39 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 27 Jan 2006 04:13:39 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-4
Message-ID: 

========================================================================

The Secunia Weekly Advisory Summary
2006-01-19 - 2006-01-26

This week : 59 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Some vulnerabilities have been reported in various F-Secure products, which can be exploited by malware to bypass detection or malicious people to compromise a vulnerable system.

All users of F-Secure products are advised to check for available patches.
Reference: http://secunia.com/SA18529

--

Maksim Orlovich has reported a vulnerability in KDE kjs, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user's system. Additional details may be found in the referenced Secunia advisory below.

Reference: http://secunia.com/SA18500

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA18529] F-Secure Anti-Virus Archive Handling Vulnerabilities
2. [SA18493] Oracle Products Multiple Vulnerabilities and Security Issues
3. [SA11762] Opera Browser Favicon Displaying Address Bar Spoofing Vulnerability
4. [SA18255] Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution
5. [SA18579] OpenSSH scp Command Line Shell Command Injection
6. [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
7. [SA18500] KDE kjs UTF-8 Encoded URI Buffer Overflow Vulnerability
8. [SA18556] Etomite "cij" Shell Command Execution Backdoor Security Issue
9. [SA18560] WebspotBlogging "username" SQL Injection Vulnerability
10. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA18574] Sami FTP Server USER Command Buffer Overflow
[SA18553] Hitachi HITSENSER Data Mart Server SQL Injection
[SA18550] FileCOPA FTP Server Directory Traversal Vulnerability
[SA18589] Kerio WinRoute Firewall Web Browsing Denial of Service
[SA18551] MailSite Cross-Site Scripting and Denial of Service

UNIX/Linux:
[SA18584] Avaya S87XX/S8500/S8300 Lynx "HTrjis()" NNTP Buffer Overflow
[SA18583] Fedora update for kdelibs
[SA18570] Gentoo update for kdelibs
[SA18568] Debian update for libapache-auth-ldap
[SA18561] Debian update for kdelibs
[SA18559] SUSE update for kdelibs3
[SA18552] Ubuntu update for kdelibs4c2
[SA18616] Mandriva update for ipsec-tools
[SA18612] Debian update for mailman
[SA18609] FreeBSD "pf" IP Fragment Denial of Service Vulnerability
[SA18607] Ubuntu update for imagemagick
[SA18585] Fedora update for httpd
[SA18582] Debian update for cupsys
[SA18578] Debian update for wine
[SA18571] Fetchmail Bounced Message Denial of Service Vulnerability
[SA18569] Avaya PDS HP-UX ftpd Denial of Service Vulnerability
[SA18555] Debian update for trac
[SA18554] SGI Advanced Linux Environment Multiple Updates
[SA18606] Debian update for flyspray
[SA18594] WeBWorK Arbitrary Command Execution Vulnerability
[SA18562] Red Hat update for kernel
[SA18600] HP-UX Unspecified Privilege Escalation Vulnerability
[SA18599] FreeBSD Kernel Memory Disclosure Vulnerabilities
[SA18596] Avaya PDS HP-UX Unspecified Privilege Escalation
[SA18586] LibAST Configuration Filename Buffer Overflow Vulnerability
[SA18580] Sun Grid Engine rsh Client Privilege Escalation Vulnerability
[SA18564] LSH lshd Seed-file File Descriptor Leak Vulnerability
[SA18558] Debian update for sudo
[SA18587] LibTIFF TIFFVSetField Denial of Service Vulnerability
[SA18595] Fedora update for openssh
[SA18579] OpenSSH scp Command Line Shell Command Injection
[SA18573] Debian update for crawl

Other:

Cross Platform:
[SA18605] Text Rider Exposure of User Credentials
[SA18560] WebspotBlogging "username" SQL Injection Vulnerability
[SA18556] Etomite "cij" Shell Command Execution Backdoor Security Issue
[SA18608] HP Oracle for Openview Multiple Vulnerabilities
[SA18604] miniBloggie "user" SQL Injection Vulnerability
[SA18601] Reamday Enterprises Magic News Password Change Bypass
[SA18597] Phpclanwebsite SQL Injection Vulnerabilities
[SA18593] BEA WebLogic Portal Information Disclosure and Security Bypass
[SA18592] BEA WebLogic Server/Express Vulnerabilities and Security Issues
[SA18575] ADOdb PostgreSQL SQL Injection Vulnerability
[SA18572] Pixelpost Comment Script Insertion Vulnerability
[SA18567] e-moBLOG SQL Injection Vulnerabilities
[SA18563] Zoph SQL Injection Vulnerabilities
[SA18557] Gallery Fullname Script Insertion Vulnerability
[SA18591] CA Products iGateway Service Content-Length Buffer Overflow
[SA18603] MyBB User Control Panel Cross-Site Request Forgery
[SA18588] Claroline Single Sign-On System Predictable Cookie
[SA18581] BEA WebLogic Server/Express Multiple Domains Administrator Access
[SA18576] Tor Hidden Service Disclosure Weakness
[SA18566] Note-A-Day Weblog Exposure of User Credentials
[SA18565] AZ Bulletin Board Cross-Site Scripting Vulnerabilities
[SA18577] MyBB Disclosure of Table Prefix Weakness

========================================================================

5) Vulnerabilities Content Listing

Windows:

--
[SA18574] Sami FTP Server USER Command Buffer Overflow
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2006-01-25
Critical Security has discovered a vulnerability in Sami FTP Server, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18574/

--
[SA18553] Hitachi HITSENSER Data Mart Server SQL Injection
Critical: Moderately critical | Where: From remote | Impact: Manipulation of data | Released: 2006-01-20
A vulnerability has been reported in HITSENSER Data Mart Server, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18553/

--
[SA18550] FileCOPA FTP Server Directory Traversal Vulnerability
Critical: Moderately critical | Where: From remote | Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information | Released: 2006-01-20
P@r@n01d and $um$id have discovered a vulnerability in FileCopa FTP Server, which can be exploited by malicious users to access files in arbitrary locations on a vulnerable system.
Full Advisory: http://secunia.com/advisories/18550/

--
[SA18589] Kerio WinRoute Firewall Web Browsing Denial of Service
Critical: Less critical | Where: From remote | Impact: DoS | Released: 2006-01-25
A vulnerability has been reported in Kerio WinRoute Firewall, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18589/

--
[SA18551] MailSite Cross-Site Scripting and Denial of Service
Critical: Less critical | Where: From local network | Impact: Cross Site Scripting, DoS | Released: 2006-01-20
Rahul Mohandas has reported two vulnerabilities in MailSite Email Server, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18551/

UNIX/Linux:

--
[SA18584] Avaya S87XX/S8500/S8300 Lynx "HTrjis()" NNTP Buffer Overflow
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2006-01-25
Avaya has acknowledged a vulnerability in Avaya S87XX/S8500/S8300, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/18584/

--
[SA18583] Fedora update for kdelibs
Critical: Highly critical | Where: From remote | Impact: DoS, System access | Released: 2006-01-23
Fedora has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18583/

--
[SA18570] Gentoo update for kdelibs
Critical: Highly critical | Where: From remote | Impact: DoS, System access | Released: 2006-01-23
Gentoo has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18570/

--
[SA18568] Debian update for libapache-auth-ldap
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2006-01-23
Debian has issued an update for libapache-auth-ldap. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18568/

--
[SA18561] Debian update for kdelibs
Critical: Highly critical | Where: From remote | Impact: DoS, System access | Released: 2006-01-23
Debian has issued an update for kdelibs. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18561/

--
[SA18559] SUSE update for kdelibs3
Critical: Highly critical | Where: From remote | Impact: DoS, System access | Released: 2006-01-23
SUSE has issued an update for kdelibs3. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18559/

--
[SA18552] Ubuntu update for kdelibs4c2
Critical: Highly critical | Where: From remote | Impact: DoS, System access | Released: 2006-01-20
Ubuntu has issued an update for kdelibs4c2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18552/

--
[SA18616] Mandriva update for ipsec-tools
Critical: Moderately critical | Where: From remote | Impact: DoS | Released: 2006-01-26
Mandriva has issued an update for ipsec-tools. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18616/

--
[SA18612] Debian update for mailman
Critical: Moderately critical | Where: From remote | Impact: DoS | Released: 2006-01-26
Debian has issued an update for mailman. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18612/

--
[SA18609] FreeBSD "pf" IP Fragment Denial of Service Vulnerability
Critical: Moderately critical | Where: From remote | Impact: DoS | Released: 2006-01-25
A vulnerability has been reported in FreeBSD, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18609/

--
[SA18607] Ubuntu update for imagemagick
Critical: Moderately critical | Where: From remote | Impact: System access | Released: 2006-01-25
Ubuntu has issued an update for imagemagick. This fixes two vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/18607/

--
[SA18585] Fedora update for httpd
Critical: Moderately critical | Where: From remote | Impact: Cross Site Scripting, DoS | Released: 2006-01-23
Fedora has issued an update for httpd.
This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18585/

--
[SA18582] Debian update for cupsys
Critical: Moderately critical | Where: From remote | Impact: DoS, System access | Released: 2006-01-23
Debian has issued an update for cupsys. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/18582/

--
[SA18578] Debian update for wine
Critical: Moderately critical | Where: From remote | Impact: System access | Released: 2006-01-25
Debian has issued an update for wine. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/18578/

--
[SA18571] Fetchmail Bounced Message Denial of Service Vulnerability
Critical: Moderately critical | Where: From remote | Impact: DoS | Released: 2006-01-23
A vulnerability has been reported in Fetchmail, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18571/

--
[SA18569] Avaya PDS HP-UX ftpd Denial of Service Vulnerability
Critical: Moderately critical | Where: From remote | Impact: DoS | Released: 2006-01-24
Avaya has acknowledged a vulnerability in Predictive Dialing System (PDS), which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18569/

--
[SA18555] Debian update for trac
Critical: Moderately critical | Where: From remote | Impact: Cross Site Scripting, Manipulation of data | Released: 2006-01-23
Debian has issued an update for trac. This fixes two vulnerabilities, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18555/

--
[SA18554] SGI Advanced Linux Environment Multiple Updates
Critical: Moderately critical | Where: From remote | Impact: DoS, System access | Released: 2006-01-20
SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, which can be exploited by malicious users to compromise a vulnerable system, and by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/18554/

--
[SA18606] Debian update for flyspray
Critical: Less critical | Where: From remote | Impact: Cross Site Scripting | Released: 2006-01-25
Debian has issued an update for flyspray. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18606/

--
[SA18594] WeBWorK Arbitrary Command Execution Vulnerability
Critical: Less critical | Where: From remote | Impact: System access | Released: 2006-01-25
A vulnerability has been reported in WeBWorK, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18594/

--
[SA18562] Red Hat update for kernel
Critical: Less critical | Where: From local network | Impact: Exposure of sensitive information, DoS | Released: 2006-01-20
Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious people or local users to cause a DoS (Denial of Service), and by malicious people to disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/18562/

--
[SA18600] HP-UX Unspecified Privilege Escalation Vulnerability
Critical: Less critical | Where: Local system | Impact: Privilege escalation | Released: 2006-01-25
A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18600/

--
[SA18599] FreeBSD Kernel Memory Disclosure Vulnerabilities
Critical: Less critical | Where: Local system | Impact: Exposure of sensitive information | Released: 2006-01-25
Two vulnerabilities have been reported in FreeBSD, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/18599/

--
[SA18596] Avaya PDS HP-UX Unspecified Privilege Escalation
Critical: Less critical | Where: Local system | Impact: Privilege escalation | Released: 2006-01-26
Avaya has acknowledged a vulnerability in Predictive Dialing System (PDS), which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18596/

--
[SA18586] LibAST Configuration Filename Buffer Overflow Vulnerability
Critical: Less critical | Where: Local system | Impact: Privilege escalation | Released: 2006-01-25
Johnny Mast has reported a vulnerability in LibAST, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18586/

--
[SA18580] Sun Grid Engine rsh Client Privilege Escalation Vulnerability
Critical: Less critical | Where: Local system | Impact: Privilege escalation | Released: 2006-01-24
A vulnerability has been reported in Sun Grid Engine (SGE), which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18580/

--
[SA18564] LSH lshd Seed-file File Descriptor Leak Vulnerability
Critical: Less critical | Where: Local system | Impact: Exposure of sensitive information, DoS | Released: 2006-01-23
A vulnerability has been reported in LSH, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information or to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/18564/

--
[SA18558] Debian update for sudo
Critical: Less critical | Where: Local system | Impact: Privilege escalation | Released: 2006-01-20
Debian has issued an update for sudo. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18558/

--
[SA18587] LibTIFF TIFFVSetField Denial of Service Vulnerability
Critical: Not critical | Where: From remote | Impact: DoS | Released: 2006-01-23
Herve Drolon has reported a vulnerability in LibTIFF, which can be exploited by malicious people to crash certain applications on a user's system.
Full Advisory: http://secunia.com/advisories/18587/

--
[SA18595] Fedora update for openssh
Critical: Not critical | Where: Local system | Impact: Privilege escalation | Released: 2006-01-24
Fedora has issued an update for openssh. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/18595/

--
[SA18579] OpenSSH scp Command Line Shell Command Injection
Critical: Not critical | Where: Local system | Impact: Privilege escalation | Released: 2006-01-24
Josh Bressers has reported a weakness in OpenSSH, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/18579/

--
[SA18573] Debian update for crawl
Critical: Not critical | Where: Local system | Impact: Privilege escalation | Released: 2006-01-23
Debian has issued an update for crawl. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/18573/

Other:

Cross Platform:

--
[SA18605] Text Rider Exposure of User Credentials
Critical: Highly critical | Where: From remote | Impact: Exposure of sensitive information, System access | Released: 2006-01-25
Aliaksandr Hartsuyeu has discovered a security issue in Text Rider, which can be exploited by malicious people to disclose sensitive information and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18605/

--
[SA18560] WebspotBlogging "username" SQL Injection Vulnerability
Critical: Highly critical | Where: From remote | Impact: Security Bypass, Manipulation of data, System access | Released: 2006-01-20
Aliaksandr Hartsuyeu has discovered a vulnerability in WebspotBlogging, which can be exploited by malicious people to conduct SQL injection attacks and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18560/

--
[SA18556] Etomite "cij" Shell Command Execution Backdoor Security Issue
Critical: Highly critical | Where: From remote | Impact: System access | Released: 2006-01-20
Luca Ercoli has reported a security issue in Etomite, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18556/

--
[SA18608] HP Oracle for Openview Multiple Vulnerabilities
Critical: Moderately critical | Where: From remote | Impact: Unknown, Manipulation of data, Exposure of system information, Exposure of sensitive information | Released: 2006-01-25
HP has acknowledged some vulnerabilities and security issues in HP OfO (Oracle for Openview), which can be exploited with unknown impact, to gain knowledge of certain information, overwrite arbitrary files, and to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18608/

--
[SA18604] miniBloggie "user" SQL Injection Vulnerability
Critical: Moderately critical | Where: From remote | Impact: Security Bypass, Manipulation of data | Released: 2006-01-25
Aliaksandr Hartsuyeu has discovered a vulnerability in miniBloggie, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18604/

--
[SA18601] Reamday Enterprises Magic News Password Change Bypass
Critical: Moderately critical | Where: From remote | Impact: Security Bypass | Released: 2006-01-25
cijfer has discovered a vulnerability in Reamday Enterprises Magic News, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18601/

--
[SA18597] Phpclanwebsite SQL Injection Vulnerabilities
Critical: Moderately critical | Where: From remote | Impact: Manipulation of data | Released: 2006-01-26
matrix_killer has discovered two vulnerabilities in Phpclanwebsite, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18597/

--
[SA18593] BEA WebLogic Portal Information Disclosure and Security Bypass
Critical: Moderately critical | Where: From remote | Impact: Security Bypass, Exposure of system information, Exposure of sensitive information | Released: 2006-01-24
Two security issues and a vulnerability have been reported in WebLogic Portal, which potentially can be exploited by malicious people to disclose sensitive information and bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18593/

--
[SA18592] BEA WebLogic Server/Express Vulnerabilities and Security Issues
Critical: Moderately critical | Where: From remote | Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS | Released: 2006-01-24
Multiple vulnerabilities and security issues have been reported in WebLogic Server and WebLogic Express, where the most critical ones potentially can be exploited by malicious people to cause a DoS (Denial of Service), disclose sensitive information, and bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18592/

--
[SA18575] ADOdb PostgreSQL SQL Injection Vulnerability
Critical: Moderately critical | Where: From remote | Impact: Manipulation of data | Released: 2006-01-24
Andy Staudacher has reported a vulnerability in ADOdb, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18575/

--
[SA18572] Pixelpost Comment Script Insertion Vulnerability
Critical: Moderately critical | Where: From remote | Impact: Cross Site Scripting | Released: 2006-01-24
Aliaksandr Hartsuyeu has discovered a vulnerability in Pixelpost, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18572/

--
[SA18567] e-moBLOG SQL Injection Vulnerabilities
Critical: Moderately critical | Where: From remote | Impact: Manipulation of data | Released: 2006-01-23
Aliaksandr Hartsuyeu has discovered some vulnerabilities in e-moBLOG, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18567/

--
[SA18563] Zoph SQL Injection Vulnerabilities
Critical: Moderately critical | Where: From remote | Impact: Manipulation of data | Released: 2006-01-23
Some vulnerabilities have been reported in Zoph, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18563/

--
[SA18557] Gallery Fullname Script Insertion Vulnerability
Critical: Moderately critical | Where: From remote | Impact: Cross Site Scripting | Released: 2006-01-20
A vulnerability has been reported in Gallery, which potentially can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/18557/

--
[SA18591] CA Products iGateway Service Content-Length Buffer Overflow
Critical: Moderately critical | Where: From local network | Impact: System access | Released: 2006-01-24
Erika Mendoza has reported a vulnerability in various CA products, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/18591/

--
[SA18603] MyBB User Control Panel Cross-Site Request Forgery
Critical: Less critical | Where: From remote | Impact: Hijacking | Released: 2006-01-25
Roozbeh Afrasiabi has discovered a vulnerability in MyBB, which can be exploited by malicious people to conduct cross-site request forgery attacks.
Full Advisory: http://secunia.com/advisories/18603/

--
[SA18588] Claroline Single Sign-On System Predictable Cookie
Critical: Less critical | Where: From remote | Impact: Hijacking, Security Bypass | Released: 2006-01-25
karmaguedon has reported a vulnerability in Claroline, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18588/

--
[SA18581] BEA WebLogic Server/Express Multiple Domains Administrator Access
Critical: Less critical | Where: From remote | Impact: Security Bypass | Released: 2006-01-24
A security issue has been reported in WebLogic Server and WebLogic Express, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/18581/

--
[SA18576] Tor Hidden Service Disclosure Weakness
Critical: Less critical | Where: From remote | Impact: Exposure of sensitive information | Released: 2006-01-23
Lasse Overlier and Paul Syverson have reported a weakness in Tor, which can be exploited by malicious people to disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/18576/

--
[SA18566] Note-A-Day Weblog Exposure of User Credentials
Critical: Less critical | Where: From remote | Impact: Exposure of sensitive information | Released: 2006-01-23
Aliaksandr Hartsuyeu has discovered a security issue in Note-A-Day Weblog, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/18566/

--
[SA18565] AZ Bulletin Board Cross-Site Scripting Vulnerabilities
Critical: Less critical | Where: From remote | Impact: Cross Site Scripting | Released: 2006-01-23
Roozbeh Afrasiabi has reported two vulnerabilities in AZ Bulletin Board, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/18565/

--
[SA18577] MyBB Disclosure of Table Prefix Weakness
Critical: Not critical | Where: From remote | Impact: Exposure of system information | Released: 2006-01-23
imei has discovered a weakness in MyBB, which can be exploited by malicious people to disclose system information.
Full Advisory: http://secunia.com/advisories/18577/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Jan 27 05:13:57 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 27 Jan 2006 04:13:57 -0600 (CST)
Subject: [ISN] Information warfare: The need to know your enemy

http://www.gcn.com/vol1_no1/daily-updates/38107-1.html

By William Jackson
GCN Staff
01/26/06

When terrorists - or another nation - launch a cyberattack against the U.S. infrastructure, it probably won't be with a zero-day exploit, security experts say.

"There is enough low-hanging fruit already out there that works," security analyst Tom Parker said at the Black Hat Federal Briefings in Alexandria, Va. There is no reason to expose a perfectly good new vulnerability and exploit.

But just what the attack will look like is not clear. "There isn't a whole lot of information out there on how nation-states go about attacking each other," Parker said.

To IT security professionals, one attack looks pretty much like another. They focus on the exploit being used. But Parker and Matthew G. Devost, CEO of the Terrorism Research Center Inc., make the case that we need to be able to identify our attackers more clearly if we are to defend ourselves effectively.

"Obviously, nation-states have greater capacity to finance attacks," Devost said. "We need to ask ourselves, 'Who are the threats,' because they all look the same in the exploit."

Effective risk management requires greater granularity in identifying our attackers, their motives and their capabilities, Devost said.

Parker and Devost described a model for characterizing the motives and capabilities of cyberadversaries.
By feeding information about political and cultural conditions, possible motivations of attackers and the resources available to different groups, patterns could be identified that would let analysts pull meaningful data from the noise of IT system and event logs. This could be used to help prioritize threats and responses.

Worries about the potential for cyberterrorism and information warfare have existed for more than a decade, but there is little real-world information about the actual nature of these threats.

"It obviously is something that is on the radar screen," Devost said. "But we really can't predict whether it will be five or 10 years out" before a serious attack actually occurs. That is a real problem in a society where a three- to five-year horizon is considered long term.

Researchers have identified some probable general characteristics of an information warfare attack. The attack code is likely to be robust and work across multiple platforms, and the payload will be precise and efficient, executing only what is necessary to achieve its goal. This would help the exploit avoid detection, as would the use of sophisticated rootkit technology to burrow deep into the operating system kernel or even the computer's firmware.

These traits also describe recent trends being observed as organized crime turns toward computer hacking to steal and exploit valuable data. Parker said the potential for cooperation between organized crime, nation-states and terrorist organizations in developing malicious code is a serious threat that already may be under way.

He said the value of malicious code is growing in underground markets, with a robust Windows exploit now selling for $50,000, compared with $25,000 two years ago. He did not say how he obtained this information.
Parker said cyberattacks are unlikely to replace proven physical attacks used by existing terrorist organizations and are more likely to be adopted by new and marginalized groups with limited resources to carry out traditional attacks.

From isn at c4i.org Fri Jan 27 05:14:14 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 27 Jan 2006 04:14:14 -0600 (CST)
Subject: [ISN] Ameriprise Says Stolen Laptop Had Data on 230,000 People

http://www.nytimes.com/2006/01/26/business/26data.html

By ERIC DASH
January 26, 2006

Ameriprise Financial, the investment advisory unit spun off from American Express last year, said yesterday that lists containing the personal information of about 230,000 customers and advisers had been compromised.

A security breach occurred in late December, Ameriprise said, after a company laptop was stolen from an employee's parked car. The laptop contained a list of reassigned customer accounts that was being stored unencrypted, a violation of Ameriprise's rules.

The information on the laptop included the names and Social Security numbers of about 70,000 current and former financial advisers and the names and internal account numbers of about 158,000 customers, about 6 percent of its 2.8 million clients.

An Ameriprise spokesman, Andrew MacMillan, said it was unlikely that the thief knew that the information was on the laptop and the risk of "any data being used or discovered is very low."

Mr. MacMillan said that the laptop was protected by a password but that the data was being stored unencrypted in violation of company rules. The employee involved has been fired.

"This information should not have been removed from the corporate office without the security measures in place," he said. "This individual violated a few written company policies."

The company said it had started notifying the customers and the advisers on Saturday.
Ameriprise, which reports its earnings today, is the latest company to acknowledge a security breach in a wave of incidents that have rocked the financial services industry. Some have occurred when cyberthieves broke into unprotected computer networks, like one at CardSystems Solutions, a tiny credit card processing company that left the personal account information of 40 million consumers exposed to fraud. Others, like those at Bank of America and Citigroup, have occurred when data tapes were lost.

From isn at c4i.org Fri Jan 27 05:14:30 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 27 Jan 2006 04:14:30 -0600 (CST)
Subject: [ISN] Computer security breach in urban affairs, agriculture

http://www.udel.edu/PR/UDaily/2006/jan/breach012506.html

Jan. 25, 2006

Two recent computer security breaches at the University of Delaware have resulted in the possible exposure of names and Social Security Numbers that were stored on the machines. A computer in the University's School of Urban Affairs and Public Policy was hacked, and a back-up hard drive in the UD Department of Entomology and Wildlife Ecology was stolen.

The computer in the School of Urban Affairs and Public Policy was attacked sometime between Nov. 22-26 by an unknown hacker, and it contained a portion of a database that included Social Security numbers for 159 graduate students.

"Since the incident, those affected have been notified, the file has been removed from the computer, and we have taken steps to properly secure the system," Jeff Raffel, director of the school, said.

A back-up hard drive was stolen from the Department of Entomology and Wildlife Ecology some time between Dec. 16-18, and a police report was filed Dec. 19. A valuable microscope worth nearly $6,000 and belonging to Judith Hough-Goldstein, professor of entomology, also was stolen, and it is believed the theft of the hard drive was an afterthought.

The hard drive contained personal information on a few individuals, and Jack B.
Gingrich, a postdoctoral fellow in the department whose hard drive was stolen, has informed all those involved. The University's policy is to notify all individuals if their personal information may have been compromised following such incidents, and in both cases, letters have been sent to everyone whose personal information may have been compromised. The letters informed them of the breach and shared information on how to combat identity theft. It is unknown whether any personal information was actually acquired in either case. Individuals with concerns about identity theft may visit a special web site prepared by Information Technologies at [www.udel.edu/security/identitytheft.html]. UD's Office of Information Technologies has conducted a campuswide campaign to help departments protect sensitive personal nonpublic information (PNPI), such as Social Security and credit card numbers. Every University department was visited and advised about proper security for stored PNPI. Information Technologies staff also stressed collecting such information only when required and reiterated the responsibility of each employee to follow UD policy, Delaware laws and federal laws and regulations for the processing and safekeeping of confidential, personal information. "In every department, those individuals who are responsible for maintaining records must understand that they are responsible for assuring compliance with the Family Educational Rights and Privacy Act (FERPA) and other laws that govern the use of PNPI," Susan Foster, vice president for information technologies, said. "This includes not only the proper use of PNPI but the responsibility to secure systems in which it resides," she said. Although the University has moved away from using Social Security Numbers as identifiers, some older databases that University departments and units set up in the past may still have such information. 
Information Technologies has posted guidelines aimed at helping departments secure PNPI and make sure they are in compliance with the University policy and the law. Those can be found at [www.udel.edu/ssn/guid.html]. The guidelines direct departments to ensure the privacy of PNPI by encrypting electronic transmissions, not storing PNPI locally and protecting PNPI when working from home or outside the University.

Members of the University community with questions about uses of PNPI should call the Information Technologies Help Center at (302) 831-6000 or send email to [consult at udel.edu].

Additional information is available at these sites:

* Protecting Personal Non-Public Information [www.udel.edu/ssn/];
* UD Computer Security [www.udel.edu/security/]; and
* Responsible Computing: A Manual for Staff [www.udel.edu/ecce/staff.htm].

From isn at c4i.org Fri Jan 27 05:15:23 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 27 Jan 2006 04:15:23 -0600 (CST)
Subject: [ISN] Thief nabs backup data on 365,000 patients
Message-ID:

http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,108101,00.html

By Todd R. Weiss
JANUARY 26, 2006
COMPUTERWORLD

About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records.

In an announcement [1] yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data were on several disks and tapes stolen from the car of a Providence employee at his home. The incident was reported by the employee on Dec. 31, according to the health care system.

The tapes and disks were taken home by the employee as part of a backup protocol that sent them off-site to protect them against loss from fires or other disasters.
That practice, which was only used by the home health care division of the hospital system, has since been stopped, said health system spokesman Gary Walker.

"This was only done in one area of the company," Walker said. "It did not involve the hospital's database [of patients].... That one part of the company was sending data home off-site. But we should have reviewed the policy."

The data on the tapes was encrypted, Walker said, and the data on the disks was in a proprietary file format that was not encrypted, but "is stored in a way that would make it difficult, if not impossible, for someone to access it, then make any sense out of it."

From now on, all data will be made secure using additional technologies, according to Walker. "We are encrypting all the material we can encrypt now," as the health care system reviews all of its procedures and security, he said. "We are sorry that this happened and we don't want it to happen again."

Providence officials said there have been no reports that any of the stolen information has been used improperly since the incident. Providence is notifying affected patients by mail about the theft.

The information on the disks and tapes included names, addresses, dates of birth, physicians' names, insurance data, diagnoses, prescriptions and some lab results. For approximately 250,000 of the patients, Social Security numbers were on the records, according to the health system. Some of the records also included patient financial information.

Rick Cagen, CEO of Providence's Portland service area, said new backup procedures are being implemented using more traditional IT means, including secure sites in remote locations for safety and redundancy. "We do have alternate practices now," Cagen said.

The four-week delay in publicly announcing the theft was needed so Providence officials could recreate the stolen data and identify the patients who needed to be contacted, he said.
The delay was also caused in part by the large number of records that had to be processed, he said.

"We realize this is a major inconvenience and cause for real concern, and we deeply apologize to everyone affected by this incident," Cagen said. "Even though we have no indication that the thief has accessed the data, we are doing all we can to help our patients and employees protect their information."

The incident is the second data theft from a motor vehicle announced this week. Yesterday, Minneapolis-based financial services company Ameriprise Financial Inc. said it is notifying some 158,000 customers and 68,000 financial advisers that a laptop containing personal information about them -- including names, account numbers or Social Security numbers -- was stolen from a parked car late last month (see "Ameriprise notifying 226,000 customers, advisers of data theft" [2]).

[1] http://www.providence.org/oregon/hcs/newsrelease.htm
[2] http://www.computerworld.com/securitytopics/security/story/0,10801,108071,00.html

From isn at c4i.org Fri Jan 27 05:16:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 27 Jan 2006 04:16:29 -0600 (CST)
Subject: [ISN] REVIEW: "Network Security First-Step", Tom Thomas
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKNTSCFS.RVW 20051106

"Network Security First-Step", Tom Thomas, 2004, 1-58720-099-6, U$29.95/C$42.95
%A Tom Thomas
%C 800 East 96th Street, Indianapolis, IN 46240
%D 2004
%G 1-58720-099-6
%I Cisco Press
%O U$29.95/C$42.95 feedback at ciscopress.com 800-382-3419
%O http://www.amazon.com/exec/obidos/ASIN/1587200996/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1587200996/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1587200996/robsladesin03-20
%O Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 456 p.
%T "Network Security First-Step"

The introduction defines the audience for this book very broadly: so broadly that it appears to try to be all things to all people, and simply, too! (Wireless security seems to be a major consideration.) The preface does specifically mention students and security professionals.

Chapter one is the usual "selling" section of the book: in this case promoting the idea that "hackers" are out there and trying to getcha. The material is only loosely organized, and seemingly more intent on proving that the author knows a bunch of "inside" information than on usefully informing the reader. (Thomas also tends to make thinly veiled attacks on Microsoft: many security experts are unhappy with some of Microsoft's decisions in regard to security, but snide references to "the richest man in the world" are unlikely to assist users in securing their systems.) A couple of references for further study are mentioned: these are works that are more popular than accurate. Review questions are provided at the end: these are the all-too-standard simplistic reading checks. (Some of the answers provided don't actually answer the questions at all.)

The review of security policies, in chapter two, is reasonable, but generic and terse. The bulk of the content comes in a sample set of functional security policies which touch on a few important topics, but will probably be of very limited use to most readers.

Supposedly an overview of security technologies, most of chapter three concentrates on defining different types of firewalls (and doesn't do a very good job with stateful inspection), with (for some odd reason) brief mentions of public key infrastructure and two centralized authentication systems.

Chapter four lists a couple of cryptographic, a couple of tunneling, and the secure shell protocols.

An introduction to the concept of firewalls, in chapter five, seems odd following the more detailed catalogue previously.
In contradiction to the introduction's position, much of this content is complicated (not assisted by a lack of structure in the writing), and also becomes more specific to Cisco products, including pages of PIX configuration tables.

Routers would relate to packet filtering, one would think, but chapter six also contains content inspection and intrusion detection topics. (The material becomes even more focussed on Cisco, reprinting a twelve page secure IOS template.)

Chapter seven, on virtual private networks, fails to stress the difference between tunnelling and encryption, does a very poor job of explaining IPSec (also seems to confuse the discrete log problem used by the Diffie-Hellman algorithm with the prime factoring used by RSA), and spends a large section at the end listing commands for configuring IPSec on Cisco products.

The ordinary wireless security topics are in chapter eight.

Chapter nine looks primarily at intrusion detection, and a little bit at honeypots.

A list of attacks, more specific than those in chapter one, and some vulnerability scanning tools, are outlined in chapter ten.

In relation to the attempt to make the material simple, the author seems to assume that understanding equates with entertainment, and tries to provide humour. The attempts at witticisms are irrelevant and distracting.

The student will find this text too facile, and of questionable accuracy in a number of places. The professional will find the work too disorganized to act as any kind of reference, and the content lacking in both analytical and implementation considerations.

copyright Robert M. Slade, 2005 BKNTSCFS.RVW 20051106

======================
(quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca slade at victoria.tc.ca rslade at sun.soci.niu.edu
This is not a novel to be tossed aside lightly. It should be thrown with great force.
- Dorothy Parker
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Mon Jan 30 01:32:12 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 30 Jan 2006 00:32:12 -0600 (CST)
Subject: [ISN] Credit card numbers reported stolen from R.I. state Web site
Message-ID:

http://www.timesargus.com/apps/pbcs.dll/article?AID=/20060128/NEWS/601280319/1003/NEWS02

By Ray Henry
Associated Press
January 28, 2006

PROVIDENCE, R.I. - Thousands of credit card numbers were stolen from a state government Web site that allows residents to register their cars and buy state permits, authorities said Friday.

New England Interactive, the company that runs the Web site, also manages Web sites for state governments in other states, spokeswoman Renee Loring said. On Friday morning it listed Vermont, Maine and New Hampshire as clients. Loring said its other state Web sites were not affected.

The private company that runs RI.gov told the state this week that 4,118 credit card numbers had probably been taken, a state official said.

All online transactions were suspended Friday until any possible security problems could be fixed, and the state planned to notify cardholders of the breach, said Beverly Najarian, director of the Department of Administration.

No fraudulent purchases had been reported so far, Najarian said. NEI said using the stolen information to make a fraudulent purchase would be difficult. The site's system only records partial credit card numbers, Loring said.

The breach on Dec. 28 was detected during a routine security audit and reported to the state government the following day, Loring said. At the time, the company believed only eight credit cardholders were affected, she said.

But soon after, an outside security firm discovered a Web site in Russian listing the names and partial credit card numbers of several residents, Najarian said.
The site, purportedly written by a university student, claimed he overslept class, found Rhode Island's Web site and hacked into it. The posting details how he was able to hack the site.

The purported hacker said he obtained 53,000 credit card numbers. Loring said the total was much smaller, but would not put an exact number on the amount, estimating it was in the thousands. She said she did not know when NEI realized that breach was greater than first believed.

Steven O'Donnell, spokesman for the Rhode Island State Police, said a computer crimes team was investigating the case.

NEI tightened security, Loring said, although she declined to describe the measures. She said the Web site is "absolutely safe" and the intrusion was reported to financial institutions.

The state did not tell consumers about the breach in December because the hacking appeared limited, Najarian said.

Jeff Neal, a spokesman for Gov. Don Carcieri, said NEI's contract to run the state's Web site expires this summer and the governor's office plans a review before deciding whether to extend it.

Officials at Vermont's Department of Information and Innovation did not immediately return a call for comment. Erin Hutchins, who manages the Maine government's site, said there have been no reports of hacking. New Hampshire Fish and Game Department spokeswoman Liza Poinier said New England Interactive hasn't handled the transactions on its Web site for about 18 months.

The Rhode Island Web site allows residents to complete dozens of transactions online.
---

On the Net:

Rhode Island state Web site: http://www.ri.gov
New England Interactive: http://www.neinetwork.com
Maine state Web site: http://www.maine.gov
New Hampshire Fish and Game: http://www.nhfishandgame.com

From isn at c4i.org Mon Jan 30 01:32:47 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 30 Jan 2006 00:32:47 -0600 (CST)
Subject: [ISN] ITL Bulletin for January 2006
Message-ID:

Forwarded from: Elizabeth Lennon

TESTING AND VALIDATION OF PERSONAL IDENTITY VERIFICATION (PIV) COMPONENTS AND SUBSYSTEMS FOR CONFORMANCE TO FEDERAL INFORMATION PROCESSING STANDARD 201

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

The National Institute of Standards and Technology (NIST), Information Technology Laboratory, has set up a new program to test and validate personal identity verification (PIV) components and subsystems for conformance to Federal Information Processing Standard (FIPS) 201, Personal Identification Verification (PIV) of Federal Employees and Contractors. Approved by the Secretary of Commerce in February 2005, FIPS 201 applies to the identification cards that are issued by federal government departments and agencies to their employees and contractors who require access to federal facilities and information systems. PIV cards incorporate an individual's identity credentials on smart cards. PIV components and subsystems use the electronically stored data on the cards to carry out automated identity verification of the individual.

The program for testing and validating PIV components and subsystems for conformance to FIPS 201 is managed by the NIST PIV Program (NPIVP), and testing organizations will be accredited by NIST's National Voluntary Laboratory Accreditation Program (NVLAP), which provides third-party accreditation to testing and calibration laboratories.
NVLAP accredits public and private sector laboratories, including commercial, manufacturers' in-house, university, and federal, state and local government laboratories, based on evaluation of their technical qualifications and their competence to carry out specific calibrations or tests.

FIPS 201 Requirements

Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors, established the requirement for a common standard for identification credentials. Issued in August 2004, HSPD 12 directed NIST to develop a mandatory standard for secure and reliable forms of identification for use throughout the federal government. Secure forms of identification are needed to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy. In developing the standard, NIST worked with private industry and with other federal agencies, including the Office of Management and Budget, the Office of Science and Technology Policy, and the Departments of Defense, State, Justice, and Homeland Security.

FIPS 201 specifies the technical and operational requirements for interoperable PIV systems that issue smart cards as identification credentials and that use the cards to authenticate an individual's identity. FIPS 201 was issued in two parts to assist agencies in planning for a smooth migration to secure, reliable personal identification processes.

The first part of FIPS 201 (PIV I) describes the minimum requirements needed to meet the control and security objectives of HSPD 12, including the process to prove an individual's identity. Agencies may issue credentials only to applicants whose identities have been established and who have had a background investigation. Federal departments and agencies were required to implement Part 1 in October 2005.
The second part of the standard (PIV II) provides the detailed technical specifications to support the control and security objectives of Part 1, as well as the requirements for the interoperability of PIV cards and systems. Part 2 specifies the policies and minimum requirements for PIV cards, which will allow for the interoperability of PIV cards when used for physical access to facilities and for logical access to information systems. Part 2 also describes the processes for collecting, storing, and maintaining the information and the documentation needed to authenticate and assure an individual's identity. Federal organizations that are currently using different electronic credential systems will have additional time to phase in their changeover to interoperable systems based on the Part 2 specifications.

The Office of Management and Budget (OMB) in its August 5, 2005, Memorandum M-05-24 provides instructions to federal organizations for implementing HSPD 12 and FIPS 201. Federal organizations are required to begin implementation of Part 2 by October 27, 2006. Details on these requirements are available at the OMB website: www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf.

When FIPS 201 is fully implemented, it will be possible for a card issued by one agency to be electronically recognized by any other agency, thus enabling a decision to be made about whether to grant the cardholder access to facilities and information systems.

The Validation Program

The use of products that have been tested by independent laboratories and validated for conformance to established standards promotes security and confidence in the products.
Initially, the NIST Personal Identity Verification Program (NPIVP) will test and validate the FIPS 201 interface of PIV card applications and PIV middleware for correct implementation of the technical requirements detailed in NIST Special Publication (SP) 800-73, Interfaces for Personal Identity Verification, one of the specifications referenced by FIPS 201. The PIV Middleware and PIV Card Application test suites have been modeled according to NIST SP 800-85, PIV Middleware and PIV Card Application Conformance Test Guidelines (SP800-73 compliance).

All of the testing under the NPIVP will be handled by the third-party test facilities. The test facilities, which are listed below, have been designated as interim NPIVP Test Facilities for FIPS 201 components and subsystems. When these NPIVP laboratories have been assessed for NPIVP testing and accredited by NVLAP, the "Interim" designation will be removed.

Interim NPIVP Laboratories

Atlan Laboratories, McLean, Virginia
atsec information security company, Austin, Texas
BKP Security Laboratories, Santa Clara, California
BT Cryptographic Module Testing Laboratory, Fleet, Hampshire, UK
CEAL: a CygnaCom Solutions Laboratory, McLean, Virginia
COACT Inc. CAFÉ Laboratory, Columbia, Maryland
DOMUS IT Security Laboratory, Ottawa, Canada
EWA - Canada IT Evaluation and Test Facility, Ottawa, Canada
ICSA Labs, a division of Cybertrust, Inc., Mechanicsburg, Pennsylvania
InfoGuard Laboratories, Inc., San Luis Obispo, California
LogicaCMG FIPS Laboratory, Leatherhead, Surrey, UK

These interim laboratories for testing FIPS 201 components and subsystems are also accredited to perform conformance testing for FIPS 140-1 and 140-2, Security Requirements for Cryptographic Modules. NIST and the Communications Security Establishment (CSE) of the government of Canada jointly administer the Cryptographic Module Validation Program (CMVP), which has issued more than 620 validation certificates representing more than 1,000 modules.
All cryptographic modules used in PIV systems, both on the card and in issuer software, must be validated to FIPS 140-2 under the CMVP.

NIST plans to develop additional testing and validation programs under the NPIVP in the future.

FIPS 201 Specifications

FIPS 201 incorporates three technical publications specifying several aspects of the required administrative procedures and technical specifications.

- NIST Special Publication (SP) 800-73, Interfaces for Personal Identity Verification, by James F. Dray, Scott B. Guthery, and Teresa Schwarzhoff, specifies the interface requirements for retrieving and using the identity credentials from the PIV card. NIST SP 800-73 provides the PIV data elements, identifiers, structure, and format, and describes the Application Programming Interface (API) and the card interface requirements that will enable PIV identity credentials to be used interchangeably throughout federal agencies. NIST SP 800-73 includes two specifications to help agencies make the transition to conformance with FIPS 201: a transitional card specification that is derived from the Government Smart Card Interoperability Specification and that agencies already invested in smart card implementations might want to consider using; and a Part 2 card specification for agencies choosing to move directly to the Part 2 architecture. A reference implementation for NIST SP 800-73 is available at the NPIVP web page listed in the More Information section below.

- NIST Draft SP 800-76, Biometric Data Specification for Personal Identity Verification, by Charles Wilson, Patrick Grother, and Ramaswamy Chandramouli, specifies the technical acquisition and formatting requirements for biometric data used by the PIV system. To assist agencies in implementing FIPS 201, the specification selects options from published biometric standards to facilitate interoperability and ensure performance of PIV systems.
Included are specifications for the fingerprints used in the PIV systems, optional specifications for facial images, the format for all PIV biometric data representation, and the requirements for biometric devices. NIST expects to issue the final version of NIST SP 800-76 in early 2006.

- NIST SP 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, by W. Timothy Polk, Donna F. Dodson, and William E. Burr, specifies the acceptable cryptographic algorithms and key sizes to be implemented in the PIV system. The publication covers the infrastructure components for issuance and management of the PIV card, and the applications for security services that rely on the credentials supported by the PIV card. NIST SP 800-78 identifies acceptable symmetric and asymmetric encryption algorithms, digital signature algorithms, and message digest algorithms, and details the mechanisms to identify the algorithms associated with PIV keys or digital signatures. Algorithms and key sizes were selected to be consistent with federal standards and ensure adequate cryptographic strength for PIV applications.

Other NIST Special Publications also support the implementation of FIPS 201 and the testing and validation program.

- NIST SP 800-21-1 is the second edition of the Guideline for Implementing Cryptography in the Federal Government, which was issued in November 1999. Written by Elaine B. Barker, William C. Barker, and Annabelle Lee, the revision updates and replaces the 1999 version of the guideline, and provides new tools and techniques for using cryptography to protect data that is sensitive, has a high value, or is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage.
NIST SP 800-21-1 provides guidance on Federal Information Processing Standards and NIST Special Publications that have been issued, or amended, since 1999, and on cryptographic modules and algorithms that are validated for conformance to standards. The guideline assists federal organizations in selecting cryptographic controls and in implementing the controls on new or existing systems.

- NIST SP 800-79, Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, by Dennis Branstad, Alicia Clay, and Joan Hash, assists federal agencies in assessing the reliability of organizations that provide PIV card issuing (PCI) services. HSPD 12 requires that all identity cards be issued by providers whose reliability has been established by an official accreditation process. Agencies must have accurate, reliable, and trustworthy information about their PCI in order to make appropriate decisions about whether to authorize its operation. Certification is the formal process for assessing that the PCI is reliable and capable of enrolling approved applicants and of issuing PIV cards. Accreditation is the official management decision to authorize the operation of a PCI after a thorough certification process has been conducted.

- NIST SP 800-85, PIV Middleware and PIV Card Application Conformance Test Guidelines (SP800-73 compliance), by Ramaswamy Chandramouli, Levent Eyuboglu, and Ketan Mehta, specifies the test plan, processes, derived test requirements, and the detailed test assertions and conformance tests needed for testing PIV middleware and the PIV card application for conformance with the specifications detailed in NIST SP 800-73. NIST SP 800-85 supports developers of PIV middleware and PIV card applications in the development and testing of their software modules, and it assists testing laboratories in developing appropriate test suites for the interface requirements in NIST SP 800-73.
The guidelines for conformance testing help to advance the availability of validated, interoperable PIV products and the acquisition of these products by federal organizations.

- NIST SP 800-87, Codes for the Identification of Federal and Federally Assisted Organizations, by William C. Barker and Hildegard Ferraiolo, provides four-character identifying codes for federal organizations. These codes are used in the implementation of FIPS 201 to establish the Federal Agency Smart Card Credential Number (FASC-N), which is part of the Card Holder Unique Identifier (CHUID).

- NIST Interagency Report (NISTIR) 7284, Personal Identity Verification Card Management Report, by Jim Dray and David Corcoran, presents an overview of card management systems, and identifies generic card management requirements. Card management refers to the preparation of a smart card before it is issued, and the administrative functions that are related to the use of the card. The report provides some technical approaches to filling the existing gaps in PIV card management in order to achieve a higher level of consistency and testability for PIV card issuance processes, enhance an organization's ability to outsource various card management components and functions, and thereby improve the overall security for the Federal PIV framework.

Future Technical Support

As FIPS 201 is implemented and used, the procedures and technical specifications will be reviewed regularly and may be updated when necessary.
NIST has identified additional guidelines, reference implementations, and conformance tests that will be needed to implement and use the PIV system; to protect the personal privacy of individuals using the PIV system; to authenticate identity source documents and obtain the correct legal name of the person applying for a PIV card; to obtain electronically and store required biometric data, such as fingerprints and facial images, from the PIV system applicant; to create a PIV card that is personalized with the data needed by the PIV system to later grant the individual access to federal facilities and information systems; to assure appropriate levels of security for federal applications; and to provide for interoperability among federal organizations using the standards. NIST will pursue these projects to the extent that its resources permit.

PIV Demonstration

In November 2005, NIST announced the Personal Identity Verification (PIV) Demonstration project and invited vendors with commercially available products to participate in the project and to join in a Cooperative Research and Development Agreement (CRADA) with NIST. Products that vendors submit to be included in the demonstration must be tested and validated in accordance with the NPIVP. The purpose of the project is to provide proof-of-concept demonstrations of commercially available products that support FIPS 201, Part 2. Additionally, the demonstrations will show the interoperability of NPIVP-certified PIV cards and PIV middleware. The demonstrations will be available to all federal agencies interested in FIPS 201 implementations. Information about these activities is available at the demonstration website http://csrc.nist.gov/piv-program/CRADA/index.html.

More Information about NPIVP

Information about the NPIVP, interim laboratories, and validation testing is available at http://csrc.nist.gov/npivp/. The NPIVP director is Ramaswamy Chandramouli (Mouli); telephone: (301) 975-5013; fax: (301) 948-0279.
Requests for general information or questions about the program may be sent by e-mail to the NPIVP Project Team at npivp at nist.gov.

FIPS 201 is available on the NIST website http://csrc.nist.gov/publications/fips/index.html. NIST Special Publications are available on the NIST website http://csrc.nist.gov/publications/nistpubs/index.html.

NVLAP provides an unbiased third-party evaluation and recognition of performance, as well as expert technical guidance to upgrade laboratory performance. NVLAP accreditation signifies that a laboratory has demonstrated that it operates in accordance with NVLAP management and technical requirements pertaining to quality systems; personnel; accommodation and environment; test and calibration methods; equipment; measurement traceability; sampling; handling of test and calibration items; and test and calibration reports. Information about NVLAP is available at http://csrc.nist.gov/npivp/.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

From isn at c4i.org Mon Jan 30 01:33:02 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 30 Jan 2006 00:33:02 -0600 (CST)
Subject: [ISN] Computer crimes seen as more likely than physical ones
Message-ID:

http://www.chicagotribune.com/technology/chi-0601280034jan28,1,1271387.story?coll=chi-techtopheds-hed&ctrack=1&cset=true

By Jon Van
Tribune staff reporter
January 28, 2006

Internet users believe they are more likely to be victims of a cybercrime than a physical one in the coming year, according to a survey released this week.
This growing fear of Internet vulnerability is well-founded, computer security experts contend. Whereas most malevolent software was once a form of electronic vandalism, it has become a profit-making venture backed by organized crime.

The survey, commissioned by IBM Corp., found that nearly 40 percent of respondents do not bank online or use credit card information online. Seventy percent said they only shop at Web sites that display a security protection seal.

"They conduct business with companies they know and trust," said Stuart McIrvine, IBM's director of corporate security strategy. "They're wary of Web sites they haven't been to before and wary of Web sites with no advertised security controls."

Also, the survey found that people are taking steps to avoid identity theft and other cyberscams. Eighty-five percent of respondents said they destroy all documents containing personal information or assure those documents are safely stored.

Yet fears about cybercrime are not leading to a slowdown in e-commerce, which continues to boom. Data collected by ComScore Networks show that people spent $5.5 billion online in the first three weeks of January for items unrelated to travel. That's a 33 percent increase over the same period a year ago.

There has always been a subset of computer users who are reluctant to shop online because of security concerns, said Gian Fulgoni, ComScore's Chicago-based chairman. "Something like 40 percent of people don't shop online because of these concerns," he said.

The survey results are good news, said Scott Pinzon, security chief at Watch Guard Technologies, a Seattle firm that supplies network security to businesses. "People are becoming aware of some very real threats."

Pinzon said that most computer security people have attempted to thwart hacker threats with technology, believing it's futile to train computer users in techniques to protect themselves.
"Crooks have been more effective in training users about cybercrime than security experts," Pinzon said. "People are learning about Internet security the hard way by being stung by phishing and other scams. It's rational for them to be wary of online activity."

As more people get high-speed broadband Internet connections, they tend to spend more money online, McIrvine said. Generally, he added, the more experience people have online, the more receptive they are to shopping there.

"Even among people who shop online, more than 90 percent of their spending is done offline," Fulgoni said. "So e-commerce has a lot of upside ahead."

As people become more aware of online risks, they're moving to protect themselves in much the same way they operate offline, said Fahim Siddiqui, chief executive of Sereniti Inc., a home network services firm based in Jersey City.

"They're using the same vigilance in traveling the information highway as they use in driving on physical highways," he said. "When you drive in your car, you buckle your seat belt for protection. You buy insurance."

Siddiqui's firm provides firewalls and other computer protection. It also sells insurance that pays up to $25,000 to cover expenses incurred by ID theft victims and anti-virus insurance that pays up to $1,000 to cover harm inflicted upon computers by viruses.

As a practical matter, Web sites that offer pornography and gambling are more likely to install malevolent software on computers that visit, Pinzon said.

"If you avoid those Web sites, you reduce the chances you'll be victimized," he said. "But that's not to say you won't get some really odious spyware loaded on your machine from something that promises to turn your cursor into a cute kitten."

From isn at c4i.org Mon Jan 30 01:33:15 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 30 Jan 2006 00:33:15 -0600 (CST)
Subject: [ISN] Could your laptop be worth millions?
Message-ID:

http://news.com.com/Could+your+laptop+be+worth+millions/2100-1029_3-6032177.html

By Will Sturgeon
Special to CNET News.com
January 27, 2006

The average laptop could contain data worth almost $1 million, according to new research.

A report released Friday by security-software company Symantec suggests that an ordinary notebook holds content valued at 550,000 pounds ($972,000), and that some could store as much as 5 million pounds--or $8.8 million--in commercially sensitive data and intellectual property.

The same research, commissioned by Symantec, shows that only 42 percent of companies automatically back up employees' e-mails, where much of this critical data is stored, and 45 percent leave it to the individual to do so.

"It's alarming that executives have mobile devices containing data of such financial value and that very little is being done to protect the information on them," said Lindsey Armstrong, a vice president for Europe, the Middle East and Africa at Symantec.

The threat of stolen laptops is a real concern. About 50 percent of respondents to an FBI computer crime survey said their organization had suffered theft of a notebook or other mobile gear in 2005. On Wednesday, investment consultancy Ameriprise Financial, an offshoot of American Express, said the theft of a company laptop had exposed sensitive data of about 230,000 customers and advisers.

The message to businesses is clear, Symantec said: Ensure all data is backed up regularly and that laptops out on the road are thoroughly secure and don't unnecessarily contain sensitive data.

"It is critical that businesses start looking beyond just the price of the hardware and recognize that they also need to invest in protecting the data stored on these machines," Armstrong said.

Past research in the U.K. suggests that as many as 10,000 laptops are left in the backs of British taxis each year and civil servants are among the worst offenders.

Will Sturgeon of Silicon.com reported from London.
From isn at c4i.org Mon Jan 30 01:33:49 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 30 Jan 2006 00:33:49 -0600 (CST)
Subject: [ISN] Reading Saddam's Email - What to do with an enemy's hard drives.
Message-ID:

Forwarded from: William Knowles

http://www.weeklystandard.com/Content/Public/Articles/000/000/006/652zozfg.asp

by Michael Tanji
02/06/2006
Volume 011, Issue 20

STEPHEN F. HAYES has written extensively in these pages about a large cache of documents and digital media captured in the course of Operation Iraqi Freedom and Operation Enduring Freedom. As a former intelligence officer who dealt with digital media exploitation and analysis issues at the Defense Intelligence Agency for nearly four years (2001 to 2005), I am prohibited from speaking publicly about what these documents may contain. What I can do is share my professional opinion on how one might solve some of the major problems associated with media exploitation.

Let us assume hypothetically that the United States has overthrown a hostile regime, and a vast amount of paper and digital media has been looted or otherwise removed from the regime's ministries, industrial centers, and other facilities. A great deal of this material has been obtained by the U.S. military and eventually the U.S. intelligence services. Because of the lack of context--reliable information about where each item was obtained, who it belonged to, and so on--U.S. intelligence is faced with trying to make sense of a massive, amorphous heap of paper and digital data.

The demands are tremendous. Combat commanders need actionable intelligence so they can turn around and capture or kill more of the enemy (and obtain still more media to exploit). But technical expertise and high-end equipment are hard to come by. So is good, trustworthy linguistic support. Subject matter experts are by and large still back in Washington. Given the problems, how does U.S. intelligence perform deep analysis on data that clearly need it?
The process of exploitation begins with the recognition that neither human intelligence nor signals intelligence is the be-all and end-all. Human sources can lie. They can hide parts of the truth. Unwitting dupes in a deception scheme can honestly tell you what they think is the truth. Intercepted signals generally reveal only part of the intelligence picture. In a complex web of bad guys, tapping the phones of one or two leaves a lot of gaps, especially when your adversary is a whole network of webs.

Digital media, on the other hand, are less prone to be a means of deception, and even one node of a network can reveal a significant amount about the entire network. Think about the data that you keep on your computers at work and at home. Unless you write fiction for a living, these are the most accurate and factual data that can be obtained about you (short of reading your mind). The memos and letters you write, the financial information you calculate, the websites you visit, and the people you email or instant-message--all this is a gold mine for anyone looking to know who you are, what you do, and with whom you cavort. Now imagine having access to the same data about your adversary.

Enter "computer forensics." Exploiting paper documents is a relatively simple matter of reading and, if necessary, translating. Exploiting digital media is another story. Before you can read the data, you have to find it. Outside the intelligence field, computer forensics is the process by which data are extracted, preserved, and analyzed for pertinence and meaning. The computer forensics community has worked very hard to bring its practices up to the level portrayed on TV in shows like CSI, where digital evidence is now accepted in court as much as fingerprints or blood splatters. It stands to reason that the same people, tools, and methods used in computer crime labs are also used in intelligence efforts.
However, the courtroom-centric, linear, law-enforcement mindset is actually a hindrance to effective exploitation for purposes of intelligence. A military intelligence unit is not interested in going to court; it is interested in helping soldiers put steel on target. This is not to say that a law enforcement approach has no use in the larger intelligence business (for example, in counterintelligence investigations), but if the goal is good data fast, then what is good for cops is not good for soldiers.

ASSUME OUR HYPOTHETICAL hostile regime was a fairly large country with a population around 25 million. It was not the most technically advanced nation in the world, but it had ministries and industries and was believed to have advanced weapons capabilities. All these needed computers to function. How much data does this translate into?

Consider some rough calculations. One floor of an average-sized university library full of academic journals contains about 100 gigabytes of data, the size of a large but not uncommon hard drive. The data in 100 such hard drives are comparable to the print holdings of the Library of Congress. Care to guess whether our formerly hostile regime had more than 100 computers?

As if sheer quantity of data were not problem enough, remember that the materials have almost no supporting contextual information. A computer forensics examiner in a crime lab generally has access to the investigators, knows the nature of the crime, and knows the most common places to look for evidence. A piece of evidence comes to him in a plastic bag with a tag on it saying where it was found, what kind of computer it came out of, and so on.

On the battlefield there is no time to "bag-and-tag" evidence. You find something that looks useful; you grab it, secure it, and move on. When the mission is over, you head to the tent where the Military Intelligence guys hang out and drop off your goods, covered in dust and a lot worse for wear.
Under such conditions, context beyond a label reading "hard drive found on Monday" is scarce. You have a huge store of data and only the slightest idea where it came from, a vague idea of what to look for, and you must do the job to a standard of proof mindlessly imported from law enforcement and far exceeding what is necessary for your work. Is it any wonder that some consider the job hopeless? How can we hope to make any real sense of this mass of stuff?

Technology can help. First, when data come without any meaningful context, we have to re-create that context after the fact. We begin to do this by building lists of keywords, phrases, personalities, and other data that pertain to the topics of interest to our intelligence services. These lists can easily include tens of thousands of terms, names, figures, and data formats.

The next step is to create a forensically sound process to spin off the more meaningful pieces of data (user-created documents, emails, spreadsheets, etc.) while leaving behind data that have less utility (files associated with the operating system and software applications). Let's call this our forensic centrifuge.

Ideally our centrifuge will be built out of a cluster of computers: dozens of cheap processors networked together and scaled to rival a supercomputer in power. Cluster computers have been used by academia and the government for years, notably in places like NASA and the Department of Energy. Computer programs written to take advantage of the multiprocessor capabilities of the centrifuge will extract the easy-to-obtain data files, recover deleted files and those that have been obfuscated by various means, and find the data stored in web browsers, email software, and other programs. There are commercial applications that do this, but our applications will have to be custom-made.

Once we have this notional system, we can aim it at our amorphous heap of captured data.
The result should be large but much more meaningful subsets of data that we can be reasonably assured were created by members of the former regime. The problem of authenticity that sometimes complicates the exploitation of paper documents virtually does not arise.

While we now have all the meaningful data we can obtain, there is one more step to take before we can overlay what is called our "contextual appliqué." Our extracted data files must be compared with files of the same type--another computer process easily crafted--for both physical and content similarities. Through this process we should be able to determine things like:

* the names of people who drafted, edited, and were expected to receive memorandums, letters, and orders, and sometimes which computers they worked on;

* which computers were likely networked together, within the same ministry or between trusted associates;

* discussions between former regime elements in the form of both memorandums and email exchanges, as well as the personal thoughts revealed in private letters between confidants; and

* the foreign contacts of former regime elements in the form of email addresses and website data.

This information and more can be used to reconstruct both the physical and social networks of our former hostile regime. It can show who was talking to whom and who was working on what prior to the war. Our contextual appliqué is now complete, and many gaps left by insufficient prewar human and signals intelligence can be filled in.

THE SYSTEM JUST DESCRIBED for sorting and organizing data is notional, but not fanciful. The technology exists, the mental wherewithal exists, and the contract vehicles exist. The problem of finding enough qualified, trusted Arabic speakers and translators is great, but familiar. If we want to do this, we know how. If we want to do it fast, and provide sufficient resources, we can see significant results this year.
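The "forensic centrifuge" and the comparison step that follows it (keyword lists, separating user-created documents from operating-system files, then linking files and machines through the contacts they share) can be sketched in a few dozen lines. The following is an added example written for this digest; it is not code from the article or from any intelligence program it describes. The host identifiers, paths, file contents, names and e-mail addresses are constructed, the path markers and extension list used to tell user documents from system noise are an assumption, and the four-word keyword list stands in for the tens of thousands of terms the author has in mind.

```python
"""Triage of recovered files that arrive with no provenance:
keep user-created documents, drop OS/application noise, score the
survivors against a keyword list, and link the hosts they came from
through shared e-mail contacts (the article's "contextual appliqué").

Added example, not part of the original article. All sample data,
path markers and the keyword list below are constructed/assumed."""
import re
from collections import defaultdict
from itertools import combinations

# Extensions treated as user-created content (assumption for the example).
USER_DOC_EXT = {".doc", ".xls", ".txt", ".eml", ".rtf", ".ppt"}
# Path fragments treated as operating-system or application files (assumption).
SYSTEM_PATH_MARKERS = ("/windows/", "/program files/", "/system32/")
# Stand-in for the much longer keyword list the article describes.
KEYWORDS = {"shipment", "procurement", "ministry", "invoice"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample: (host_id, path, contents) as pulled off three drives.
RECOVERED = [
    ("drive-A", "C:/Windows/System32/kernel32.dll", "MZ\x90\x00..."),
    ("drive-A", "C:/Users/x/memo1.doc",
     "Ministry procurement shipment. cc: ali@example.test, sami@example.test"),
    ("drive-A", "C:/Program Files/app/readme.txt", "Installer readme"),
    ("drive-B", "D:/docs/invoice.xls", "invoice 4471 to sami@example.test"),
    ("drive-B", "D:/docs/notes.txt", "lunch with omar@example.test"),
    ("drive-C", "E:/mail/inbox.eml", "From: ali@example.test\nSubject: shipment"),
]


def is_user_document(path):
    """True for a file that looks user-created: document extension and not
    under a system/application directory."""
    lower = path.lower().replace("\\", "/")
    if any(marker in lower for marker in SYSTEM_PATH_MARKERS):
        return False
    dot = lower.rfind(".")
    return dot != -1 and lower[dot:] in USER_DOC_EXT


def keyword_hits(text):
    """Sorted list of keywords that occur as whole words in the text."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(KEYWORDS & words)


def centrifuge(records):
    """Spin off user-created records, annotated with keyword hits and the
    e-mail contacts found in them; OS and application files are left behind."""
    kept = []
    for host, path, text in records:
        if not is_user_document(path):
            continue
        kept.append({
            "host": host,
            "path": path,
            "keywords": keyword_hits(text),
            "contacts": sorted(set(EMAIL_RE.findall(text))),
        })
    return kept


def host_links(triaged):
    """Link pairs of hosts that reference the same contact: a first cut at
    which machines were networked together or worked for the same people."""
    contact_hosts = defaultdict(set)
    for rec in triaged:
        for contact in rec["contacts"]:
            contact_hosts[contact].add(rec["host"])
    links = defaultdict(set)
    for contact, hosts in contact_hosts.items():
        for a, b in combinations(sorted(hosts), 2):
            links[(a, b)].add(contact)
    return {pair: sorted(contacts) for pair, contacts in links.items()}


if __name__ == "__main__":
    triaged = centrifuge(RECOVERED)
    for rec in triaged:
        print(rec["host"], rec["path"], rec["keywords"], rec["contacts"])
    for pair, shared in host_links(triaged).items():
        print("%s <-> %s via %s" % (pair[0], pair[1], ", ".join(shared)))
```

On the constructed sample the centrifuge discards the DLL and the installer readme, keeps four documents, and reports that drive-A shares a contact with both drive-B and drive-C while drive-B and drive-C share none. A real pipeline would add file-type identification by content rather than extension, deleted-file recovery and hashing for the "physical similarity" comparison the author mentions, but the filter-score-link shape is the same.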
Adapting widely accepted technical methodologies to the unique challenges our intelligence services face is merely good sense. Modern technologies could be put to good use by the intelligence community to solve data extraction, processing, analysis, and display problems, if only certain elements in the community could get over the "not-invented-here" syndrome. There are signs of progress, but it is slow. Let's face it: You've probably got more powerful software on your computer at home than the average intelligence analyst has on the job.

There is of course a strong political aspect to media exploitation. Which end of the political spectrum will come out ahead is not clear going in. We could very well have in our possession ample material to support all the reasons the public was told justified going to war--or we could find the opposite, or find there are no clear conclusions to be drawn. But unless we look, we will always be faced--in the immortal words of Donald Rumsfeld--with a huge cache of "unknown unknowns."

After all the detainees have been interrogated, and all of the sand at suspected facilities has been sifted and tested, the only way finally to close the book on what our hypothetical former hostile regime was up to is to analyze every last reliable source of data available to us. That is, if we are really interested in the truth.

-=-

Michael Tanji is an associate of the Terrorism Research Center. He opines on intelligence and security issues at groupintel.com.

© Copyright 2005, News Corporation, Weekly Standard, All Rights Reserved.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Jan 30 01:34:04 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 30 Jan 2006 00:34:04 -0600 (CST)
Subject: [ISN] Microsoft Tricks Hacker Into Jail
Message-ID:

http://www.wired.com/news/technology/0,70106-0.html

By Kevin Poulsen
Jan. 27, 2006

Nobody was ever arrested for leaking the secret source code for parts of the Windows operating system in 2004, but a hacker who sold a copy online afterward was sentenced to two years in federal prison Friday.

William "IllWill" Genovese, 29, will serve three years of supervised release following his prison term, during which he'll be subject to electronic monitoring through special software installed on his computer, under the terms handed down by federal Judge William Pauley in New York. He remains free on bail, and is scheduled to report to prison March 14.

Genovese ran a popular hacking-oriented community website called IllMob.org in February 2004 when two 200-MB files containing incomplete portions of the source code for the Windows 2000 and Windows NT operating systems hit the internet, flooding dodgy websites and peer-to-peer networks like some hard-core geek version of the Paris Hilton video.

Like many others, Genovese downloaded a copy. Unlike others, he posted a note to his website offering it for sale.

According to court records, an investigator hired by Microsoft took Genovese up on his offer and dropped two Hamiltons on the secret source code. The investigator then returned and arranged a second $20 transaction for an FBI agent, which led to Genovese's indictment under the U.S. Economic Espionage Act, which makes it a felony to sell a company's stolen trade secrets. After consulting with his public defender, Genovese pleaded guilty last August.
Genovese would have had a viable defense had he gone to trial, because the documents were widely available on peer-to-peer networks at the time of the sale, said Mark Rasch, a former Justice Department cybercrime prosecutor.

"This guy didn't participate in the misappropriation, and probably didn't conspire with anybody to misappropriate it," said Rasch, a vice president at security company Solutionary. "Once it's posted online, it's just not secret anymore. At some point it becomes public information."

But Genovese's public posting, coupled with his long rap sheet, made him an obvious target for prosecution. Government court filings show the Connecticut man has an extensive record of mostly petty crimes, beginning with a 1996 conviction for criminal trespass for spray painting a bridge, followed by a rash of thefts from motor vehicles and a burglary conviction. In 1999 he was convicted of "breaching the peace" by assaulting the mother of his child, according to court records.

At the time of the source-code sale, Genovese was on probation for computer trespass and eavesdropping after breaking into some private computers and installing keystroke-logging software.

"Basically, everything I do, I do ass-backwards," Genovese said in an instant-messaging interview ahead of Friday's sentencing. "I like drawing, so I spray paint. I like music, so I took some radios of kids I hated in high school. I like computers, so I hack."

Microsoft also asked for an "appropriate amount" of financial restitution, which the government estimated at $70,000. The judge declined.

The company has long maintained that the source code to Windows and other products are its crown jewels, and that making the code public could cause serious harm by stripping it of trade-secret status, and allowing competitors to duplicate the functionality of Microsoft software.
The company has also expressed fears that making its source code public could allow hackers to find security holes in Microsoft products -- though, so far, intruders are doing fine without the source.

Microsoft had no immediate comment on the case.

Genovese said Thursday that he shut down IllMob.org temporarily this week after Assistant U.S. Attorney Alexander Southwell cited it in his request that Genovese receive a 30-month sentence -- the maximum under federal sentencing guidelines. In addition to providing free hacking tools, the website has played host to candid photos stolen from celebrity cell phones and Sidekicks. And Limp Bizkit lead singer Fred Durst recently blamed IllMob for stealing and releasing his sex video last year.

From isn at c4i.org Mon Jan 30 01:34:18 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 30 Jan 2006 00:34:18 -0600 (CST)
Subject: [ISN] Botnet Herders Hide Behind VoIP
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=177104813

By Gregg Keizer
TechWeb News
Jan 27, 2006

Internet telephone applications like Skype and Vonage could become hacker hideouts, a group of technologists and academics funded by MIT and Cambridge University said Thursday.

According to the Communications Research Network (CRN), voice-over-Internet (VoIP) software could give perfect cover for launching denial-of-service (DoS) attacks.

Jon Crowcroft, a Cambridge professor and the lead CRN researcher on the problem, noted that if botnet "herders," the term given to attackers who control large numbers of bot-infected PCs, turn to VoIP applications for command and control, security experts might find it impossible to trace back an attack to the perpetrator.

Current practice by most botnet herders is to issue commands to their armies of "zombie" machines over IRC (Internet Relay Chat) channels, or less frequently, via instant messaging (IM).
Crowcroft argued that attackers could use VoIP's ability to dial in and out of its overlays to make their tracks impossible to trace. In addition, proprietary protocols -- in some cases used by VoIP software to ensure ISPs can't block their applications -- make it tough for providers to track DoS attacks. Ditto for the encryption these applications offer and their peer-to-peer approach to routing packets.

"While these security measures are in many ways positive," said Crowcroft in a statement, "they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks.

"It would be much harder to find affected computers and almost impossible to trace the criminals behind the operation."

The CRN recommended that VoIP providers publish their routing specs or switch to open standards so that law enforcement and ISPs can properly track misuse of the technology.

"Criminal activity on the Internet should be a notifiable event," said David Cleevely, CRN chairman, in a separate statement. "It's important to remember that there are more of us good guys than there are bad guys. The more we share information between us, the more we stay ahead of the game."

No such VoIP-directed DoS attacks have been seen in the wild, noted Crowcroft, but Internet telephony has been cited as a potential security risk by others, and some applications, notably Skype, have had to be patched against more mundane vulnerabilities.

In late 2004, for instance, Symantec predicted that VoIP would become a security headache in 2005 (it didn't), while in October 2005, Skype had to issue fixes for several bugs that could let attackers hijack PCs.
From isn at c4i.org Tue Jan 31 01:43:25 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 31 Jan 2006 00:43:25 -0600 (CST)
Subject: [ISN] Microsoft's Allchin has final mission of Vista delivery
Message-ID:

http://seattletimes.nwsource.com/html/businesstechnology/2002770700_btallchinqa30.html

By Brier Dudley
Seattle Times technology reporter
January 30, 2006

Talk about a swan song. Retiring Windows boss Jim Allchin is putting final touches on software that could finally help people start feeling safe and secure using a PC, if all goes according to plan.

Allchin gave an overview last week of Windows Vista, the new version of Microsoft's flagship software that Allchin's team is set to deliver before he retires at the end of 2006. He said it's on track to go on sale by the holidays.

Other highlights include a built-in search system for finding and sorting through files on a PC; translucent graphics with a control panel down the right side of the desktop; and a new media player and Internet browser.

Vista is Microsoft's first new PC operating system since the company overhauled its development process to emphasize security. Among Vista's security features is a protected mode that, in effect, puts an umbrella around the browser, insulating the PC from users' online activity, Allchin said.

Microsoft also changed its practice of releasing several near-final "beta" test versions. Instead it's issuing "community-technology preview" or CTP versions, including one for big companies over the next month.

In an interview with The Seattle Times, Allchin also discussed competition with Apple Computer, the future of the PC market and his dreams for Vista. Here's an edited transcript:

Q: We've heard of big course changes during Vista's development. Is it delayed?

A: We made all the deliveries that we said we would when we decided that we were going to re-engineer our processes for building the product.

Q: So it's still going on sale this year?
A: We still feel very good about making broad availability in this calendar year. This new approach to releasing the software -- where in the past we had these large betas and now we're moving to this new program of more frequent drops -- it's working out very, very well. We were able to reach feature-complete much earlier than what we anticipated and actually this quarter's CTP will have all the features that we're planning for the product in it. The bottom line is that this new program is letting us develop the product faster. We're getting more feedback on it and it's working out pretty well so far.

Q: So it's not late?

A: We're on track, as I mentioned, for this holiday year. I will also make a cautionary notice that I will not ship this product if it doesn't achieve the quality that's demanded by our customers. So although everything looks great right now, quality will be the deciding factor. I feel pretty good right now and we'll see how it goes the rest of the year.

Q: Is "holiday 2006" a bit later than expected?

A: No, that's what we've always said. That's what I said last April; that has been the plan since 2004.

Q: Are there any features you regret leaving out?

A: Well, that's a hard thing. There's nothing that comes to mind right now. At this point, literally, I just want to complete what we've got in there because it's so rich in terms of features.

Q: Will you make a version of Vista for Apple computers, now that they're using Intel processors?

A: We have no plans to move Vista to the Macintosh hardware.

Q: There's a bit of feature overlap with your new operating system and Apple's. What is the competitive situation going to be like now that you're on the same hardware platform?

A: I actually am not sure that sharing the same hardware platform's going to make that much difference, personally. People may disagree on that perspective. ... We're a massive company.
By that, I mean that Apple really has no presence in business, and we think Vista's going to have a huge presence in business. We think we're going to help the corporate IT stack save money. We think we're going to help information workers. And we think in the home space, we have significant advancements that we're very proud of, in terms of how we integrate with TV and how we do gaming. And most important, we're super proud of the fact that we're a partnership-level company where we're working with ISVs [independent software vendors] and IHVs [independent hardware vendors] and we're not trying to do it all ourselves. There's a fundamental difference of perspective there. And so the fact that they moved to Intel, I'm not sure that makes a lot of difference.

We will, I'm sure, be judged by many people comparing us to Linux and to the Macintosh and who knows what else. That's what life is, and I hope we've done a good job and I hope customers like what we've done.

Q: In developing countries, you now offer a lower-cost "Starter" edition of Windows. What are Vista plans for the developing world?

A: We haven't announced the [product lineup], but you should expect us to continue on the same path that we're on. You should consider that we like what's happening in terms of the Starter world and we just think that we will continue on that same path.

Q: What's going to happen to the PC market in the next two or three years, after Vista is released?

A: I continue to see a healthy PC market, very healthy. The machines will continue to morph; you'll see smaller machines that have more capability. I continue to see good growth in the mobile space; I expect to see PCs being the core driver in the home. And I mean that for entertainment along with the work-at-home space. I expect to see more machines networked in the home, which is going to mean more sales, so I see a robust and very healthy industry.
If I had a personal dream, it's that the hardware industry in the PC space spends more time innovating in terms of the capabilities of the system, and that there's a wide variety to choose from, from low-end priced systems to very cool, sexy high-end machines for the people who have the budget to afford it and who have the desire for the extra features.

Q: How much will the experience of using Vista depend on subscribing to services - will users have to sign up for Windows Live (a Web service Microsoft is introducing)?

A: Windows Live is totally separate from Windows Vista.

Q: With all the security advances in Vista, will people not worry any more about computer security? Will that concern fade away over the next couple of years?

A: This is my dream, so I'll have to see if my dream comes true. To some degree, when we did Windows 2000 and Windows XP, we worked on trying to take away the reliability stigma that PCs had. By that I mean I don't think people even think about their machines having to be rebooted, not like they used to be in the old days. It used to be very common to reboot your Windows 9x machine. I think we did a very good job there. I hope we can do the same thing on safety and security with Windows Vista. ... We are going to do a huge change with Windows Vista on this, but it truly is something that isn't going to go away for a very long time. We are going to make it much less of an issue, but it's still going to have to be something that people are aware of.

Brier Dudley: 206-515-5687 or bdudley @ seattletimes.com

Copyright © 2006 The Seattle Times Company

From isn at c4i.org Tue Jan 31 01:43:47 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 31 Jan 2006 00:43:47 -0600 (CST)
Subject: [ISN] BlackBerry Backup: Surviving a Blackout
Message-ID:

http://www.eweek.com/article2/0,1895,1915931,00.asp

By Carmen Nobel
January 27, 2006

Analysis: The BlackBerry patent saga and worries over a potential shutdown continue.
Here's what you need to know to avoid being stranded.

The Research In Motion and NTP patent dispute provided a few more twists and turns this week as the Supreme Court refused to hear an appeal and a federal court judge set Feb. 24 as a key hearing date.

On Jan. 23, the Supreme Court refused to hear an appeal in an ongoing battle that has loomed over BlackBerry customers for years. Then on Jan. 25 a federal judge set a Feb. 24 hearing date in the Eastern District Court of Virginia to consider a possible injunction that could shut down BlackBerry wireless e-mail service in the United States.

What's next? More court hearings. More big headlines. And more big questions facing enterprises as managers ponder what it will mean for business if the BlackBerry goes bust. With that in mind, here's an FAQ to help you map out a plan.

What's the back story?

Holding company NTP sued Canadian BlackBerry maker Research in Motion for alleged patent infringement on nine wireless e-mail patents in 2001. U.S. District Judge James Spencer ruled in favor of NTP in 2003, instructing RIM to halt its sales of BlackBerry devices and services in the United States until NTP's patents run out in 2012. Spencer stayed the ruling, however, pending appeal.

Since then, the case has gone through several appeals and failed settlement attempts. In the meantime, the U.S. Patent and Trademark Office has been re-evaluating several of the disputed patents for months. The USPTO has indicated that it intends to reject all of NTP's claims eventually, in which case the lawsuit would be null and void. Industry experts said the process could take several months, though, as NTP has voiced plans to appeal every decision it can.

Since Judge Spencer ruled against RIM, NTP has secured patent licensing deals with several of RIM's competitors in the remote access software industry, including Nokia in June 2004, Good Technology in March 2005 and Visto in Dec. 2005.
"RIM refuses to take a license and pay NTP," said Kevin Anderson, an attorney with Wiley Rein & Fielding of Washington, one of the law firms that represent NTP. "If someone camps on your front lawn and refuses to pay you, you have no choice but to seek assistance in removing the squatter."

How ugly can this get?

Very ugly. Of the 4.3 million BlackBerry customers worldwide, 75 percent are in North America. For those customers, the worst thing in the near term would be for Judge Spencer to shut down BlackBerry sales and services in the United States, which could happen after the Feb. 24 hearing. For those who use their BlackBerrys as cell phones, the phone service would remain in place, but the e-mail service would be shelved.

"While removing BlackBerry support from my life does seem very appealing, the truth is this service has become an integral part of our day-to-day business operations," said Nick Gass, IT manager at Color Kinetics, a digital lighting company in Boston. "Our sales team relies on their BlackBerry devices as their primary means of contact, and our executive team uses them to an almost manic degree. BlackBerries have become practically indispensable."

Should an injunction occur, it is likely that customers would get a little time before a shutdown. In a recent court filing arguing for the injunction, NTP recommended that BlackBerry customers be given a 30-day grace period.

Is there a real workaround?

RIM maintains that the company has tested and readied a legal technical workaround solution that would let the company continue offering its mobile e-mail service even if the judge orders an injunction before the patent office rules. In an earnings call late last month, RIM Chairman and Co-CEO Jim Balsillie said the company will reveal details of a workaround "very soon" that it could ship latent in future products. Balsillie said a workaround will not violate any of NTP's patents.
Nevertheless, details of this workaround have remained a stubborn mystery. RIM officials say that they have yet to release the details of the workaround - "for legal reasons," and so as not to tip a hand to NTP more than necessary. The bottom line is that customers have been left in the dark.

"Nobody knows," said Alex Kogan, director of network and data center services at Boston Properties, a real estate company in Boston with a deployment of 170 BlackBerrys. "NTP is saying there's no solution that will work without defying the patent. It's kind of a waiting game."

Will the workaround be pain free?

Probably not. RIM's own court filings indicate that implementing a workaround won't be easy. "Implementing a workaround requires reloading software on servers and BlackBerry handheld devices," reads a January 17 court briefing from RIM's legal team. "This would likely involve some significant effort on behalf of users and their supporting organizations, which will need to take time to implement the upgrades, and will likely experience typical problems experienced with undertaking upgrades."

RIM goes on to note that customers could defect to other services rather than install any workaround, which may still be challenged by NTP. "Injunctions cover all products 'not colorably different' from the enjoined product," Anderson said. "So, if the workaround is merely to take an existing BlackBerry and call it a 'RedBerry,' then that product would be in contempt."

Do I need a contingency plan?

A backup plan certainly wouldn't hurt and it's a good idea to be aware of alternatives. Clyde Foster, chief operating officer of Intellisync, which makes server and client-side software that competes with RIM's, said he has seen an increase in interest in piloting his software largely from potential customers in financial services and government.
John Halamka, CIO of Harvard Medical School and Caregroup Healthcare System, a Boston-area hospital group that supports some 800 BlackBerry devices, has explored alternatives even though he thinks RIM will prevail. "As risk mitigation, I've tested alternatives such as the [Palm] Treo 700, and they just do not work as well as BlackBerry for high volume e-mail users - 600 e-mails a day for me," said Halamka.

Also, remember that RIM's rivals may not be above scare tactics. "There have been a lot of companies out there trying to profit from this," Boston Properties' Kogan said. "A couple of them have contacted us."

Indeed, on December 9 the Boston Properties IT team received an e-mail with the subject header "BlackBerry Shutdown at Boston Properties, Inc." The sender: the chief software architect at Mobiliam, a mobile computing software company that competes with RIM. Boston Properties' CEO was cc'd on the message.

Kogan, however, said he'll implement a workaround if needed and long-term will consider defecting from BlackBerry, depending on how the installation goes.

One IT manager told eWEEK that while he plans to keep supporting around 700 BlackBerrys on his company's network, he also is rolling out a separate server from Good Technology and buying around ten Treo 700 devices for the top executives. In case of a BlackBerry shutdown, these executives will be taken care of immediately, and an alternate server will be in place for future Treo deployments.

Will RIM and NTP make up?

Gartner estimates there's a 35 percent chance the two companies will settle and a 20 percent chance RIM will enact a workaround. Nevertheless, RIM and NTP almost made peace in the past. In March 2005, the companies announced a settlement deal worth $450 million, but the deal fell apart a couple of months later when the companies failed to agree to terms.
Recently, NTP has proposed various licensing plans in court briefings, but RIM officials remain publicly confident that the Patent Office will reject the NTP patents. Still, many customers are banking on the companies making nice.

"We're confident that there will be a settlement," Kogan said. "RIM won't shut down for that many customers. It would kill their business ... It will either be ruled in RIM's favor or there will be a settlement. But if there's an outage, we'll deal with it accordingly."

From isn at c4i.org Tue Jan 31 01:41:45 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 31 Jan 2006 00:41:45 -0600 (CST)
Subject: [ISN] DHS, agencies plan joint Cyber Storm exercise
Message-ID:

http://www.washingtontechnology.com/news/1_1/daily_news/27877-1.html

By Alice Lipowicz
Staff Writer
01/30/06

The Homeland Security Department will test how well it works with other federal agencies and private IT companies to protect cybersecurity in a national exercise from Feb. 6-10.

The Information Technology Information-Sharing and Analysis Center will take part in the exercise, known as "Cyber Storm," with DHS to test its draft concept of operations for responding to cybersecurity incidents. "This will be the first-ever cyber-focused exercise for DHS," the IT center stated on its Web site.

Participating in Cyber Storm are Cisco Systems Inc., Citadel Security Software Inc., Computer Associates International Inc., Computer Sciences Corp., Intel Corp., Microsoft Corp., Symantec Corp., and VeriSign Inc., the center announced on its Web site.

Cyber Storm also will involve government agencies. According to Donald Purdy, acting director of DHS' National Cyber Security Division, the division established the Government Forum of Incident Response and Security Teams (GFirst) to facilitate interagency information sharing and cooperation for readiness and response. The teams, comprising government computer experts, are responsible for IT security at government agencies.
In addition to the GFirst teams, the agency has worked with the Defense and Justice departments to form the National Cyber Response Coordination Group to provide an organized federal response to cybersecurity breaches. This group, which includes 13 other federal agencies including intelligence agencies, is the principal federal interagency mechanism for responding to cyberincidents of national significance.

The response coordination group has developed a concept of operations for national cyberincident response that will be examined in Cyber Storm, Purdy told Congress in October 2005.

Cyber Storm initially was to be held in November 2005, but it was postponed because of the department's involvement in Hurricane Katrina reconstruction.

From isn at c4i.org Tue Jan 31 01:42:33 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 31 Jan 2006 00:42:33 -0600 (CST)
Subject: [ISN] Linux Security Week - January 30th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com Weekly Newsletter                                |
|  January 30th, 2006                            Volume 7, Number 5n  |
|                                                                     |
|  Editorial Team:  Dave Wreski         dave at linuxsecurity.com     |
|                   Benjamin D. Thomas  ben at linuxsecurity.com      |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Chrooted SSH HowTo," "Oracle no longer a 'bastion of security'," and "Defending against unsafe coding practices with 'libsafe'."

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

---

EnGarde Secure Community 3.0.3 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

http://www.linuxsecurity.com/content/view/121150/65/

---

Hacks From Pax: SELinux Administration

This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

http://www.linuxsecurity.com/content/view/120700/49/

---

Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to my second of a series of articles on Security Enhanced Linux. My previous article detailed the background of SELinux and explained what makes SELinux such a revolutionary advance in systems security. This week, we'll be discussing how SELinux security contexts work and how policy decisions are made by SELinux. SELinux systems can differ based on their security policy, so for the purposes of this article's examples I'll be using an EnGarde Secure Linux 3.0 system, which by default uses a tightly configured policy that confines every included application.

http://www.linuxsecurity.com/content/view/120622/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
|  Security News:     | <<-----[ Articles This Week ]----------
+---------------------+

* OpenSSL receives FIPS certification
  23rd, January, 2006

The Cryptographic Module Validation Program (CMVP), a joint effort of the US and Canadian governments, approved the validation of the OpenSSL open source security toolkit for implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols on Friday.

http://www.linuxsecurity.com/content/view/121252

* The Art of Intrusion
  27th, January, 2006

Book review: I'm not that keen on the word 'hacker' in the modern, pejorative sense (I remember when it meant a good UNIX programmer) and I'm generally not that impressed by hackers either - mostly they're not particularly clever and just got lucky. So, I came to this book in a not very positive frame of mind; except I do think that the famous Kevin Mitnick was unfairly demonised, and I'm not sure how much actual damage he did in the end. Although unauthorised intrusion into production systems is always bad, what chance is there they were tested for resilience during the sorts of things intruders do, for example.

http://www.linuxsecurity.com/content/view/121277

* The Perfect Linux Firewall Part I -- IPCop
  26th, January, 2006

This document describes how to install the GNU/Linux GPL IPCop firewall and create a small home office network. In the second installment we cover creating a DMZ for hosting your own web server or mail server and the Copfilter proxy for filtering web and email traffic. This is intended to be a quick and dirty overview on creating an IPCop firewall and comes without warranty of any kind!

http://www.linuxsecurity.com/content/view/121270

* Put Up A Strong Defense
  23rd, January, 2006

Most security breaches by insiders are unintentional.
They come from employees who make ill-advised or uninformed choices regarding storage of their passwords, the Web sites they visit, and the E-mails they send. The Computing Technology Industry Association's annual survey on IT Security and the Workforce trends, to be published in March, indicates that nearly 80% of corporate security breaches are caused by computer-user error.

http://www.linuxsecurity.com/content/view/121250

* Opening Keynote Speaker Announced for the Second Security-Enhanced Linux Symposium
  24th, January, 2006

Steve Walker, president of Steve Walker & Associates and managing partner of Walker Ventures, will be the opening keynote speaker for the second annual Security-Enhanced Linux (SELinux) Symposium scheduled for February 27-March 3, 2006 in Baltimore, Maryland.

http://www.linuxsecurity.com/content/view/121259

* Recon 2005 Conference Videos
  25th, January, 2006

REcon is a computer security conference being held in Montreal. The conference offers a single track of presentations over the span of three days. Check the conference page for more details. A three day training course on reverse engineering will be presented by Nicolas Brulez. Two sessions are being made available, both before and after the conference. Check the training page for more details.

http://www.linuxsecurity.com/content/view/121260

* Software dotDefender protects Linux & Solaris web servers
  23rd, January, 2006

Applicure announced today the release of dotDefender 2.0 for Solaris and Linux Web servers. dotDefender secures websites against a broad range of HTTP-based attacks, including Session attacks (e.g. Denial of Service, Session Hijacking), Web application attacks (e.g. SQL injection, Cross-site scripting, and known attack signatures), as well as requests originating from known attack sources (e.g. spammer bots and compromised servers).
http://www.linuxsecurity.com/content/view/121253

* Oracle no longer a 'bastion of security': Gartner
  24th, January, 2006

Analyst group Gartner has warned administrators to be "more aggressive" when protecting their Oracle applications because they are not getting enough help from the database giant. Gartner published an advisory on its Web site just days after Oracle's latest quarterly patch cycle, which included a total of 103 fixes with 37 related to flaws in the company's database products. Some of the flaws carry Oracle's most serious rating, which means they're easy to exploit and an attack can have a wide impact.

http://www.linuxsecurity.com/content/view/121257

* Chrooted SSH HowTo
  25th, January, 2006

This tutorial describes how to install and configure OpenSSH so that it will allow chrooted sessions for users. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of.

http://www.linuxsecurity.com/content/view/121261

* Oracle in war of words with security researcher
  26th, January, 2006

A security researcher released details of a critical flaw in Oracle's application and Web software on Wednesday, criticising the company for not cooperating with the security community and taking too long to fix software issues that threaten its customers. The flaw occurs in the way that a module in Oracle's Apache Web server distribution handles input and could give external attackers the ability to take control of a backend Oracle database through the Web server, said David Litchfield, principal researcher of database security firm Next-Generation Security Software, during a presentation at the Black Hat Federal security conference.

http://www.linuxsecurity.com/content/view/121269

* MailArchiva: Open Source Email Archiving Server
  26th, January, 2006

There was much hype around the growth of the email archiving market last year.
For example, the IDC predicted that 2005's email archiving application revenue reached US $310 million worldwide. Good news! The open source community has just released MailArchiva, a competitive email archiving product that integrates directly with Microsoft Exchange.

http://www.linuxsecurity.com/content/view/121268

* SARA, spawn of SATAN
  26th, January, 2006

If you are an old school Linux or Unix user, you probably remember the System Administrator's Tool for Scanning Networks (SATAN). In 1995, SATAN brought browser-based network auditing to the world. Despite its initial splash, SATAN fell to the wayside due to lack of updates. Thanks to the kind folks at the Advanced Research Corp., SATAN is back, in the form of the Security Auditor's Research Assistant (SARA), a kinder, gentler, easier to use, and more updated auditing tool.

http://www.linuxsecurity.com/content/view/121272

* Hacker PC networks getting harder to find
  23rd, January, 2006

Hacked computer networks, or botnets, are becoming increasingly difficult to trace as hackers develop new means to hide them, say security experts. Botnets are used to send spam, propagate viruses and carry out denial of service attacks - something that has again come to light with a high-profile attack on The Million Dollar Home Page, a novel advertising website idea by a British college student.

http://www.linuxsecurity.com/content/view/121249

* KDE flaws put Linux, Unix systems at risk
  23rd, January, 2006

A serious vulnerability has been found in the popular KDE open-source software bundle. The flaw, deemed "critical" by the research outfit the French Security Incident Response Team, could allow a remote attacker to gain control over vulnerable systems. KDE is a desktop software package for Linux and Unix systems and includes the Konqueror Web browser and other applications.
http://www.linuxsecurity.com/content/view/121251

* IBM Predicts 2006 Security Threat Trends
  23rd, January, 2006

IBM recorded more than 1 billion suspicious computer security events in 2005, despite a leveling off in the amount of spam e-mail and a decrease in major Internet worm and virus outbreaks. Enterprises should expect to see the same level of malicious traffic in 2006, even as online criminal groups shift to stealth attacks and cyber-extortion instead of massive, global malicious code attacks, said David Mackey, director of security intelligence at IBM.

http://www.linuxsecurity.com/content/view/121254

* Security Hot Issue for Open-Source Database Developers
  24th, January, 2006

Open-source database deployments rose dramatically in the last half of 2005, and as one might expect, as more IT pros get acquainted with these non-proprietary systems, security is a chief concern. Open-source database makers like MySQL and PostgreSQL simply must answer some of the most prevalent security-related questions in order to win more market share.

http://www.linuxsecurity.com/content/view/121258

* IT security becomes 'top priority' for European financial institutions
  25th, January, 2006

The growing threat from hackers, new regulations, reputation issues and the growing importance of direct channel self-service banking are pushing IT security to the very top of the corporate agenda for Western European financial institutions, new research has revealed. According to the report from IDC company Financial Insights, banking and finance firms are increasingly finding that their IT security is coming under pressure from both external hackers and ever-tightening corporate regulations.

http://www.linuxsecurity.com/content/view/121264

* Users get to the root of Linux security holes
  25th, January, 2006

IT pro Sid Boyce said he did not believe that, in his own words, "the wet-finger-in-the-wind analysis" applies to Linux as it does with Windows.
Boyce, a retired IBM/Amdahl mainframe tech support specialist, said the assumption that Linux was just as prone to attacks as Windows because it ran on a PC is incorrect. "I'm not saying Linux isn't vulnerable, but to compare it in the same light as Windows is a gross distortion," Boyce said.

http://www.linuxsecurity.com/content/view/121265

* (IN)SECURE Magazine issue 5 has been released
  25th, January, 2006

A new issue of (IN)SECURE magazine has been released in PDF format. (IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics.

http://www.linuxsecurity.com/content/view/121266

* IT security "top priority" for European financial institutions
  27th, January, 2006

According to the report from IDC company Financial Insights, banking and finance firms are increasingly finding that their IT security is coming under pressure from both external hackers and ever-tightening corporate regulations. Angela Vacca, senior research analyst for European IT Opportunity: Financial Services research, said: "Financial institutions are under constant pressure because hackers' strategies evolve very rapidly and regulators constantly require stricter levels of control, which involve continuous upgrades of IT systems. Therefore, financial institutions that do not tackle security issues are expected to face huge tangible and intangible costs."

http://www.linuxsecurity.com/content/view/121271

* Cybercrime Feared 3 Times More Than Physical Crime
  26th, January, 2006

Three times more Americans think they'll be hit by computer crime in the next year than real-world wrongdoing of the old-fashioned kind, a survey released Wednesday by IBM said.

http://www.linuxsecurity.com/content/view/121273

* Cyber crime strides in lockstep with security
  26th, January, 2006

Information Security made great strides last year. Sadly, so did cyber crime. In the U.S.,
according to a recent FBI study, almost 90 per cent of firms experienced computer attacks last year despite the use of security software. So what happened in 2005? In a year when rootkits went mainstream and malware went criminal, information security improved.

http://www.linuxsecurity.com/content/view/121274

* Sharp Ideas Slurp Audit Exposes Threat Of Portable Storage Devices For Corporate Data Theft
  27th, January, 2006

The application was designed to raise awareness within the corporate community about the risks associated with unmanaged portable storage devices in the workplace.

http://www.linuxsecurity.com/content/view/121275

* Defending against unsafe coding practices with "libsafe"
  27th, January, 2006

In a previous tip about securing Linux applications with compiler extensions, we described a defense-in-depth layered methodology ("defense in depth") to proactively mitigate the potential for risk or damage arising from fatally-flawed programming constructs.

http://www.linuxsecurity.com/content/view/121282

* Researchers: Rootkits headed for BIOS
  27th, January, 2006

Insider attacks and industrial espionage could become more stealthy by hiding malicious code in the core system functions available in a motherboard's flash memory, researchers said on Wednesday at the Black Hat Federal conference.

http://www.linuxsecurity.com/content/view/121283

* IT industry prepares for the worst over ID cards
  25th, January, 2006

After years in which suppliers have absorbed most of the blame for government IT failures, the case for there being equal measures of ineptitude in the civil service is gaining momentum behind the concerted campaign against ID Cards. The latest evidence was submitted as a statement this week by Intellect, the UK's IT trade association, in a thinly veiled case of passing the blame.
http://www.linuxsecurity.com/content/view/121263

* Accused phone hacker walks free
  24th, January, 2006

Sahil Gupta, the second man charged over the Telecom voicemail hacking incident in April, walked free from an Auckland court last week. Gupta was charged along with a teenager who cannot be identified for legal reasons. The teen was charged with unauthorised access of a computer system and pleaded guilty. Gupta was charged under the same section of the Crimes Act and faced up to two years in prison.

http://www.linuxsecurity.com/content/view/121255

* Man pleads guilty to felony hacking
  24th, January, 2006

A 20-year-old man pleaded guilty Monday to surreptitiously seizing control of hundreds of thousands of Internet-connected computers and renting the zombie network to people who mounted attacks on Web sites, served up pop-up ads and sent out spam.

http://www.linuxsecurity.com/content/view/121256

* Shmoocon 2006: Dan Geer keynote
  27th, January, 2006

Dan Geer's keynote was one of my favorite talks from the con. He believes that if people respect you enough to have you deliver a keynote, respect your audience enough to write it out. Thanks to that provided the full text and a pdf of the slides from his talk. My summary won't do it justice, but you can at least know what you are getting yourself into.

http://www.linuxsecurity.com/content/view/121276

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Jan 31 01:44:06 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 31 Jan 2006 00:44:06 -0600 (CST)
Subject: [ISN] SOX Compliance Is Worth the Effort
Message-ID:

http://www.ecommercetimes.com/story/bNW52zISyRlBmd/SOX-Compliance-Is-Worth-the-Effort.xhtml

By Joe Malec
E-Commerce Times
01/30/06

SOX compliance has helped to make ethics training more common within the corporate environment. According to a 2005 survey by the Ethics Resource Center, 69 percent of employees reported that ethics training in their organizations was up, as compared to 14 percent who said so in the same survey conducted in 2003.

When the Sarbanes-Oxley Act (SOX) was originally passed in 2002, many companies were less than enthusiastic about it. Concerns about the additional accountability and the internal changes that would need to take place weighed heavily on the minds of many company executives.

These concerns turned out to be well founded. Some companies struggled to make the deadlines, and others missed them completely. Reasons included the high cost and enormous effort involved. In some cases, department directives were even changed to focus on meeting compliance. For example, an information security survey released by Ernst & Young in November found that over the 12 months prior, the main driving force for information security in 61 percent of firms surveyed was compliance rather than worms and viruses.

However, as we approach year three, some companies have started to warm up to SOX as they begin to realize the advantages of implementing the required controls in their environment.

Changes in Attitude

The change in attitude toward SOX compliance comes as evidence of several benefits has surfaced. The typical IT department, in particular, has been greatly affected by the new regulations.
Specifically, Section 404 mandates that the affected companies establish and maintain adequate controls over financial information. The goal is to improve data integrity and mitigate the chance of issuing incorrect or fraudulent financial reports. As a result, protection of the financial data has fallen primarily into the hands of IT staff.

Gartner Group recently reported that IT budgets in most major firms are expected to see an increase of between 10 and 15 percent this year. This is up from a 5 percent expected increase a year ago. Much of the spending is likely to be focused on streamlining the effort involved in compliance. This includes system controls, auditing, process flow monitoring and automation, which has become prominent in meeting compliance. A survey by CFO Research Services, Versa Systems and PricewaterhouseCoopers released in August found that automating the compliance and control environment was a priority for 76 percent of companies.

With the influx of dollars expected for their departments, IT managers can also use the opportunity to justify other projects that can potentially tie into compliance as well, such as e-mail archiving and storage management.

Improving Operations

The net effect of investing in compliance on the bottom line cannot be ignored either. Upgrading reporting systems can improve testing, risk management and operational performance, as well as allow for better financial oversight in the environment. These improvements can lead to better forecasting and more efficient data retrieval by consolidating data from different sources for reporting purposes. One illustration of the benefits of this is that almost half of the respondents in the CFO Research Services survey indicated that SOX efforts are helping to more effectively manage corporate risk.

Analyzing current processes and seeing what can be automated or eliminated altogether will help to reduce waste and allow a company to run more efficiently and save money.
This could help an organization to be more competitive as well. However, this is nothing new. Some financial companies reported discovering newfound efficiencies that led to significant cost reductions over Basel II compliance as well.

SOX compliance has helped make corporate ethics training more common within the corporate environment. According to a 2005 survey by the Ethics Resource Center, 69 percent of employees reported that ethics training in their organizations was up, as compared to 14 percent who said so in the same survey conducted in 2003. Some companies have even hired ethics officers to help monitor and advise on good business practices, educate employees on ethical matters, and develop and implement a code of ethics for the company.

This is important because employees and stockholders need to see that top management is sincere about developing and supporting an ethical culture within the organization. With fraud and abuse costing U.S. companies over US$600 billion annually, this is as important as ever.

Bridging Gaps

Improving data integrity and corporate responsibility can lead to other positive results, including new partnerships within the organization. Finance and IT departments historically have had little to do with each other. Since IT plays an important role in securing financial information, representatives from both areas have been able to work together on compliance and build relationships with the audit and legal departments.

Part of this is due to necessity. For controls to be effectively developed, documented and implemented, the different departments involved need to have a thorough understanding of the company's financial reporting structure. This education can help lead to better collaboration on future projects and initiatives.

Granted, the cost of implementing these regulations will run into the billions of dollars.
Some companies may feel that they are being punished for the sins of a few bad apples, but the affected companies will have stronger controls in place as a result of the effort. Furthermore, whether it's reexamining a department whose importance in the organization has been previously overlooked or streamlining business processes and improving stockholder confidence, the rewards for meeting SOX compliance will continue to materialize as time goes on.

-=-

Joe Malec is a security analyst for Enterprise Rent-A-Car, specializing in compliance and application security. He is the president of the St. Louis chapter of the Information Systems Audit and Control Association and serves on the ISSA International Ethics Committee.

From isn at c4i.org Tue Jan 31 01:44:21 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 31 Jan 2006 00:44:21 -0600 (CST)
Subject: [ISN] OSS is an easier hack: Mitnick
Message-ID:

http://www.tectonic.co.za/view.php?src=rss&id=839

By Jason Norwood-Young
30 January, 2006

In an exclusive interview on Friday, infamous hacker Kevin Mitnick told Tectonic that, given the choice between finding security vulnerabilities in closed and open source software, he'd prefer to attack an open source environment. "Open source would be easier [to hack]," admits ex-hacker turned security consultant Mitnick. "It's less work." Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires reverse engineering, getting your hands on illicit copies of the source code, or using a technique called "fuzzing". Fuzzing means feeding unexpected or malformed data, such as very long strings, into the parts of an application that accept user input, and watching how the code copes with it. "You want to make that function call fail. Does it cause an exception? If it does then the programmer probably hasn't validated the input. You could supply your code in a particular manner - thus tricking the application or function into executing your own code.
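The fuzzing Mitnick describes above, reduced to its mechanics as an added example (this is not code from the article or from Mitnick): a mutation fuzzer that starts from one well-formed input, derives truncated, oversized and randomly corrupted variants, feeds each one to an input-handling function, and records the first input that triggers each distinct unhandled exception. The target `parse_record`, its toy record format and the seed record are all constructed for this illustration; the harness itself works unchanged against any function that takes bytes.

```python
"""Minimal mutation fuzzer (added example; constructed target and inputs)."""
import random
import struct
from typing import Callable, Dict, Iterable


def parse_record(data: bytes) -> dict:
    """Constructed target: a naive parser for a toy record format.

    Layout: 2-byte big-endian name length | name (ASCII) | 4-byte value.
    It trusts the length field and never checks how much data it actually
    has, which is exactly the kind of missing input validation fuzzing finds.
    """
    (name_len,) = struct.unpack(">H", data[:2])
    name = data[2:2 + name_len].decode("ascii")
    (value,) = struct.unpack(">I", data[2 + name_len:2 + name_len + 4])
    return {"name": name, "value": value}


def make_record(name: bytes, value: int) -> bytes:
    """Build a well-formed record; the fuzzer starts from one of these."""
    return struct.pack(">H", len(name)) + name + struct.pack(">I", value)


def mutations(seed: bytes, rounds: int, rng: random.Random) -> Iterable[bytes]:
    """Derive test cases from a valid seed.

    Deterministic edge cases first (every truncation, a length field that
    points past the buffer, a very long but self-consistent name), then
    `rounds` random byte corruptions of the seed.
    """
    for cut in range(len(seed)):
        yield seed[:cut]
    yield b"\xff\xff" + seed[2:]
    yield make_record(b"A" * 60000, 1)
    for _ in range(rounds):
        buf = bytearray(seed)
        for _ in range(rng.randint(1, 4)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        yield bytes(buf)


def exc_name(exc: BaseException) -> str:
    """'UnicodeDecodeError' for builtins, 'struct.error' for module exceptions."""
    cls = type(exc)
    if cls.__module__ == "builtins":
        return cls.__name__
    return f"{cls.__module__}.{cls.__name__}"


def fuzz(target: Callable[[bytes], object], cases: Iterable[bytes]) -> Dict[str, bytes]:
    """Feed every case to target; keep the first input that triggers each
    distinct unhandled exception type. Those inputs are the findings."""
    findings: Dict[str, bytes] = {}
    for case in cases:
        try:
            target(case)
        except Exception as exc:
            findings.setdefault(exc_name(exc), case)
    return findings


def run(seed_value: int = 1234, rounds: int = 500) -> Dict[str, bytes]:
    """Fuzz parse_record from a fixed RNG seed so the results are reproducible."""
    rng = random.Random(seed_value)
    seed = make_record(b"balance", 42)
    return fuzz(parse_record, mutations(seed, rounds, rng))


if __name__ == "__main__":
    for name, case in run().items():
        print(f"{name}: triggered by {case[:24]!r}")
```

The two exception types the run surfaces map directly onto the two missing checks in the target: it never verifies that the buffer is as long as the length field claims (struct.error on truncated or oversized-length input), and it never validates that the name bytes are ASCII (UnicodeDecodeError on corrupted bytes). In a memory-unsafe language the same classes of input are the ones to watch for crashes rather than exceptions, which is the point Mitnick is making about an unvalidated input path.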
Hackers want to execute their own code - preferably with privileges - and then they gain control.

"On the face of it, open source software is more secure," says Mitnick. "A lot of eyes are looking at the code. You'd think that with OSS, with more people looking at the code, you're more apt at finding security holes. But are enough people really interested?"

Mitnick does qualify his statement carefully - it's six of one and half-a-dozen of the other. "Then again, a lot of people are really good at reverse engineering. You can obtain illicit copies of [proprietary] source code," he says diplomatically.

Mitnick was arrested in 1995 by the FBI for hacking. He served five years in prison, including eight months in solitary confinement after it was alleged that he could launch nuclear missiles by whistling into a telephone. He will be in South Africa next month for the ITWeb Security Summit 2006, where he will speak about social engineering and wireless security. He runs Microsoft Windows XP Pro, Microsoft Windows 2003 Server, Debian, Gentoo and Solaris. Currently he's penning an autobiography to clear up some myths about himself. And no, you can't launch a nuclear attack by whistling into a telephone.

From isn at c4i.org Tue Jan 31 01:44:37 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 31 Jan 2006 00:44:37 -0600 (CST)
Subject: [ISN] Oracle denies researcher's security claims
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=5262

By Jeremy Kirk
IDG News Service
30 January 2006

Oracle and a security researcher have fallen out over a vulnerability in the company's software that has gone unpatched since it was discovered in October. The company is warning its customers not to use a workaround written by David Litchfield for a security vulnerability, claiming the suggested workaround could break its software. Litchfield, managing director of Next Generation Security Software Ltd.
in Sutton, England, said he posted the fix on the BugTraq mailing list on Wednesday after warning Oracle about the dangers the vulnerability posed. Oracle was notified of the workaround before it was released, but has found it "inadequate," said Duncan Harris, Oracle's senior director of security assurance. It will break a large number of E-Business Suite applications, he said. "We know it will break a number of Oracle products higher in the stack than the Oracle Application Server that the vulnerability exists in," Harris said.

Oracle has issued several patches for the vulnerability over the past four years, none of which worked, Litchfield said Friday. The vulnerability affects Oracle Application Server, Oracle Internet Applications Server and Oracle HTTP Server. It lies in the PL/SQL gateway, a piece of code that allows Web-based users to interact with PL/SQL applications in the backend database server, Litchfield said. The gateway passes a user's request to the backend database server, where it is executed, he said. "Someone can come in off the Internet over the Web without a user ID or password and interact with the backend database server, so it goes through all the firewalls," Litchfield said. "This is critical."

The fix is "trivial", he said, and he doesn't understand why a patch was not included in Oracle's Critical Patch Update last week. When a fix wasn't issued, Litchfield said he thought "well, you know I'll do it then. Christ, it's not difficult." But Harris contested that assumption. "Compared to some others, this one is extremely difficult to fix and test it thoroughly," he said. Oracle prioritises vulnerabilities when deciding what to patch, Harris said. So far, no exploit code has been released. If exploit code is released, Oracle could push out a quick one-time emergency patch, Harris said. The next patching round is scheduled for April, and whether this vulnerability is fixed then will depend on whether there are other more pressing ones, he said.
Nonetheless, Harris assailed Litchfield's action. "By just revealing what he has in this workaround, it definitely is a very strong starting point for any malicious hacker...to try and understand the vulnerability and produce an exploit," Harris said. "Yes, we are clearly disappointed that he felt the need to say anything about this vulnerability before we had a patch available." Litchfield said he didn't reveal specific details of the vulnerability on BugTraq. Oracle lags other software vendors in fixing bugs, he said. "They are well behind the curve at the moment."

Earlier this week, Gartner analyst Rich Mogull wrote that Oracle could no longer be considered a bastion of security, a few days after the company fixed 82 vulnerabilities in its products. Oracle hasn't had a mass security exploit, but more proof-of-concept code and exploit tools are circulating online, he wrote in a research note. Responding to Gartner, Oracle said in an e-mail statement to IDG News Service that it has started a quarterly patch update program and is using code scanning analysis software from Fortify Software Inc. to increase the quality of its code. Oracle licensed the code scanning tools for its Server Technologies group, which handles development of its database, application server, identity management and collaboration suite software. "We are continually evaluating our security development processes, as well as looking at ways to further strengthen our overall product security," the statement said.

From isn at c4i.org Tue Jan 31 01:44:51 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 31 Jan 2006 00:44:51 -0600 (CST)
Subject: [ISN] Defense information assurance manual to be posted online
Message-ID:

http://www.gcn.com/vol1_no1/daily-updates/38125-1.html

By Patience Wait
GCN Staff
01/30/06

The training manual for Defense Department information assurance professionals that was finalized in December will be available online this week.
The manual, DOD 8570.1-M: Information Assurance Workforce Improvement Program, will be posted [1] Feb. 1, according to Robert Lentz, director of information assurance for the Pentagon. The manual sets the requirements for training and certification of approximately 80,000 IA professionals within the department, Lentz said. Defense contractors who provide IA services to the Pentagon will also be expected to provide staff who meet the requirements. DOD CIO John Grimes said in a foreword to the manual that it "is effective immediately and mandatory for use by all the DOD components." The basis for the manual is an August 2004 directive [2] from deputy secretary Paul Wolfowitz that assigned responsibilities for IA training.

[1] http://www.dtic.mil/whs/directives/index.html
[2] http://www.dtic.mil/whs/directives/corres/pdf/d85701_081104/d85701p.pdf