From isn at c4i.org Wed Jan 4 06:06:10 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:06:10 -0600 (CST)
Subject: [ISN] Wait for Windows patch opens attack window
Message-ID:

http://news.com.com/Wait+for+Windows+patch+opens+attack+window/2100-1002_3-6016747.html

By Joris Evers
Staff Writer, CNET News.com
January 3, 2006

A serious flaw in Windows is generating a rising number of cyberattacks, but Microsoft says it won't deliver a fix until next week. That could be too late, security experts said.

The vulnerability, which lies in the way the operating system renders Windows Meta File images, could infect a PC if the victim simply visits a Web site that contains a malicious image file. Consumers and businesses face a serious risk until it's fixed, experts said.

"This vulnerability is rising in popularity among hackers, and it is simple to exploit," said Sam Curry, a vice president at security vendor Computer Associates International. "This has to be taken very seriously, and time is of the essence. A patch coming out as soon as possible is the responsible thing to do."

Microsoft has come under fire in the past for the way it releases security patches. The company responded by instituting a monthly patching program, so system administrators could plan for the updates. Critics contend that in high-urgency cases such as the WMF flaw, Microsoft should release a fix outside of its monthly schedule.

Details on the WMF security problem were publicly reported last week. Since then, a number of attacks that take advantage of the flaw have surfaced, including thousands of malicious Web sites, Trojan horses and at least one instant messaging worm, according to security reports.

More than a million PCs have already been compromised, said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany.
He has found a hidden Web site that shows how many copies of a program that installs malicious software have been delivered to vulnerable PCs.

Microsoft has said that a patch will not be made available until Tuesday, its next official patch release day. That delay could provide an opportunity for attackers, security provider Symantec said on Tuesday. "There is a potential 7-day window for which attackers could exploit this issue in a potentially widespread and serious fashion," Symantec said in a notice sent to subscribers of its DeepSight alert service.

Hackers have been quick to craft tools that make it easy to create malicious image files that take advantage of the flaw, experts said. These new files can then be used in attacks. The tools themselves can be downloaded from the Internet.

Many of the attacks today use the unpatched bug to attempt to install unwanted software, such as spyware and programs that display pop-up advertising, on Windows PCs. The flaw affects all current versions of the operating system, and a vulnerable system can be attacked simply if the user views a specially crafted image, according to a Microsoft security advisory.

In most cases, the attacks require a user to visit a malicious Web site, but the schemes are likely to become more sophisticated, antivirus specialist Marx said. "I'm sure it's just a matter of days until the first (self-propagating) WMF worm will appear," he said. "A patch is urgently needed."

Microsoft is urging people to be cautious when surfing the Web. "Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code," it said in its advisory.

But most ordinary PC owners simply aren't aware of this type of threat, said Stacey Quandt, an analyst with the Aberdeen Group. "There are a lot of Windows users who aren't paranoid enough about never clicking on an unknown link," she said.
Patch ahoy

Microsoft has completed a fix for the problem and is currently testing and localizing the update into 23 languages, the software maker said in its advisory, updated on Tuesday. "Microsoft's goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins," the company said.

To protect Windows users, Microsoft shouldn't wait, but release the patch now, several critics said. "The flaw is actively exploited on multiple sites, and antivirus provides only limited protection," said Johannes Ullrich, the chief research officer at the SANS Institute. "Active use of an exploit without sufficient mitigating measures should warrant the early release of a patch, even a preliminary, not fully tested patch."

Marx agreed. "As the vulnerability is already known, Microsoft should make this patch available now," he said. System administrators could do their own testing and then apply the patch, Marx and Ullrich said.

Increasingly sophisticated computer code that exploits the Windows flaw has been made publicly available, Symantec said. In response, the security provider raised its ThreatCon global threat index to Level 3.

Microsoft, however, said the threat is limited. "Although the issue is serious, and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks is not widespread," the software maker said in its advisory.

Calculating potential cost

Whether to issue the fix sooner rather than later has to be a matter of risk analysis, CA's Curry said. "They have to balance out what the risk involved with not having a patch for a day or two days is, versus not testing all scenarios. The only thing they could do worse than delaying a patch is if they bring out a bad patch," he said.

Part of the problem is that Microsoft's software is complicated and vulnerable to unintended side effects of patches, Quandt said.
If the company sends out a fix prematurely, the update could cause bugs that affect the normal operation of systems, she said.

Beyond this single instance is what appears to be a wider problem with WMF files, said John Pescatore, a Gartner analyst. Other flaws related to WMF have been put right in recent months, he noted. "I hope Microsoft is going to fix the underlying problem in how WMF files are handled," he said. "We need a stronger fix, so that we're not going to see another vulnerability like this one two weeks from now."

While Microsoft is testing its patch, users can protect themselves with an unofficial, third-party fix. In an unusual move, some security experts are even recommending that people apply this solution while waiting for Microsoft to deliver the official update.

"We carefully checked this patch and are 100 percent sure that it is not malicious," the SANS Institute's Ullrich said. "The patch is, of course, not as carefully tested as an official patch. But we feel it is worth the risk. We know it blocks all exploit attempts we are aware of."

F-Secure, an antivirus company in Finland, has also tested the fix, created by Ilfak Guilfanov, a programmer in Europe. "We've tested and audited it and can recommend it. We're running it on all of our own Windows machines," said Mikko Hypponen, chief research officer at F-Secure.

But Microsoft cautions against Guilfanov's patch. "As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software," Microsoft said.

At least one user has reported difficulties after installing the fix. The update can cause network printing problems, according to an e-mail sent to the Full Disclosure security mailing list.

While some critics have given Microsoft's response to the WMF flaw a failing grade, the company has also gained some respect for its handling of the issue.

"Everybody would like to see the patch as soon as possible, but I can't blame Microsoft for wanting to test it thoroughly," Hypponen said. "However, if a widespread worm is found before next Tuesday, I do believe they will break the cycle and just release the patch."

As the official January patch day is only next week, the length of the wait for the update is fine, Gartner's Pescatore said. "If we were three weeks, or almost four weeks from the next regular patch cycle, it might be a different story," he said. "This close, most enterprises don't want to go through one patch this week and another next week."

Still, Gartner is urging people to protect themselves while waiting for Microsoft's fix--by blocking access to known malicious sites, for example, Pescatore said. Microsoft also offers some workarounds in its advisory.


From isn at c4i.org Wed Jan 4 06:06:45 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:06:45 -0600 (CST)
Subject: [ISN] Terror stalks India's booming tech industry
Message-ID:

http://www.smh.com.au/news/breaking/terror-stalks-indias-tech-industry/2006/01/01/1136050343831.html

New Delhi
January 2, 2006

A suspected militant raid on one of India's top science universities has confirmed fears that the country's booming information technology sector could be a new target for terror groups, officials and analysts said.

A professor was shot dead and four other people were wounded last week when an unidentified gunman drove on to the Indian Institute of Science (IISc) campus in the southern city of Bangalore, India's tech capital, and opened indiscriminate fire from an automatic rifle outside a conference hall.

No group has claimed responsibility for the attack on what security experts said is a "soft target". But the nature of the attack - the use of a Kalashnikov rifle to open fire randomly and the recovery of unexploded grenades and cartridges from the site - points to anti-Indian Islamist militant groups, they said.

"Whatever information is coming out of Bangalore shows that one of these groups is responsible," said B. Raman, a former head of the Research and Analysis Wing, India's external intelligence agency. "Although the damage was not much, it was a very daring attack. Unless there is evidence to the contrary, I would believe this is the work of jihadi groups," he said, referring to Muslim militants fighting Indian rule in disputed Kashmir.

India has been a victim of separatist violence for decades and Kashmiri militants have struck regularly in the disputed Himalayan region as well as at targets in northern India, including in the capital, New Delhi, since the 1990s.

India has long accused arch rival Pakistan - with which it is locked in a decades-old dispute over Kashmir - of aiding the militants and sending them across the border. Islamabad denies the charge.

While southern India has largely been peaceful during this period, intelligence agencies have warned over the past two years that Islamist militants were making inroads in the south, setting up cells and recruiting sympathisers.

Bangalore and the rival tech centres of Hyderabad and Chennai were prime targets as they were symbols of India's technological might and economic progress, analysts said.

A city of 6.5 million people, Bangalore alone is home to more than 1,500 technology and back-office firms, among them dozens of global giants such as Intel, Motorola and IBM, and is now known as 'India's Silicon Valley'.

The firms account for a third of India's $17.2 billion software industry and employ about one million people. Several Indian defence, space and scientific research institutions are also based in Bangalore.

"The country is waking up to a new reality - its success in IT and concomitant economic boom has excited malice in certain quarters, who would like to attack symbols of that success," the Times of India wrote in an editorial on Friday.

"Within the frame of this inchoate rage against modernity, an international conference of scientists is also a target," it said, referring to the shooting at the IISc.

While hard targets such as government offices and defence establishments are well protected, security at technology firms and institutions is in no way comparable, experts said.

Following the Bangalore shooting, IT firms would need to boost 'physical security' at their facilities while government agencies should strengthen intelligence gathering and destroy militant cells before they could strike, they said.

"The Indian IT industry ... already has in place many security measures," the National Association of Software and Service Companies (NASSCOM), the leading industry body, said in a statement after the Bangalore shooting.

"This incident emphasises the need to review and upgrade these. NASSCOM and the IT industry will work, in collaboration with the police and government, towards tightening security measures to create a safer working environment for the industry," it said.


From isn at c4i.org Wed Jan 4 06:03:21 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:03:21 -0600 (CST)
Subject: [ISN] To Convergence (and Back)
Message-ID:

http://www.csoonline.com/read/010106/convergence.html

By Anonymous
January 2006 Issue

Security convergence - that is, the true meshing of physical and cybersecurity along with business continuity management - is one of the most logical concepts that's been introduced to the security world in a very long time. Convergence makes sense conceptually in the boardroom and functionally within the organization. It saves security dollars, increases efficiency and provides more effective incident response, all of which are great incentives for getting and maintaining senior executive support.

But here's a warning for all of you daring enough to push for change. You can do everything right as you go down the road to convergence.
You can start getting past the cultural and political issues involved with convergence, and you can begin the tedious process of collecting metrics that demonstrate its positive impacts on the organization. But it may not be enough.

The new combined organization may become a target of an efficiency program or a general cost-cutting initiative, or it may suffer after a risk decision upsets the wrong inside player. Then, you may suddenly find yourself overseeing a transition team into the Dark Ages. The CSO is told that the company needs to "focus on other things." But hey, they say, thanks - your efforts have improved security, so we can now go back to business as usual. (And oh, by the way, we now have one less VP mouth to feed.)

I say all this because I've learned the hard way. But I still wouldn't have done anything differently.

The Beginning and the End

There are two camps as far as how companies deal with issues and resolve problems. In the first kind, the CEO hires people and puts them in charge of business units. If things blow up, then it's their problem; it's not the corporation going awry. In the second kind, the business aims for transparency. The CSO outlines risk and works with the business units to accept it. I belong to the latter camp.

When I started with my former employer several years ago, I was asked to build a program that put together all the security pieces, including business continuity, and to be transparent. As a security department, we'd say: Here's where we think we are; we've done vulnerability and risk assessments; here are our results. We strove to make security very much a part of the business process, to be businesspeople who understood how our business worked and built programs that benefited it.

Then the company got a new CEO, who brought in a lot of new executives. At first the organizational changes that followed were presented as cost-cutting measures.
But soon it became clear that the new regime thought that transparency wasn't a great thing, and that sometimes it was better to have a risk be the responsibility of a business unit. The new attitude was, "Why are we hearing about this security problem? Here's an issue that we have to deal with now that it's down on paper."

The moment I realized the extent of the change was when the new CFO was indicating to the chief risk officer that there would be changes in risk management. Once I heard that, I realized that the new leadership really didn't like the transparency we had. Culturally, my security program was the same as the CRO's risk management program. I thought the same way he did. If he was going down, and his program was structured the same as mine, that was bad news.

Sure enough, several changes were announced. An internal non-risk management person was taking over a smaller risk management organization, and I was told that the new leadership wanted to transfer me into the shared service organization. Those groups are usually ones that other business units opt into - like with IT projects, you could go outside into the market, or you could go to the CIO. From a security perspective, though, you can't opt in or out of security. It was pretty clear to me, uh oh, here it comes.

I was still the CSO, and I had my first meeting with the head of shared services. At the end of the conversation, that person basically said, your last day will be X days out.

The new CEO's view was that IT security is an IT issue, and physical security is a facilities activity. They said, Let's figure out a conversion plan to integrate those pieces back into the different parts of the organization. To deconverge. I had a director for physical security and a director for information security, and management wanted those people to take demotions. It was very difficult.

The security department had incredible executive support before the leadership transition.
There had been nothing but accolades. We had done lots of things that had cost savings. We had gone out and nationally competed our guard-force contract and saved more than $1 million a year. We were much leaner and more efficient than many of our peers. We had one training group and a common voice to the employees. We had caught incidents, returned property, recovered dollars and stopped internal fraud. We were out there solving problems, protecting value and getting rid of bad apples.

But under a regime where the leadership doesn't like the transparency of risk, those are all bad things. The CEO doesn't want to hear about a serious fraud, even if you brought the money back and caught everyone involved.

The Transparency Backlash

A lot of security guys get away with keeping very under-the-radar programs. They don't bring things up, and they resolve things at very low levels. Maybe it works for them.

For me, I had a three-ring binder with 100 pages of all the incidents that occurred, all the regulatory issues that were affecting us, all the risk remediation activities that we had conducted. I always said, "Hey, I'm not hiding anything. My program is here to support the business. I want absolute transparency."

In the end, it worked against me. If anybody wanted to take a punch at me, they could. I provided all the information.

I don't think I would have been able to stomach taking the program so far under the radar that it wasn't an issue with the new leadership. I always thought we could let our accomplishments speak for themselves. But in the end, the decision for the company to deconverge seemed like an emotional outcome of how the new leadership liked to think about the world.

Even with everything that happened, even after watching my unified security department be systematically taken apart, I still really believe in the convergence model.
I believe that today's security organizations need to be wholly unified and manage all security risk across the organization. Traditional walls between security disciplines have to come down, and new positions have to be created to consolidate functions such as reporting, incident response, blended risk assessments, security policy and standards development.

This combined security framework, which is made up of many integrated processes, begins to create its own business function, and it moves toward a security governance model that is better suited to support and guide the organization.

The process of architecting this structure emphasizes the requirements and scope of the program, and it raises security awareness. It allows the security program to identify opportunities where security can produce business benefits, increase system and resource efficiency, and achieve enterprise compliance. A converged organization is positioned to make security a functional strategy and possibly a business opportunity.

Expanding the view and scope of security is a necessary part of integrating security risk management into an organization. The definition of security is broadened to include physical security, information security, risk management and business continuity. A CSO with this functional breadth provides more value to the organization and to the overall leadership team.

The overall goal is to embed security into business processes and executive decision-making.

This is the convergence recipe. The only ingredients that the CSO can't provide are forward-thinking senior executives who are willing to do more than pay lip service to ensuring the company's sustained secure performance - even if this support stems only from the realization that security will protect their lucrative jobs and incentive plans.
In doing all this, though, the CSO is taking a personal risk: first, by getting that level of visibility, and second, by consolidating what in some people's minds are several cost centers into one bigger cost center.

In a Fortune 500 company with many executives, the CSO, usually one of the junior executives, is opening himself up by getting that level of attention in the boardroom. You're going to get your advocates, and you're going to have the folks who traditionally will look at security as a cost center no matter what.

There were certain executives that appreciated our level of transparency and were strong advocates. There were others for whom it was too much. They didn't want to review and approve the policies we were writing. They saw security as cumbersome.

Low-level grumbling about security ensued, growing louder, more insistent, its increasing volume usually inversely proportionate to its substance. When this happens, it's only a matter of time before CEOs are making critical decisions on security initiatives - and even on the continued existence of the security program itself - that are based on 10 percent facts, 80 percent blind acceptance of unfounded opinion and 10 percent their own uninformed conclusions. The attitude becomes, Don't ask the security experts; they'll probably just muddy up the water.

Some of us will not survive the process, and organizational pressure will push the unified organizations back into a more traditional cost center model. Some will successfully make the transition, and slowly over time this new and valuable approach will become the norm.

Down the road, I hope to be CSO of an organization where convergence is not just the reality, but the norm. I'm optimistic that I will be. I even predict that in a few years, my former employer will go back to the converged model.

Everything worth achieving comes with risk. As CSOs, we do our best when facing and managing risk. We should continue to take the challenge and go into the breach.
Chasing after a unified program is worth it.

This column is written anonymously by a real CSO. Send your comments via e-mail to csoundercover at cxo.com.


From isn at c4i.org Wed Jan 4 06:07:23 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:07:23 -0600 (CST)
Subject: [ISN] Security Hole Claimed for BlackBerrys
Message-ID:

http://blogs.washingtonpost.com/securityfix/2006/01/security_hole_e.html

By Brian Krebs
January 3, 2006

New research released over the weekend indicated that BlackBerrys -- the ubiquitous handheld devices favored by on-the-go types -- are vulnerable to a security hole that could let attackers break in to the gadgets by convincing users to open a specially crafted image file attached to an e-mail.

The information was released at the 22nd Chaos Communication Congress hacker convention in Berlin by this guy -- "FX" of the security research group Phenoelit.

Research in Motion Ltd., the Canadian company that makes the devices, said it is a previously reported issue "that has been escalated internally to our development team. No resolution time frame is currently available."

RIM's advisory downplays the threat, saying that "a corrupt Tagged Image File Format (TIFF) file sent to a user may stop a user's ability to view attachments. There is no impact on any other services (for example, sending and receiving messages, making phone calls, browsing the Internet, and running handheld applications to access a corporate network)."

RIM didn't mention anything about the flaw allowing attackers to download and execute programs on the targeted device, but I'm left wondering whether they escalated this because of just such a threat. I obviously didn't hear FX's talk, but an alert released over the weekend by US-CERT says remote code execution is possible.
RIM doesn't say when it plans to have a fix available, but for now it is urging companies who use the service to reconfigure any machine serving as an internal BlackBerry Internet Server to filter TIFF images or disable the file-attachment capability altogether.

Update, 10:27 a.m. ET: Having just spoken with FX (a.k.a. Felix Lindner), I definitely feel like I understand the threat here a bit better, and it is a little more serious than I first thought.

Lindner said the real problem -- a vulnerability in the way Blackberry servers handle portable network graphics (PNG) images -- was not disclosed by either RIM or the US-CERT advisory. Lindner said he suspects that's because this PNG flaw is present not in the newest version of Blackberry server but in all versions from 4.0 to 4.0.1.9 (the latter was released roughly a month ago, and no doubt many companies still run that version).

Lindner said he started looking into Blackberry's proprietary communications protocols because the Blackberry server requires an unusual level of access inside of a corporate network: the server must be run inside a company's network firewall and on a Windows machine that is granted full and direct administrative access to the customer's internal e-mail server.

"We started looking at all of the privileges this server needs while sitting right in the middle of the network and realized we didn't know anything about it," Lindner said. "In a lot of companies, corporate managers want to install it because they want their Blackberrys, but we wanted to find out what risks are there connected to running this thing."

Lindner's slides from his presentation -- which he agreed not to release until RIM has fully fixed this problem -- show that the Blackberry server, which manages all of the encryption keys needed to unscramble e-mail traffic to and from all Blackberry devices registered on the network, stores them on a Microsoft SQL database server in plain, unencrypted text.
Lindner found that by convincing a Blackberry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the Blackberry server, which could then be taken over and used to intercept e-mails or as a staging point for other attacks within the network.

I put in a call to the RIM folks: Will update the post if I get a response from them directly.


From isn at c4i.org Wed Jan 4 06:07:59 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:07:59 -0600 (CST)
Subject: [ISN] Update: Microsoft says 'wait for us' as WMF threat climbs
Message-ID:

http://www.infoworld.com/article/06/01/03/HNmssayswait_1.html

By Peter Sayer
IDG News Service
January 03, 2006

Some security researchers are advising Windows users to rush to install an unofficial patch to fix a vulnerability in the way the OS renders graphics files, but Microsoft Corp. wants customers to wait another week for its official security update, it announced Tuesday.

The problem is in the way various versions of Windows handle graphics in the WMF (Windows Metafile) format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code.

Microsoft published a first security advisory on Dec. 28, saying it had received notification of the problem on Dec. 27 and was investigating whether a patch was necessary. On Tuesday, Microsoft updated the advisory to say it has completed development of its own patch, and is now testing it for release next week.

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on Jan. 10, 2006," said the advisory, the full text of which can be found here [1].

The company said it carefully reviews and tests its security updates, and offers them in 23 languages for all affected versions of its software simultaneously.
It "cannot provide similar assurance for independent third-party security updates," it said.

The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability, but the number actually affected so far is relatively low, researchers say. Staff at McAfee Inc.'s Avert security research lab report that 7.45 percent of users of the company's retail security products were found to have computers infected with malicious programs through the WMF exploit as of Tuesday. That's up from 6 percent of users on Saturday.

However, the chance of running into a malicious WMF file is climbing, and with it the danger of running an unpatched system. Already, one security Web site has had to warn its readers to stay away: the owners of the knoppix-std.org site warned in a forum posting that hackers had modified the site so as to attempt to exploit the vulnerability on site visitors' machines.

There is "a lot of potential risk" associated with the vulnerability, according to Jay Heiser, a research vice president with Gartner Inc. and the company's lead analyst on information security issues. "If it can be exploited in any significant way, it would be an extremely big risk."

"It's a race between Microsoft and the exploit community," he said.

The bad guys had a head start in that race. Security researchers at Websense Inc. first spotted malicious Web sites using the exploit on Dec. 27, but those sites may have been doing so as early as Dec. 14, the company said.

On Dec. 28, Microsoft ambled out of the starting blocks with its first security advisory acknowledging a potential problem. Over the weekend, it updated this to suggest a way in which users could reduce the risk by disabling an affected part of the OS, called shimgvw.dll. Microsoft warned that the fix has the side effect of stopping the Windows Picture and Fax Viewer from functioning normally. Others report that it also stops Windows Explorer from showing thumbnails for digital photos.
Security researchers outside Microsoft had other ideas: rather than disable shimgvw.dll, they would modify it so that only the functionality considered dangerous was blocked.

By Dec. 31, programmer Ilfak Guilfanov had developed an unofficial patch to reduce the danger of attack, without impairing Windows' graphics functions. His patch quickly won the support of security researchers including The SANS Institute's Internet Storm Center (ISC) and F-Secure Corp.

Mikko Hypponen, chief research officer at F-Secure, feels safe recommending the Guilfanov patch for several reasons. "We know this guy. We have checked the code. It does exactly what he says it does, and nothing else. We've checked the binary, and we've checked that the fix works," he said. He had one final vote of confidence: "We've installed it on all our own computers."

Sophos PLC's Senior Security Consultant Carole Theriault advised businesses not to install the unofficial patch. "We wouldn't recommend it, for testing reasons," she said.

One of the hidden dangers of the WMF vulnerability is that things are not always what they appear. Usually, WMF files can be identified by their .WMF file extension, and blocked as a precaution, but attackers may choose to disguise malicious files simply by giving them another image file suffix, such as .JPG, because the Windows graphics rendering engine attempts to identify graphics files by their content, not their name.

That was the case with a file with the title "happynewyear.jpg" that began circulating in e-mail messages on Dec. 31: If opened on a Windows machine, the file attempts to download and install a backdoor called Bifrose.

As a consequence, said Theriault, businesses should keep existing antivirus protection up to date and concentrate on blocking unsolicited mail while waiting for the Microsoft patch, as this may help to screen out attacks.
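A defender-side check for the extension disguise just described, added here as an example and not code from the article or from any vendor it mentions: it types image data by its leading bytes (the WMF placeable key and META_HEADER fields, plus the PNG, JPEG and TIFF signatures, all taken from the public format specifications) the way a content-sniffing renderer would, and flags any file whose name claims a different type. The file names and byte strings below are constructed samples, not real attachments.

```python
"""Content-based image typing: a filter keyed on the .WMF extension misses a
WMF file renamed to .jpg, so classify by the bytes, not the name.
Signatures come from the public format specs; all samples are constructed."""
import os
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SIG = b"\xff\xd8\xff"
TIFF_SIGS = (b"II*\x00", b"MM\x00*")
# Placeable (Aldus) WMF header: 32-bit key 0x9AC6CDD7, little-endian on disk.
WMF_PLACEABLE_KEY = 0x9AC6CDD7
# Standard WMF META_HEADER: Type 1 (memory) or 2 (disk), HeaderSize 9 words,
# Version 0x0100 or 0x0300, all 16-bit little-endian.
WMF_TYPES = (1, 2)
WMF_VERSIONS = (0x0100, 0x0300)

# What each extension claims the content to be.
EXT_TO_TYPE = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
               ".tif": "tiff", ".tiff": "tiff", ".wmf": "wmf"}


def is_standard_wmf(data: bytes) -> bool:
    """True if the first 18 bytes look like a standard WMF META_HEADER."""
    if len(data) < 18:
        return False
    ftype, header_size, version = struct.unpack_from("<HHH", data, 0)
    return ftype in WMF_TYPES and header_size == 9 and version in WMF_VERSIONS


def is_placeable_wmf(data: bytes) -> bool:
    """True if the file opens with the 22-byte placeable header's key."""
    return len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY


def detect_image_type(data: bytes):
    """Classify by content only, ignoring the file name, as the renderer does."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(JPEG_SIG):
        return "jpeg"
    if data[:4] in TIFF_SIGS:
        return "tiff"
    if is_placeable_wmf(data) or is_standard_wmf(data):
        return "wmf"
    return None


def classify(filename: str, data: bytes):
    """Return (detected_type, verdict). 'mismatch' means the bytes are a known
    image type that the name does not claim (a WMF body under a .jpg name is
    the disguise described in the article); 'unknown' means no signature hit."""
    declared = EXT_TO_TYPE.get(os.path.splitext(filename)[1].lower())
    detected = detect_image_type(data)
    if detected is None:
        return None, "unknown"
    if declared != detected:
        return detected, "mismatch"
    return detected, "ok"


def build_standard_wmf_stub() -> bytes:
    """Constructed 18-byte META_HEADER: disk metafile, 9-word header, v3.0,
    size 9 words, no objects, max record 0, reserved 0. Not a real image."""
    return struct.pack("<HHHHHHIH", 2, 9, 0x0300, 9, 0, 0, 0, 0)


def build_placeable_wmf_stub() -> bytes:
    """Constructed placeable header (key, handle, bounding box, inch,
    reserved, checksum) followed by the standard header. Not a real image."""
    placeable = struct.pack("<IHhhhhHIH", WMF_PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    return placeable + build_standard_wmf_stub()


# Constructed sample "attachments", keyed by the name each arrived with.
SAMPLES = {
    "happynewyear.jpg": build_placeable_wmf_stub(),  # WMF wearing a .jpg name
    "photo.jpg": JPEG_SIG + b"\xe0\x00\x10JFIF\x00",
    "scan.tif": TIFF_SIGS[0] + b"\x08\x00\x00\x00",
    "logo.png": PNG_SIG + b"\x00\x00\x00\rIHDR",
    "chart.wmf": build_standard_wmf_stub(),
    "notes.txt": b"plain text, not an image",
}


def scan(samples=SAMPLES):
    """Run classify() over a name->bytes mapping; returns name->(type, verdict)."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, verdict) in scan().items():
        print(f"{name:18} detected={kind!s:6} verdict={verdict}")
```

A mismatch verdict is a reason to quarantine and inspect, not proof of malice; the check only restores the extension-based filter that content sniffing otherwise defeats.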
They should encourage users to practice safe computing by only visiting reputable Web sites and taking care with what they download, she said.

(Jeremy Kirk in London contributed to this report.)

[1] http://www.microsoft.com/technet/security/advisory/912840.mspx

From isn at c4i.org Wed Jan 4 06:08:33 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:08:33 -0600 (CST)
Subject: [ISN] H&R Block Mailing Reveals Customers' SSNs
Message-ID:

http://www.eweek.com/article2/0,1895,1907596,00.asp

By Paul F. Roberts
January 3, 2006

Some H&R Block customers who received free copies of the company's TaxCut software also had their Social Security numbers exposed, according to a company spokesperson.

H&R Block sent a letter to customers in late December saying that a tracking number used on packages containing TaxCut contained the customer's Social Security number as part of a unique, 47-digit tracking number. H&R Block blamed user error for the slip and said the number would be impossible to spot, and that no customer data has been lost or stolen as a result of the mistake, according to Denise Sposato, a spokesperson for H&R Block.

H&R Block learned of the slip-up in late December, after a customer informed the company that a unique ID that appeared on the package, above the mailing label, contained his or her Social Security number. The number is used by H&R Block's marketing department, Sposato said.

After learning of the mishap, H&R Block moved quickly to identify the source of the error and customers who were affected by it, Sposato said. The Kansas City, Mo., company said it believes that less than 3 percent of those who were mailed a copy of TaxCut had their Social Security numbers used. Sposato declined to say how big the mailing was or to provide an estimate of how many of the company's current and former customers were affected.

Sposato said the incident was an accident and "completely contrary to established procedure" at the company, which makes its money helping individuals prepare and file tax returns. Social Security numbers are not used to track other mailings, nor are they used to derive the unique tracking numbers used on mailings, she said.

H&R Block informed customers of the mistake in a letter, and set up a Web page on the company's site with information for those whose Social Security numbers were disclosed. H&R Block feels the risk of identity theft is minimal, Sposato said.

This is the first year that H&R Block mailed the TaxCut software to current and former customers. Some of those receiving the tax preparation software have not used H&R Block for a year or more, Sposato said. H&R Block has notified its compliance officer about the problem, but declined to say whether authorities or federal regulators were informed of the information leak.

The news from H&R Block is just the latest in a long string of disclosures of corporate data leaks. Just last week, Marriott Vacation Club International, a division of Marriott International Inc., said computer backup tapes with information on more than 200,000 customers disappeared from the company's Orlando, Fla., offices. The tapes may contain credit card numbers, Social Security numbers and addresses of customers of the timeshare property business.

Data privacy will be a top issue for federal lawmakers in 2006. The U.S. Congress will consider a federal data breach notification law next year, in addition to new regulations aimed at spyware programs.
From isn at c4i.org Wed Jan 4 06:09:07 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:09:07 -0600 (CST)
Subject: [ISN] Report: School technology should cough up hackers
Message-ID:

http://www.insidebayarea.com/dailyreview/localnews/ci_3367058

By Grace Rauh
STAFF WRITER
01/03/2006

UNION CITY - A team of experts from outside the New Haven school district is recommending that the district take new steps to better safeguard student information and improve its technology.

The recommendations were compiled in a report that will be shared with school board members at their meeting tonight.

The board hired the Fiscal Crisis and Management Assistance Team for about $7,500 in October to study the district's technology system to try to keep hackers at bay. The decision was made on the heels of a security scare last spring, when it was mistakenly believed that an unauthorized user broke into the student information system. Superintendent Pat Jaurequi said at the time she wanted the district to conduct this study to prevent security breaches in the future.

Team members visited the school district Oct. 10-11 and interviewed employees, collected data and reviewed information about technology in New Haven. They found the school district's technology department has motivated employees who are willing to improve the system, but lacks leadership.

Some obvious security risks the team discovered during its two-day visit included teachers who let students work on their classroom computers and shared passwords with them, giving them access to confidential information. Team members found the door to New Haven's main data center unlocked and discovered there is no system in place to end an employee's access to confidential information before he or she is fired, leaving the district open to a security breach by a former employee.

The meeting begins at 7:30 at the Educational Services Center board room, 34200 Alvarado-Niles Road.
From isn at c4i.org Wed Jan 4 06:04:33 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 4 Jan 2006 05:04:33 -0600 (CST)
Subject: [ISN] Linux Security Week - January 2nd 2006
Message-ID:

+---------------------------------------------------------------------+
LinuxSecurity.com Weekly Newsletter
January 2nd, 2006 Volume 7, Number 1n
Editorial Team: Dave Wreski dave at linuxsecurity.com
Benjamin D. Thomas ben at linuxsecurity.com
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Adaptive Firewalls with iptables," "Bandwidth monitoring with iptables," "Four Security Resolutions For The New Year," and "DNS Name Prediction With Google."

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

---

LINUX ADVISORY WATCH

This week, advisories were released for phpbb2, ketm, tkdiff, dhis-tools-dns, Mantis, NDB, rssh, OpenMotif, scponly, msec, fetchmail, cpio, php-mbstring, and libgphoto. The distributors include Debian, Gentoo, and Mandriva.

http://www.linuxsecurity.com/content/view/121125/150/

---

* EnGarde Secure Community 3.0.2 Released
6th, December, 2005

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.2 (Version 3.0, Release 2). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

http://www.linuxsecurity.com/content/view/120951

---

Hacks From Pax: SELinux Administration

This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

http://www.linuxsecurity.com/content/view/120700/49/

---

Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to my second of a series of articles on Security Enhanced Linux. My previous article detailed the background of SELinux and explained what makes SELinux such a revolutionary advance in systems security. This week, we'll be discussing how SELinux security contexts work and how policy decisions are made by SELinux. SELinux systems can differ based on their security policy, so for the purposes of this article's examples I'll be using an EnGarde Secure Linux 3.0 system, which by default uses a tightly configured policy that confines every included application.

http://www.linuxsecurity.com/content/view/120622/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News: | <<-----[ Articles This Week ]----------
+---------------------+

* Ethereal 0.10.14 Release Notes
30th, December, 2005

Ethereal 0.10.14 has been released. Several security-related vulnerabilities have been fixed. Everyone is encouraged to upgrade. The following features are new (or have been significantly updated) since the last release.

http://www.linuxsecurity.com/content/view/121127

* Adaptive Firewalls with iptables
26th, December, 2005

Up until now, we've looked at stateless and stateful firewalls. Remember, stateless firewalls only have the features of a given packet to use as criteria for whether that packet should be passed, blocked, or logged. With a stateful firewall, in addition to the fields in that packet, we also have access to the kernel's table of open connections to use in deciding the fate of this packet.

http://www.linuxsecurity.com/content/view/121099

* Bandwidth monitoring with iptables
27th, December, 2005

Linux has a number of useful bandwidth monitoring and management programs. A quick search on Freshmeat.net for bandwidth returns a number of applications. However, if all you need is a basic overview of your total bandwidth usage, iptables is all you really need -- and it's already installed if you're using a Linux distribution based on the 2.4.x or 2.6.x kernels. Most of the time we use iptables to set up a firewall on a machine, but iptables also provides packet and byte counters. Every time an iptables rule is matched by incoming or outgoing data streams, the software tracks the number of packets and the amount of data that passes through the rules.

http://www.linuxsecurity.com/content/view/121106

* Cisco vulnerability posted to Internet
29th, December, 2005

One day after a security researcher and organizers of the Black Hat USA conference agreed not to post details of vulnerabilities in Cisco's router software, the information has been published on the Internet. On Friday, the Web site Cryptome.org posted what appear to be slides written to accompany a presentation given by former Internet Security Systems Inc. (ISS) researcher Michael Lynn, at the Black Hat conference in Las Vegas.

http://www.linuxsecurity.com/content/view/121119

* An Inexpensive and Versatile IDS
27th, December, 2005

An intrusion detection system can be an effective technical control in the modern world of information and network security. One option that provides for low cost NIDS sensor deployment is the use of the open source IDS software Snort in combination with a consumer grade LinkSys cable/DSL router and the open source firmware distribution OpenWrt. These three items together form a powerful yet inexpensive unit that delivers IDS, routing, firewall, wireless, and NAT functionality for use in a light-weight environment, i.e. consumer or small business deployments.

http://www.linuxsecurity.com/content/view/121104

* D@TA Protection and the Linux Environment
28th, December, 2005

This is an exciting time for people involved in data protection, and not in the bad way that things can be exciting. Many more options, techniques, and practices have become available to IT professionals. The new technology solves a great many problems.

http://www.linuxsecurity.com/content/view/121113

* Researchers pore over biometrics spoofing data
29th, December, 2005

Sweaty hands might make you unpopular as a dance partner but they could someday prevent hackers from getting into your bank account. Researchers at Clarkson University have found that fingerprint readers can be spoofed by fingerprint images lifted with Play-Doh or gelatine or a model of a finger moulded out of dental plaster. The group even assembled a collection of fingers cut from the hands of cadavers.

http://www.linuxsecurity.com/content/view/121120

* Linux in a Business - Got Root?
30th, December, 2005

I work for a government contractor, and have recently convinced them to purchase a Beowulf cluster, and start moving their numeric modelers from Sun to Linux. Like most historically UNIX shops, they don't allow users even low-level SUDO access, to do silly things like change file permissions or ownerships, in a tracked environment. I am an ex-*NIX admin myself, so I understand their perspective and wish to keep control over the environment, but as a user, I'm frustrated by having to frequently call the help-desk just to get a file ownership changed or a specific package installed.

http://www.linuxsecurity.com/content/view/121126

* Financial institutions lead march to Linux in Korea
29th, December, 2005

In the latest in a series of moves aimed at getting Korean government institutions to move away from their reliance on Windows and Unix and adopt open source software, two state-owned financial institutions planned to launch the country's first Linux-based Internet banking services in December. The state-owned Korea Post and the National Agricultural Cooperative Federation (NACF) have both said their systems will be up and running for Linux users before the end of December as a part of the open source software fostering projects of the Ministry of Information and Communication.

http://www.linuxsecurity.com/content/view/121121

* Four Security Resolutions For The New Year
26th, December, 2005

I always know what my first New Year's resolution is going to be, because it's the same every year: lose weight. Chances are, you have the same one. But by the time the Super Bowl happens, and you eat seven thousand calories on that one day, you'll have already given up on that resolution.

http://www.linuxsecurity.com/content/view/121098

* IT security professionals moving up the corporate pecking order
26th, December, 2005

Ultimate responsibility for information security is moving up corporate management hierarchies, as board-level directors and CEOs or CISO/CSOs are increasingly held accountable for safeguarding IT infrastructures, new research has revealed. The second annual Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by not-for-profit IT security educational organisation, the International Information Systems Security Certification Consortium (ISC)2, expects this accountability shift to continue as information security becomes more relevant in risk management and IT governance strategies.

http://www.linuxsecurity.com/content/view/121100

* Browser developers meet, see eye to eye on security
27th, December, 2005

Developers of four major Web browsers -- Konqueror, Mozilla Firefox, Opera, and Internet Explorer (IE) -- gathered at an informal meeting in Toronto on November 17 to review plans and share progress on security improvements and standards. The intents were making security information more meaningful to users, and balancing security for high-traffic sites (such as banks) and smaller organizations and businesses.

http://www.linuxsecurity.com/content/view/121105

* Security Is Not Insurance
27th, December, 2005

What's the hardest part of a chief security officer's job? Evaluating new technologies? Establishing policies for users to follow? Actually, it's more political than that, Jim Routh, chief security officer of Depository Trust & Clearing Corp., said during an Interop presentation Tuesday. "The hardest part of a CSO's job is influencing information security and practices that will be implemented throughout an organization," he said. "It's a delicate process, particularly when you're asking an IT or business manager to rethink how they operate. Education is probably the most important strategic tool for a CSO, without a doubt." And you thought wayward data tapes throwing themselves off of the back of delivery trucks were going to be your biggest challenge.

http://www.linuxsecurity.com/content/view/121108

* Rootkits, cybercrime and OneCare
28th, December, 2005

The year 2005 in net security will likely be remembered as the year of the Sony rootkit DRM controversy. In other ways the last 12 months continued the trend of profit becoming a primary driver for the creation of computer viruses. The last 12 months also witnessed a number of high-profile cybercrime prosecutions, including the sentencing of NetSky author Sven Jaschan.

http://www.linuxsecurity.com/content/view/121111

* The Linux Year: A Look Back at 2005
29th, December, 2005

With the birth of each new year, the accolade of 'year of the penguin' has been dusted off and pre-emptively awarded time after time. 2005 was no different, and there's little reason to suppose that 2006 will underwhelm either.

http://www.linuxsecurity.com/content/view/121122

* What Tech Skills Are Hot For 2006?
29th, December, 2005

There's continued demand for people with information security skills, say Symons and others. And even though long-term demand is expected to remain strong, the growing ranks of people who have obtained IT security certifications has had a short-term dampening effect on compensation.

http://www.linuxsecurity.com/content/view/121123

* Record bad year for tech security
30th, December, 2005

2005 saw the most computer security breaches ever, subjecting millions of Americans to potential identity fraud, according to a report published Thursday. Over 130 major intrusions exposed more than 55 million Americans to the growing variety of fraud as personal data like Social Security and credit card numbers were left unprotected, according to USA Today.

http://www.linuxsecurity.com/content/view/121129

* All the Rage: It's 2006: Do You Know Where Your Security Policies Are?
2nd, January, 2006

It's the beginning of a new year--time to review your approach to security policy. If you think implementing firewalls, IDSs and antivirus/antispam products is enough, you're sorely mistaken. No matter the size of your enterprise, you must define a framework of security policies, standards and procedures for securing valuable corporate assets. If you don't, you may be leaving your company open to a variety of vulnerabilities.

http://www.linuxsecurity.com/content/view/121132

* Marriott customer data missing
29th, December, 2005

A division of the Marriott International hotel empire has notified more than 200,000 clients of back-up security tapes missing from the company's Orlando corporate offices. The breached records contained personal information of about 206,000 associates, timeshare owners and timeshare customers, the company said this week in a statement.

http://www.linuxsecurity.com/content/view/121118

* Data Security Movement Back-Burnered By Lawmakers
28th, December, 2005

Despite a year's worth of highly publicized security breaches and a lot of talk in Congress this summer on ways to protect consumers, there's been too little done to protect U.S. consumers' data, Gartner research director Avivah Litan says.

http://www.linuxsecurity.com/content/view/121112

* DNS Name Prediction With Google
2nd, January, 2006

As discussed in Google Hacking for Penetration Testers from Syngress publishing[1], there are many different ways to perform network reconnaissance using Google. Since the publication of that text, many different ideas and techniques have come to light. This document addresses one interesting technique, which we'll call DNS name[2] prediction. This document assumes you have some knowledge of basic network recon, and is not intended as a hand-holding approach to hacking. If you're evil, stop reading this and go work out some aggression on a sack-o-potatoes or something.

http://www.linuxsecurity.com/content/view/121131

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jan 9 04:35:56 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:35:56 -0600 (CST)
Subject: [ISN] U.S. gov't department details IT audit plans for 2006
Message-ID:

http://www.networkworld.com/news/2006/010406-government-it-audit.html

By Linda Rosencrance
Computerworld
01/04/06

Richard Skinner, the inspector general of the U.S. Department of Homeland Security, plans to conduct more than 12 audits of IT programs and operations in 2006, according to a recently released performance plan.

As part of that plan, the DHS's Office of Information Technology will conduct audits and evaluations of the department's information management, cyber infrastructure and systems integration activities.

For example, the Office of Information Technology (OIT) plans to look at whether security controls are effective in protecting personal information for the systems supporting the Transportation Worker Identification Credentialing (TWIC) program. Under that program, which was established in December 2001, some transportation workers are issued a standardized, secure identification card that allows them unescorted access to secure areas of the nation's transportation system -- as well as access to computer-based information systems involved in the security of the transportation system.

The OIT also wants to determine whether the DHS has adequate security controls in place over the Automated Commercial Environment (ACE), which collects, processes and analyzes commercial import and export data. ACE simplifies dealings between U.S. Customs and Border Patrol and the trade community by automating time-consuming and labor-intensive transactions to move goods through ports faster and cheaper.

In the Science and Technology area, Skinner's office will evaluate whether that DHS agency has established security controls for the sensitive information systems and data housed at the Plum Island Animal Disease Center on New York's Long Island.
The OIT also hopes to determine the status of the DHS's initiatives, applications and progress in integrating automated surveillance system technologies to respond to modern-day threats; the department's progress in research and project application related to its goals and performance measures; the issues and challenges that exist for DHS deployment of this functionality; and whether there are sufficient management controls in place or planned to ensure compliance with security, privacy laws and policies and biometric standards.

The inspector general is also planning to audit DHS operations for information sharing related to critical infrastructure protection. Skinner's office hopes to determine whether DHS strategies and tools for working with private industry would be effective in the event of a failure of, or attack on, critical sector operations. In addition, the OIG is set to review just how effectively the DHS shares disaster response and counter-terrorist information with state and local governments.

The OIT will also review the DHS's Infrastructure Transformation Project Strategy and Implementation, which spells out how DHS's IT infrastructure will move from a decentralized delivery model to a centralized and shared IT infrastructure services model for all of its agencies.

Skinner also wants to determine whether DHS has established adequate security policies and procedures to safeguard laptop computers -- as well as the data stored in those computers.

Skinner's office also plans to determine whether the DHS has effectively managed the use of RFID technology to protect mission-critical data and information systems from unauthorized data. The DHS is using RFID technology to track and identify assets, weapons and baggage on flights.

In the wake of problems sharing information between various government entities after Hurricane Katrina hit the Gulf coast last year, the OIG also plans to determine how effective DHS has been at ensuring effective communications to support future disaster response and recovery.

Story copyright © 2003 Computerworld, Inc.

From isn at c4i.org Mon Jan 9 04:34:48 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:34:48 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-1
Message-ID:

========================================================================
The Secunia Weekly Advisory Summary
2005-12-29 - 2006-01-05
This week : 36 advisories
========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Due to the seriousness of the latest vulnerability in Microsoft Windows and the lack of an available patch, Secunia have chosen to include last week's warning again in today's issue.

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

NOTE: This vulnerability can be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer. Additionally, exploit code is publicly available. This is being exploited in the wild.

The vulnerability can also be triggered from Explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif", ".tif", and ".png" etc.

Please refer to the referenced Secunia advisory for additional details and information about a temporary workaround.

Reference:
http://secunia.com/SA18255

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Weeks Top Ten Most Read Advisories:

1. [SA18255] Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution
2. [SA18131] Symantec AntiVirus RAR Archive Decompression Buffer Overflow
3. [SA15546] Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
4. [SA18277] BlackBerry Enterprise Server Denial of Service Vulnerabilities
5. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
6. [SA17498] Microsoft Windows WMF/EMF File Rendering Arbitrary Code Execution
7. [SA18250] VMware ESX Server Management Interface Unspecified Vulnerability
8. [SA17934] Mozilla Firefox History Information Denial of Service Weakness
9. [SA18162] VMware NAT Networking Buffer Overflow Vulnerability
10. [SA18261] ImageMagick Utilities Image Filename Handling Two Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA18279] eFileGo Multiple Vulnerabilities
[SA18294] ArcPad ".apm" Map File Handling Buffer Overflow
[SA18263] Web Wiz Products "txtUserName" SQL Injection Vulnerability
[SA18286] Intel "ialmrnt5" Graphics Accelerator Driver Denial of Service Vulnerability

UNIX/Linux:
[SA18291] SCO OpenServer update for BIND
[SA18289] SCO OpenServer update for libtiff
[SA18285] Open-Xchange Webmail HTML Attachment Script Insertion Vulnerability
[SA18261] ImageMagick Utilities Image Filename Handling Two Vulnerabilities
[SA18290] SCO OpenServer update for cpio
[SA18283] Discus Error Message Cross-Site Scripting Vulnerability
[SA18287] Mandriva update for printer-filters-utils
[SA18284] Gentoo pinentry Insecure Permissions setgid Binaries Security Issue
[SA18266] Ubuntu update for fetchmail
[SA18280] Ubuntu update for cpio
[SA18278] Fedora update for cpio

Other:

Cross Platform:
[SA18302] NKads Login SQL Injection Vulnerability
[SA18268] phpBook "email" PHP Code Injection Vulnerability
[SA18305] SiteSuite CMS "page" SQL Injection Vulnerability
[SA18299] vBulletin "Add Reminder" Script Insertion Vulnerability
[SA18297] Lizard Cart CMS "id" SQL Injection Vulnerability
[SA18292] raSMP User-Agent Script Insertion Vulnerability
[SA18281] MyBB Multiple Vulnerabilities
[SA18277] BlackBerry Enterprise Server Denial of Service Vulnerabilities
[SA18273] VEGO Web Forum "theme_id" SQL Injection Vulnerability
[SA18272] VEGO Links Builder "username" SQL Injection Vulnerability
[SA18271] B-net Software Script Insertion Vulnerabilities
[SA18270] Chipmunk GuestBook Script Insertion Vulnerability
[SA18269] PHPenpals "personalID" SQL Injection Vulnerability
[SA18265] PHPjournaler "readold" SQL Injection Vulnerability
[SA18264] Primo Cart SQL Injection Vulnerabilities
[SA18262] TinyMCE compressor Cross-Site Scripting and File Disclosure
[SA18310] Enhanced Simple PHP Gallery "dir" Cross-Site Scripting Vulnerability
[SA18309] Next Generation Image Gallery "page" Cross-Site Scripting Vulnerability
[SA18306] @Card ME PHP "cat" Cross-Site Scripting Vulnerability
[SA18298] IDV Directory Viewer Directory Listing Disclosure Vulnerability
[SA18282] BugPort Cross-Site Scripting and SQL Injection Vulnerabilities

========================================================================

5) Vulnerabilities Content Listing

Windows:--

[SA18279] eFileGo Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Released: 2006-01-02

dr_insane has reported some vulnerabilities in eFileGo, which can be exploited by malicious people to cause a DoS (Denial of Service), disclose sensitive information, and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18279/

--

[SA18294] ArcPad ".apm" Map File Handling Buffer Overflow

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-01-04

bratax has discovered a vulnerability in ArcPad, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18294/

--

[SA18263] Web Wiz Products "txtUserName" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-01-02

DevilBox has reported a vulnerability in various Web Wiz Products, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/18263/

--

[SA18286] Intel "ialmrnt5" Graphics Accelerator Driver Denial of Service Vulnerability

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-01-03

$um$id has discovered a vulnerability in Intel Graphics Accelerator Driver, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18286/

UNIX/Linux:--

[SA18291] SCO OpenServer update for BIND

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-01-04

SCO has issued an update for BIND. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18291/

--

[SA18289] SCO OpenServer update for libtiff

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-01-04

SCO has issued an update for libtiff. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18289/

--

[SA18285] Open-Xchange Webmail HTML Attachment Script Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-04

Thomas Pollet has reported a vulnerability in Open-Xchange, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/18285/

--

[SA18261] ImageMagick Utilities Image Filename Handling Two Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2005-12-30

Two vulnerabilities have been discovered in ImageMagick, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18261/

--

[SA18290] SCO OpenServer update for cpio

Critical: Less critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-01-04

SCO has issued an update for cpio. This fixes a vulnerability, which can be exploited by malicious people to cause files to be unpacked to arbitrary locations on a user's system.

Full Advisory:
http://secunia.com/advisories/18290/

--

[SA18283] Discus Error Message Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-01-02

$um$id has discovered a vulnerability in Discus, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/18283/

--

[SA18287] Mandriva update for printer-filters-utils

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-02

Mandriva has issued an update for printer-filters-utils. This fixes a vulnerability, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/18287/

--

[SA18284] Gentoo pinentry Insecure Permissions setgid Binaries Security Issue

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-01-04

Tavis Ormandy has reported a security issue in pinentry, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/18284/

--

[SA18266] Ubuntu update for fetchmail

Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-01-03

Ubuntu has issued an update for fetchmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18266/

--

[SA18280] Ubuntu update for cpio

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-01-03

Ubuntu has issued an update for cpio. This fixes a vulnerability, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18280/

--

[SA18278] Fedora update for cpio

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-01-03

Fedora has issued an update for cpio. This fixes a vulnerability, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/18278/

Other:

Cross Platform:--

[SA18302] NKads Login SQL Injection Vulnerability

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Manipulation of data, System access
Released: 2006-01-04

SoulBlack Security Research has discovered a vulnerability in NKads, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18302/

--

[SA18268] phpBook "email" PHP Code Injection Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-01-02

Aliaksandr Hartsuyeu has discovered a vulnerability in phpBook, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/18268/

--

[SA18305] SiteSuite CMS "page" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-01-04

Preddy has reported a vulnerability in SiteSuite CMS, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/18305/ -- [SA18299] vBulletin "Add Reminder" Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-04 trueend5 has reported a vulnerability in vBulletin, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/18299/ -- [SA18297] Lizard Cart CMS "id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-01-04 Aliaksandr Hartsuyeu has discovered a vulnerability in Lizard Cart CMS, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18297/ -- [SA18292] raSMP User-Agent Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-04 Aliaksandr Hartsuyeu has discovered a vulnerability in raSMP, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/18292/ -- [SA18281] MyBB Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Unknown, Cross Site Scripting, Manipulation of data Released: 2006-01-02 Some vulnerabilities have been reported in MyBB, where some have unknown impacts and others can be exploited by malicious people to conduct script insertion and SQL injection attacks. Full Advisory: http://secunia.com/advisories/18281/ -- [SA18277] BlackBerry Enterprise Server Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-01-02 FX has reported some vulnerabilities in BlackBerry Enterprise Server, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/18277/ -- [SA18273] VEGO Web Forum "theme_id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-01-02 Aliaksandr Hartsuyeu has discovered a vulnerability in VEGO Web Forum, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18273/ -- [SA18272] VEGO Links Builder "username" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2006-01-02 Aliaksandr Hartsuyeu has discovered a vulnerability in VEGO Links Builder, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18272/ -- [SA18271] B-net Software Script Insertion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-03 Aliaksandr Hartsuyeu has discovered some vulnerabilities in B-net Software, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/18271/ -- [SA18270] Chipmunk GuestBook Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-02 Aliaksandr Hartsuyeu has discovered a vulnerability in Chipmunk GuestBook, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/18270/ -- [SA18269] PHPenpals "personalID" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-01-02 Aliaksandr Hartsuyeu has discovered a vulnerability in PHPenpals, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/18269/ -- [SA18265] PHPjournaler "readold" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-01-02 Aliaksandr Hartsuyeu has discovered a vulnerability in PHPjournaler, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18265/ -- [SA18264] Primo Cart SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-01-02 r0t has reported two vulnerabilities in Primo Cart, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/18264/ -- [SA18262] TinyMCE compressor Cross-Site Scripting and File Disclosure Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2005-12-30 Stefan Esser has reported some vulnerabilities in TinyMCE compressor, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information. Full Advisory: http://secunia.com/advisories/18262/ -- [SA18310] Enhanced Simple PHP Gallery "dir" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-04 preddy has discovered a vulnerability in Enhanced Simple PHP Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18310/ -- [SA18309] Next Generation Image Gallery "page" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-04 Preddy has reported a vulnerability in Next Generation Image Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/18309/ -- [SA18306] @Card ME PHP "cat" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-01-04 Preddy has reported a vulnerability in @Card ME PHP, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18306/ -- [SA18298] IDV Directory Viewer Directory Listing Disclosure Vulnerability Critical: Less critical Where: From remote Impact: Exposure of system information Released: 2006-01-04 A vulnerability has been reported in IDV Directory Viewer, which can be exploited by malicious people to disclose system information. Full Advisory: http://secunia.com/advisories/18298/ -- [SA18282] BugPort Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-01-02 r0t has reported some vulnerabilities in BugPort, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/18282/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) 
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Mon Jan 9 04:35:16 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:35:16 -0600 (CST)
Subject: [ISN] Open Letter on the Interpretation of "Vulnerability Statistics"
Message-ID:

Forwarded from: full-disclosure at lists.grok.org.uk

From: Steven M. Christey
To: dailydave at lists.immunitysec.com, bugtraq at securityfocus.com, full-disclosure at lists.grok.org.uk
Date: Thu, 5 Jan 2006 02:12:32 -0500 (EST)
Subject: Open Letter on the Interpretation of "Vulnerability Statistics"

Open Letter on the Interpretation of "Vulnerability Statistics"
---------------------------------------------------------------

Author: Steve Christey, CVE Editor
Date: January 4, 2006

All,

As the new year begins, there will be many temptations to generate, comment, or report on vulnerability statistics based on totals from 2005. The original reports will likely come from publicly available Refined Vulnerability Information (RVI) sources - that is, vulnerability databases (including CVE/NVD), notification services, and periodic summary producers.

RVI sources collect unstructured vulnerability information from Raw Sources. Then, they refine, correlate, and redistribute the information to others. Raw sources include mailing lists like Bugtraq, Vulnwatch, and Full-Disclosure, web sites like PacketStorm and Securiteam, blogs, conferences, newsgroups, direct emails, etc.

In my opinion, RVI sources are still a year or two away from being able to produce reliable, repeatable, and COMPARABLE statistics. In general, consumers should treat current statistics as suggestive, not conclusive.

Vulnerability statistics are difficult to interpret due to several factors:

- VARIATIONS IN EDITORIAL POLICY. An RVI source's editorial policy dictates HOW MANY vulnerabilities are reported, and WHICH vulnerabilities are reported. RVIs have widely varying policies. You can't even compare an RVI against itself, unless you can be sure that its editorial policy has not changed within the relevant data set. The editorial policies of RVIs seem to take a few years before they stabilize, and there is evidence that they can change periodically.

- FRACTURED VULNERABILITY INFORMATION. Each RVI source collects its information from its own list of raw sources - web sites, mailing lists, blogs, etc. RVIs can also use other RVIs as sources. Apparently for competitive reasons, some RVIs might not identify the raw source that was used for a vulnerability item, which is one aspect of what I refer to as the provenance problem. Long gone are the days when a couple mailing lists or newsgroups were the raw source for 90% of widely available vulnerability information. Based on what I have seen, the provenance problem is only going to get worse.

- LACK OF COMPLETE CROSS-REFERENCING BETWEEN RVI SOURCES. No RVI has an exhaustive set of cross-references, so no RVI can be sure that it is 100% comprehensive, even with respect to its own editorial policy. Some RVIs compete with each other directly, so they don't cross-reference each other. Some sources could theoretically support all public cross-references - most notably OSVDB and CVE - but they do not, due to resource limitations or other priorities.

- UNMEASURABLE RESEARCH COMMUNITY BIAS. Vulnerability researchers vary widely in skill sets, thoroughness, preference for certain vulnerability types or product classes, and so on. This collectively produces a bias that is not currently measurable against the number of latent vulnerabilities that actually exist. Example: web browser vulnerabilities were once thought to belong to Internet Explorer only, until people actually started researching other browsers; many elite researchers concentrate on a small number of operating systems or product classes; basic SQL injection and XSS are very easy to find manually; etc.

- UNMEASURABLE DISCLOSURE BIAS. Vendors and researchers vary widely in their disclosure models, which creates an unmeasurable bias. For example, one vendor might hire an independent auditor and patch all reported vulnerabilities without publicly announcing any of them, or a different vendor might publish advisories even for very low-risk issues. One researcher might disclose without coordinating with the vendor at all, whereas another researcher might never disclose an issue until a patch is provided, even if the vendor takes an inordinate amount of time to respond.

Note that many large-scale comparisons, such as "Linux vs. Windows," cannot be verified due to unmeasurable bias, and/or editorial policy of the core RVI that was used to conduct the comparison.

EDITORIAL POLICY VARIATIONS
---------------------------

This is just a sample of variations in editorial policy. There are legitimate reasons for each variation, usually due to audience needs or availability of analytical resources.

COMPLETENESS (what is included):

1) SEVERITY. Some RVIs do not include very low-risk items such as a bug that causes path disclosure in an error message in certain non-operational configurations. Secunia and SecurityFocus do not do this, although they might note this when other issues are identified. Others include low-risk issues, such as CVE, ISS X-Force, US-CERT Security Bulletins, and OSVDB.

2) VERACITY. Some RVIs will only publish vulnerabilities when they are confident that the original, raw report is legitimate - or if they've verified it themselves. Others will publish reports when they are first detected from the raw sources. Still others will only publish reports when they are included in other RVIs, which makes them subject to the editorial policies of those RVIs unless care is taken. For example, US-CERT's Vulnerability Notes have a high veracity requirement before they are published; OSVDB and CVE have a lower requirement for veracity, although they have correction mechanisms in place if veracity is questioned, and CVE has a two-stage approach (candidates and entries).

3) PRODUCT SPACE. Some RVIs might omit certain products that have very limited distribution, are in the beta development stage, or are not applicable to the intended audience. For example, version 0.0.1 of a low-distribution package might be omitted, or if the RVI is intended for a business audience, video game vulnerabilities might be excluded. On the other hand, some "beta" products have extremely wide distribution.

4) OTHER VARIATIONS. Other variations exist but have not been studied or categorized at this time. One example, though, is historical completeness. Most RVIs do not cover vulnerabilities before the RVI was first launched, whereas others - such as CVE and OSVDB - can include issues that are older than the RVI itself. As another example: a few years ago, Neohapsis made an editorial decision to omit most PHP application vulnerabilities from their summaries, if they were obscure products, or if the vulnerability was not exploitable in a typical operational configuration.

ABSTRACTION (how vulnerabilities are "counted"):

5) VULNERABILITY TYPE. Some RVIs distinguish between types of vulnerabilities (e.g. buffer overflow, format string, symlink, XSS, SQL injection). CVE, OSVDB, ISS X-Force, and US-CERT Vulnerability Notes perform this distinction; Secunia, FrSIRT, and US-CERT Cyber Security Bulletins do not. Bugtraq IDs vary. As vulnerability classification becomes more detailed, there is more room for variation (e.g. integer overflows and off-by-ones might be separated from "classic" overflows).

6) REPLICATION. Some RVIs will produce multiple records for the same core vulnerability, even based on the RVI's own definition. Usually this is done when the same vulnerability affects multiple vendors, or if important information is released at a later date. Secunia and US-CERT Security Bulletins use replication; so might vendor advisories (for each supported distribution). OSVDB, Bugtraq ID, CVE, US-CERT Vulnerability Notes, and ISS X-Force do not - or, they use different replication than others. Replication's impact on statistics is not well understood.

7) OTHER VARIATIONS. Other abstraction variations exist but have not been studied or categorized at this time. As one example, if an SQL injection vulnerability affects multiple executables in the same product, OSVDB will create one record for each affected program, whereas CVE will combine them.

TIMELINESS:

8) RVIs differ in how quickly they must release vulnerability information. While this used to vary significantly in the past, these days most public RVIs have very short timelines, from the hour of release to within a few days. Vulnerability information can be volatile in the early stages, so an RVI's requirements for timeliness directly affect its veracity and completeness.

REALITY:

9) All RVIs deal with limited resources or time, which significantly affects completeness, especially with respect to veracity, or timeliness (which is strongly associated with the ability to achieve completeness). Abstraction might also be affected, although usually to a lesser degree, except in the case of large-scale disclosures.

Conclusion
----------

In my opinion:

You should not interpret any RVI's statistics without considering its editorial policy. For example, the US-CERT Cyber Security Bulletin Summary for 2005 uses statistics that include replication. (As a side note, a casual glance at the bulletin's contents makes it clear that it cannot be used to compare Windows to Linux as operating systems.)

In addition, you should not compare statistics from different RVIs until (a) the RVIs are clear about their editorial policy and (b) the differences in editorial policy can be normalized. Example: based on my PRELIMINARY investigations of a few hours' work, OSVDB would have about 50% more records than CVE, even though it has the same underlying number of vulnerabilities and the same completeness policy for recent issues.

Third, for the sake of more knowledgeable analysis, RVIs should consider developing and publishing their own editorial policies. (Note that based on CVE's experience, this can be difficult to do.) Consumers should be aware that some RVIs might not be open about their raw sources, veracity analysis, and/or completeness.

Finally: while RVIs are not yet ready to provide usable, conclusive statistics, there is a solid chance that they will be able to do so in the near future. Then, the only problem will be whether the statistics are properly interpreted. But that is beyond the scope of this letter.

Steve Christey
CVE Editor

P.S. This post was written for the purpose of timely technical exchange. Members of the press are politely requested to consult me before directly attributing quotes from this article, especially with respect to stated opinion.

From isn at c4i.org Mon Jan 9 04:35:33 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:35:33 -0600 (CST)
Subject: [ISN] Former Cyber-Security Chief to Head CIA's Venture Capital Arm
Message-ID:

http://www.eweek.com/article2/0,1895,1907899,00.asp

By Caron Carlson
January 4, 2006

After a brief stint at the Department of Homeland Security, former cyber-security czar Amit Yoran has gone to work for the CIA.

More specifically, Yoran this week was named president and CEO of In-Q-Tel Inc., the CIA's venture capital unit.
In-Q-Tel, based in Menlo Park, Calif., was established in 1999 as a way for the government to invest in novel technologies by providing equity, product development funding, innovative intellectual property arrangements and contracting guidance.

Yoran is the outfit's second chief executive, succeeding Gilman Louie. His experience blends private and public sector endeavors. He graduated from the U.S. Military Academy at West Point and went on to earn a master's degree from George Washington University.

Yoran's venture capital knowledge dates to his founding of RipTech Inc. in 1998, which he sold to Symantec Corp. in 2002. His government expertise includes a stint as director of the National Cyber Security Division of the Department of Homeland Security and a job early in his career with the Pentagon's Computer Emergency Response Team. Yoran resigned from the Department of Homeland Security in 2004.

"Amit's lifetime experience - as an entrepreneur, a venture investor and leader in commercial companies and national security - makes him the perfect fit for our organization," Louie said. "His critical understanding of key technologies and security needs will position In-Q-Tel to continue to serve as a unique tool driving innovation across the broader Intelligence Community."

In-Q-Tel has invested in at least 80 companies over the last six years, generally providing between $1 million and $3 million, according to the organization's Web site. Its stated mission is to not only nurture technologies for government use, but also to look for commercial counterparts to the intelligence community's enterprise challenges.

Specific areas of interest include software for search and categorization, translation and simulation, as well as wireless, security, semiconductor and nanotechnology infrastructure. Additionally, In-Q-Tel invests in biotechnology, power and sensor technologies.
From isn at c4i.org Mon Jan 9 04:36:12 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:36:12 -0600 (CST)
Subject: [ISN] Unauthorized Patch For Microsoft WMF Bug Sparks Controversy
Message-ID:

http://www.informationweek.com/software/showArticle.jhtml?articleID=175801150

By Larry Greenemeier
InformationWeek
Jan 4, 2006

Concerns over the lack of a Microsoft-issued patch have pushed the Windows Metafile/Zero-Day bug to top of mind, surpassing even tomorrow's much-anticipated Sober worm attack. The lag time between the Dec. 27 discovery of the WMF vulnerability and Microsoft's planned Jan. 10 patch availability has forced IT security departments to find alternative means for protecting their systems and prompted a non-Microsoft developer to create a patch that others could use. All of this serves to damage Microsoft's reputation as a company that can secure its own products - a reputation that only recently was beginning to improve after years of being dragged through the mud.

Experts are divided over whether it's wise to use Ilfak Guilfanov's Hexblog patch to fix the WMF vulnerability, which could allow attackers to use WMF images to execute malicious code on their victims' computers. Some say it's a necessary measure to protect systems until the official Microsoft patch arrives; others say it's not worth the extra work to patch twice or to take the risk of using a third-party fix.

"We're advising against this third-party patch," says Gartner VP and research fellow John Pescatore. Even if the patch works perfectly, users will have to modify their Windows environments when they deploy the patch, and then uninstall the patch by next Tuesday, leaving two opportunities for something to go wrong. Gartner advises that companies should employ workarounds that ensure that their URL-blocking capabilities are up to date, that all WMF files are blocked, and that they expedite testing and deployment of Microsoft's patch when it becomes available.

But the SANS Institute's Internet Storm Center recommended Tuesday that users not wait for Microsoft's fix, but unregister a vulnerable Dynamic Link Library, or DLL - executable program modules in Windows - and apply Guilfanov's patch.

Either way, the WMF vulnerability has been widely acknowledged as a major security threat. The vulnerability is already being exploited, and Symantec has raised its ThreatCon to a Level 3, out of four. The company, which last placed a ThreatCon Level 3 in July 2004 because of MyDoom.M, has expressed concern over the window of time Microsoft has allowed between discovery of the vulnerability and the planned issuance of a patch. Symantec recommends that companies instruct their users to avoid opening unknown or unexpected E-mail attachments or following Web links from unknown or unverified sources, and turn off preview features on E-mail programs to prevent infection from HTML E-mails.

The WMF vulnerability affects a number of different versions of Windows XP, Server 2003, ME, 98, and 2000, as well as some versions of Lotus Notes. Microsoft claims, via its Security Response Center blog, that the company is continuing to work on finalizing a security update for the vulnerability in WMF. In the blog, Security Response Center operations manager Mike Reavey acknowledges that in Microsoft's effort to "put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site." Microsoft is recommending its customers disregard the posting and wait until a fully tested patch is issued next week.

Microsoft's response to the vulnerability has been particularly poor, says the assistant VP of IT security for a global financial-services firm. While Microsoft has chosen to patch the WMF vulnerability during its normal Patch Tuesday download, this comes well after it should have. "They have historically released patches on special occasions, and this is clearly one of those occasions," she says, preferring to speak anonymously on the topic of an unpatched vulnerability. She added that her company has "wasted countless man-hours" to mitigate the chance of being hit by an exploit, but that no amount of workarounds can fully replace a patch from the vendor.

Third-party patches are not a new concept, but the one issued for the WMF vulnerability is particularly troubling because it raises the question of why Microsoft couldn't issue its own patch in a timely fashion. In fact, the availability of Guilfanov's Hexblog patch makes Microsoft look even worse, the financial-services assistant VP of IT security says. "If a third party can put out a stable patch, Microsoft should have been able to," she adds. "It shames Microsoft."

While the popular Hexblog patch - Guilfanov's Web site was down on Wednesday morning, possibly because of bandwidth issues - is by all appearances a solid piece of coding, the financial-services firm won't download the patch because of the risk of implementing a patch that's not been properly tested, "which it isn't because it's not coming from Microsoft," the assistant VP adds.

As long as Windows systems remain unpatched, companies are at risk for WMF exploits whenever their employees browse the Internet. "There's no way for you to know whether a site is dangerous for a WMF exploit," says Ken Dunham, director of VeriSign iDefense's rapid response team. Even if companies set their defenses to strip out all executable files from incoming E-mails and instant messages, attackers can disguise their executables to look like a JPG or GIF file. As of Jan. 2, VeriSign iDefense had found at least 67 hostile sites containing exploits against the WMF vulnerability, and the company is investigating another 100 sites.

When users visit these malicious sites, their computers can be infected with Trojans, adware, spyware, or files that use them as a base for sending out spam to other computers. Unlike the Sober worm, which spreads spam with politically charged messages but tends not to damage systems, WMF vulnerability-inspired spam is much more malicious. VeriSign iDefense captured a WMF culprit on Dec. 28 that used the output.gif file to spam messages over the Internet from a company called Smallcap-Investors, which promotes a Chinese pharmaceutical company called Habin Pingchuan Pharmaceutical. The spam message was sent out as a GIF file in an apparent attempt to evade spam filters. Using spam as the underpinning of a stock "pump and dump" scheme, Smallcap encouraged users to buy cheap stocks. As is typical in such a ruse, once the fraudster has raised the value of the stock, he or she sells off the stock, making it worthless to the victims who've been duped into investing.

Another WMF exploit came in the form of the HappyNY.a worm, which looks to a user like a JPG file but is actually a malicious WMF file. The HappyNY.a worm contains Nascene.C code, which attempts to exploit the WMF vulnerability and fully compromise a user's computer.

If users come to depend too much on third-party patches to avoid such scams, it could set a dangerous precedent for security. "You'll see phishing E-mails that say they offer volunteer patches," Pescatore says. "If people start using these sites that are not from a vendor, this could be a whole new problem."

Concerns over the proliferation of Microsoft-based phishing scams come as an Iowa man recently pleaded guilty to computer fraud charges arising from a phishing scheme conducted from January 2003 through June 2004 on Microsoft's MSN Internet service. The scam involved sending E-mail falsely claiming that MSN customers would receive a 50% credit toward their next bill.

Meanwhile, the buzz around the WMF vulnerability has helped eclipse concerns over the upcoming Sober worm threat. "All of the antivirus guys have put out their signature updates" for the latest incarnation of Sober, and "the payload has been analyzed, so you know what DNS servers it's going to call," Pescatore says. The most important things for IT security professionals to realize are that there is a patch for Sober and that, while the attacks will start by Jan. 5, there will likely be new variants of Sober each subsequent week.

On Jan. 5, the code contained in the Sober worm will start updating and sending itself out to thousands, if not millions, of computers, adds Dunham. So far, the Sober attacks have been motivated more by spreading political and social messages than by delivering malicious payloads. "Sober has the ability to download code, but the attackers haven't done this," he adds. "Instead, they use it to send spam and clog E-mail servers and promote their agenda."

Signature-based antivirus programs won't have any problems detecting known variants of Sober. New variants will prove a bit trickier, and companies should make sure executable and JPG attachments are stripped out of E-mails traversing their networks, says Shane Coursen, a senior technical consultant for antivirus software maker Kaspersky Lab. For this latest generation of Sober, companies will rely less on signature-based antivirus defenses and more on those that employ heuristic routines that flag strange behavior on the network.

From isn at c4i.org Mon Jan 9 04:36:24 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:36:24 -0600 (CST)
Subject: [ISN] BlackBerry squeezed by DoS security bugs
Message-ID:

http://www.theregister.co.uk/2006/01/04/blackberry_security_bugs/

By John Leyden
4th January 2006

Research In Motion (RIM) has warned of a trio of vulnerabilities in its popular BlackBerry software that create a means for hackers to launch denial of service attacks.
Patches are available to defend against only one of the vulnerabilities, but RIM has issued advice on how to guard against attack from the other two.

The most serious unfixed risk stems from a flaw in processing Server Routing Protocol (SRP) packets. This security bug creates a possible means to disrupt communication between BlackBerry Enterprise Server and BlackBerry Router, potentially disrupting service. A separate unpatched security bug in the handling of malformed Tiff image attachments creates a means for a remote hacker to launch denial of service attacks against the BlackBerry Attachment Service, provided an internal user is duped into viewing malicious files on a BlackBerry handheld.

The vulnerabilities have been reported in BlackBerry Enterprise Server 4.0 as well as later versions. Domino, Exchange and Novell GroupWise versions of the platform are all affected.

Exploitation of the first vulnerability means a hacker needs to be able to connect to the BlackBerry Server or Router via port 3101/TCP. Shielding BlackBerry servers behind a firewall ought to thwart these attacks. Additionally, RIM advises users to exclude the processing of Tiff images as a workaround against the second threat, pending the availability of a more complete fix.

A third security bug - for which a fix has been made available - sees a BlackBerry handheld web browser vulnerable to a denial of service via a specially crafted Java Application Description (JAD) file. Users are advised to install BlackBerry device software version 4.0.2 or later to guard against attack.

Details of the vulnerabilities were outlined by FX of the Phenoelit group during a presentation at the 22nd Chaos Communication Congress in Berlin last week. US CERT has produced an overview of the vulnerabilities here.
In a statement, RIM said that it had "already developed software fixes for the issues identified by FX and, although there have been no customer reports of any actual problems, RIM has also provided temporary precautionary measures that can be taken in the meantime until customers are able to implement the software updates".

From isn at c4i.org Mon Jan 9 04:36:38 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:36:38 -0600 (CST)
Subject: [ISN] N.J. forms cyber-crime task force
Message-ID:

http://www.philly.com/mld/inquirer/news/local/13553073.htm

By Sam Wood
Inquirer Staff Writer
Jan. 05, 2006

Victims of computer crime now have a powerful ally in the State of New Jersey. The Attorney General's Office announced yesterday that a Computer Crime Task Force had been formed by merging the nationally known state police cyber-crimes unit with the office's computer analysis and technology unit. The unit is designed to track down such crimes as computer hacking and child pornography.

"The game plan is to pool training and experience that will lead to more prosecution of cyber crime in the state," said State Police Capt. Ken Schairer, who will be co-chief of the task force. The state police cyber-crimes unit initiated about 125 investigations in 2005 and made about 100 arrests, Schairer said.

The task force is made up of about 20 investigators, said Aurora Fagan, supervising deputy attorney general, who will also serve as co-chief. "There should be less overlap now that we're both aware of the investigations that we're both doing," said Fagan, who previously led the computer analysis unit in the Attorney General's Office. She said many computer crimes went uninvestigated because victims did not know where to report them.

-=-

More Information

To report cyber crime, call the Computer Crime Task Force at 1-888-648-6007.
To learn more about the task force or fill out an online incident form, visit www.cctf.nj.gov

From isn at c4i.org Mon Jan 9 04:37:21 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:37:21 -0600 (CST)
Subject: [ISN] RECON 2006 - Call for papers
Message-ID:

Forwarded from: Hugo Fortier

RECON 2006 - Call for papers - 06/01/06
Montreal, Quebec, Canada
16 - 18 June 2006

We are pleased to announce the second annual RECON conference, which will take place in Montreal from the 16th to the 18th of June 2006. We are looking for original technical presentations, in the fields of reverse engineering and/or information security. Presentations should last no longer than 50 minutes and be presented in English.

We will be accepting talk proposals until the 31st of March, 2006. All submitted presentations will be reviewed by the RECON program committee.

Preferred topics

Reverse engineering (Software, Protocols, Hardware, Social)
Exploit development and vulnerability assessment
Data analysis and visualization techniques
Crypto and anonymity
Physical security countermeasures
Cool network stuff

Please include the following with your submission

1) Speaker name(s) and/or handle
2) Contact information (Email and Cell phone)
3) Brief biography
4) Motivations for presentation (500 words max.)
5) Presentation abstract (500 words max.)
6) If your presentation references a paper or piece of software that you have published, please provide us with either a copy of the said paper or software or a URL where we can obtain them.

Please send the above information to cfp (at) recon.cx

RECON program committee

Cédric Blancher
Nicolas Brulez
Guillaume Duteille
Hugo Fortier
Jason Geffner
Ryan Russel
Mathieu Sauvé-Frankel

Visit http://recon.cx for more information.
From isn at c4i.org Mon Jan 9 04:37:36 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 9 Jan 2006 03:37:36 -0600 (CST)
Subject: [ISN] Web extra: DOD, orgs: SANS survey findings not dire
Message-ID:

http://www.fcw.com/article91890-01-09-06-Web

By Michael Arnone
Jan. 9, 2006

Survey respondents say several popular certifications don't prepare employees to handle information security as well as vendor-specific certifications do.

Providers of a number of popular information security certifications are calling findings from the SANS Institute survey a case of apples and oranges. SANS is a nonprofit training and education organization for security professionals.

The institute's survey finds that respondents with certifications from the Computing Technology Industry Association (CompTIA), the International Information Systems Security Certification Consortium - also known as (ISC)2 - and the Information Systems Audit and Control Association (ISACA) think that their training does not give them a strong advantage in performing hands-on security jobs. Those organizations' certifications don't improve holders' ability to protect computer systems as much as the SANS Institute's Global Information Assurance Certification and vendor-specific certifications do, said Alan Paller, SANS' director of research.

But officials with the other organizations said they are not surprised that SANS put its certifications ahead of theirs for hands-on security. The survey illustrates the division of emphasis among security certification providers, said Lynn McNulty, (ISC)2's director of government services. ISACA aims for IT security governance, McNulty said. CompTIA courts entry-level employees, and (ISC)2 concentrates on policy and management training. All three are vendor-neutral.
Certifications set a baseline of technical experience and knowledge, but holders must keep their skills current by other means to stay effective, said Everett Johnson, president of ISACA's International Board of Directors. The survey's findings indicate that "the certifications are doing the job they are intended to do," Johnson said. "The certifications are for different purposes." Paller said he is especially worried because the Defense Department requires its frontline information assurance employees to have those nontechnical certifications. DOD officials are confident in their choice of certifications, said Bob Lentz, director of information assurance in the DOD chief information officer's office. The department has codified security competencies for its IT security employees under Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management." Frontline security employees must have certifications from CompTIA or (ISC)2 but not SANS or vendors. "The key error is that [DOD officials] took security managers who never had hands-on security experience to design a security certification," Paller said. "If all you've ever done is write policy, how would you know what to do to secure a Unix box?" The required certifications are fine for low- and midlevel security employees, but SANS training should dominate the certifications that technical staff members receive, said Robert Ashworth, a contractor at Government Solutions Group working on information assurance at the Navy's Space and Naval Warfare Systems Command. Ashworth holds eight professional certifications, including (ISC)2's Certified Information Systems Security Professional (CISSP) and ISACA's Certified Information Security Manager. Under DOD's directive, someone with CISSP certification could get any technical or managerial position, even though CISSP should not qualify people for technical positions because it is more analytical, Ashworth said. 
Officials might have chosen CISSP because many people hold that certification, which could make it easier for DOD to fill positions, Ashworth said.

To improve frontline security, DOD and certification vendors must create progressively harder, platform-specific security tests to evaluate low-level security employees, Paller said. Once they do, Paller predicts that the rest of the government and industry will follow suit, improving security for everyone.

From isn at c4i.org Tue Jan 10 01:33:48 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:33:48 -0600 (CST)
Subject: [ISN] Ex-UD student faces hacking charges
Message-ID:

http://www.delawareonline.com/apps/pbcs.dll/article?AID=/20060109/NEWS/601090322/-1/NEWS01

By ESTEBAN PARRA
The News Journal
01/09/2006

A former University of Delaware student could face up to 36 years in prison on charges of hacking into a professor's computer to try to change an exam date.

Marc J. Simpson, of Toms River, N.J., is accused of using a software program that could spy on other computers via a wireless connection. The software, court documents said, gave Simpson the ability to gain his professor's password as the instructor typed it during a class. But in the end, UD police said, the 20-year-old's scheme was undone by an anonymous tip delivered the old-fashioned way -- on a piece of paper.

Simpson, who had been a computer engineering student, is charged with two counts each of identity theft, unauthorized access of a computer and misuse of computer system information. Simpson could not be reached, but his attorney, Mark D. Sisk, said his client is not guilty. UD spokesman Martin Mbugua said the school would not comment. The case is pending in Superior Court.

According to court records, several of associate professor Michael Shay's students complained after he scheduled a physics exam for Oct. 7, the same date as an exam another professor was giving. They asked Shay to reschedule his exam, but he refused.
A day before the test, however, students in the class received an e-mail from Shay's account telling them the exam had been rescheduled. Later that day, Shay found out what had happened. He tried to log on to his e-mail server three times, but discovered his password had been changed. He also saw that the class Web page had been accessed and edited to indicate the exam was rescheduled. With the help of the department's computer technician, Shay gained access to his account. But when he tried to correct the Web page, he found a code had been installed that changed it back to the altered version. The code eventually was disabled. Shay contacted the students, told them what happened and said the exam still would be Oct. 7. He also contacted university police, who determined Shay's account was accessed from a Comcast account in the 100 block of Main St. Then, on Oct. 19, Shay told police he received an anonymous letter that identified Simpson as the hacker and explained how he did it. "He obtained your password by running a program on his laptop during class that picks up keystrokes on linked computers," the letter said. "He linked his laptop to yours wirelessly and undetected during class and obtained your password while you were typing it." The letter also said Simpson, who was arrested last year, used a wireless network in the 100 block of Main St. Police said Simpson took a laptop to a restaurant and used a wireless network belonging to residents living above the business. This made it harder to trace the hacking, police said. The case occurred during what computer experts call the worst year ever for known computer-security breaches. At least 130 were reported, exposing more than 55 million Americans to potential identity theft. It is difficult to measure the actual number of break-ins, however, since many companies are unaware they were hacked. Those that disclosed breaches include Marriott International, Ford Motor Co. and Sam's Club. 
USA Today contributed to this article.

Copyright © 2006, The News Journal.

From isn at c4i.org Tue Jan 10 01:32:54 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:32:54 -0600 (CST)
Subject: [ISN] Web extra: DOD, orgs: SANS survey findings not dire
Message-ID:

Forwarded from: Dennis Kezer

SANS seems to have completely missed the part that says technical people must also be certified in the vendor specific technologies they support. The CAPS are from the guidance, not from me. They wisely chose not to attempt to list these out as there are so many vendors out there such a list would be all but impossible to compile or maintain.

C3.2.4.8.7. In addition to the baseline IA certification requirement for their level, IATs with privileged access MUST OBTAIN APPROPRIATE COMPUTING ENVIRONMENT (CE) CERTIFICATIONS for the operating system(s) they support as required by their employing organization. This requirement ensures they can effectively apply IA requirements to their hardware and software systems.

-----Original Message-----

Paller said he is especially worried because the Defense Department requires its frontline information assurance employees to have those nontechnical certifications. DOD officials are confident in their choice of certifications, said Bob Lentz, director of information assurance in the DOD chief information officer's office. The department has codified security competencies for its IT security employees under Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management." Frontline security employees must have certifications from CompTIA or (ISC)2 but not SANS or vendors.

"The key error is that [DOD officials] took security managers who never had hands-on security experience to design a security certification," Paller said. "If all you've ever done is write policy, how would you know what to do to secure a Unix box?"
Under DOD's directive, someone with CISSP certification could get any technical or managerial position, even though CISSP should not qualify people for technical positions because it is more analytical, Ashworth said. Officials might have chosen CISSP because many people hold that certification, which could make it easier for DOD to fill positions, Ashworth said.

To improve frontline security, DOD and certification vendors must create progressively harder, platform-specific security tests to evaluate low-level security employees, Paller said. Once they do, Paller predicts that the rest of the government and industry will follow suit, improving security for everyone.

From isn at c4i.org Tue Jan 10 01:33:18 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:33:18 -0600 (CST)
Subject: [ISN] Hackers use Yale name
Message-ID:

http://www.yaledailynews.com/article.asp?AID=31167

BY ROSS GOLDBERG
Staff Reporter
January 9, 2006

A forged Yale e-mail address has been used to spread a security exploit that infected over one million computers in the last two weeks, including some on the University network.

The exploit, which attacks a weakness in the Windows operating system, can allow hackers to remotely control a computer that downloads it. In one version circulating in the United Kingdom, victims are tricked into clicking on a link in an e-mail purportedly sent by a Yale professor. Yale Information Security Officer Morrow Long said the University received about 30 complaints from British citizens, but given that victims of hackers rarely bother to complain, many more were likely infected.

"We got some e-mails here from people who thought we were somehow behind it," Long said. "We weren't happy that we would have our name dragged through the mud in some major virus attacks."

The Yale forgery is one of more than 200 versions of the bug, which takes advantage of a vulnerability in the way computers render Windows Meta File images.
Several versions of WMF attacks -- though not the one using the University domain name -- successfully infiltrated about 10 Yale computers and attempted to infect 20 more, Long said. University officials first detected an attack on the network on Dec. 29, but Windows did not release a patch to fix the problem until a week later. Long said that given the exploit's severity, the computers could have been completely destroyed. "It's very critical," he said. "Basically, if somebody clicks on it, it can take over your system and do whatever it wants." Officials are urging students to download the patch with Windows Update to avoid a resurgence as they return to school. The Yale version of the bug is carried in an e-mail from a nonexistent "Professor Robert Gordens." The message announces that the University suffered graffiti damage and broken windows over New Year's, and it asks recipients to click on a link to see if they can "recognise [sic] the culprit's work." The link automatically downloads the exploit to victims' computers. Long said members of the Yale community are frequently sent e-mails with viruses attached from hackers forging the university domain name, but attacks on outsiders are unusual. Computer security experts said Yale may have been chosen due to its international prestige. "What you're trying to do in a social engineering attack is generate trust," said Alan Paller, director of research at the SANS Institute, which provides computer security training and research. "The idea of a university being a sleazy organization just doesn't compute in people's minds." Though no one at Yale has been linked to the WMF attacks in Britain, Paller said he hopes the incident will alert faculty to the dangers of reckless network use, which he said is a chronic problem on university campuses. "Probably the best effect is it will wake your faculty to the idea that they have a role to play here," Paller said. 
"When they don't keep their systems safe, they put the whole community at risk."

Paller said faculty usually resist attempts to secure their networks with Web site restrictions, but Yale Chief Information Officer Philip Long said Yale has introduced netblocks on the primary sites involved in the attacks. Since Jan. 1, administrators have also blocked all e-mails with "Happy New Year" written in the subject line to protect against another version of the exploit. Officials said they expect that the e-mail block likely thwarted a number of innocent e-mails.

"We knew it would affect people, but we weighted that against the risk of a lot of people getting infected," Morrow Long said.

But Philip Long said administrators were unable to filter data with ".wmf" file extensions -- a step that Paller said was essential but largely ignored by most universities.

Yale can take legal action against the hackers who forged its domain name, Morrow Long said, but law enforcement will likely be unable to identify the perpetrators given that the attacks cross several national boundaries.

From isn at c4i.org Tue Jan 10 01:33:33 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:33:33 -0600 (CST)
Subject: [ISN] Two new WMF bugs found
Message-ID:

http://www.networkworld.com/news/2006/010906-microsoft-wmf-bug.html

By Robert McMillan
IDG News Service
01/09/06

Just days after Microsoft patched a critical vulnerability in the way the Windows operating system renders certain types of graphics files, a hacker has published details of two new flaws that affect the same part of the operating system. The new vulnerabilities were posted to the Bugtraq security mailing list on Monday by a hacker going by the name of "cocoruder."
All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some computer-aided design applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts. That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch to the problem, ahead of its monthly security software update.

While the patched flaw was being exploited by attackers to take control of Windows machines, the latest vulnerabilities appear to pose the risk of simply crashing the WMF-viewing software, typically Internet Explorer. However, an attacker would first need to trick a victim into viewing a specially crafted WMF image in order for this to happen, security experts say.

The vulnerabilities can be found in a number of versions of Windows, including Windows XP, Service Pack 2, Windows Server 2003, Service Pack 1, and Windows 2000, Service Pack 4, according to cocoruder's Bugtraq posting.

Because of the inherent complexity of image formats, there are plenty of opportunities for attackers to find bugs similar to the two that were revealed Monday, said Russ Cooper, senior information security analyst for Cybertrust. Cooper said that the new WMF vulnerabilities are not a major cause of concern. "New malformed images that simply crash things aren't really that important unless they can be shown to cause code to execute," he said via instant message. "This is only getting any attention because it's WMF and Microsoft just released a WMF patch."

Johannes Ullrich, chief research officer for the SANS Institute, agreed that these types of image problems are fairly common, but he said that the fact that so many WMF vulnerabilities have popped up of late -- Microsoft fixed three other WMF bugs in November -- indicates that the software vendor could be doing a better job of predicting where its security problems might lie.
Microsoft should have been able to catch these latest flaws and fix them with its November patch, Ullrich said. "They really seem to have a problem thinking offensively," he said of Microsoft. "If you don't really look for these vulnerabilities with this offensive mindset, but if you instead look at it from a programmer's perspective ... you just don't find a lot of these things."

"Every month they have one or two image problems they fix," Ullrich added. "It's actually kind of surprising they don't get exploited more."

A spokeswoman from Microsoft was unable to provide comment for this story.

From isn at c4i.org Tue Jan 10 01:34:05 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 10 Jan 2006 00:34:05 -0600 (CST)
Subject: [ISN] ISPs told to help eradicate Sober
Message-ID:

http://news.zdnet.co.uk/0,39020330,39246203,00.htm

Tom Espiner
ZDNet UK
January 09, 2006

Infected PCs should be cut off from the Internet by their service providers, say some; AOL says it prefers to focus on prevention

ISPs were urged on Monday to check their user traffic patterns to locate and shut down machines infected with the mass-mailing Sober worm. Although Sober is no longer trying to replicate, antivirus company F-Secure believes ISPs must warn infected customers so they can disinfect themselves.

Infected PCs had been programmed to download new instructions from the Internet last week, which would have heralded another attack. As previously reported, this update did not actually appear online, but infected machines are still trying to download it.

"ISPs: we urge you to check your user traffic patterns. Locate the users that produce an unlikely large amount of constant hits to people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at and home.arcor.de. Contact these users and let them know they are likely to be infected with Sober and they should clean up their act," F-Secure said on its blog.
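The traffic-pattern check F-Secure describes, as an added example that is not F-Secure's or the article's code: it assumes a constructed log format of "timestamp client-ip destination-host" (one record per line) and flags clients whose hits to the listed update hosts cluster densely enough in time to look like the worm's polling rather than ordinary browsing. The hosts are the ones named in the quote; the threshold and window are assumptions.

```python
"""Flag ISP customers whose traffic pattern matches Sober's update polling.

Added example, not code from F-Secure or the article. Log format is a
constructed one: "<ISO timestamp> <client-ip> <destination-host>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts that Sober-infected machines kept polling, as listed by F-Secure.
SOBER_UPDATE_HOSTS = frozenset({
    "people.freenet.de", "scifi.pages.at", "home.pages.at",
    "free.pages.at", "home.arcor.de",
})


def parse_line(line):
    """Parse one constructed log line into (timestamp, client, host).

    Returns None for malformed lines so one bad record never aborts a scan.
    """
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].lower()


def find_suspects(lines, min_hits=20, window=timedelta(minutes=10)):
    """Return {client: hits} for clients with at least `min_hits` requests
    to the watched hosts inside some sliding window of length `window`.

    A few visits are normal (these are public hosting providers); a steady
    stream of hits is what the worm's update polling looks like. Threshold
    and window are assumed values, not F-Secure's.
    """
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, host = rec
        if host in SOBER_UPDATE_HOSTS:
            per_client[client].append(ts)

    suspects = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # Advance the window's left edge until the span fits in `window`.
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            suspects[client] = best
    return suspects


def build_sample_log():
    """Construct a small sample log: one infected-looking client, one benign."""
    base = datetime(2006, 1, 9, 8, 0, 0)
    lines = []
    # Infected-looking client: polls one of the update hosts every 15 seconds.
    hosts = sorted(SOBER_UPDATE_HOSTS)
    for i in range(40):
        ts = base + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 {hosts[i % len(hosts)]}")
    # Benign client: three visits spread over 40 minutes plus unrelated traffic.
    for i in range(3):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 home.pages.at")
    lines.append(f"{base.isoformat()} 10.0.0.9 www.example.com")
    lines.append("garbled line without enough fields")
    return lines


if __name__ == "__main__":
    for client, hits in find_suspects(build_sample_log()).items():
        print(f"notify {client}: {hits} hits to Sober update hosts within 10 min")
```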
Computers infected by Sober are likely to contain spyware, or could have been turned into zombie PCs and used to send spam or launch denial-of-service attacks. They could also download a Sober update in the future, sparking another mass-mailing attack.

F-Secure said ISPs should automatically let customers know they have been infected, and redirect users to sites so they can disinfect their machines. "Most affected computers belong to home users, who have no idea they've been infected. ISPs are in the best position to distinguish infected users," Mikko Hyppönen, director of antivirus research at F-Secure, told ZDNet UK.

"Service providers can automatically shut down a user connection, and specify that to get back online users have to follow certain steps, for example, by visiting the Microsoft site for the latest updates. ISPs can automatically shut down what they want, and can still connect users to Microsoft," said Hyppönen.

ISPs have an economic motive to overcome reluctance to inform users that their machines have been compromised, Hyppönen argued. "It might be hard for ISPs to find the motivation to do it, because it's a lot of work and a thankless job as no-one wants to hear they are infected. However, ISPs are losing money because of the huge amounts of traffic generated by infected machines," Hyppönen said.

But AOL said it would not be contacting users, as it put more emphasis on prevention of infection through email filtering, and blocking links to certain Web sites. Users who had been infected had access to McAfee antivirus services, AOL said.

"We have on occasion made outbound contact with members in specific situations, such as the Mydoom worm, but have no plans to do so in this instance as we focus our efforts on prevention," said Jonathan Lambeth, director of communications for AOL UK. "Our anti-spam systems, which block more than 1.5 billion spam emails each day, block a large number of emails containing links to the Sober virus in the first place.
Links are default-disabled on ema