From isn at c4i.org Wed Jul 5 01:08:46 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 5 Jul 2006 00:08:46 -0500 (CDT)
Subject: [ISN] IT security crucial to UAE
Message-ID:

http://www.khaleejtimes.com/DisplayArticleNew.asp?xfile=data/business/2006/July/business_July40.xml&section=business

BY JAMILA QADIR
2 July 2006

DUBAI - IT security is crucial to the UAE financial markets, as the financial sector in particular has always been a target for fraud worldwide, according to Khalfan Al Mazrouei, IT manager, Abu Dhabi Securities Market (ADSM).

The dramatic growth in Internet and email use has helped and hindered financial markets. Internet and email give investors instant access to financial markets all over the world. But both have also opened up new opportunities for hackers to exploit, he explained.

Pressures on security come from within a corporation as well as outside. Up to 70 per cent of all IT security fraud is internal. "No matter how advanced our systems are, we are always vulnerable," he said.

Since it was established in November 2000 ADSM has made IT security one of its top priorities as part of its international best practices programme. ADSM is playing a leading role in promoting security awareness across the market. It has already improved and broadened its trading and registry reporting services to shareholders through voice, Internet and mobile systems.

"We have also introduced e-trading for brokers. In fact, the majority of them now operate remotely which poses a huge security challenge for our IT systems. We have enhanced transparency by introducing International Financial Reporting Standards (IFRS) compliance and quarterly reporting from all ADSM listed companies."

The UAE is the first country in the Middle East to be awarded an XBRL (eXtensible Business Reporting Language) provisional jurisdiction. It allows companies to compile and publish financial data in a format that can be better understood and analysed than the current process.
This will enhance transparency in the market, he said. ADSM, with the UAE XBRL steering committee, has been instrumental in this move.

"We will be taking a lead in encouraging all UAE listed companies to adopt XBRL to improve both transparency and efficiency in the market. Our IT systems have had to evolve to deal with new office openings, a huge increase in the number of brokerage firms and new links with foreign exchanges."

National investors should be able to trade foreign stocks from ADSM. They should not have to expose themselves to the risk of trading directly on a foreign exchange, he said, adding that was the reason why ADSM has created links with other foreign exchanges.

"We currently have an electronic link with Muscat and we are introducing another one with Doha. We also have cross-listing agreements in place with the Cairo & Alexandria (CASE) and Khartoum exchanges. We look forward to further links with other exchanges in the near future," Al Mazrouei said.

The number of trades on ADSM this year goes up each month compared to 2005. Since the inception, it has opened four regional branches throughout the UAE and will be opening a further two this year. ADSM now has over 60 broker firms operating in its market. Almost half of these opened in the first quarter of this year alone, he said.

One of ADSM's current aims is to become the first exchange in the UAE to achieve ISO 17799 certification, which will enhance the security procedures between the brokers, registrars and investors, he added.

From isn at c4i.org Wed Jul 5 01:09:10 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 5 Jul 2006 00:09:10 -0500 (CDT)
Subject: [ISN] DEF CON 14: Speakers Selected and more.
Message-ID:

Forwarded from: The Dark Tangent

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey everyone, I want to make some announcements surrounding DEF CON 14. It's about that time to briefly lay down the inf0z, so here it goes.
- - Speakers have been selected, and are now listed on-line:
http://www.defcon.org/html/defcon-14/dc-14-schedule.html
They include an assistant Secretary of Defense, an FBI agent, Scary Hackers, privacy fanatics, security studs, and a hardware hacking ninja.

- - The con hotel is sold out, but overflow exists here:
http://www.defcon.org/html/defcon-14/dc-14-hotel.html

- - Need a ride or got a room to spare? Check out the ride and room section of the DEF CON Forums
https://forum.defcon.org/forumdisplay.php?f=26

- - There are a lot of new contests, and some old ones that are no more (We'll miss you WiFi Shootout!) I'd mention them all, but it takes up too much space. To get a good grip on what is happening I'd suggest reading the contest area of the forums:
https://forum.defcon.org/forumdisplay.php?f=102

- - Black and White Ball is two nights this year, with some great bands and DJs including Regenerator, The Minibosses, DJ Jackalope, Catharsis and DJ Wintamute.

- - DEF CON 13 Audio and Video is now on-line for DOWNLOAD. Yep, you saw that right. We are phasing out the real media server and going to download mode. The audio is in .mp3, and the video is in H.264 2-pass 192k .mp4, optimized for the iPod video screen size. Right now you gotta subscribe to the rss feed, but the web site will soon sport the direct links. We hope to have DC-12 on-line in the next week.
http://www.defcon.org/defconrss.xml

Notes:

This year we are at a new hotel, the Riviera. I did this because DEF CON was going to stagnate and die if it stayed at the Alexis Park any longer. The benefits of the new hotel are that the speaking rooms are larger, there is air conditioning, and we have room to grow. This year we get about 1/2 the space, and next year we should get 3/4 of the space. That extra room will allow us to offer break out classes, get togethers, and an additional track of speaking. Things we could only dream of before, but now are possible.
It will take us all a year or two to learn what to do with all the space, but those are the kinds of problems I can live with. Did I mention the sky boxes?

General hang out site: http://forum.defcon.org/

Remember DEF CON is what you make of it, and we have been lucky over the years to have a great group of people supporting us. The line up this year looks great, and the rest is up to us.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBRKW+ow6+AoIwjTCUAQL0Sgf/QNO9SSsS0rI+cMbqX9TzKGk3+m+NyHj2
z0bB2WCAWftMT75HECyw88npvqTB01sdZaj8SeDqFq0ghD8dHq9NYEJZLqtqtEKz
ry/2DKQhZe7gfhVWGtiYqAJF12yV4bPkKFhaD2bxFwY6GJx/OR00Ac5ylMC93/h6
GV7dx0IJfl6rDExQQ8asZXeGQ7j3a4Fnv6bvQp6C8OSc23ZpmGBGSeVzW1wHPn19
/EJyaBXnOcoVlG5gidgOwj8xkvkVthRAU7E0MS8JlhfrzRxBNFfHyqTfdYiSZ5mC
GvI5Q+yeAHX7TeUrg9yWMuXvPtFjDsk3P0+x6yxZxO339ZCWHVBiEQ==
=TYEC
-----END PGP SIGNATURE-----

From isn at c4i.org Wed Jul 5 01:09:37 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 5 Jul 2006 00:09:37 -0500 (CDT)
Subject: [ISN] IntellNet is back!
Message-ID:

Forwarded from: Brooks Isoldi

To all who may be concerned:

After a nearly 24 month hiatus, it is with great pride and honor that I announce the re-launch of IntellNet.org (http://www.intellnet.org).

Founded in early 2000 as a private project to more easily disseminate information, during the 4 years since its creation IntellNet proved itself to be a great source of knowledge.

With today's re-launch, The Intelligence Network will stand upon the shoulders of giants in order to see further and push higher; expanding upon the very foundations of the U.S. Open Source Intelligence (OSINT) community. Our potential knows no boundaries and can only ever be limited by our imaginations.

It is by no means a mere figure of speech that I referenced Sir Isaac Newton. It is with both humility and courage that we acknowledge those that not only came before, but after as well in what has become a global effort to achieve synergy with the flow of information.
In the coming months, we will unveil initiatives designed to enhance and develop current and new capabilities as well as extend our reach into both existing and uncharted territories. In line with these developments, I have placed the IntellNet website and The OSINT Group under the umbrella of The Intelligence Network where they will be autonomous divisions with similar methods and common goals. New divisions will be created as more initiatives are deployed and we will be increasingly in need of intelligent, savvy and thoughtful individuals to staff them.

Additionally, The Intelligence Network will maintain an open door policy to any similar organizations willing to collaborate, on any level, in order to further our common goals.

Please feel free to pass this email around and if there is anyone who wishes to contribute to the organization or has any questions or comments, please contact me.

Finally, it is with those predictions and self-imposed challenges that we invite you all to become loyal viewers and to make IntellNet what it once was.

Thank you.

Brooks Isoldi
The Intelligence Network

From isn at c4i.org Wed Jul 5 01:10:05 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 5 Jul 2006 00:10:05 -0500 (CDT)
Subject: [ISN] ITL Bulletin for June 2006
Message-ID:

Forwarded from: Elizabeth Lennon

ITL Bulletin for June 2006

DOMAIN NAME SYSTEM (DNS) SERVICES: NIST RECOMMENDATIONS FOR SECURE DEPLOYMENT

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Domain Name System (DNS) services have an important function in helping users readily access the many resources that are available through the Internet. DNS services make communications convenient for the user by translating the unique resource identifier that is known as the Internet Protocol (IP) address into a domain name that is easy for the user to remember.
The IP address to which a user wishes to be connected is represented by four groups of numbers separated by dots, such as 123.67.43.254. The computers in the network route communication packets across the Internet based on the IP addresses of the packets. However, when accessing websites and using e-mail services, the user can simply employ a domain name such as nist.gov, which is easier to remember than the full IP address. The DNS transforms human-readable domain names into machine-readable IP addresses and also does the reverse process, taking a query with an IP address and returning the domain name associated with it.

The DNS infrastructure, which carries out the domain name translation, is made up of computing and communication entities that are geographically distributed throughout the world. There are more than 250 top-level domains, such as .gov and .com, and several million second-level domains, such as nist.gov and ietf.org. As a result, there are many name servers in the DNS infrastructure that contain information about only a small portion of the domain name space. The different servers work together to provide DNS services. The domain name data provided by DNS is intended to be publicly available to any computer located anywhere in the Internet.

While DNS services are not the primary target of most attacks on information systems today, the DNS infrastructure is expected to become more vulnerable as more applications use DNS for network operations. NIST's Information Technology Laboratory (ITL) has developed guidance to help organizations protect their DNS components, prevent possible future attacks on domain name information, and maintain the availability of DNS services and data.
NIST Special Publication (SP) 800-81, Secure Domain Name System (DNS) Deployment Guide

NIST SP 800-81, Secure Domain Name System (DNS) Deployment Guide, presents NIST's recommendations to help organizations analyze their operating environments and the threats to their DNS services, and to apply appropriate risk-based security measures for all DNS components. Written by ITL's Ramaswamy Chandramouli and Scott Rose, the publication provides guidelines for the secure deployment of each DNS component through the use of configuration options and checklists that are based on policies or best practices. Development and publication of the guide were carried out in collaboration with the Department of Homeland Security (DHS).

NIST SP 800-81 explains the structure and operations of DNS data, software, and transactions and discusses the threats, the security objectives, and the security approaches that can be employed. Extensive guidance is provided on maintaining data integrity and performing source authentication, and on configuring DNS deployments to protect the availability of DNS services and prevent denial of service attacks. Other topics covered include how to secure DNS query and response activities, how to minimize information exposure through DNS data content control, and how to maintain secure operations. The appendices explain the technical terms and the acronyms used in the publication and contain extensive references to publications and websites with additional information.

The publication is available on NIST's web pages at: http://csrc.nist.gov/publications/nistpubs/index.html.

The Domain Name System Infrastructure

The Domain Name System is composed of several components. Users enter domain names to access Internet resources, through a program such as a web browser. The browser calls the DNS to provide the IP address for the appropriate web server and web page.
This function of mapping domain names to IP addresses is name resolution, and the client system uses the DNS protocol to perform the name resolution function. The DNS has a data repository where the domain names and their associated IP addresses are stored. Software manages this data repository, which may be distributed, and provides name resolution service. This function is the name server. The function, which accesses the services provided by a DNS name server on behalf of user programs, is called the resolver.

The DNS infrastructure is composed of the communication protocol, the various DNS components, the policies governing the configuration of these components, and procedures for creation, storage, and usage of domain names.

Securing the Domain Name System

The primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and to maintain the integrity of domain name information in transit. The availability of DNS services and data is also very important; DNS components are often subjected to denial of service attacks intended to disrupt access to the resources whose domain names are handled by the attacked DNS components. Misdirection of DNS data to a malicious site is another major security concern.

DNS Vulnerabilities

The DNS is susceptible to many of the same vulnerabilities as other distributed computing systems. These include vulnerabilities at the platform, software, and network levels. For most distributed systems, the security objectives of confidentiality, integrity, and availability of information apply. A loss of confidentiality is the unauthorized disclosure of information. A loss of integrity is the unauthorized modification or destruction of information. A loss of availability is the disruption of access to or use of information or an information system.
However, because the DNS serves as an infrastructure system for the global Internet, it has the following special characteristics not found in many distributed computing systems.

* There are no well-defined system boundaries. Participating entities are not subject to geographic or topologic confinement rules.

* There is no need for data confidentiality, one of the three security objectives for information. Public DNS data should be accessible to any entity regardless of the entity's location or affiliation.

Because of these special characteristics, conventional network-level attacks, such as masquerading and message tampering, and attacks that tamper with the integrity of the hosted and disseminated data, can have significant functional impacts on the entire Internet and on its users. For example, a masquerader who spoofs the identity of a DNS node can deny access to services to the entire collection of Internet resources for which the node provides information. All of the domains served by the node would be affected, and the denial of service would impact all clients needing access to the resources.

False DNS information provided by a masquerader or intruder can corrupt the information cache of the DNS node providing that subset of DNS information. The name server providing Internet access service to the organization's users would be affected, and all users would be denied services and access to the resources provided by the server.

When the integrity of DNS information is attacked, the entire information retrieval process would be broken. The information maintained by the authoritative system or the information cache of an intermediary that has accumulated information from several historical queries would be affected. This situation can cause a denial of service for the DNS name resolution function or a misdirection of users to the wrong resources.
If the name resolution data hosted by the DNS system is inaccurate, there could be an increased workload on the DNS system or the provision of obsolete data that could result in denial of service to Internet resources. For most software, such as conventional database management systems (DBMS), the independence of the program data acts as a buffer to protect against the adverse impacts due to erroneous data. In the case of DNS, the data content determines the integrity of the entire system.

NIST Recommendations

NIST recommendations to protect DNS information are based on specifications developed by the Internet Engineering Task Force (IETF), an open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. See the More Information section below for information about the IETF's Domain Name System Security Extensions (DNSSEC) specifications, Transaction Signature (TSIG) specification, and for a link to IETF web pages.

Because of the functional impacts of attacks on the DNS, NIST recommends that organizations take the following actions to protect their DNS services:

* Implement appropriate system and network security controls for securing the DNS hosting environment, such as operating system and application patching, process isolation, and network fault tolerance.

* Protect DNS transactions such as the update of DNS name resolution data and data replication that involve DNS nodes within the organization's control. The transactions should be protected using hash-based message authentication codes based on shared secrets, as outlined in the IETF TSIG specification. Message authentication codes (MACs) are cryptographic functions that provide assurance to the receiver of data that the sender of the data is truly the sender and that the data has not been modified since it was authenticated.
A hash function is a one-way function that produces a short representation of a longer message and is used to determine whether or not data has been changed after it was transmitted.

* Protect the ubiquitous DNS query/response transaction that could involve any DNS node in the global Internet using digital signatures based on asymmetric cryptography, as outlined in IETF's DNSSEC specification.

* Enforce content control of DNS name resolution data using a set of integrity constraints that are able to provide the right balance between performance and integrity of the DNS system.

NIST recommends that organizations secure their DNS name server through the deployment of the DNSSEC for zone information. A zone may be either an entire domain or a domain with one or more sub-domains. A zone is a configurable entity within a name server under which information on all Internet resources pertaining to a domain and a selected set of sub-domains is described. Zones are administrative building blocks of the DNS name space, just as domains are the structural building blocks.

Protection approaches for DNS software include choice of version, installation of patches, running the version with restricted privileges, restricting other applications in the execution environment, dedicating instances for each function, controlling the set of hosts where software is installed, placing the software properly within the network, and limiting information exposure by logical/physical partitioning of zone file data or running two name server software instances for different client classes. The latest version of name server software should be used.

Organizations should:

* Install a DNSSEC-capable name server implementation.

* Check zone file(s) for any possible integrity errors. NIST SP 800-81 details the technical steps that a DNS administrator can take in generating a zone file to keep network exposure to a minimum. This process should be done prior to signing a zone to authenticate security.
Network information that should be kept absolutely private should not be published in DNS at all.

* Generate an asymmetric key pair for each zone and include them in the zone file. The DNSSEC specifies generation and verification of digital signatures using asymmetric keys. This requires generation of a public key-private key pair. Although the DNSSEC specification requires the use of just one key pair, experience from pilot implementations suggests that at least two different types of keys are needed for easier routine security administration operations such as key rollover (changing of keys) and zone re-signing. NIST SP 800-81 provides guidance on the use of NIST-approved algorithms for digital signatures and for hash algorithms to be used as part of the algorithms suite for generating digital signatures.

* Sign the zone. The process for signing a zone file consists of generating a hash, generating a signature, and capturing the signature information in a file.

* Load the signed zone onto the server.

* Configure name servers that deploy DNSSEC-signed zones or query-signed zones to perform DNSSEC processing.

NIST SP 800-81 discusses the mechanisms involved in the DNSSEC approach, the operations that those mechanisms entail, and a secure way of performing those operations by using checklists.

Other NIST recommendations deal with the basic steps of DNSSEC deployment for caching name servers.

* Install a DNSSEC-capable resolver implementation.

* Obtain one or more trust anchors for zones that the administrator wants to be validated. Until all zones become signed zones, there could be a situation in which a zone is signed but its parent zone is not signed. A chain of trust should be established through all of the zones in the DNS tree to assure the authenticity of the public key of a zone signer.

* Configure the resolver to turn on DNSSEC processing.

Other recommendations in the guide deal with the secure configuration and the operations of name servers.
More Information

NIST recommendations for securing the DNS are based on the following primary security specifications that were developed by the IETF, an open international technical group:

* Internet Engineering Task Force (IETF) Domain Name System Security Extensions (DNSSEC) specifications, covered by Request for Comments (RFCs) 4033, 4034, 4035, and 3833; and

* IETF Transaction Signature (TSIG) specifications, covered by RFCs 2845 and 3007.

Documents produced by the Internet Engineering Task Force are referenced in Appendix C of NIST SP 800-81. General information about IETF is available at http://www.ietf.org/.

The IETF community's ultimate goal is for DNSSEC to be fully deployed across the entire domain tree on the infrastructure side, and implementation in applications that can demand the services provided by DNSSEC. At present, there are no operational nodes in the DNS domain tree that provide DNSSEC capabilities. The first step towards full deployment is to provide DNSSEC capability for domain sub-trees that have high security needs. Once DNSSEC capabilities become widely available in the infrastructure, application developers will be able to develop DNSSEC applications and use DNSSEC as a means for network security. In the future, all DNS name servers and clients should be able to perform at least some of the operations detailed in the DNSSEC specifications and in NIST SP 800-81.

NIST publications assist organizations in planning and implementing a comprehensive approach to IT security. For information about NIST standards and guidelines that are referenced in the DNS guide, as well as other security-related publications, see http://csrc.nist.gov/publications/index.html. Recent standards and guidelines of particular interest to the federal community address the process that federal agencies should apply in determining appropriate and effective security controls for their systems.
Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, specifies the minimum security requirements for information and information systems in seventeen security-related areas. Federal agencies must meet the minimum security requirements through the use of the security controls in accordance with NIST SP 800-53, Recommended Security Controls for Federal Information Systems. NIST SP 800-53 has been revised to include safeguards and countermeasures for information systems that reflect the state of the practice, including DNSSEC. Information about the proposed revision and the public review period is available from the NIST publications website.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

From isn at c4i.org Wed Jul 5 01:10:22 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 5 Jul 2006 00:10:22 -0500 (CDT)
Subject: [ISN] Companies safeguard against growing risk of laptop 'dumpster-diving'
Message-ID:

http://www.palmbeachpost.com/business/content/business/epaper/2006/07/02/a1f_Laptops_0702.html

By Stephen Pounds
Palm Beach Post Staff Writer
July 02, 2006

Laptops have become the latest loose-lipped losers of personal and corporate data.
The electronic documents opened on a stolen laptop computer can jeopardize sensitive corporate and personal information and force firms to issue embarrassing statements to those who might be harmed by the data breach.

Now high-tech managers are looking to reduce their risk of data loss - not to mention damage control - resulting from pilfered notebook PCs tethered to company mainframes and critical servers.

"Companies go into crisis mode," said Pete Nicoletti, vice president of secure information systems at Terremark Worldwide Inc., a network services and real estate company in Miami. "With interconnected networks, the entire world can dumpster-dive in your computers."

Today's laptops are lighter, cheaper and more powerful than ever before. With a wireless Internet card, users can access the Web from anywhere, making them ideal for remote work from home or while traveling. But that same portability has made them more attractive to thieves.

In the past year, business and government laptops have been yanked from homes, cars, aircraft and hotel rooms or lost to owner fumble-itis in 29 instances, says the San Diego-based Privacy Rights Clearinghouse. Those losses put the personal information of tens of millions of people at risk.

In one of the largest data breaches ever, a laptop carrying the personal information of 26.5 million veterans discharged since 1975 was stolen in May from the home of a Department of Veterans Affairs analyst. The VA announced Thursday the laptop has been recovered, with no evidence of identity theft.

And just last month, the Federal Trade Commission, the government's standard-bearer against data theft, revealed that two laptop computers containing personal and financial data it had gathered in investigations on 110 people had been stolen from an employee's car.

"Laptops are a significant (cause) of data theft," said Beth Givens, director of the Privacy Rights Clearinghouse.
"It is symptomatic of people taking their work with them everywhere they go." If data has been compromised, 24 states require companies to notify those who could be harmed; eight more states have enacted laws that will go into effect in the next six months. All of this is forcing tech managers to bolster laptop security. First, they are training employees on laptop management, starting with common sense: Employees are to carry their laptops at all times or to lock them up. After a data breach last November involving a stolen laptop with data on 160,000 employees at the Boeing Co. in Chicago, the company began requiring human-resource and payroll employees who take a laptop home or on travel to physically lock them to a desk while using them. The company also has begun random audits of laptops to check for old and forgotten data files. "If you have information on your laptop, it should be encrypted and the computer is supposed to be secured," said Boeing spokesman Tim Neale. Companies also are disabling extra USB ports and writeable CD-ROM drives to keep employees from copying information to thumb drives, compact disks and other portable storage devices. They are restricting some files only to their secure networks and banning employees from taking pictures of documents with camera phones. And if a laptop is stolen, they are to report it to the company and to authorities immediately, said Bob McConnell, a security consultant who worked with Alpharetta, Ga.-based ChoicePoint Inc. last year when the data broker suffered a major breach of its databases. "Almost all companies that travel will have to become sensitive to it because of what they've seen in the media," McConnell said of laptop security. "They can't afford the fallout of compromised data." Damage control could be costly and distracting. Already, the VA has spent $14 million just to notify veterans of the breach. 
The government also has agreed to provide free credit monitoring to the veterans whose personal information may have been compromised, a move expected to cost millions more. Even so, five veterans groups have filed a class-action lawsuit seeking damages for violation of privacy.

A report last year by the Elk Rapids, Mich.-based Ponemon Institute found it costs a company about $5 million to notify victims of a data breach, or about $138 a victim. It can be much more for firms such as data brokers and banks and financial services.

But the real loss may be in disenchanted customers. Even when companies made the effort to notify consumers of a data breach, 19 percent of survey respondents said they would discontinue their business with the company, or already had, the Ponemon study showed.

"Customers may churn rather than work with a company that has a bad reputation. A data breach is a signal that a company is just not well-controlled," said Larry Ponemon, the firm's chairman.

Some companies say the best way to protect data is to take the risk out of employees' hands. They have added more layers of laptop access control, allowing sensitive data to leave the building with only a chosen few.

If employees are authorized remote access to a company's computer network, they'll need either a password, smart card, rolling digital number from a key fob, biometric identification such as a thumbprint, or more than one of these to get in.

"If you don't have a password, you can't get the laptop up and running," said Jacob Rice, a spokesman for Siemens Communications Inc. in Boca Raton. "You need another password to get into the VPN."

A VPN, or virtual private network, allows companies to transmit data across a public network such as telephone lines or the Internet using encryption and other security mechanisms to protect it.

Interfuse Technologies Chief Executive Phil Viscomi is a believer in encryption.
His Boca Raton-based company sells a software program that not only encrypts a document or e-mail but restricts the receiver from copying it, cutting and pasting parts of it to another document, or disseminating it. With Interfuse's OfficeLock program, data is scrambled and transmitted to someone collaborating with the sender. But the receiver must have decoding software and a password to unscramble it. After reading it, he is simply restricted to closing it. "If you lose your laptop, the information becomes inaccessible," Viscomi said. "Data is meant to be shared. It's normal... to send information to the wrong person. But they won't be able to use it." One Interfuse customer, Verasys Inc. of Miami, uses encryption software but also recommends clients consider it as an extra layer of protection to access control by passwords and biometric means, said Verasys partner D.C. Page. "Once you check your thumbprint or iris, you've opened the door. It doesn't go far enough. It's at the perimeter. You still need to communicate securely," Page said. Despite these measures, most tech managers don't think their companies are meeting the computer security threat adequately. In a survey by Deloitte & Touche USA LLP of 150 chief security officers from technology, media and telecommunications companies in 30 countries earlier this year, only 4 percent said they believe they are doing enough to address the problem. Still, 74 percent said they would spend more time dealing with information security in the next year because of stiffer privacy regulations in many states. Stacy Cannady, director of client security for Raleigh, N.C.-based Lenovo Group, said tech managers opted for free encryption software off the Internet a year ago. But lately, they've switched to multi-level laptop security that includes a combination of file, hard-drive and operating-system encryption after many states demanded public notification of personal data breaches. "No business wants that. 
It's a huge expense," Cannady said. "Customers don't trust you. The press is all over you. And you look like an idiot." From isn at c4i.org Wed Jul 5 01:10:35 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 5 Jul 2006 00:10:35 -0500 (CDT) Subject: [ISN] VA Laptop Sold From Back of a Truck Message-ID: http://redtape.msnbc.com/2006/07/what_happened_t.html By Bob Sullivan July 3, 2006 We have a few more details on what happened to the nation's most famous runaway laptop computer during those mysterious two months it was missing, courtesy of NBC's Pete Williams. We're talking about the computer and hard drive that were stolen from a Department of Veterans Affairs employee in May, an incident that made headlines because the hardware contained private information on 26.5 million veterans and current GIs. Last week, VA chief Jim Nicholson announced in dramatic fashion [1] that the prodigal computer had been found, but details about the return were sparse. NBC's Williams has been able to fill in some of the blanks after talking to law enforcement officials investigating the incident. Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near a subway station outside the Beltway near Wheaton. We're talking about the kind of market that is literally run out of the back of a truck, one official said. Fortunately, a buyer purchased both components at this black market, keeping the missing hardware together. The male buyer, who has not been publicly identified, later spotted fliers posted at a nearby supermarket seeking the return of the equipment. After matching the serial numbers on the flier with those on the equipment, the buyer decided to turn in the equipment. No doubt, a posted $50,000 reward helped encourage that decision. He had a friend in the U.S. Park Police who brokered the exchange with the FBI, Williams was told. 
At that point, the FBI ran forensics tests on the equipment and concluded the sensitive data - such as veterans' Social Security numbers -- had not been accessed. (Read more details about those tests here). Knowing more about the secret life of the disappearing hardware should make veterans a little more comfortable that their personal information was not compromised during the incident. But not all questions have been answered yet. The obvious missing puzzle piece is this: How did the hardware get from the VA employee's home in Aspen Hill, Md., to the back of a truck in Wheaton, about 4 miles away? And what happened during the trip? [1] http://www.msnbc.msn.com/id/13613727/

From isn at c4i.org Wed Jul 5 01:10:49 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 5 Jul 2006 00:10:49 -0500 (CDT) Subject: [ISN] State's laptops vulnerable? Message-ID: http://www.columbusdispatch.com/news-story.php?story=dispatch/2006/07/03/20060703-C1-00.html By Randy Ludlow THE COLUMBUS DISPATCH July 03, 2006

Data thieves don't always sneak in through a digital back door. Sometimes, their work is decidedly low-tech, such as strolling through a real door and snatching a laptop computer. In Ohio, some state agencies and universities appear to be lagging the technological curve as the federal government tightens the security of data on portable computers. The feds' action was prompted by the lifting of a laptop and external hard drive, recovered last week, that held the Social Security numbers of about 26.5 million military veterans. New security guidelines require civilian agencies to encrypt sensitive data to make it nearly impossible to steal identities should laptops and handhelds disappear. Among a sampling of state agencies handling personal information on millions of Ohioans, only the Department of Taxation boasts of nearly impenetrable data encryption. The Department of Job and Family Services and Department of Administrative Services are planning to encrypt data, but are not there yet. Ohio State University and Ohio University also do not use scrambling software on portable devices, but appear to be on the verge. Securing portable data appears to have evolved slowly in Ohio, said Marc Mezibov, a Cincinnati lawyer who is suing OU and the Department of Veterans Affairs over data thefts. "I'm sure there will be a lot of finger-pointing and wondering why some of these institutions and organizations are behind the curve," he said. State agencies and contractors have been handed a financial incentive to encrypt data under a state law that took effect early this year. They can escape mandatory, costly notification of data-theft victims if the data is encrypted. The Ohio Office of Information Technology prescribes minimum security standards for state computers and encourages that they be exceeded, but does not require the use of encryption software. With Social Security numbers and employment, investment and income information, the tax collectors hold the most far-reaching personal information of any agency. The data, says taxation spokesman Gary Gudmundson, is encrypted with state-of-the-art software on both servers and laptops, and is considered virtually hack-proof. Four state laptops used by taxation employees were stolen during the past three years, but only one contained data on individual taxpayers, he said. That computer held information on an audit of one taxpayer, but it was deemed inaccessible because of encryption, he said. The Department of Job and Family Services works with personal data involving welfare, Medicaid, child-support and unemployment recipients. Plans call for installing data-encryption software on portable devices before the end of the year, spokesman Dennis Evans said. Only one department laptop with personal information - on 20 Medicaid recipients - has been stolen.
It was taken from an employee's car in December 2004, prompting a directive not to leave computers in vehicles, he said. The Department of Administrative Services functions as the centralized human-resources office for the state and handles other sensitive material involving state contracts and bidding. It, too, is moving to add encryption software to its list of security features protecting laptops, said spokesman Ben Piscitelli. No computers with personal data have gone missing. Ohio State and OU do not require encryption software to protect sensitive information on laptops, but are studying a move toward such protection, officials said. OSU is working with a consortium of Big Ten and other universities to identify best practices, likely to include stepped-up security, said Robert Kalal, director of information technology policy and services. OU has made headlines with a series of computer security breaches in which hackers stole vast amounts of personal information, including Social Security numbers on more than 173,000 students, alumni, faculty and others. Neither university has experienced the theft of laptops containing personal data, officials said. What about the Bureau of Motor Vehicles and its voluminous files on drivers and online vehicle registrations involving banking information? The bureau does not allow any sensitive information to be stored on laptop computers or other portable devices, spokesman Fred Stratmann said. From isn at c4i.org Wed Jul 5 01:11:35 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 5 Jul 2006 00:11:35 -0500 (CDT) Subject: [ISN] REVIEW: "Practical VoIP Security", Thomas Porter et al Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" BKPVOIPS.RVW 2060602 "Practical VoIP Security", Thomas Porter et al, 2006, 1-59749-060-1, U$49.95/C$69.95 %A Thomas Porter %C 800 Hingham Street, Rockland, MA 02370 %D 2006 %G 1-59749-060-1 %I Syngress Media, Inc. 
%O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 amy at syngress.com %O http://www.amazon.com/exec/obidos/ASIN/1597490601/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1597490601/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1597490601/robsladesin03-20 %O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation) %P 563 p. %T "Practical VoIP Security" VoIP (Voice over Internet Protocol) is something of the new kid on the technology block, and computer folks may have limited experience with telephony. It therefore seems a bit strange that chapter one, as an introduction to VoIP security, starts out by talking about computer security and attacks. However, the structure of the book is rather odd in any case. The basics of telephony, and the Public Switched Telephone Network (PSTN), are not covered until chapter four. Even then, while there is some useful trivia, most of the content is a list of telephony protocols. Chapter three covers some of the basic hardware and element information, discussing PBX (Private Branch eXchange) systems, VoIP components, and even power supplies. That material, in turn, would be helpful to those who try to understand chapter two, which is supposed to be about the Asterisk PBX software package. Although the text purports to deal with configuration and features of Asterisk, most of the section's content covers PBX operations and functions, dial plans, telephony numbering plans, and even a terse piece on the vital aspect of circuit versus packet switching. With chapter five, the book moves into some of the specifics of VoIP, discussing H.323, a protocol to specify data formats that is used extensively in commercial IP telephony products. SIP, the Session Initiation Protocol (used to negotiate interactive sessions over the net), gets a more detailed treatment (along with examination of related protocols) in chapter six. 
Other IP telephony architectures are briefly listed in chapter seven: the very popular Skype, H.248, IAX (Inter Asterisk eXchange), and Microsoft's Live Communications Server 2005 (MLCS). Diverse protocols used in support of VoIP are discussed in chapter eight. Most of these are commonly used in other Internet applications; some, such as RSVP (Resource reSerVation Protocol), SDP (Session Description Protocol), and Skinny, are more specialized. All the listed protocols have some review of security implications, which marks the first time in the book that security seems to be a major issue. Chapter nine examines specific threats and attacks, mostly related to denial of service and hijacking. Securing the infrastructure used for VoIP is important, although the material in chapter ten is fairly standard information security. Chapter eleven reviews a number of ordinary authentication tools that are frequently used in VoIP. "Active Security Monitoring," in chapter twelve, is the traditional intrusion detection and penetration testing, and has nothing specific to IP telephony applications. Similarly, chapter thirteen examines normal traffic management and LAN segregation issues: the only telephony related content is in regard to VoIP aware firewalls. The IETF (Internet Engineering Task Force) has recommended certain existing security protocols in regard to IP telephony, and one addition (SRTP, Secure Real-time Transfer Protocol): these are outlined in chapter fourteen. Chapter fifteen lists various (United States) data security related regulations and the European Union privacy directive. The IP Multimedia Subsystem (IMS) structure is reviewed in chapter sixteen. Chapter seventeen repeats the recommendations made in chapters ten through fourteen. It is handy to have a number of the issues related to VoIP addressed in one work. There is some depth to the content of the text as well, and those dealing with system internals may find that useful.
However, for those who need to manage or make policy or purchasing decisions in regard to VoIP, this book may not have the forcefulness of complete analysis, or a structure that would assist in learning the background. While there is a considerable amount of helpful information, it reads more like an accumulation of miscellaneous facts than a directed study. copyright Robert M. Slade, 2006 BKPVOIPS.RVW 2060602 ====================== (quote inserted randomly by Pegasus Mailer) rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org An Englishman, even if he is alone, forms an orderly queue of one - George Mikes Dictionary Information Security www.syngress.com/catalog/?pid=4150 http://victoria.tc.ca/techrev/rms.htm

From isn at c4i.org Thu Jul 6 01:21:19 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 6 Jul 2006 00:21:19 -0500 (CDT) Subject: [ISN] Air Force to change network structure Message-ID: http://www.shreveporttimes.com/apps/pbcs.dll/article?AID=/20060705/BREAKINGNEWS/60705008 By John Andrew Prime jprime @ gannett.com July 5, 2006

A reorganization of war-fighting network operations that begins today will touch 8th Air Force, headquartered at Barksdale Air Force Base. A release from 8th Air Force headquarters says the change, which will place ... under the command of 8th Air Force commander Lt. Gen. Robert J. "Bob" Elder Jr., will better allow the service to "deliver sovereign options for the defense of the United States of America and its global interests - to fly and fight in Air, Space, and Cyberspace." The change will consolidate Air Force Network Operations under Elder, the release said. That will take place with a ceremony at 2 p.m. on the base. The change will put all Air Force units charged with network operations under Elder's command.
These responsibilities had previously been spread among 10 major command Network Operations and Security Centers as well as the 8th Air Force, the Air Intelligence Agency, the Operations and Sustainment Systems Group and the Air Force Communications Agency. In order to implement this change, the 67th Information Operations Wing at Lackland Air Force Base, Texas, has been reorganized and will be redesignated as the 67th Network Warfare Wing. It will oversee the stand-up of two Integrated Network Operations and Security Centers. One will be at Langley Air Force Base, Va., and the other at Peterson Air Force Base, Colo. Reorganization is expected to take several months to fully implement, 8th Air Force headquarters said. © The Times

From isn at c4i.org Thu Jul 6 01:21:34 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 6 Jul 2006 00:21:34 -0500 (CDT) Subject: [ISN] Alums just told of computer breach Message-ID: http://www.suntimes.com/output/news/cst-nws-westernhack05.html BY DAVE NEWBART Staff Reporter July 5, 2006

A computer hacker accessed computer systems containing confidential personal data of Western Illinois University alumni a full month ago, but some of the more than 180,000 people affected only learned of the problem this week. That response time, school spokesman John Maguire said Tuesday, was too slow, and the school is looking at changing its procedures to make sure notification happens faster. Maguire emphasized that although Social Security numbers and some credit card information were kept in the breached systems, the school has no evidence that any information has been used maliciously. "We strongly think it unlikely that anything was copied or compromised,'' Maguire said.

Academic files not affected

In notices sent beginning June 26, the university told alums and others that the security breach happened June 5.
A hacker or hackers accessed "several Electronic Student Services systems,'' according to information posted on the school's Web site Sunday. Personal data, names, Social Security numbers, addresses and phone numbers for anyone who took a course at the school since 1983 were kept on the computer system. An additional 1,000 records from students who attended between 1978 and 1982 were also kept on the compromised system. Even data from some applicants who did not attend Western might have been accessed because the school keeps those records for at least a year, in case the student were to reapply. Credit card account numbers for people who bought merchandise through the school's Web site or who stayed at the University Union hotel might also have been accessed. No academic files were accessed, officials said. The school learned of the breach the same day it happened, and it immediately fixed the breach and beefed up security. The school's public safety office has been in touch with the FBI, but no arrests have been made, Maguire said. At first, the school thought as many as 240,000 people were affected, but the number was revised after weeding out old or duplicate records.

Keep an eye on credit reports

Maguire said about 40,000 e-mails were also sent out beginning last week, but the overall response time was not acceptable. "In terms of trying to notify somebody by mail, we are looking at those procedures,'' he said. "We realize that is one of the criticisms, and we are trying to be responsible to that.'' Although officials have received no reports of records being copied or tampered with, they urged anyone potentially affected to monitor credit reports closely and consult the Federal Trade Commission or state attorney general for tips on how to protect yourself. There have been security breaches at 29 universities or colleges in the last six months, Western officials said.
In March 2005, hackers accessed a server run by the Kellogg School of Management at Northwestern, potentially learning user names and passwords to more than 21,000 computer accounts held by students, staff and alumni. At the time, NU officials said they didn't think any personal data was stolen. More information is available at (877) 556-4100 or at www.wiu.edu/securityalert. From isn at c4i.org Thu Jul 6 01:21:53 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 6 Jul 2006 00:21:53 -0500 (CDT) Subject: [ISN] Consultant Breached FBI's Computers Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2006/07/05/AR2006070501489.html By Eric M. Weiss Washington Post Staff Writer July 6, 2006 A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused. The government does not allege that the consultant, Joseph Thomas Colon, intended to harm national security. But prosecutors said Colon's "curiosity hacks" nonetheless exposed sensitive information. Colon, 28, an employee of BAE Systems who was assigned to the FBI field office in Springfield, Ill., said in court filings that he used the passwords and other information to bypass bureaucratic obstacles and better help the FBI install its new computer system. And he said agents in the Springfield office approved his actions. 
The incident is only the latest in a long string of foul-ups, delays and embarrassments that have plagued the FBI as it tries to update its computer systems to better share tips and information. Its computer technology is frequently identified as one of the key obstacles to the bureau's attempt to sharpen its focus on intelligence and terrorism. An FBI spokesman declined to discuss the specifics of the Colon case. But the spokesman, Paul E. Bresson, said the FBI has recently implemented a "comprehensive and proactive security program'' that includes layered access controls and threat and vulnerability assessments. Beginning last year, all FBI employees and contractors have had to undergo annual information security awareness training. Colon pleaded guilty in March to four counts of intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States. He could face up to 18 months in prison, according to the government's sentencing guidelines. He has lost his job with BAE Systems, and his top-secret clearance has also been revoked. In court filings, the government also said Colon exceeded his authorized access during a stint in the Navy. While documents in the case have not been sealed in federal court, the government and Colon entered into a confidentiality agreement, which is standard in cases involving secret or top-secret access, according to a government representative. Colon was scheduled for sentencing yesterday, but it was postponed until next week. His attorney, Richard Winelander, declined to comment. According to Colon's plea, he entered the system using the identity of an FBI special agent and used two computer hacking programs found on the Internet to get into one of the nation's most secret databases. Colon used a program downloaded from the Internet to extract "hashes" -- user names, encrypted passwords and other information -- from the FBI's database. 
Then he used another program to "crack" the passwords by using dictionary-word comparisons, lists of common passwords and character substitutions to figure out the plain-text passwords. Both programs are widely available for free on the Internet. What Colon did was hardly cutting edge, said Joe Stewart, a senior researcher with Chicago-based security company LURHQ Corp. "It was pretty run-of-the-mill stuff five years ago," Stewart said. Asked if he was surprised that a secure FBI system could be entered so easily, Stewart said, "I'd like to say 'Sure,' but I'm not really. They are dealing with the same types of problems that corporations are dealing with." Colon's lawyer said in a court filing that his client was hired to work on the FBI's "Trilogy" computer system but became frustrated over "bureaucratic" obstacles, such as obtaining written authorization from the FBI's Washington headquarters for "routine" matters such as adding a printer or moving a new computer onto the system. He said Colon used the hacked user names and passwords to bypass the authorization process and speed the work. Colon's lawyers said FBI officials in the Springfield office approved of what he was doing, and that one agent even gave Colon his own password, enabling him to get to the encrypted database in March 2004. Because FBI employees are required to change their passwords every 90 days, Colon hacked into the system on three later occasions to update his password list. The FBI's struggle to modernize its computer system has been a recurring headache for Mueller and has generated considerable criticism from lawmakers. Better computer technology might have enabled agents to more closely link men who later turned out to be involved in the Sept. 11, 2001, attacks, according to intelligence reviews conducted after the terrorist strikes. 
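The attack the article describes, dictionary words, common-password lists and character substitutions run against extracted hashes, succeeds because users choose passwords that those lists cover, and a 90-day rotation policy does nothing about that. The point at which a defender can act is when the password is set. The block below is an added illustration, not code from the article, the FBI or BAE Systems: a proactive checker that undoes the same substitutions a cracker would try and refuses any candidate that collapses to a dictionary word or a known-common password. The word lists are constructed for the example; a real deployment would load a full dictionary and a breach-corpus list, and the 12-character minimum is an assumed policy value.

```python
"""Proactive password check against dictionary/substitution guessing.

Added example, not from the article.  A guesser with a wordlist, a
common-password list and a substitution table recovers "P@55w0rd" as fast
as "password"; this check rejects such choices at password-set time.
"""
import re
from typing import List

# Constructed sample lists; real deployments load large lists from disk.
DICTIONARY_WORDS = {"password", "welcome", "springfield", "trilogy", "summer"}
COMMON_PASSWORDS = {"123456", "qwerty", "letmein", "password1", "abc123"}

# Reverse of the substitutions a guesser tries, so "P@55w0rd" -> "password".
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def _core(candidate: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, undo substitutions."""
    s = candidate.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # "Password1!" -> "password"
    return s.translate(UNLEET)                  # "p@55w0rd"   -> "password"


def weaknesses(candidate: str, min_len: int = 12) -> List[str]:
    """Return the reasons a candidate would fall to list-based guessing."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    low = candidate.lower()
    core = _core(candidate)
    if low in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if core in DICTIONARY_WORDS:
        reasons.append(f"dictionary word '{core}' with trivial decoration")
    # A word doubled ("passwordpassword") meets a length rule but is one guess.
    half = len(core) // 2
    if core and len(core) >= 8 and core[:half] == core[half:] \
            and core[:half] in DICTIONARY_WORDS:
        reasons.append("dictionary word repeated")
    return reasons


def acceptable(candidate: str) -> bool:
    """True only when no list-based weakness was found."""
    return not weaknesses(candidate)


if __name__ == "__main__":
    for pw in ("P@55w0rd", "Letmein2006!", "passwordpassword",
               "correct horse battery staple"):
        print(f"{pw!r}: {weaknesses(pw) or 'ok'}")
```

Normalising the candidate (rather than enumerating every substitution of every word) keeps the check fast enough to run on each password change, and it is the mirror image of what the guessing tools the article mentions do, which is exactly why it catches what they would catch.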
The FBI's Trilogy program cost more than $535 million but failed to produce a usable case-management system for agents because of cost overruns and technical problems, according to the Government Accountability Office. While Trilogy led to successful hardware upgrades and thousands of new PCs for bureau workers and agents, the final phase -- a software system called the Virtual Case File -- was abandoned last year. The FBI announced in March that it would spend an additional $425 million in an attempt to finish the job. The new system would be called "Sentinel." © 2006 The Washington Post Company

From isn at c4i.org Thu Jul 6 01:22:20 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 6 Jul 2006 00:22:20 -0500 (CDT) Subject: [ISN] Hacker attacks hitting Pentagon Message-ID: http://www.baltimoresun.com/news/nationworld/bal-te.nsa02jul02,0,754404.story?coll=bal-home-headlines By Siobhan Gorman sun reporter July 2, 2006 Sun exclusive

WASHINGTON -- The number of reported attempts to penetrate Pentagon computer networks rose sharply in the past decade, from fewer than 800 in 1996 to more than 160,000 last year - thousands of them successful. At the same time, the nation's ability to safeguard sensitive data in those and other government computer systems is becoming obsolete as efforts to make improvements have faltered and stalled. A National Security Agency program to protect secrets at the Defense Department and intelligence and other agencies is seven years behind schedule, triggering concerns that the data will be increasingly vulnerable to theft, according to intelligence officials and unclassified internal NSA documents obtained by The Sun. When fully implemented, the program would build a new encryption system to strengthen protections on computer networks and would more effectively control the access of millions of people to government computer systems and buildings.
Launched in 1999, the program was to have been completed last year, but it fell behind in part because of differences between the NSA and the Pentagon. The NSA is trying to revamp the program, although the deadline has slid to 2012, with the most substantive security improvements planned for 2018. An internal NSA report in April 2005 described the problem as "critical," noting that 30 percent of the agency's security equipment does not provide "adequate" protection; another 46 percent is approaching that status. "Much of the existing cryptographic equipment is based on ... technologies that are 20-30+ years old," said the report from the agency's information security directorate. At the same time, it noted, technology for breaking into computer systems has improved, which "gives our adversaries enhanced capabilities." Pentagon computers, in particular, are under constant attack. Recently, Chinese hackers were able to penetrate and steal data from a classified computer system serving the Joint Chiefs of Staff, according to two sources familiar with the incident. A security team spent weeks eliminating the breach and installing additional safeguards. The Pentagon declined interview requests for two information security officials, but a spokesman said in a written statement that the NSA is continually assisting the Pentagon to "maintain best security practices" and raise the level of information security. NSA spokesman Don Weber said in a statement that because information security is a core mission of the agency, "any speculation that we, along with our partners would leave national security systems vulnerable, is unfounded." Among 18 current and former officials and security experts interviewed for this article, several would speak only on condition of anonymity because many details of the program are sensitive and reveal vulnerabilities in the nation's defenses. 
Encryption, which is an electronic lock, is among the most important of security tools, scrambling sensitive information so that it can ride securely in communications over the Internet or phone lines, and requiring a key to decipher. Powerful encryption is necessary for protecting information that is beamed from soldiers on the battlefield or that guards data in computers at the NSA's Fort Meade headquarters. Without updated encryption, sensitive information could be stolen by China or other countries that have regularly tried to break into U.S. government systems to steal military and intelligence secrets. There are emerging concerns about Iran's desire to do so, as well. "This stuff is enormously important," said John P. Stenbit, the Pentagon's chief information officer until 2004. "If the keys get into the wrong hands, all kinds of bad things happen. You don't want to just let a hacker grab the key as it's going through the Internet." The NSA report warned that "serious risks" in the Pentagon's security system jeopardize its ability to execute its missions effectively. A December 2005 NSA planning document described the program as crucial for ensuring adequate protection for all national security programs. "It's a pretty critical thing to do right ... because the government relies on confidential communications so heavily," said Martin Roesch, founder of Sourcefire, a computer security company in Columbia, Md. "It's kind of a fundamental capability." A growing threat As the program, known as Key Management Infrastructure, has faltered, the potential for penetrating government computers has grown. Intelligence officials have said that as many as 100 countries pose legitimate threats to U.S. government computers and those of companies doing government work. In the past decade, reported attempts to hack into Pentagon computers have grown 200-fold, according to the Pentagon. 
"Numerous states, terrorist and hackers groups, criminal syndicates, and individuals continue to pose a threat to our computer systems," Maj. Gen. Michael D. Maples, director of the Defense Intelligence Agency, warned Congress this year. "Over the last few years, hackers have exploited thousands of [Department of Defense] systems." In addition to the NSA's aging security technology, some of the tools required for encrypting data lack security protections and are vulnerable, so an infiltrator could uncover and possibly replicate the tools to access government data, according to the NSA's December 2005 planning document. Intelligence specialists say potential attacks could include foreign governments snooping for U.S. intelligence and military secrets and using identity information to create false IDs, which could enable them to gain access to military or intelligence facilities, computers and even weapons systems, they said. "What's at stake here is the security of the nation, because we are under monster attack from China, Russia, Israel, France and so on," a former government official said. News reports last year revealed a major Chinese campaign called Titan Rain that targeted unclassified Pentagon computer networks and others at the Energy and Homeland Security departments. In a Miami case, the Justice Department charged two men this year with channeling military technology secrets to China that were obtained through hacking. It brought similar charges against three others last fall in a case in Los Angeles. "The threat is much larger than we ever thought it was," said David Szady, a former top counterintelligence official at the FBI and the CIA. The Chinese "have been able to develop their military and their systems on the backbone of United States technology." Another country emerging as a concern is Iran. "They certainly are able to, and would have an interest in doing it," said one former senior intelligence official. 
Cracking the government's aging encryption system would require a high level of training of the type most likely occurring in countries such as China or Russia. But as commercial code-breaking technology improves, intelligence experts said, it is possible that a technically astute terrorist or even an unusually focused teenage hacker could infiltrate government computers.

If hackers can break through weak encryption systems on government and contractors' computers, they can hunt through different networks for bits and pieces of information to thread together and assemble a fairly good idea of U.S. defense capabilities - with the intent of either copying them or devising a system to defeat them, said one former NSA employee.

The new system would address a number of the security challenges that exist with the explosion of wireless, networked communication devices, according to internal NSA documents. The most sensitive data is generally held in internal systems that are not exposed to the Internet. But the Pentagon and other government agencies are increasingly using Internet-based communications.

And as the demand grows for "smart" identification cards with computer chips that verify the card holder's identity, so does the need for sophisticated ways to manage who is being assigned cards, so that the cards do not end up in the wrong hands, said Stephen Kent, a chief scientist at BBN Technologies who has chaired government panels on information security.

False starts

Sprawled across several government agencies, but centered at the NSA, the Key Management Infrastructure program is actually a compilation of about 25 programs; its costs, which are classified, are difficult to gauge. One estimate pegs spending so far at $2 billion or more, said a former government official familiar with the program. Other estimates are in the hundreds of millions.
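The article's worry is about keys: keys that end up in the wrong hands, and credentials whose issue and withdrawal must be tracked. What a key-management layer has to provide, stripped to the essentials, is shown in the added example below. It is not the NSA programme's design or code; the key ids, lifecycle states and HMAC-based envelope are constructed for the illustration. Each key carries an identifier, an algorithm label and a state; each protected message names the key that covers it, so keys can be rotated (and the algorithm upgraded) without breaking verification of earlier messages, and a key marked compromised is refused from then on.

```python
"""Minimal key-management layer: identified, versioned, revocable keys.

Added example, not the NSA programme's design or code.  Key ids, the
lifecycle states and the HMAC envelope format are constructed for the
demonstration.
"""
import hashlib
import hmac
import os

# Algorithm labels an envelope may carry, mapped to their digest.
DIGESTS = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}


class KeyRegistry:
    """Every key has an id, an algorithm label and a lifecycle state."""

    def __init__(self):
        self.keys = {}       # key_id -> {"secret", "alg", "state"}
        self.current = None  # key id used to protect new messages

    def rotate(self, alg="hmac-sha256"):
        """Issue a fresh key and make it current; the previous key is kept
        so messages already protected under it still verify."""
        key_id = "k%03d" % (len(self.keys) + 1)   # constructed id scheme
        self.keys[key_id] = {"secret": os.urandom(32), "alg": alg, "state": "active"}
        if self.current is not None:
            self.keys[self.current]["state"] = "verify-only"
        self.current = key_id
        return key_id

    def revoke(self, key_id):
        """Mark a key compromised: nothing protected under it is trusted again."""
        self.keys[key_id]["state"] = "compromised"
        if self.current == key_id:
            self.current = None


def protect(registry, payload):
    """Authenticate payload under the current key.  The envelope names the
    key and algorithm so the receiver never has to guess which key applies."""
    if registry.current is None:
        raise RuntimeError("no active key; rotate() first")
    key = registry.keys[registry.current]
    tag = hmac.new(key["secret"], payload, DIGESTS[key["alg"]]).hexdigest()
    return {"kid": registry.current, "alg": key["alg"],
            "payload": payload.hex(), "tag": tag}


def verify(registry, envelope):
    """True only if the named key exists, is not compromised, matches the
    algorithm claimed in the envelope, and the tag checks out."""
    key = registry.keys.get(envelope["kid"])
    if key is None or key["state"] == "compromised" or key["alg"] != envelope["alg"]:
        return False
    expected = hmac.new(key["secret"], bytes.fromhex(envelope["payload"]),
                        DIGESTS[key["alg"]]).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def demo():
    """Walk a key through rotation (with an algorithm upgrade) and revocation."""
    registry = KeyRegistry()
    first = registry.rotate()
    old_msg = protect(registry, b"status report 17: all links nominal")  # constructed
    registry.rotate("hmac-sha512")          # rotate and upgrade the algorithm
    new_msg = protect(registry, b"status report 18: all links nominal")
    results = {"old_after_rotation": verify(registry, old_msg),
               "new": verify(registry, new_msg)}
    registry.revoke(first)                  # first key reported compromised
    results["old_after_revocation"] = verify(registry, old_msg)
    tampered = dict(new_msg, payload=b"status report 18: link 3 down".hex())
    results["tampered"] = verify(registry, tampered)
    return results


if __name__ == "__main__":
    print(demo())
```

The envelope here only authenticates; a confidentiality layer would sit on the same key id and algorithm fields, which is what lets a deployment change ciphers without re-keying everything at once. The algorithm check in verify() matters: without it, an envelope could claim a weaker digest than the key was issued for.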
A critical problem with the project, according to several current and former intelligence officials, is one that has afflicted other large programs at the agency: poor management.

Like other major NSA efforts - such as the failed Trailblazer program to rapidly sift out threat information, and the troubled Groundbreaker program aimed at upgrading the agency's computer networks - an ever-changing game plan has caused many of the project's problems, current and former senior intelligence officials said.

One former senior intelligence official said that the NSA had unrealistic expectations from the start and repeatedly opted for delays to try to perfect the program. That left the government with aging security protections in the quest for security nirvana, the official said.

"NSA often will say, 'Well, this is not totally secure, so you can't use it,' when the only alternative is nothing," the former official said. "My worry is this push for perfect security is the enemy of good security."

NSA officials have also had a difficult time forging consensus among the agencies involved with the project, especially the Pentagon, according to former officials familiar with the conflict.

"Anybody who doesn't like the way you're doing it can essentially withdraw," the former senior intelligence official said. "It's a program that is actually planned for failure."

After several false starts, the first phase of the program was canceled in 2003, and its replacement has been in the planning stages since then. The NSA is re-evaluating the program, intelligence officials said. That reassessment - owed at least in part to pressure from Maj. Gen. Dale W. Meyerrose, the chief technology officer under spy chief John D. Negroponte and the Pentagon - is expected to produce a new blueprint, Meyerrose said in an interview. It also coincided with incoming NSA Director Lt. Gen. Keith B. Alexander's agency-wide review. Under the current plan, the initial phase will be completed in 2012.
Even then, it would at best provide only a level of security equivalent to the existing system, current and former government officials said. The agency would, however, be able to upgrade the revised system, which is not possible now, they said.

Meyerrose acknowledged that the project has taken "a little longer than we thought." He chalked it up to a lack of leadership in the intelligence community to get behind the program, which he said would change under the new spymaster. The program's planners, he said, underestimated how difficult it would be to "synchronize" all the moving parts of the program.

After the first false start, the NSA asked the consulting firm Booz Allen Hamilton, which was involved in aspects of the project, to take on a broader role to get the program's many segments working together. But the NSA is unhappy with the firm's performance, which it deemed slow and rigid, one former government official said. A spokesman for Booz Allen declined to comment, citing confidentiality agreements. Booz Allen's contract is slated to end in October, and the NSA plans to do the work on its own, probably with assistance from a new contractor, the former official said.

Although Richard C. Schaeffer, in charge of the NSA's information security division, characterized the current timetable for the program as "aggressive" in a statement to The Sun, some officials are concerned that the schedule is sliding again, according to a former government official familiar with the program. The NSA was supposed to award a contract for the revamped program last December, but that shifted to June and then to October.

"It's pretty scandalous. It certainly has been a start, restart, start, restart," said one former intelligence official. "It seems stunning to me."

Meanwhile, given the pace of technology, every year that the project slips, it becomes less relevant, said a former government official familiar with the project. "You're going to introduce something that is completely obsolete," he said.

While 2012 is the target date for wrapping up the current phase of the program, Meyerrose said, some portions will be implemented in the interim. But some intelligence officials said they are concerned that components of the program could be delayed until 2018, when the next phase of more substantive security changes is to be completed, and the April 2005 NSA report highlights this possibility.

The program's delay also is likely to hold up some major Pentagon efforts that rely on secure information, such as the Global Information Grid, a network under development that aims to manage all national security information around the world, former intelligence officials said. Both the NSA report and planning documents emphasize the dependency of this network and other defense programs on the key management program.

"If you can't communicate securely, the enemy has the potential to know what you're doing," one former official said. "Information security is Job One."

siobhan.gorman (at) baltsun.com

Copyright © 2006, The Baltimore Sun

From isn at c4i.org Thu Jul 6 01:22:55 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Jul 2006 00:22:55 -0500 (CDT)
Subject: [ISN] Identity Thief Finds Easy Money Hard to Resist
Message-ID:

http://www.nytimes.com/2006/07/04/us/04identity.html

By TOM ZELLER Jr.
July 4, 2006

By the time of Shiva Brent Sharma's third arrest for identity theft, at the age of 20, he had taken in well over $150,000 in cash and merchandise in his brief career. After a certain point, investigators stopped counting.

The biggest money was coming in at the end, postal inspectors said, after Mr. Sharma had figured out how to buy access to stolen credit card accounts online, change the cardholder information and reliably wire money to himself - sometimes using false identities for which he had created pristine driver's licenses. But Mr.
Sharma, now 22, says he never really kept track of his earnings.

"I don't know how much I made altogether, but the most I ever made in a quick period was like $20,000 in a day and a half or something," he said, sitting in the empty meeting hall at the Mohawk Correctional Facility in Rome, N.Y., where he is serving a two- to four-year term. "Working like three hours today, three hours tomorrow - $20,000."

And once he knew what he was doing, it was all too easy.

"It's an addiction, no doubt about that," said Mr. Sharma, who inflected his words with the sort of street cadence adopted by smart kids trying to be cool. "I get scared that when I get out, I might have a problem and relapse because it would be so easy to take $300 and turn it into several thousand."

That ease accounts for the sizable ranks of identity-fraud victims, whose acquaintance with the crime often begins with unexplained credit card charges, a drained bank account or worse. The victims' tales have become alarmingly familiar, but usually lack a protagonist - the perpetrator. Mr. Sharma's account of his own exploits provides the missing piece: an insight into both the tools and the motivation of a persistent thief.

Identity theft can, of course, have its origins in a pilfered wallet or an emptied mailbox. But for computer-savvy thieves like Mr. Sharma, the Internet has forged new conduits for the crime, both as a means of stealing identity and account information and as the place to use it.

The Secret Service and the Federal Bureau of Investigation have invested millions of dollars in monitoring Internet sites where thousands of users from around the world congregate to swap tips about identity theft and to buy and sell personal data. Mr. Sharma frequented such sites from their earliest days, and the techniques he learned there have become textbook-variety scams.

"Shiva Sharma was probably one of the first, and he was certainly one of the first to get caught," said Diane M.
Peress, a former Queens County prosecutor who handled all three of Mr. Sharma's cases and who is now the chief of economic crimes with the Nassau County district attorney's office. "But the kinds of methods that he used are being used all the time."

As far back as 2002, Mr. Sharma began picking the locks on consumer credit lines using a computer, the Internet and a deep understanding of online commerce, Internet security and simple human nature, obtained through years of trading insights with like-minded thieves in online forums. And he deployed the now-common rods and reels of data theft - e-mail solicitations and phony Web sites - that fleece the unwitting.

Much of this unfolded from the basement of a middle-class family home in Richmond Hill, Queens, at the hands of a high school student with a knack for problem solving and an inability, even after multiple arrests, to resist the challenge of making a scheme pay off.

That is what worries Mr. Sharma's wife, Damaris, 21, who has no time for the Internet as she raises the couple's 1-year-old daughter, Bellamarie. "I hate computers," she said. "I think they're the devil."

A Thief's Tool Kit

Mr. Sharma is soft-spoken, but he does not shrink from the spotlight. He gained fleeting attention after his first arrest, as the first person charged under a New York State identity-theft statute - and later, at his high school graduation at the Rikers Island jail, where he was the class valedictorian.

For a prison interview, he has applied gel to his mane of black hair. He is Hollywood handsome, with deceptively sleepy eyes and smiles that come as tics in reaction to nearly every stimulus - a question, a noise. Prosecutors interpreted those smiles as evidence of smug indifference. A tattoo of Shiva, the Hindu god of destruction and his namesake, is just visible on Mr. Sharma's right arm, under the short sleeve of his green prison jumpsuit.

Recalling his youth, Mr.
Sharma said he was not unlike many other young people growing up with the mating calls of modems and unprecedented access to people, sounds, software and other thrills streaming into the family's home over the Internet.

As the youngest of three children in a family of immigrants from Trinidad - his parents brought the family to Queens when he was 6 - Mr. Sharma said sibling battles for access to the computer were common. He studied programming at Brooklyn Tech, one of New York's most selective public high schools, where he met Damaris. He enjoyed chatting on AOL and was drawn, along with millions of his peers in the early days of file sharing, to downloading MP3's.

As he got older, he began hanging out on Internet-based chat channels that dealt with bigger game, like bootleg software. And amid the chatter were whispers of other something-for-nothing sites - ones where thieves had set up bazaars involving credit cards, banks and account numbers.

"So I ended up registering and then I started just looking, really," Mr. Sharma said. "Not really taking anything in, just looking and seeing what's going on there."

Mr. Sharma said he chiefly visited two such sites, Carderplanet.com and Shadowcrew.com, where he was known by the screen name sniper5984 (the number denoted his birthdate). The sites were shut down in 2004, but many others have sprung up to replace them.

"For the aspiring little computer hacker in the United States, they're an excellent opportunity to learn," said Greg Crabb, the assistant director for economic crimes at the United States Postal Inspection Service's international group in Washington. On Carderplanet, for example, "a person could learn how to set up a drop, receive packages, develop other relationships and generally get started in the business."

Mr. Sharma got started with phishing - sending e-mail meant to dupe recipients into revealing their personal or financial data, which can then be exploited.
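Phishing, as just defined, works because the message looks like mail from a site the recipient trusts while its link leads somewhere else. The following is an added example, not from the article or from any agency it quotes: the heuristic checks a mail gateway or awareness tool might run over a message, flagging a link whose visible text names a trusted brand while the real href host does not belong to that brand, a brand name embedded in an unrelated host, and an "account problem, click to fix" pretext paired with a link. The trusted domain, the pretext phrases and both sample messages are constructed.

```python
"""Heuristic phishing-lure checks over constructed sample messages.

Added example, not from the article.  Trusted hosts, pretext phrases and
both sample messages are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the impersonated brand actually owns.
TRUSTED_HOSTS = {"aol.com"}

# Constructed: wording that pressures the reader into "fixing" an account.
PRETEXT_PHRASES = ("billing information", "account was deleted",
                   "verify your account", "system flush", "suspended")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlparse(url).hostname or "").lower()


def host_is_trusted(host):
    """True for a trusted domain or any subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def analyze_email(html, brand="aol"):
    """Return a list of findings; an empty list means no lure traits found."""
    findings = []
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        host = hostname_of(href)
        # Visible text names the brand (or shows a brand URL) while the
        # real destination is a host the brand does not own.
        if brand in text.lower() and not host_is_trusted(host):
            findings.append("link text %r but href host %r" % (text, host))
        # Brand name smuggled into an unrelated host.
        if brand in host and not host_is_trusted(host):
            findings.append("look-alike host %r" % host)
    pretexts = [p for p in PRETEXT_PHRASES if p in html.lower()]
    if pretexts and parser.links:
        findings.append("account-problem pretext with a link: " + ", ".join(pretexts))
    return findings


# Constructed lure in the style the article describes, and a benign notice.
LURE_SAMPLE = """<p>We regret to inform you, but due to a recent system flush, the
billing information for your account was deleted.</p>
<p>Please visit <a href="http://aol-billing-update.example.net/restore">http://www.aol.com/billing</a>
to restore your service.</p>"""

LEGIT_SAMPLE = """<p>Your monthly statement is ready. Sign in at
<a href="https://billing.aol.com/statement">billing.aol.com</a> to view it.</p>"""


if __name__ == "__main__":
    for name, msg in (("lure", LURE_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyze_email(msg) or ["clean"])
```

The host comparison is the check that matters most: a lure can copy the brand's look and wording exactly, but the href has to point at a server the attacker controls, and that host is visible to any filter that parses the markup rather than rendering it.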
He told investigators that he paid $60 to someone he had met on Carderplanet to buy a program designed to harvest AOL e-mail addresses. "I pretty much stuck with AOL because I knew AOL is most likely people new to the Internet," Mr. Sharma explained, "people who don't use the Internet for much but chat rooms."

He managed to gather about 100,000 addresses, and crafted an e-mail message that told recipients, "We regret to inform you, but due to a recent system flush, the billing information for your account was deleted." Recipients were instructed to follow a link to a Web page to remedy the situation.

The Web page, which mimicked AOL's look and feel, including a bogus AOL Web address, had form fields requesting everything from name and address to mother's maiden name, Social Security number, date of birth, credit card number, expiration date and bank. The "submit" button sent the data to Mr. Sharma's e-mail account. He then went shopping.

From the 100,000 phishing e-mails Mr. Sharma sent, investigators say, about 100 recipients were duped into clicking through to the phony AOL Web page he created and filling out the form. Mr. Sharma said he did even better, with about 250 to 300 responses.

And Mr. Sharma went on to more elaborate and lucrative schemes. By the end, he said, he had become well known at Carderplanet and Shadowcrew for being able to "cash out" victims' credit accounts by making large wire transfers from their accounts to himself.

"I cash them out all the time," sniper5984 wrote at Carderplanet on July 5, 2004. "Here's two examples of Citi Cards I have used last month just to show." Sniper5984 then provided links to two images of the account statement of the victim, a California resident, showing, amid various legitimate charges, nearly $10,000 in Western Union wire transfers made over three days in June 2004. There were also two charges for Domino's pizza in Ozone Park, Queens.

"There was always a challenge," Mr. Sharma said. "You know, like it's always something like, wow, can I take it to the next step, you know?"

Ms. Sharma recalled that on trips to a Six Flags amusement park, her husband rarely took to the rides, preferring instead the games of chance. "The ones where you win a giant stuffed animal if you can throw some ball into a bucket or something like that, but there's obviously some trick to it," she said. "Well, he would always know the trick."

She also recalled one evening in the summer of 2004, when Mr. Sharma came to her apartment with $27,000 in cash and asked her to hold onto it overnight. The next morning he picked up the money and returned later with a new Acura RSX. "He liked to race cars," Ms. Sharma said.

Back at the correctional facility, Mr. Sharma struggled to find a clear explanation for his crimes. At times he suggested he was taking aim at a usurious banking industry. At other moments he offered that it was simply a game, that he was young, that he was not thinking clearly.

"Well, you know - I mean there's no, there's no justification behind it at all," he said. "You know it was wrong, and I did it - it was wrong."

He also suggested it all became too easy too fast. "The challenge was really stopping, you know?" he said. "That was the hardest challenge of them all."

'It's Sharma Again'

The tools that allowed Mr. Sharma to profit from his thievery were also his undoing, more than once.

On Sept. 19, 2002, William Robertson, a 73-year-old retired physical education teacher in Ormond Beach, Fla., received one of the 100,000 e-mail lures that Mr. Sharma had sent out from Queens, and he fell for the scam.

"I don't know what made me fill out that whole form," Mr. Robertson said. "At that time I was a fairly new user of the computer. And after I did it, I just didn't feel right. But it wasn't until after the credit card company called me that I knew I'd done anything wrong."
A $3,000 Eltron photo ID printer had been bought on his Chase credit card from an online store in Buffalo. He canceled the card and made a report to the Flagler County police. The police determined that the printer had been shipped to a Brent Sharma in Queens.

Just over a month later, on Nov. 8, Peter Ruh, a United States postal inspector, arrived at Mr. Sharma's parents' home wearing a postal delivery uniform and carrying a box of high-end racing car parts that Mr. Sharma had ordered using another credit card account he had hijacked. When Mr. Sharma identified himself and signed for the package, Mr. Ruh, wearing a wire, gave a pre-arranged signal and his fellow inspectors, along with New York City police officers, moved in.

Among the items seized from his parents' basement were a computer, two digital cameras, a scanner, nearly 500 blank plastic identity cards with magnetic strips, two Marine Corps ID's - with Mr. Sharma's name and photo - and a newer model Eltron photo ID printer. A search of his computer revealed personal identifying information on hundreds of people from across the country.

"We were surprised at how forthcoming he was," Mr. Ruh said. "He was very proud of his accomplishments."

It was the first of many encounters that Queens postal investigators would have with Mr. Sharma over the next two years. "I'd get a call from someone over at Postal and they'd say, 'You're not going to believe this,' " Ms. Peress said. "And then they'd say, 'It's Sharma again.' "

Even with charges of identity theft pending in the AOL case, Mr. Sharma was arrested and charged again, in May 2003, for schemes involving the hijacking of Amazon.com accounts, moving fraudulently bought merchandise through auctions at eBay and Yahoo, and enlisting the father of a friend to receive shipments at his home in exchange for a digital camera.

Four months later, as part of a combined plea agreement, Mr.
Sharma was permitted to plead guilty in the first case as a youthful offender, avoiding a felony designation. He pleaded guilty in the second case to two felony counts of identity theft and unlawful possession of personal identification information. In November 2003 he was sentenced to five years' probation and 350 hours of community service and was ordered to pay $5,000 in restitution.

But within a month, on Jan. 21, 2004, sniper5984 was active again at Carderplanet. "I am looking for partners," he wrote.

Logging Off

By the summer of 2004, investigators had begun piecing together a string of complaints from out-of-state consumers whose credit card accounts had been hijacked for tens of thousands of dollars in bogus charges, and they quickly recognized the modus operandi. Mr. Sharma was arrested again in October while accepting a package under the watch of postal inspectors.

A search of his apartment in Ozone Park on Oct. 16, 2004, the day after his final arrest, turned up consumers' credit bureau reports, assorted hand-written notations of credit card accounts and Social Security numbers and printed chats showing him negotiating online for the purchase of FirstUSA and MBNA credit cards.

Mr. Sharma remembers making heavy use, just before his last arrest, of the credit card of a commercial airline pilot from Florida. Receipts show that a Jean Pascal Francis, presenting a Michigan state identification card, signed in Queens for nearly $5,500 in Western Union cash transfers charged to the pilot's account on a single Friday afternoon in July 2004. A Michigan state identification card with that name and Mr. Sharma's photograph was among the documents later found in Mr. Sharma's apartment.

"I thought it was horrible," recalled the airline pilot, who did not want to be named because he feared it would invite other thieves to take a crack at him. "You just feel violated in terms of your privacy."

Meanwhile, Mr.
Sharma, whose family had moved to Florida, was largely on his own in New York and was burning through cash like rocket fuel.

"I tried every five-star hotel in Manhattan," he said. "That's why they say, 'Oh, he stayed at the Parker Meridien, the Regency, the Waldorf-Astoria.' You know, I went to all those and just stayed. The Mandarin Oriental is by my wife's house, and that's supposed to be the nicest one and the newest one, so I went there and it's like $3,500 a night."

"The more you make," he added, "it's like, it becomes a different kind of lifestyle."

The question now is whether Mr. Sharma, who has a parole hearing in August, can adapt to a less lucrative lifestyle when he gets out. He says he is determined to stay clean long enough for his knowledge of fraud techniques to become obsolete.

"I've just got to stay with my daughter and just try and stick it through another year or two," Mr. Sharma said, "because by then things have changed so much that it will be kind of hard for me to just go back in there and do everything."

His wife understands the temptations that will lurk in the meantime.

"I do worry a whole lot because - I don't want to say I agree, but I understand his mentality," Ms. Sharma said. "People work really hard for eight hours a day and make minimum wage. And he knows he can get out and make the same thing with the computer in half an hour."

Kassie Bracken contributed reporting for this article.
Copyright 2006 The New York Times Company

From isn at c4i.org Thu Jul 6 01:23:08 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Jul 2006 00:23:08 -0500 (CDT)
Subject: [ISN] DOE's Federated Model aims to identify security threats
Message-ID:

http://www.networkworld.com/news/2006/070506-argonne-national-lab.html

By Cara Garretson
NetworkWorld.com
07/05/06

Argonne National Laboratory, a division of the Department of Energy (DOE) operated out of the University of Chicago, is spearheading an effort to collect information about cyber security events that is beginning to gain steam.

Called The Federated Model, this information-sharing initiative among government, universities, and research labs began last fall and currently has about half a dozen active members, says Scott Pinkerton, manager of network services for the lab in DuPage County, Ill.

The initiative is open to any organization wanting to share details, or even just view information, regarding attempts by different IP addresses to access networks and how organizations have responded to these attempts, in an effort to spot patterns of malicious behavior and proactively block security threats, says Pinkerton. For example, if one member of the Federated Model suffers an attack from a certain IP address, another member may be able to block that IP address from accessing its network and thwart a second attack, he says.

"We're reinforcing the idea that we could be smarter, and more prepared," Pinkerton says. While the number of members is growing, Pinkerton says The Federated Model hasn't yet hit critical mass.

Pinkerton discussed The Federated Model's progress at Network World's IT Roadmap conference held in Chicago late last month during a session on security. He stressed the importance of monitoring NetFlow data to search for zero-day attack traffic patterns, a practice his department engages in. NetFlow is a Cisco technology for storing traffic flow histories on routers and switches.
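The two mechanics Pinkerton describes, spotting attack traffic patterns in NetFlow and sharing what each member saw and did so that another member can block the address before it reaches them, are shown end to end in the added example below. It is not Argonne's code; the Federated Model's actual record layout, thresholds and trust rules are not given in the article, so the flow records, XML layout, member names and decision rules here are constructed, and transport encryption of the submitted records is left out.

```python
"""Flow-pattern spotting plus a shared-report exchange between members.

Added example, not Argonne's code.  The flow records, XML layout, member
names, thresholds and trust rules are constructed; the article gives none
of these details.  Transport encryption of submitted records is omitted.
"""
from collections import defaultdict
import xml.etree.ElementTree as ET

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, packets).
# One source touches sixteen ports on a host with one packet each (a sweep);
# another holds two ordinary HTTPS sessions.
FLOWS = [("198.51.100.7", "192.0.2.10", port, 1) for port in range(20, 36)] + [
    ("203.0.113.5", "192.0.2.20", 443, 40),
    ("203.0.113.5", "192.0.2.20", 443, 12),
]


def flag_scanners(flows, min_ports=10, max_packets=2):
    """Return {src_ip: number of distinct (host, port) targets} for sources
    whose tiny flows fan out across many ports.  A real client opens a few
    ports with sizeable flows; a sweep opens many with one or two packets."""
    targets = defaultdict(set)
    for src, dst, port, packets in flows:
        if packets <= max_packets:
            targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


def build_report(member, src_ip, action, severity):
    """Serialise one member's observation and response (constructed layout)."""
    root = ET.Element("report", member=member)
    ET.SubElement(root, "source").text = src_ip
    ET.SubElement(root, "action").text = action            # "block" or "monitor"
    ET.SubElement(root, "severity").text = str(severity)   # constructed 1..5 scale
    return ET.tostring(root, encoding="unicode")


def decide_blocks(reports, trusted=("argonne",), min_members=2):
    """Derive a local block list from the shared reports: block an address a
    trusted member blocked, or one that min_members reported independently."""
    reporters = defaultdict(set)
    trusted_blocks = set()
    for xml_doc in reports:
        root = ET.fromstring(xml_doc)
        member, src = root.get("member"), root.findtext("source")
        reporters[src].add(member)
        if member in trusted and root.findtext("action") == "block":
            trusted_blocks.add(src)
    consensus = {src for src, who in reporters.items() if len(who) >= min_members}
    return sorted(trusted_blocks | consensus)


def demo():
    """Detect locally, publish, then combine with two peers' reports."""
    scanners = flag_scanners(FLOWS)
    mine = [build_report("lab-a", ip, "block", 4) for ip in scanners]
    peers = [build_report("lab-b", "198.51.100.7", "monitor", 2),
             build_report("lab-b", "203.0.113.99", "monitor", 1),
             build_report("argonne", "203.0.113.99", "block", 5)]
    return scanners, decide_blocks(mine + peers)


if __name__ == "__main__":
    print(demo())
```

The value of the exchange is in the second half: an address that only one member has seen, and only as "monitor", does not make the list, while an address a trusted member has already blocked, or one that several members have seen independently, does. That is the "follow the actions of a trusted member" idea reduced to a rule a firewall manager can audit.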
Argonne has taken on the development of The Federated Model's repository and laid out specifications to be used for submitting and accessing information. Following IETF standards, data is submitted in XML format that is encrypted. The lab is working on adding features, such as an RSS feed that would tell members when new information has been added to the repository, Pinkerton says.

What's valuable about this data is not only learning what IP addresses are doing, but what organizations are doing in response to potential threats, says Tami Martin, intrusion detection systems engineer with Argonne. "You're learning the reactive measures other sites are taking," she says. "Also of intrinsic value is [learning] the severity of the action taken."

Eventually, members could get to the point where they can completely thwart an attack by following the actions of a trusted member, says Pinkerton.

All contents copyright 1995-2006 Network World, Inc

From isn at c4i.org Thu Jul 6 01:23:30 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Jul 2006 00:23:30 -0500 (CDT)
Subject: [ISN] Security expert dubs July the 'Month of browser bugs'
Message-ID:

http://news.com.com/Security+expert+dubs+July+the+Month+of+browser+bugs/2100-1002_3-6090959.html

By Greg Sandoval
Staff Writer, CNET News.com
July 5, 2006

Each day this month, a prominent security expert will highlight a new vulnerability found in one of the major Internet browsers.

HD Moore, the creator of Metasploit Framework, a tool that helps test whether a system is safe from intrusion, has dubbed July the Month of Browser Bugs. Already, the security researcher has featured five security flaws, three for Microsoft's Internet Explorer and one apiece for Mozilla's Firefox and Apple Computer's Safari. Moore noted that one of the IE bugs appeared to have been recently patched.

"This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure," Moore said on his blog. "The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution."

Browser security holes are nothing new, but Moore's repository of flaws shines a light on the problem. Moore says on his site that he reported two of the IE bugs to Microsoft last March.

Microsoft acknowledged that it had been in contact with Moore but downplayed the seriousness of the flaws Moore is publicizing. "(Microsoft's) investigation has revealed that most issues relating to Internet Explorer in particular will result in the browser closing unexpectedly," the company said in an e-mail statement.

Moore doesn't indicate how many of his published vulnerabilities are critical, but security company Secunia has rated one of the flaws, which Moore calls Internet.HHCtrl Image Property, as highly critical.

From isn at c4i.org Thu Jul 6 01:20:21 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Jul 2006 00:20:21 -0500 (CDT)
Subject: [ISN] Web perils advise switch to Macs
Message-ID:

Forwarded from: eric wolbrom, CISSP

http://news.bbc.co.uk/2/hi/technology/5150508.stm

BBC News
5 July 2006

Security threats to PCs with Microsoft Windows have increased so much that computer users should consider using a Mac, says a leading security firm.

Sophos security said that the 10 most commonly found pieces of malicious software all targeted Windows machines. In contrast, it said, none of the "malware" were capable of infecting the Mac OS X operating system.

Microsoft has pledged that the latest version of its operating system, known as Vista, will be its most secure yet.

"It is our goal to give PC users the control and confidence they need so they can continue to get the most out of their PCs," a Microsoft spokesperson said. "Windows Vista contains a number of new safety features that, taken together, are designed to make Windows PCs more secure and online experiences safer."
Microsoft said that security on Vista would be an integral part of the operating system rather than an add-on like in previous systems.

Top threats

The advice from Sophos was given as it released a report, detailing the security threats posed to computers so far in 2006. The report says that there has been a vast drop in malicious software like viruses and worms. However, the company warns that there has been a sharp increase in the number of Trojans. It said that 82% of new security threats this year were from these programs.

Trojans are pieces of malicious software that are hidden in other legitimate programs such as downloaded screensavers. The Trojan may collect financial information or allow the infected computer to be controlled remotely for sending spam or launching web attacks.

"The continuing rise of malware will concern many - the criminals responsible are obviously making money from their code, otherwise they'd give up the game," said Graham Cluley, senior technology consultant at Sophos.

Mac flaws

Although Trojans dominate the list of security threats, the most widespread problem was the Sober-Z worm. The worm, which was spread by e-mail, infected people's computers and tried to turn off security settings. It replicated by looking for other e-mail addresses on the computers' hard drives. At its peak, the worm accounted for one in every 13 e-mails being sent.

The worm infected computers running the Windows operating system, but was not designed to infect Apple Macs.

"It seems likely that Macs will continue to be the safer place for computer users for some time to come," said Mr Cluley. "[That is] something that home users may wish to consider if they're deliberating about the next computer they should purchase," he added.

Earlier this year, a security flaw in the way that Macs downloaded files was identified; while three concept viruses and a worm written specifically for Apple computers were also discovered.
The viruses were never released into the "wild" and posed little security threat.

From isn at c4i.org Thu Jul 6 01:21:04 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 6 Jul 2006 00:21:04 -0500 (CDT)
Subject: [ISN] Nmap Hackers Pick Top 100 Security Tools
Message-ID:

====================
This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Sherpa
http://list.windowsitpro.com/t?ctl=3094A:4FB69

Thawte
http://list.windowsitpro.com/t?ctl=3094C:4FB69

Symantec
http://list.windowsitpro.com/t?ctl=30947:4FB69
====================

1. In Focus: Nmap Hackers Pick Top 100 Security Tools

2. Security News and Features
- Recent Security Vulnerabilities
- Windows Genuine Advantage Now at a Disadvantage
- Microsoft Response to Exploit Riles Metasploit Developer
- SharePoint Antivirus Solutions

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- Share Your Security Tips

4. New and Improved
- Encryption for SOHO

====================

==== Sponsor: Sherpa ====
How will compliance regulations affect your IT infrastructure? Help design your retention and retrieval, privacy and security policies to make sure that your organization is compliant.
http://list.windowsitpro.com/t?ctl=3094A:4FB69

====================

==== 1. In Focus: Nmap Hackers Pick Top 100 Security Tools ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You've most likely heard of Nmap, the network-mapping tool developed by "Fyodor." Nmap is widely used and is a standard tool in countless security administrators' toolkits. Fyodor operates a mailing list, nmap-hackers, for general announcements, patches, and light discussion regarding Nmap. In 2000 and 2003, Fyodor surveyed the members of the mailing list to find out which security tools were their favorites.
The 2000 survey resulted in a list of the top 50 most popular security tools. The 2003 survey resulted in an expanded list of the top 75 most popular security tools. Both lists have been great resources, and many people have discovered new tools that they weren't previously aware of.

It's been three years since the last survey, and in that time lots of new security tools have come into existence, while other security tools have been updated (in some cases several times) with new features and functionality. This year, Fyodor conducted a new survey, and 3243 people responded. This latest survey resulted in an even longer list: the top 100 most popular security tools.

Although the list contains tools for several platforms, including Windows, Linux, BSD, Solaris, and Mac OS X, it's easy to figure out which tools work on which platforms because each tool description includes platform-specific icons. There are also icons that let you know whether a tool is free, whether it has a command-line interface or GUI, and whether source code is available. Another feature of the list shows you whether the tool has risen or dropped in popularity compared with the 2003 survey results.

Surprisingly, the top four tools on the current list remain unchanged in their popularity rank. Those top four tools are Nessus, Wireshark (formerly Ethereal), Snort, and Netcat. Metasploit Framework (released after the 2003 survey) is new to the list and is ranked the fifth most popular tool. Incidentally, you can read a semi-related news story, "Microsoft Response to Exploit Riles Metasploit Developer," on our Web site at the URL below.
http://list.windowsitpro.com/t?ctl=30956:4FB69

An interesting trend revealed by 2006 survey results is that wireless security is far more important to security administrators than it was three years ago, evidenced by the fact that the wireless sniffer Kismet rose from the 17th most popular tool in 2003 to 7th most popular tool in 2006.
Aircrack, originally released in mid-2004, now ranks as the 21st most popular security tool in the list. Aircrack helps crack Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) encryption, which, as you probably know, are typically used to help secure communication on WiFi networks.

Another interesting trend is that two great password-cracking tools, John the Ripper and Cain and Abel, broke into the top 10 as the 9th and 10th most popular tools respectively. John the Ripper was previously ranked #11 in 2003 and Cain and Abel was ranked #23, so the latter made quite a jump in popularity.

So that's a brief rundown of a few of the tools and trends from the list. You can of course glean even more information about security tool trends by reviewing the complete list, and you can learn about more tools that are new to the list, such as BackTrack, P0f, WebScarab, WebInspect, Core Impact, Canvas, and others. Check out the full survey results at
http://list.windowsitpro.com/t?ctl=3095B:4FB69

====================

==== Sponsor: Thawte ====

Secure Your Online Data Transfer with SSL
Increase your customers' confidence and your business by securely collecting sensitive information online. In this free white paper you'll learn about the various applications of SSL certificates and their appropriate deployment, along with details of how to test SSL on your web server.
http://list.windowsitpro.com/t?ctl=3094C:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities.
You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=3094D:4FB69

Windows Genuine Advantage Now at a Disadvantage
Microsoft's anti-piracy tool, Windows Genuine Advantage (WGA), was recently found to be regularly contacting Microsoft without informing the user that such contact was taking place. Microsoft recently modified the latest version of WGA to contact the company's servers only once every two weeks. Nevertheless, a third party has stepped in to prevent WGA from regularly contacting Microsoft's servers.
http://list.windowsitpro.com/t?ctl=30952:4FB69

Microsoft Response to Exploit Riles Metasploit Developer
A recently released exploit that takes advantage of problems in RRAS has drawn the relative ire of Microsoft and the obligatory rebuttal of a well-known security researcher.
http://list.windowsitpro.com/t?ctl=30956:4FB69

SharePoint Antivirus Solutions
Interest in SharePoint is heating up. Online SharePoint discussion groups such as those at Windows IT Pro's sister site MSD2D.com are flourishing, evidence that more and more IT pros are either working with Windows SharePoint Services or Microsoft Office SharePoint Portal Server 2003 or are investigating them. The downside of a collaboration technology like SharePoint is that it exposes an organization to security threats such as viruses. Fortunately, SharePoint-specific antivirus solutions are available and our buyer's guide can help you choose the best solution for your needs.
http://list.windowsitpro.com/t?ctl=30954:4FB69

====================

==== Resources and Events ====

Learn how to gather evidence of compliance across multiple systems and link the data to regulatory and framework control objectives. View this on-demand Web seminar today!
http://list.windowsitpro.com/t?ctl=30944:4FB69

Take an up-to-date look at secure, remote access to corporate applications and stay ahead of the curve when making decisions about near- and long-term IT infrastructure.
On-demand Web seminar.
http://list.windowsitpro.com/t?ctl=30949:4FB69

Find out what policies help or hurt in protecting your company's assets and data. View this on-demand seminar today!
http://list.windowsitpro.com/t?ctl=30948:4FB69

Gain control of your messaging data--and make your job easier--with these step-by-step instructions for complying with the law and ensuring your systems are working properly.
http://list.windowsitpro.com/t?ctl=3094B:4FB69

Are you protected company-wide against spyware, keyloggers, adware, and backdoor Trojans? Test the state of the art scanning engine that uses threat signatures from multiple sources to track down the culprits that antivirus solutions alone can't protect you against. Download your free 30 day trial of CounterSpy Enterprise today!
http://list.windowsitpro.com/t?ctl=30946:4FB69

====================

==== Featured White Paper ====

Achieve compliance in today's complex regulatory environment while managing threats to the inward- and outward-bound communications vital to your business. Adopt a best-practices approach, such as the one outlined in the international information security standard ISO/IEC 17799:2005. Download the white paper today and secure the confidentiality, availability and integrity of your corporate information!
http://list.windowsitpro.com/t?ctl=30945:4FB69

====================

==== Hot Spot ====

Learn the commonalities across multiple compliance regulations and standards to optimize your environment and save time and money.
http://list.windowsitpro.com/t?ctl=30947:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Voylent Encrypts Cell Phone Calls
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=30958:4FB69

The recently released Zfone beta encrypts voice-over-IP calls. Now you can encrypt cell phone calls too with the Voylent beta.
http://list.windowsitpro.com/t?ctl=30955:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=3095C:4FB69

Q: Is there a tool I can use to delete user profiles?

Find the answer at
http://list.windowsitpro.com/t?ctl=30953:4FB69

Security Forum Featured Thread
Security and Permission consideration
(One message in this thread)

A forum participant writes that he has a group of people (other than the Server Administrator) who are responsible for applications on various servers. Those people have been given the local administrator passwords for various servers so they can log on remotely to perform certain tasks. However, those people sometimes take actions on a server that go beyond their assigned tasks. Therefore he doesn't want those people to have full administrator privileges on the servers and wonders whether creating local accounts in the Power Users group would give them enough rights to perform their administrative tasks. Join the discussion at
http://list.windowsitpro.com/t?ctl=30943:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Discounted Offer for the Windows IT Pro Master CD
Save 50% off the Windows IT Pro Master CD! Order now and get portable, high-speed access to the entire Windows IT Pro article database on CD--a searchable library that includes every issue ever published. The newest issue also includes BONUS Windows IT Tips.
Order now and save 50%:
http://list.windowsitpro.com/t?ctl=3094E:4FB69

Save $80 off the Exchange & Outlook Administrator newsletter
Get endless solutions to help you migrate, optimize, administer, back up, recover, and secure your messaging environment. Subscribe to the Exchange & Outlook Administrator newsletter today and save $80:
http://list.windowsitpro.com/t?ctl=30950:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Encryption for SOHO
WinMagic offers MySecureDoc, a line of full-disk encryption solutions priced for the small office/home office (SOHO) user. MySecureDoc Personal Edition ($29.95) works with Windows XP/2000 and protects all data on desktops and laptops by encrypting the entire hard drive before the logon screen appears so that intruders can't bypass the encryption level. MySecureDoc Media Edition ($19.95) protects all data on removable storage devices such as USB sticks. It encrypts the entire device, not just the files and folders in use, and asks for authentication before granting access to the device. MySecureDoc Personal Edition Plus ($49.95) combines Personal Edition and Media Edition. For more information, go to
http://list.windowsitpro.com/t?ctl=3095A:4FB69

Tell Us About a Hot Product and Get a Best Buy Gift Card!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Best Buy Gift Card if we write about the product in a Windows IT Pro What's Hot column. Send your product suggestion with information about how the product has helped you to whatshot at windowsitpro.com.
====================

==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=30959:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=30951:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

From isn at c4i.org Fri Jul 7 05:29:57 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Jul 2006 04:29:57 -0500 (CDT)
Subject: [ISN] Payroll Giant Gives Scammer Personal Data of Hundreds of Thousands of Investors
Message-ID:

http://abcnews.go.com/Technology/story?id=2160425

By DAN ARNALL
ABC News
July 6, 2006

The latest corporate data breach is from a company you may never have heard of, even though one in six American workers gets paid by the firm.

Automatic Data Processing, one of the world's largest payroll service companies, confirmed to ABC News that it was swindled by a data thief looking for information on hundreds of thousands of American investors.

According to a company spokeswoman, ADP provided a scammer with personal information of investors who had purchased stock through brokerages that use ADP's investor communications services. Initial reporting indicates that these firms include a number of brand-name brokers, including Fidelity Investments and Morgan Stanley.
A Fidelity spokesman says the data breach compromised 125,000 of the 72 million active accounts at the brokerage. Morgan Stanley says 3,800 of its clients were affected.

An industry source says Bear Stearns, Citigroup and Merrill Lynch also had account data leaked in the incident. A Merrill Lynch spokesperson refused comment. Calls to Citigroup and Bear Stearns have not been returned.

A spokesperson for banking and financial services group UBS confirms that about 10,000 of its brokerage clients were among those whose data was disclosed.

In a prepared statement, ADP spokeswoman Dorothy Friedman said the data thief exploited a Securities and Exchange Commission rule that allows public companies to get names and addresses of shareholders from brokers, as long as the shareholder has not objected to the disclosure of such information. The thief impersonated a corporate officer from a public company and got ADP to send the information.

ADP refused to answer questions about its data security measures or why its existing policies did not prevent the data loss.

ADP said that the loss, which occurred between November 2005 and February 2006, resulted in the "inadvertent disclosure" of investors' names, mailing addresses and the number of shares they held in certain companies. No Social Security numbers or brokerage account numbers were disclosed.

"ADP notified federal law enforcement authorities promptly after its discovery of the problem in February 2006," said Friedman. "Shortly thereafter, ADP notified its broker clients. Law enforcement authorities are continuing to investigate the matter."

Some customers whose personal data was compromised have received a letter from ADP. The three-page letter contains a list of 60 "affected companies," including HealthSouth and Sirius Satellite Radio among many smaller corporate names.
"We have been advised that the information disclosed was not sufficient by itself to permit unauthorized access to your account, and we have no evidence that the information on the lists has been improperly used," reads the customer notification. "However, we recommend that you be alert to any unusual or unexpected contact or correspondence that you may have with the listed public companies (or with anyone else) about your holdings in these companies."

The letter then goes on to encourage affected customers to consider contacting one of the national credit bureaus to discuss getting a fraud alert service.

ADP says federal authorities are investigating the matter.

Copyright © 2006 ABC News Internet Ventures

From isn at c4i.org Fri Jul 7 05:30:08 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Jul 2006 04:30:08 -0500 (CDT)
Subject: [ISN] Computer system taken; thong panty left behind
Message-ID:

http://www.buffalonews.com/editorial/20060706/7027334.asp

The Buffalo News
7/6/2006

The owner of a Seneca Street company returning to work early Wednesday found that his computer system and accessories had been taken in a burglary, Buffalo police said.

Left behind was a pair of black thong underwear with an attached note, whose contents were not disclosed by police.

The owner of Big Bear, in the 700 block of Seneca, told police that a door had been jimmied open sometime between 7 p.m. Monday and 8:30 a.m. Wednesday and that the stolen computer system and accessories were valued at $5,000.

Big Bear, an embroidery business, employs about 40 workers, according to the company's Web site.
Copyright 1999 - 2006 - The Buffalo News

From isn at c4i.org Fri Jul 7 05:30:25 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Jul 2006 04:30:25 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-27
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-06-29 - 2006-07-06

This week: 68 advisories

========================================================================

Table of Contents:

1) Word From Secunia
2) This Week In Brief
3) This Week's Top Ten Most Read Advisories
4) Vulnerabilities Summary Listing
5) Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

A vulnerability has been reported in Apple iTunes, which can be exploited by malicious people to compromise a user's system using malicious AAC media files.

Additional details can be found in the referenced Secunia advisory.
Reference:
http://secunia.com/SA20891

--

HD Moore has discovered a vulnerability in the HTML Help ActiveX Control in Internet Explorer, which potentially can be exploited by malicious people to compromise a user's system.

References:
http://secunia.com/SA20906

--

VIRUS ALERTS:

During the past week Secunia collected 142 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA20906] Internet Explorer HTML Help ActiveX Control Memory Corruption
2. [SA20825] Internet Explorer Information Disclosure and HTA Application Execution
3. [SA20867] OpenOffice Multiple Vulnerabilities
4. [SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow
5. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability
6. [SA20891] Apple iTunes AAC File Parsing Integer Overflow Vulnerability
7. [SA20686] Microsoft Excel Repair Mode Code Execution Vulnerability
8. [SA20860] Cisco Wireless Access Point Web Management Vulnerability
9. [SA20886] Geeklog "connector.php" File Upload Vulnerability
10. [SA20877] Mac OS X Update Fixes Multiple Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA20938] iMBCContents ActiveX Control "Execute()" Insecure Method
[SA20906] Internet Explorer HTML Help ActiveX Control Memory Corruption
[SA20947] NASCAR Racing Empty UDP Datagram Denial of Service
[SA20926] Hitachi Products Cross-Site Scripting Vulnerabilities

UNIX/Linux:
[SA20964] Ubuntu update for libmms
[SA20944] Avaya Products Ethereal Vulnerabilities
[SA20937] Gentoo mpg123 Heap Overflow Vulnerability
[SA20921] libwmf Integer Overflow Vulnerability
[SA20897] SUSE update for Opera
[SA20951] Avaya Products PHP Multiple Vulnerabilities
[SA20931] Red Hat update for Squirrelmail
[SA20925] SUSE update for acroread
[SA20917] Linux Kernel SCTP Denial of Service Vulnerability
[SA20914] Debian update for kernel-source-2.6.8
[SA20913] SUSE update for OpenOffice_org
[SA20910] Red Hat update for OpenOffice.org
[SA20899] SUSE Updates for Multiple Packages
[SA20895] rPath update for mutt
[SA20894] HP Tru64 UNIX and HP Internet Express Perl Vulnerability
[SA20893] Debian update for openoffice.org
[SA20900] Gentoo update for kiax
[SA20963] ppp setuid Security Issue
[SA20902] Efone "config.inc" Information Disclosure Security Issue
[SA20967] Ubuntu update for ppp
[SA20966] Ubuntu update for shadow
[SA20950] shadow setuid Vulnerability
[SA20934] HP-UX mkdir Unspecified Unauthorized Access Vulnerability
[SA20890] SUSE update for kdebase3-kdm
[SA20939] phpSysInfo "lng" Parameter File Detection Weakness

Other:
[SA20896] Siemens Speedstream 2624 Password Protection Bypass

Cross Platform:
[SA20949] Mambo Galleria Module "mosConfig_absolute_path" File Inclusion
[SA20923] SiteBuilder-FX "admindir" Parameter File Inclusion Vulnerability
[SA20922] phpFormGenerator File Upload Vulnerability
[SA20891] Apple iTunes AAC File Parsing Integer Overflow Vulnerability
[SA20961] Icculus.org Quake 3 Engine CS_ITEMS Buffer Overflow
[SA20957] Glendown Shopping Cart Script Insertion Vulnerabilities
[SA20955] BLOG:CMS URL Parameter SQL Injection
[SA20946] Quake 3 Buffer Overflow Vulnerabilities
[SA20945] Foros "inc/config.inc" Information Disclosure Security Issue
[SA20936] Vincent LECLERCQ News Cross-Site Scripting and SQL Injection
[SA20933] Buddy Zone Script Insertion and SQL Injection
[SA20932] mAds Cross-Site Scripting and Script Insertion
[SA20927] DZCP "id" Parameter SQL Injection Vulnerability
[SA20920] Drupal Form_mail Module Mail Header Injection Vulnerability
[SA20915] MyNewsGroups "grp_id" SQL Injection Vulnerability
[SA20911] StarOffice / StarSuite Multiple Vulnerabilities
[SA20908] BXCP "where" Parameter SQL Injection Vulnerability
[SA20901] FineShop Cross-Site Scripting and SQL Injection
[SA20892] Webmin / Usermin Arbitrary File Disclosure Vulnerability
[SA20959] PHPMailList "email" Cross-Site Scripting Vulnerability
[SA20952] TTCalc Multiple Cross-Site Scripting Vulnerabilities
[SA20943] NewsPHP Cross-Site Scripting Vulnerabilities
[SA20941] ATutor Cross-Site Scripting Vulnerabilities
[SA20935] PHPWebGallery "keyword" Cross-Site Scripting Vulnerability
[SA20930] Invision Power Board Cross-Site Scripting and Security Bypass
[SA20929] AutoRank PHP "Keyword" Cross-Site Scripting Vulnerability
[SA20924] ky2help "Meine Links" SQL Injection Vulnerability
[SA20918] Kamikaze-qscm "config.inc" Information Disclosure Security Issue
[SA20916] the banner engine Multiple Cross-Site Scripting Vulnerabilities
[SA20912] Taskjitsu Task Script Insertion Vulnerabilities
[SA20909] MoniWiki "wiki.php" Cross-Site Scripting Vulnerability
[SA20907] phpMyAdmin "table" Parameter Cross-Site Scripting
[SA20905] CommuniGate Pro POP Service Empty Inbox Denial of Service
[SA20904] PHP-Fusion Image Script Insertion Vulnerability
[SA20903] AutoRank Pro "Username" Cross-Site Scripting Vulnerability
[SA20898] Nuked-Klan Blocks Management Cross-Site Request Forgery
[SA20919] Sun Java System Messaging Server Arbitrary File Disclosure
[SA20928] WordPress "paged" Disclosure of Table Prefix Weakness

========================================================================

5) Vulnerabilities Content Listing

Windows:
--

[SA20938] iMBCContents ActiveX Control "Execute()" Insecure Method

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-07-05

Gyu Tae Park has discovered a vulnerability in the iMBCContents ActiveX control, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20938/

--

[SA20906] Internet Explorer HTML Help ActiveX Control Memory Corruption

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-07-04

HD Moore has discovered a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20906/

--

[SA20947] NASCAR Racing Empty UDP Datagram Denial of Service

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-07-03

Luigi Auriemma has reported a vulnerability in NASCAR Racing, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20947/

--

[SA20926] Hitachi Products Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-05

Some vulnerabilities have been reported in various Hitachi products, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20926/

UNIX/Linux:
--

[SA20964] Ubuntu update for libmms

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-07-06

Ubuntu has issued an update for libmms. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20964/

--

[SA20944] Avaya Products Ethereal Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-07-03

Avaya has acknowledged some vulnerabilities in ethereal included in various Avaya products, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20944/

--

[SA20937] Gentoo mpg123 Heap Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-07-04

Horst Schirmeier has reported a vulnerability in Gentoo's mpg123 package, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20937/

--

[SA20921] libwmf Integer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-07-03

infamous41md has reported a vulnerability in libwmf, which potentially can be exploited by malicious people to compromise an application using the vulnerable library.

Full Advisory:
http://secunia.com/advisories/20921/

--

[SA20897] SUSE update for Opera

Critical: Highly critical
Where: From remote
Impact: Spoofing, DoS, System access
Released: 2006-07-04

SUSE has issued an update for Opera. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system or to display the SSL certificate from a trusted site on an untrusted site.
Full Advisory:
http://secunia.com/advisories/20897/

--

[SA20951] Avaya Products PHP Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information, DoS, System access
Released: 2006-07-06

Avaya has acknowledged some vulnerabilities in PHP included in various Avaya products, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system, and by malicious people to conduct cross-site scripting attacks, to gain knowledge of potentially sensitive information, and to use PHP as an open mail relay.

Full Advisory:
http://secunia.com/advisories/20951/

--

[SA20931] Red Hat update for Squirrelmail

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-07-04

Red Hat has issued an update for Squirrelmail. This fixes a vulnerability, which can be exploited by malicious people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/20931/

--

[SA20925] SUSE update for acroread

Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-07-05

SUSE has issued an update for acroread. This fixes some vulnerabilities with unknown impacts.

Full Advisory:
http://secunia.com/advisories/20925/

--

[SA20917] Linux Kernel SCTP Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-07-03

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20917/

--

[SA20914] Debian update for kernel-source-2.6.8

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access
Released: 2006-07-04

Debian has issued an update for kernel-source-2.6.8.
This fixes some vulnerabilities and weaknesses, which can be exploited to bypass certain security restrictions, disclose potentially sensitive information, and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20914/

--

[SA20913] SUSE update for OpenOffice_org

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-07-04

SUSE has issued an update for OpenOffice_org. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20913/

--

[SA20910] Red Hat update for OpenOffice.org

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-07-04

Red Hat has issued an update for OpenOffice.org. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20910/

--

[SA20899] SUSE Updates for Multiple Packages

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Privilege escalation, DoS, System access
Released: 2006-07-03

SUSE has issued updates for multiple packages. These fix some vulnerabilities and security issues, which can be exploited by malicious, local users to perform certain actions with escalated privileges, and by malicious people to cause a DoS (Denial of Service), bypass certain security restrictions, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20899/

--

[SA20895] rPath update for mutt

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-30

rPath has released an update for mutt. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20895/

--

[SA20894] HP Tru64 UNIX and HP Internet Express Perl Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-30

HP has acknowledged a vulnerability in HP Tru64 UNIX and HP Internet Express running Perl, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable Perl application.

Full Advisory:
http://secunia.com/advisories/20894/

--

[SA20893] Debian update for openoffice.org

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-30

Debian has issued an update for openoffice.org. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20893/

--

[SA20900] Gentoo update for kiax

Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-07-03

Gentoo has issued an update for kiax. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20900/

--

[SA20963] ppp setuid Security Issue

Critical: Moderately critical
Where: Local system
Impact: Privilege escalation
Released: 2006-07-06

Marcus Meissner discovered a vulnerability in the winbind plugin of ppp, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20963/

--

[SA20902] Efone "config.inc" Information Disclosure Security Issue

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-07-04

DarkFig has discovered a security issue in Efone, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20902/

--
[SA20967] Ubuntu update for ppp
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-07-06
Ubuntu has issued an update for ppp. This fixes a vulnerability, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/20967/

--
[SA20966] Ubuntu update for shadow
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-07-06
Ubuntu has issued an update for shadow. This fixes a vulnerability, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/20966/

--
[SA20950] shadow setuid Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-07-06
Ilja van Sprundel reported a vulnerability in the passwd application of shadow, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/20950/

--
[SA20934] HP-UX mkdir Unspecified Unauthorized Access Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-07-03
A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20934/

--
[SA20890] SUSE update for kdebase3-kdm
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-07-04
SUSE has issued an update for kdebase3-kdm. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/20890/

--
[SA20939] phpSysInfo "lng" Parameter File Detection Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2006-07-05
Micheal Turner has discovered a weakness in phpSysInfo, which can be exploited by malicious people to detect files on the server.
Full Advisory: http://secunia.com/advisories/20939/

Other:
--
[SA20896] Siemens Speedstream 2624 Password Protection Bypass
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-06-30
Jaime Blasco has reported a vulnerability in Siemens Speedstream 2624, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20896/

Cross Platform:
--
[SA20949] Mambo Galleria Module "mosConfig_absolute_path" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-07-05
ineal has discovered a vulnerability in the Galleria module for Mambo, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20949/

--
[SA20923] SiteBuilder-FX "admindir" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-07-03
MazaGi has discovered a vulnerability in SiteBuilder-FX, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20923/

--
[SA20922] phpFormGenerator File Upload Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-07-03
Donnie Werner has discovered a vulnerability in phpFormGenerator, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20922/

--
[SA20891] Apple iTunes AAC File Parsing Integer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-30
A vulnerability has been reported in Apple iTunes, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20891/

--
[SA20961] Icculus.org Quake 3 Engine CS_ITEMS Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-07-06
A vulnerability has been reported in the Icculus.org Quake 3 Engine, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20961/

--
[SA20957] Glendown Shopping Cart Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-06
luny has discovered two vulnerabilities in Glendown Shopping Cart, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20957/

--
[SA20955] BLOG:CMS URL Parameter SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-07-06
Ellipsis Security has discovered a vulnerability and a security issue in BLOG:CMS, which can be exploited by malicious people to bypass certain security restrictions and to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20955/

--
[SA20946] Quake 3 Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-07-04
RunningBon has reported two vulnerabilities in the Quake 3 Engine, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20946/

--
[SA20945] Foros "inc/config.inc" Information Disclosure Security Issue
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-07-04
DarkFig has reported a security issue in Foros, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20945/

--
[SA20936] Vincent LECLERCQ News Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-07-03
DarkFig has reported some vulnerabilities in Vincent LECLERCQ News, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20936/

--
[SA20933] Buddy Zone Script Insertion and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-07-03
luny has reported some vulnerabilities in Buddy Zone, which can be exploited by malicious users to conduct script insertion and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20933/

--
[SA20932] mAds Cross-Site Scripting and Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-03
Luny has reported two vulnerabilities in mAds, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/20932/

--
[SA20927] DZCP "id" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-07-03
x128 has discovered a vulnerability in DZCP, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20927/

--
[SA20920] Drupal Form_mail Module Mail Header Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-07-05
A vulnerability has been reported in the Form_mail module for Drupal, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20920/

--
[SA20915] MyNewsGroups "grp_id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-07-03
CrAzY CrAcKeR has discovered a vulnerability in MyNewsGroups, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20915/

--
[SA20911] StarOffice / StarSuite Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-07-03
Three vulnerabilities have been reported in StarOffice, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20911/

--
[SA20908] BXCP "where" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-07-03
x23 has discovered a vulnerability in BXCP, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20908/

--
[SA20901] FineShop Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-30
r0t has reported some vulnerabilities in Fineshop, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20901/

--
[SA20892] Webmin / Usermin Arbitrary File Disclosure Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2006-06-30
A vulnerability has been reported in Webmin and Usermin, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20892/

--
[SA20959] PHPMailList "email" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-06
Lostmon has discovered a vulnerability in PHPMailList, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20959/

--
[SA20952] TTCalc Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-06
luny has discovered some vulnerabilities in TTCalc, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20952/

--
[SA20943] NewsPHP Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-03
Ellipsis Security has reported two vulnerabilities in NewsPHP, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20943/

--
[SA20941] ATutor Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-06
Security News has discovered some vulnerabilities in ATutor, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20941/

--
[SA20935] PHPWebGallery "keyword" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-05
The Moroccan Security Research Team reported a vulnerability in PHPWebGallery, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20935/

--
[SA20930] Invision Power Board Cross-Site Scripting and Security Bypass
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2006-07-03
Two vulnerabilities have been reported in Invision Power Board, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20930/

--
[SA20929] AutoRank PHP "Keyword" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-04
David "Aesthetico" Vieira-Kurz has reported a vulnerability in AutoRank PHP, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20929/

--
[SA20924] ky2help "Meine Links" SQL Injection Vulnerability
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-07-06
Marc Ruef has reported a vulnerability in ky2help, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20924/

--
[SA20918] Kamikaze-qscm "config.inc" Information Disclosure Security Issue
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-07-04
DarkFig has discovered a security issue in Kamikaze-qscm, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20918/

--
[SA20916] the banner engine Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-04
Ellipsis Security has reported some vulnerabilities in the banner engine, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20916/

--
[SA20912] Taskjitsu Task Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-04
Two vulnerabilities have been reported in Taskjitsu, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20912/

--
[SA20909] MoniWiki "wiki.php" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-03
Kil13r has reported a vulnerability in MoniWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20909/

--
[SA20907] phpMyAdmin "table" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-03
Security News has reported a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20907/

--
[SA20905] CommuniGate Pro POP Service Empty Inbox Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-07-03
A vulnerability has been reported in CommuniGate Pro, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20905/

--
[SA20904] PHP-Fusion Image Script Insertion Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-04
ZeberuS and Redworm have reported a vulnerability in PHP-Fusion, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20904/

--
[SA20903] AutoRank Pro "Username" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-07-04
David "Aesthetico" Vieira-Kurz has reported a vulnerability in AutoRank Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20903/

--
[SA20898] Nuked-Klan Blocks Management Cross-Site Request Forgery
Critical: Less critical
Where: From remote
Impact: Hijacking
Released: 2006-06-30
Blwood has discovered a vulnerability in Nuked-Klan, which can be exploited by malicious people to conduct cross-site request forgery attacks.
Full Advisory: http://secunia.com/advisories/20898/

--
[SA20919] Sun Java System Messaging Server Arbitrary File Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-07-03
php0t has reported a vulnerability in Sun Java System Messaging Server / iPlanet Messaging Server, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20919/

--
[SA20928] WordPress "paged" Disclosure of Table Prefix Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2006-07-04
zero has discovered a weakness in WordPress, which can be exploited by malicious people to disclose system information.
Full Advisory: http://secunia.com/advisories/20928/

========================================================================

Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Jul 7 05:30:37 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Jul 2006 04:30:37 -0500 (CDT)
Subject: [ISN] July to be another big patch month for Microsoft
Message-ID:

http://www.networkworld.com/news/2006/070606-july-to-be-another-big.html

By Robert McMillan
IDG News Service
07/06/06

With online attackers taking advantage of holes in its Office software, Microsoft plans to release seven software patches next week.

Four of the updates will fix bugs in Windows, while another three will address flaws in Microsoft Office, Microsoft said Thursday in a bulletin on its Web site. Both sets of patches will address critical flaws, which attackers could exploit to run unauthorized code on a PC without any user action.

The patches will be released on July 11 as part of Microsoft's regularly scheduled monthly security updates. Microsoft's advance note on the updates can be found here.

The new software will likely fix a number of publicly reported vulnerabilities in Office, some of which concern Excel, said Gunter Ollmann, director of Internet Security Systems' X-Force threat analysis service.
Last month, Microsoft confirmed that it was investigating three issues that relate to Office, following reports that hackers had launched a targeted attack, against an unnamed government contractor, that took advantage of a bug in its Excel spreadsheet software.

Two of the bugs could be used to compromise a PC, but they would first require user action like opening a malicious document and clicking on hyperlinks. The third appears to be less critical, but it could be used to run an unauthorized ActiveX control, Microsoft said.

On Thursday another bug was added to the mix with security vendor Secunia warning of a flaw affecting Asian language versions of Excel. As with the other bugs, victims would need to be tricked into doing a little work before compromising their systems, but if this were to happen, attackers could run their malicious software on the PC, Secunia said. More details on this latest flaw can be found here.

The seven patches may keep system administrators busy next week, but not as busy as they were in June. Last month Microsoft released 12 security updates.

The IDG News Service is a Network World affiliate.

From isn at c4i.org Fri Jul 7 05:30:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Jul 2006 04:30:56 -0500 (CDT)
Subject: [ISN] Computer hacker will be extradited to US, rules Home Office
Message-ID:

http://news.scotsman.com/scotland.cfm?id=990732006

By AURA SABADUS
7 July 2006

A SCOT accused of the "biggest military hack of all time" will be extradited to the United States, the Home Office confirmed last night.

Gary McKinnon, originally from Glasgow, faces more than 50 years in prison if convicted in the US of sabotaging vital defence systems, including networks owned by NASA and the country's army, navy and air force.

The 40-year-old has two weeks to appeal the order, which was approved by John Reid, the Home Secretary, on Tuesday.
A judge ruled in May that McKinnon, who has been indicted in New Jersey and northern Virginia, should be sent to the US to face trial. However, the decision required Mr Reid's authorisation.

McKinnon allegedly accessed a network of 300 computers at the Earle Naval Weapons Station in New Jersey. US estimates claim the costs of tracking and correcting the problems he allegedly caused were around $700,000 (£400,000).

McKinnon last night said he was planning to appeal the decision. He added: "I am very worried and feeling very let down by my own government."

McKinnon is accused of hacking into 97 United States military and NASA computers between 2001 and 2002.

Lawyers for McKinnon had argued he could even be sent to Guantanamo Bay as a terrorist suspect - despite claiming to have only accessed Pentagon computers looking for information about UFOs. He has claimed that he was not a malicious hacker bent on bringing down US military systems, but rather more of a "bumbling computer nerd".

But the former hairdresser lost the first round of his battle against extradition in May, when District Judge Nicholas Evans at Bow Street Magistrates' Court dismissed these objections as "fanciful".

Speaking after that hearing, McKinnon vowed to continue resisting attempts to remove him from the country. He portrayed himself as an amateur hacker who used a dial-up modem to access sensitive government networks from his bedroom in Wood Green, north London.

He said: "I was amazed at the lack of security and the reason I left not just one note but multiple notes on multiple desktops was to say: look, this is ridiculous. My intention was never to disrupt security."

Among the most serious charges are that McKinnon deleted system files and logs at the New Jersey naval base in the immediate aftermath of the 11 September, 2001, attacks, rendering its entire network of more than 300 computers inoperable.
After the hearing in May, McKinnon said he "regretted" his actions but insisted he had been motivated only by curiosity and had not caused any damage.

Solo, as he was known online, was originally arrested under the Computer Misuse Act by the UK National Hi-Tech Crime Unit in 2002. However, he was never charged in Britain.

* The Conservatives yesterday issued an appeal for the "NatWest Three" to be tried in Britain rather than being sent to the US to face American justice over their alleged role in an Enron fraud.

The party's legal affairs spokesman Dominic Grieve wrote to Attorney General Lord Goldsmith warning that the threatened extradition of the three bankers risked bringing the criminal justice system into disrepute.

David Bermingham, Gary Mulgrew, the son of Labour MSP Trish Godman, and Giles Darby are accused of an £11 million fraud in which their former employers NatWest were advised to sell part of an Enron company for less than it was worth.

The three men deny any criminal conduct and have always insisted that if there was a case against them it should be tried in England because that is where they live and where the alleged offences took place.

From isn at c4i.org Fri Jul 7 05:31:17 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Jul 2006 04:31:17 -0500 (CDT)
Subject: [ISN] Malware targets security research tool
Message-ID:

http://www.theregister.co.uk/2006/07/06/gattmann_virus/

By John Leyden
6th July 2006

Virus writers have created a proof-of-concept virus, dubbed Gattman, that targets an analysis tool widely used by anti-virus researchers.

Only the most inept anti-virus researchers are likely to become infected, according to one expert, so the interest in the malware is its curiosity value rather than any threat it poses, which is virtually nil.
Gattman spreads using a program called Interactive Disassembler Pro (IDA), a popular reverse engineering tool from Data Rescue, widely used in anti-virus research labs, which converts machine code inside program files into a human-readable source code format. The tool allows the behaviour of code to be analysed.

The malware infects the scripting language used by IDA, elements of which are sometimes shared between researchers during joint analysis efforts, to create a Windows executable file. This executable searches out new IDC files to create a new executable file. Gattman is programmed only to spread and doesn't feature any malicious payload.

Gotcha

The exchange of executable files is strictly controlled in anything approaching professionally-run security labs. Carole Theriault, senior security consultant at UK-based anti-virus firm Sophos, said the authors of Gattman were presumably hoping to embarrass incautious researchers by spreading a virus using the very tools of their trade.

"The virus shows some technical knowledge. It was probably written in an attempt to embarrass anti-virus firms but it's unlikely to spread except among researchers - or more likely malware authors - who are both curious and careless," Theriault told El Reg. "The approach taken by the virus to spread is rather odd."

Gattman is a polymorphic virus, which means it alters its appearance as it spreads, a technique that has fallen out of favour in recent times. Both the IDC and EXE parts of this virus can change their form as they replicate. The changes in EXE files generated by Gattman use file-morphing utilities on each infected PC. Such utilities are often found on the PCs of malware researchers but uncommon more generally.
From isn at c4i.org Fri Jul 7 05:31:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Jul 2006 04:31:56 -0500 (CDT)
Subject: [ISN] UT notifying employees of computer hacker
Message-ID:

http://www.tfponline.com/absolutenm/templates/breaking.aspx?articleid=2542&zoneid=41

July 06, 2006

University of Tennessee system officials are notifying around 36,000 employees and other individuals affiliated with UT that a hacker has broken into a computer that held personal information about them.

"Although we have no indication the hacker accessed or used the personal information, we are taking the precaution of notifying everyone whose information was on the database and urging them to take steps to protect themselves," said Brice Bible, assistant vice president for information technology.

"We regret that this has happened and have conducted a thorough investigation. Every precaution is being taken to safeguard security, including a thorough review of file storing and sharing and strengthening security measures in the affected area," Mr. Bible said.

Officials said the hacker's activities occurred during a nine-month period from August 2005 to May 2006.

UT has set up a toll-free hotline to help answer questions for affected persons. That number is (866) 748-1680. The help line will be operational Monday through Friday from 8 a.m. to 6 p.m. EST, starting July 7.

Persons affected by the security breach can find more information at UT's Information Security Office Web site, http://security.tennessee.edu.

Copyright ©2006, Chattanooga Publishing Company

From isn at c4i.org Fri Jul 7 05:32:11 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 7 Jul 2006 04:32:11 -0500 (CDT)
Subject: [ISN] A new beginning for InfoSec News
Message-ID:

It was on or about July 26th of 2001 that InfoSec News made the move to Attrition.org after being dumped by our last list provider for trying to be honest.
Since then, through thick and thin, Jericho and the merry denizens of Attrition.org have helped InfoSec News grow to become one of the largest, oldest and hopefully most trusted daily information security lists on the Internet.

Hosting on Attrition.org was really supposed to be a temporary measure, at least until we got our act together and started hosting ISN on our own. Now, nearly five years later, we're finally ready to host InfoSec News on our own server, with an RSS feed, list archives, and plenty of room for hosting additional security lists and services.

So this will be the last mailing of InfoSec News on Attrition.org, and starting 7/10/2006, ISN will be posting from infosecnews.org. On Monday we'll also roll out the new website; you may need to add the new address (isn [at] infosecnews [dot] org) to whitelists, procmail recipes or other filters.

Thank you for all of your support!

Sincerely,

William Knowles
Editor
InfoSec News
wk [at] infosecnews [dot] org