From isn at c4i.org Thu Jun 1 01:47:27 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:27 -0500 (CDT)
Subject: [ISN] ACSAC 22 (Miami Beach, FL) - June 10 - extended deadline
Message-ID:

Forwarded from: ACSAC Distribution Manager

Dear colleague,

We are extending the submission deadlines for the technical track, panels, tutorials and workshop until June 10, 2006. Apologies if you receive multiple copies of this announcement.

PDF versions at
http://www.acsac.org/2006/cfp_2006.pdf
http://www.acsac.org/2006/cfp_2006-a4.pdf

---------------------------
Call For Participation
---------------------------

Submission deadline approaching!

22nd Annual Computer Security Applications Conference
December 11-15, 2006
Miami Beach, Florida
http://www.acsac.org

                     Submission Deadline   Acceptance Notification
Technical Track      June 10, 2006         Aug. 13, 2006
Panels               June 10, 2006         Aug. 13, 2006
Tutorials            June 10, 2006         Jul. 20, 2006
Workshop             June 10, 2006         Jul. 20, 2006
Case Studies         July 1, 2006          Aug. 15, 2006
Works in Progress    Sep. 8, 2006          Oct. 1, 2006

See http://www.acsac.org/cfp for detailed submission information!
Please submit blinded papers, at most 10 pages in length at 10pt.

---------------------------------------------------------------------------
ACSAC is presented by a group of professionals who are working to facilitate information sharing among colleagues. We're an all-volunteer not-for-profit organization. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.

You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at http://www.acsac.org/list.

We have moved to a new web host and are trying to remove duplicates from our mailing lists. If you receive duplicate messages, or simply want to be removed from our list, please reply with the word REMOVE in the subject.
From isn at c4i.org Thu Jun 1 01:47:38 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:38 -0500 (CDT)
Subject: [ISN] Computer hacker to appeal sentence
Message-ID:

http://tvnz.co.nz/view/page/411749/735744

Jun 1, 2006

A computer hacker is to appeal against his prison sentence for internet fraud, saying it is too severe.

Aucklander Mark Hayes, 19, was sentenced last Friday in the District Court in Auckland to two years six months in prison after pleading guilty to more than 100 computer-related offenses and around $38,000 worth of fraud.

In sentencing, the Judge called Hayes a "serious recidivist computer criminal" for his offending in 2004 and reoffending while on bail in 2005.

Hayes' lawyer Peter Kaye says his client feels his sentence is too high for a person of his age and circumstances. Hayes is not eligible to apply for home detention.

The Crown Solicitor for Auckland last week described the sentence as "substantial." Crown Solicitor Simon Moore said such offending would normally draw a jail term of three months at the most but the judge wanted to send a clear message about the seriousness of hacking.

The court heard that in 2004, Hayes used a "keystroke logger" hacking device to access the login password details of TradeMe account holders. He used their accounts to buy $18,500 worth of computer and clothing goods, paying for them with other peoples' money whose bank account details he had also hacked into.

Hayes pleaded guilty. He then appeared before the court again for similar offending in 2005, again using a "keystroke logger" to get bank account details. He took around $20,000.

In sentencing, Judge David Harvey called Hayes a "serious recidivist computer criminal", ordering a jail sentence of 30 months and the repayment of around $18,000.
From isn at c4i.org Thu Jun 1 01:47:15 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:15 -0500 (CDT)
Subject: [ISN] Security a bridge too far
Message-ID:

http://www.thesun.co.uk/article/0,,2-2006250101,00.html

By ALEX PEAKE
May 31, 2006

THE Sun yesterday exposed security at Britain's biggest naval base as a shambles after strolling unchallenged on to the bridge of a WARSHIP.

Our reporter walked through two checkpoints at Plymouth's HM Devonport - brandishing a worker's lost photo ID - before spending an hour on board the Navy's 21,578-ton flagship HMS Ocean.

Posing as a cleaner, he strolled around the deck of the giant vessel - even pausing to flick through its log books and sip tea in the galley.

Furious Royal Navy chiefs launched TWO probes last night as it emerged most of the ship's 500-strong company were on board.

The base is surrounded by a 9ft perimeter fence and guarded by security staff and scores of military police officers with alsatians.

But yesterday, armed with just workmen's overalls and the lost pass - handed to us by a concerned reader - our man gained entry after flashing the ID card over 20 yards from guards. They waved him through and even wished him "good morning".

Yet had we been terrorists, we could have caused carnage.

Within minutes our man found the quay where HMS Ocean, the Navy's largest ship, is moored for maintenance.

As ship workers and sailors filed up the gangplank, we followed them on to the warship, designed to hold 18 attack helicopters and an army of highly-trained commandos.

Two machine gun-carrying marines were checking passes. But again our man held his finger over the real workman's picture and marched in.

Once at the heart of the ship - which is on 24 hours' notice to sail anywhere in the world if a crisis breaks - he was directed by one unwitting worker to the bridge and nerve centre.
He toured the area with video gear for 15 minutes before moving to a walkway, where photographer Marc Giddings snapped him from a road.

Our reporter also saw the engine room, living quarters and anchor room. Only one sailor asked what he was doing, but he returned to hoisting a flag when told our man was a cleaner.

We finally left the ship, praised for leading the Marines' 2003 invasion of southern Iraq, and left the base as easily as we walked in.

A Navy spokesman said: "We take all breaches of security very seriously. A full investigation by the ship and the naval base has commenced."

From isn at c4i.org Thu Jun 1 01:47:51 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:51 -0500 (CDT)
Subject: [ISN] Employees may be opening doors to criminals
Message-ID:

http://news.ft.com/cms/s/458807fe-efec-11da-b80e-0000779e2340,dwp_uuid=863bb51c-1f76-11da-853a-00000e2511c8.html

By Kate Mackenzie
May 30 2006

Holding a security door open for someone laden with cups of coffee or a big stack of documents may seem the polite thing to do. But you may have fallen for a classic trick deployed by hackers.

The person might have been smartly dressed and looked legitimate, but that is a key part of the deception of "social engineering", which uses simple, everyday situations to deceive individuals into giving out physical or technical access to facilities that can be a mine of valuable information.

Whether getting into a building, eliciting a password over the telephone or persuading a phishing victim to e-mail their banking details, "social engineering" is responsible for more than half of security breaches, and some estimates claim the proportion is as high as 90 per cent.

Deploying a powerful firewall or maintaining up-to-date software patches on thousands of desktop machines is easy compared with raising employees' awareness of their own risky behaviour.
Last year, for example, three call centre staff at Mphasis, an Indian outsourcer, tricked several Citibank customers into revealing their Pin numbers and then stole hundreds of thousands of dollars, in an incident that rocked the outsourcing industry.

Bob Blakley, chief scientist for security and privacy at IBM's Tivoli division, says it is partly because there is no "standard set of social behaviours" for tasks such as resetting a password over the phone, so many people are easily persuaded to go along with risky procedures.

The problem is worsening, as hacking attempts and malware are increasingly used by organised criminals, rather than fame-hungry or curious geeks.

Despite a consensus that it is always people who are the weakest point in any security system, workplace prevention tactics are often neglected or relegated to a set of acceptable use policies that are largely ignored by staff.

By contrast, meticulous and detailed documents on the dishonest use of "social engineering" techniques are easily available on the internet.

One such document details a vast number of techniques, ranging from "dumpster diving" to shoulder surfing - looking over someone's shoulder as they key in a password or Pin - to "conformity": for example, telling the target that everyone else has given out their password over the phone. Appealing to people's better nature by phoning up and pretending to be an out-of-town colleague who urgently needs to access the network is another.

In spite of all the experimentation and refinement of techniques to persuade and confuse potential "social engineering" targets, the security industry's response is almost exclusively focused on technology rather than psychology.

What can be done about it? The first thing is to take a wider view of security, says Jan Babiak, Head of Information Security at Ernst & Young. "For example in certain countries, you have a very good chance of kidnapping senior executives.
The physical security [team] take enormous precautions, but the IT people might have left something like a calendar somewhere where it's easy to hack into."

Cisco, meanwhile, urges executives to create a "top-down" culture of security awareness instead of palming off all security to a separate team.

Dave Shackleford, the director of security solutions and assessment services at Vigilar, a US security consultancy, says that executives are often the softest target for "social engineering" experiments. They tend to think they are "above the law" and have access to high level information. They are also used to associating with other top-level people, says Shackleford, so their trust levels are higher.

Mr Shackleford frequently puts clients' security defences to the test by, for example, photographing staff IDs with a telephoto lens to copy them. No attempted physical test undertaken by Vigilar has failed, he says.

Mr Shackleford says companies need policies in place: "If they don't have explicit policies laid out for their employees, then they may not know any better."

Vigilar's clients act on the information gleaned from the tests in different ways, but punishing employees who fell for a "social engineering" trick is not usually one of them. "It's human nature to be helpful," says Mr Shackleford. Instead, they tend to respond by improving training and awareness procedures.

Some of Mr Shackleford's techniques are frighteningly simple: "Just phoning someone's extension can reveal if they are out of town, for example, and for how long."

Robert Chapman, chief executive of The Training Camp, which runs security awareness courses for non-IT staff, says: "All the talk and all the money really is on technology. People in a sense brag about how much they spent on their Cisco firewalls." But they overlook the obvious weaknesses.
His company recently ran the well-publicised "CD test" in London in which 100 CDs were handed out to workers in the City, promising a free Valentine's Day gift if they installed it. Once installed, the CD reported back to Chapman; he says the majority of recipients did so.

Bruce Schneier, the cryptographer who also works as a security consultant, is not so sure. He believes technical security must take into account behaviours, but does not believe "social engineering" can be adequately guarded against by training: "Have you ever met a user?" he replies when asked about efforts to improve staff awareness.

Technology, Mr Schneier says, must be more tailored to each user's needs and risk levels. Does a typical office worker, for example, need to have access to a USB port or even a CD drive?

"This is not just a 'get some guys on and solve it' problem," says Schneier. "It's like murder, burglary - all of these things, they've been around for ever."

From isn at c4i.org Thu Jun 1 01:48:50 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:48:50 -0500 (CDT)
Subject: [ISN] Police close file sharing site
Message-ID:

http://www.thelocal.se/article.php?ID=3955&date=20060531

By James Savage
31st May 2006

Police have closed down The Pirate Bay, a Sweden-based file sharing site and one of the most popular websites of its kind in the world. Three people were taken in for questioning after police raids in Sweden on Wednesday.

The trio, ages 22, 24 and 28, are suspected of violating property rights legislation, police spokesman Ulf Göranzon said.

Servers connected to the site have been impounded and the site was down on Wednesday afternoon, although the operators of The Pirate Bay have set up a temporary website to provide updates on the situation.

Some fifty policemen and women were involved in raids on ten homes and offices in Sweden. The three men taken in by police were still being questioned on Wednesday afternoon. They all have links to The Pirate Bay.
Prosecutors will decide whether to detain the men after they have been questioned.

"The suspects are not people who download files, but are people who have relations to the website," Ulf Göranzon told The Local. He would not reveal anything more about the roles that the men played.

Police have been monitoring the website and the men behind it for some time. Computers were taken during raids on the men's homes and offices to secure evidence.

"We are now going to look at how the operation is structured," Göranzon said. "At the moment we are talking to lots of people about this case. We are still at a very early stage in our investigations," he said. He would not reveal whether police had their eyes on further suspects.

Henrik Pontén, lawyer at Antipiratbyrån (The Anti-Pirate Bureau) in Stockholm, welcomed the move to close down the site.

"It is good that the Swedish police are now prioritising this kind of crime. The copyright laws finance creativity within film, computer gaming, music and other culture," said Pontén.

"People who break copyright laws steal from the creators and movie-watching public of the future. The closure of The Pirate Bay is therefore good for all of us who enjoy new film and entertainment."

But Tobias Andersson at pressure group Piratbyrån (The Pirate Bureau), which founded The Pirate Bay, stressed that there was no copyright-protected material on the servers.

"The Anti-Pirate Bureau has clearly misled the police in this case," said Andersson. "They appear to have persuaded police who are incompetent in IT that the servers in question are full of copyright-protected material. This is a gross misuse of taxpayers' money."

Andersson also condemned the fact that police had closed down a number of other websites, including The Pirate Bureau, which he says is no longer officially linked to the Pirate Bay.

"This is the greatest infringement. The Anti-Pirate Bureau has clearly fooled the police into closing down its antagonists, The Pirate Bureau."
"We are very upset that the film industry doesn't dare to have a debate, and chooses instead to trick politicians and the police into criminalizing their opponents and a large portion of the Swedish population." The Pirate Bay is a BitTorrent tracker, which enables people to download large files such as movies from other users. From isn at c4i.org Fri Jun 2 01:16:58 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 2 Jun 2006 00:16:58 -0500 (CDT) Subject: [ISN] Ernst & Young laptop loss exposes 243, 000 Hotels.com customers Message-ID: http://www.theregister.co.uk/2006/06/01/ey_hotels_laptop/ By Ashlee Vance in Mountain View 1st June 2006 Exclusive - Ernst & Young's laptop loss unit continues to be one of the company's more productive divisions. We learn this week that the accounting firm lost a system containing data on 243,000 Hotels.com customers. Hotels.com joins the likes of Sun Microsystems, IBM, Cisco, BP and Nokia, which have all had their employees' data exposed by Ernst & Young, as revealed here in a series of exclusive stories. The Register can again exclusively confirm the loss of the Hotels.com customer information after having received a copy of a letter mailed out jointly by the web site and Ernst & Young. A Hotels.com spokesman also confirmed the data breach, saying Ernst & Young notified the company of the laptop loss on May 3. The laptop in question was stolen from an Ernst & Young worker's car in Texas and did have some basic data protection mechanisms such as, erm, the need for a password. "Recently, Hotels.com was informed by its outside auditor, Ernst & Young, that one of Ernst & Young's employees had his laptop computer stolen," Hotels.com told its customers in the letter. "Unfortunately, the computer contained certain information about customer transactions with Hotels.com, and other sites through which we provide booking services directly to customers, from 2002 through 2004. 
"This information may have included your name, address and some credit or debit card information you provided at that time." Ernst & Young in February lost one laptop that held information on what's believed to be tens of thousands of Sun, IBM, Cisco, BP and Nokia employees. It's not clear if this was the same system in the Hotels.com incident. Ernst & Young has not returned our calls seeking comment and has been reluctant to provide information on these incidents in the past. Ernst & Young in February also lost four laptops in Miami when its workers decided to leave their systems in a hotel conference room while they went out for lunch. Major media outlets have so far ignored the Ernst & Young laptop incidents, although they were quick to follow on our confirmation of a Fidelity data breach that saw 200,000 HP workers have their information exposed. Ernst & Young offers a variety of security services to customers, and encourages clients to be transparent with their policies around customer data issues. The company, however, has not exactly been proactive with regard to its own issues. ? From isn at c4i.org Fri Jun 2 01:17:10 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 2 Jun 2006 00:17:10 -0500 (CDT) Subject: [ISN] Cern seeks to tighten security for data grid Message-ID: http://www.vnunet.com/computing/news/2157258/cern-seeks-tighten-security Lara Williams Computing 01 Jun 2006 Cern, the world's largest particle physics laboratory and birthplace of the web, is starting a two-year project to improve security for its worldwide data grid. The European organisation for nuclear research identified that partner sites on the grid are a security concern; many are open access public institutions supporting the lab's projects. Cern tests innovative technologies in partnership with industry, and has asked security specialists Stonesoft and F-Secure to test security for the launch of the large hadron collider (LHC) project next year. 
The 27km underground particle accelerator will distribute large amounts of information onto the worldwide LHC computing grid. More than 1GB per second of data will be generated and either stored at Cern or sent to 12 major computing sites and a further 100 institutes around the world for analysis.

"The results of the security trials may provide solutions which could eventually be commercially available to other organisations," said Cern spokesman Francois Grey.

Although large data grids are only starting to be used in business, Cern is seeing a lot of interest from industry. The lab is developing grids that will reach across organisational boundaries, allowing multiple institutions to share resources.

"Businesses are now becoming interested in this kind of grid," said Grey. "Its use could enable suppliers and companies to share resources and large corporations to share information between business units. Grid technology will only be adopted if the right type of security solutions are available."

Particle collisions in the LHC will create 15 petabytes per year of data, and it is due to run for a decade. The grid will have a storage and analysis infrastructure accessed by more than 7,000 scientists worldwide.

The aim of the LHC is to simulate the events taking place one millionth of a millionth of a second after the universe was created - information that could revolutionise our understanding of how the natural world works.
From isn at c4i.org Fri Jun 2 01:16:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:16:29 -0500 (CDT)
Subject: [ISN] VA Data in Format Not Widely Used
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/05/31/AR2006053102000.html

By Christopher Lee
Washington Post Staff Writer
June 1, 2006

The sensitive personal information of 26.5 million veterans that was stolen from a Department of Veterans Affairs data analyst last month was stored in a format that could make it difficult for thieves to use, according to an internal VA memo.

In the May 5 memo, VA privacy officer Mark Whitney wrote that the critical data "may not be easily accessible" because most of it -- including names, birth dates and Social Security numbers -- was stored in a specialized, standard format used for data manipulation and statistical analysis. The format "requires specialized application software and training" to write computer code "to access and manipulate the data for use," Whitney wrote in the memo, obtained yesterday by The Washington Post.

Ari Schwartz, deputy director of the nonprofit Center for Democracy and Technology, a privacy group, said Whitney is generally right that the information would be hard to extract. It would be easier, however, if the laptop stolen along with an external hard drive and several data disks has the software needed to view the data, he said.

"This is not nearly the type of protection they would have had if they had followed basic security procedures and encrypted this," Schwartz said.

The Whitney memo, dated two days after the burglary at the analyst's Aspen Hill home and distributed to several high-ranking VA officials, provides the first public indication that some addresses and telephone numbers were among the stolen data; it refers to such information being part of electronic files of a national survey of about 20,000 veterans in 2001.
Also stolen was an electronic spreadsheet with 6,744 records about "mustard gas veterans" -- generally, veterans who took part in chemical warfare tests during World War II. Another stolen file contains as many as 10 diagnostic codes from the treatment file of one veteran who visited the VA health-care system on 57 dates.

"These types of data contain more than limited financial information, the codes contain information about veterans' medical conditions," Rep. Bob Filner (D-Calif.) said in a statement. "It is not appropriate for this information to ever enter the public domain."

Matthew Burns, a VA spokesman, said the department has been "focused on getting notification to veterans that some of the most sensitive data was out there."

Also yesterday, VA Secretary Jim Nicholson announced that he had named Richard M. Romley, a former prosecutor from Maricopa County, Ariz., as his new special adviser for information security. Romley, a Marine Corps veteran, will evaluate the department's computer security procedures and recommend improvements.

The move follows the resignation last week of Michael H. McLendon, a VA deputy assistant secretary who learned of the May 3 burglary within hours of the crime but did not immediately tell top-ranked officials. Nicholson announced Tuesday that the employee will be fired and that Dennis M. Duffy, who has been acting assistant secretary for policy and planning, had been placed on administrative leave. The employee worked in McLendon's office, and Duffy was in charge of the division in which both worked.

Nicholson learned of the information breach on May 16 and told the public on May 22, nearly three weeks after the crime.

© 2006 The Washington Post Company

From isn at c4i.org Fri Jun 2 01:16:46 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:16:46 -0500 (CDT)
Subject: [ISN] The new breed of cyber-terrorist
Message-ID:

http://news.independent.co.uk/world/science_technology/article622421.ece

By Jimmy Lee Shreeve
31 May 2006

According to cyber-security experts, the terror attacks of 11 September and 7 July could be seen as mere staging posts compared to the havoc and devastation that might be unleashed if terrorists turn their focus from the physical to the digital world.

Scott Borg, the director and chief economist of the US Cyber Consequences Unit (CCU), a Department of Homeland Security advisory group, believes that attacks on computer networks are poised to escalate to full-scale disasters that could bring down companies and kill people. He warns that intelligence "chatter" increasingly points to possible criminal or terrorist plans to destroy physical infrastructure, such as power grids. Al-Qa'ida, he stresses, is becoming capable of carrying out such attacks.

Most companies and organisations seem oblivious to the threat. Usually, they worry about e-mail viruses and low-grade hacker attacks. But Borg sees these as the least of their worries. "Up to now, executives and network professionals have worried about what adolescents and petty criminals have been doing," he says. "In most cases, these kinds of cyber attacks aren't very destructive. The reason is that businesses generally have enough inventory and extra capacity to make up for any short-term interruptions."

What companies and organisations should worry about, Borg insists, is "what grown-ups could do" - terrorists or hardcore criminals. One key target would probably be the vital Supervisory Control and Data Acquisition (Scada) systems in power plants and similar industries.
"Chatter on Scada attacks is increasing," says Borg, referring to patterns of behaviour that suggest that criminal gangs and militant groups are now fully capable of unleashing such attacks. "Control systems are a particular worry, because these are the computer systems that manage physical processes. They open and shut the valves, adjust the temperatures, throw the switches, regulate the pressures," he says. "Think of the control systems for chemical plants, railway lines, or manufacturing facilities. Shutting these systems down is a nuisance. Causing them to do the wrong thing at the wrong time is much worse." Until now, hackers have usually targeted credit cards or personal information on the web. More sophisticated hackers, however, are beginning to focus on databases. The type of data most likely to be hit, Borg says, might include a pharmaceutical company's drug development databases, or programs that manipulate data, such as formulas for generating financial statements. "Many attacks of this kind would have two components. One would alter the process control system to produce a defective product. The other would alter the quality control system so that the defect wouldn't easily be detected," Borg says. "Imagine, say, a life-saving drug being produced and distributed with the wrong level of active ingredients. This could gradually result in large numbers of deaths or disabilities. Yet it might take months before someone figured out what was going on." The result, he says, would be panic, people afraid to visit hospitals and health services facing huge lawsuits. Deadly scenarios could occur in industry, too. Online outlaws might change key specifications at a car factory, Borg says, causing a car to "burst into flames after it had been driven for a certain number of weeks". Apart from people being injured or killed, the car maker would collapse. "People would stop buying cars." A few such attacks, run simultaneously, would send economies crashing. 
Populations would be in turmoil. At the click of a mouse, the terrorists would have won.

Is Borg justified in his fears? All this sounds like a plot from a thriller; it's hard to take it seriously. But intelligence reports in the last year or so make for worrying reading. An assessment by the British security service MI5 stated that "Britain is four meals away from anarchy". And officials admit their greatest fears about electronic attacks focus on the more exposed networks that make up the "critical national infrastructure" - the systems Borg is concerned about.

US agencies are concerned that terrorists could combine electronic and physical attacks to devastating effect, such as disrupting emergency services at the same time as mounting a bomb attack.

Risk management analysts, equally edgy, are focusing on the financial impact on businesses and economies. They believe that an online attack would undermine public confidence in vital industries, especially utilities. Nick Robson, a partner at JLT Risk Solutions, says: "A cyber attack on, say, the power industry would cause communications operations to close down for a period of time, expose customers to loss of service, increase liability exposure and ultimately damage reputation for service delivery."

It isn't just Western nations that fear a digital meltdown. This month, the Malaysian government announced plans to establish a centre to fight cyber-terrorism, which will provide an emergency response to hi-tech attacks around the globe. Prime Minister Abdullah Ahmad Badawi said the facility - to be located at the technology hub of Cyberjaya outside Kuala Lumpur - would be called the International Multilateral Partnership against Cyber-Terrorism, or Impact, and would be funded by a combination of government revenue and the private sector.

Badawi said the threat of cyber-terrorism was too serious for governments to ignore.
"The potential to wreak havoc and cause disruption to people, governments and global systems has increased as the world becomes more globalised," he said. "The economic loss caused by a cyber attack can be truly severe; for example, a nationwide blackout, collapse of trading systems or the crippling of a central bank's cheque clearing system." While the case for cyber attack appears persuasive, some believe that much of it is hype. "It's difficult to avoid comparisons with the Millennium bug and the predictions of widespread computer chaos arising from the change of date to the year 2000," says Tom Standage, technology editor at The Economist magazine. "Then, as now, the alarm was sounded by technology vendors and consultants, who stood to gain from scaremongering." Almost ?400m was spent by the Government alone on preparations for the Millennium bug. Computer consultants issued dire warnings of the danger of an information technology breakdown that could paralyse nations on New Year's Day 2000. When the clock struck midnight, however, few problems were reported. There is scepticism that the bug was ever a threat. As far as Standage is concerned, those in the cyber-security industry - be they vendors boosting sales, academics chasing grants or politicians looking for bigger budgets - always have a "built-in incentive to overstate the risks". But what of the Scada systems; surely they are highly vulnerable? "It is true that utility companies and other operators of critical infrastructure are increasingly connected to the internet," Standage concedes. "But just because customers pay their bills online, it doesn't follow that critical control systems are vulnerable to attack. Control systems are usually kept entirely separate from other systems, for good reason. They tend to be obscure, old-fashioned systems that are incompatible with internet technology anyhow. Even authorised users require specialist knowledge." 
A simulation in 2002 by the US Naval War College concluded that an "electronic Pearl Harbor" attack on America's infrastructure would certainly cause serious disruption. But to pull it off would require five years of preparation and a $200m budget. As US computer security guru Bruce Schneier says: "If they want to attack, they will do it with bombs like they always have."

But Richard Clarke, a former cyber-security expert in the Bush administration, says this is complacent. "People claim no one will ever die in a cyber-attack, but they're wrong. This is a serious threat." Clarke says that each time the US government has tested the security of the electric power industry, he and his colleagues have been able to hack their way in, "sometimes through an obscure route like the billing system". He reveals that computer security officers at a number of chemical plants have told him privately that they are very concerned about the openness of their networks.

Scott Borg of the Cyber Consequences Unit goes along with this. He believes the $93m budget for 2007 allocated to the Department of Homeland Security to defend against cyber attack is justified. "Even systems isolated from the internet are often accessible to thousands of employees. How secure can any system be if thousands of people and thousands of data ports can provide inside access to that system?"

The threat from software

IT security consulting firm Cyber Defense Agency (CDA) has warned the US military, government and "critical infrastructure agencies" against using outsourced commercial software which could be tampered with by terrorists.

CDA said that gas, electricity, telecommunications, banking and water companies are among the services that could fall foul of cyber terrorists exploiting "life-cycle" weaknesses buried deep in the software code. Life-cycle attacks occur when one line of code is programmed to open vulnerabilities within the software, exposing the software and the company to external threats.
"Outsourced commercial software poses a silent but significant security risk to the defence and welfare of the US," says Sami Saydjari, president of CDA. "The chances of strategic damage from a cyber-terrorist attack on the US increases the longer it takes to remedy the risks posed by outsourced software."

From isn at c4i.org Fri Jun 2 01:17:21 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:17:21 -0500 (CDT)
Subject: [ISN] Extortion virus code gets cracked
Message-ID:

http://news.bbc.co.uk/1/hi/technology/5038330.stm

1 June 2006

Do not panic if your data is hidden by virus writers demanding a ransom.

Poor programming has allowed anti-virus companies to discover the password to retrieve the hijacked data inside a virus that has claimed at least one UK victim.

The Archiveus virus caught out British nurse Helen Barrow and swapped her data with a password-protected file.

The virus is the latest example of so-called "ransomware" that tries to extort cash from victims.

Code breaker

Analysis of Archiveus has revealed that the password to unlock the file containing all the hijacked files is contained within the code of the virus itself.

This virus swaps files found in the "My Documents" folder on Windows with a single file protected by a 30-digit password.

Victims are only told the password if they buy drugs from one of three online pharmacies.

The 30-digit password locking the files is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". Using the password should restore all the hijacked files.

"Now the password has been uncovered, there should be no reason for anyone hit by this ransomware attack to have to make any payments to the criminals behind it," said Graham Cluley, senior technology consultant for security firm Sophos.

Archiveus was discovered on 6 May but it took the rest of the month for the first victim, Rochdale nurse Helen Barrow, to emerge.
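The article's point is that the recovery key was sitting in the malware as a plain string, which is why analysts could recover it without paying. The Python script below is an added example, not code from the BBC article, from Sophos or from any vendor; it shows the triage step a defender runs on a suspect sample: pull printable strings out of the file (what strings(1) does) and keep only the long, space-free, high-entropy ones as candidate embedded keys. The sample blob, the ".als" file name and the length and entropy thresholds are constructed for illustration; the only value taken from the page is the password string quoted above.

```python
import math
import re

# Constructed stand-in for a suspect sample's data section. It is NOT the real
# Archiveus binary; only the long key string is the one quoted in the article.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    b"KERNEL32.dll\x00GetProcAddress\x00CreateFileA\x00"
    b"My Documents\x00EncryptedFiles.als\x00"  # archive name is constructed
    b"mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw\x00"
    b"\x8b\xec\x83\xc4\xf0\x00\x00\x00"
)


def shannon_entropy(s: str) -> float:
    """Bits per character of s; a random-looking key with ~20 distinct
    symbols over 38 characters scores a little above 4 bits."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_strings(blob: bytes, min_len: int = 8) -> list:
    """Equivalent of strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def key_candidates(blob: bytes, min_len: int = 20, min_entropy: float = 3.5) -> list:
    """Filter printable strings down to the ones that look like embedded keys:
    long, containing no spaces (so not a sentence or a message to the victim)
    and high-entropy (so not a repeated filler pattern). The thresholds are
    constructed heuristics, not values from the article."""
    out = []
    for s in printable_strings(blob, min_len):
        if " " in s:
            continue
        if shannon_entropy(s) >= min_entropy:
            out.append(s)
    return out


if __name__ == "__main__":
    for cand in key_candidates(SAMPLE_BLOB):
        print(f"candidate key ({len(cand)} chars, "
              f"entropy {shannon_entropy(cand):.2f} bits/char): {cand}")
```

On the constructed blob the DOS stub message is dropped because it contains spaces, the import names and file names are dropped because they are short, and only the quoted key survives. A real triage pass would run the same filter over every section of the file and over memory dumps, and would treat any survivor as a lead to verify against the locked archive, not as a guaranteed key.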
Ms Barrow is thought to have fallen victim when she responded to an on-screen message warning her that her computer had contracted another unnamed virus.

The virus asks those it infects to buy drugs on one of three websites to get their files back.

"When I realised what had happened, I just felt sick to the core," said Ms Barrow about the incident.

The Archiveus virus is only the latest in a series of malicious programs used by extortionists to extract cash from victims.

Archiveus seems to use some parts of another ransoming virus called Cryzip that was circulating in March 2006.

From isn at c4i.org Fri Jun 2 01:17:32 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:17:32 -0500 (CDT)
Subject: [ISN] Miami U. reports 2nd security breach
Message-ID:

http://www.cleveland.com/news/plaindealer/index.ssf?/base/news/1149150686240780.xml&coll=2

June 01, 2006
Associated Press

An employee at a Miami University branch campus lost a hand-held personal computer containing private information on 851 students, but school officials said they don't believe that the data has been used unlawfully.

The recent case involves a potential breach of privacy that the school takes very seriously, said Kelly Cowan, interim dean at the Middletown campus.

Students affected were enrolled between July 2001 and May 2006, representing about 8 percent of the students on campus during that five-year period.

It's the second security breach at Miami since last September, when officials said a report containing some private information on students was accidentally placed in a file accessible through the Internet. It included names, Social Security numbers and information on the 21,762 students enrolled on all Miami campuses in the fall of 2002.

Cowan said the school is tightening its security and increasing employee training.
From isn at c4i.org Fri Jun 2 01:17:45 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:17:45 -0500 (CDT)
Subject: [ISN] Toronto firm at centre of security breach
Message-ID:

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&pubid=968163964505&cid=1149113029270&col=968705899037&call_page=TS_News&call_pageid=968332188492

By TYLER HAMILTON
BUSINESS REPORTER
Jun. 1, 2006

Toronto software provider Hummingbird Ltd. has found itself at the centre of an embarrassing privacy accident involving the social security numbers of 1.3 million American students.

Hummingbird disclosed yesterday evening that one of its employees lost a piece of computer equipment that contained the names and social security numbers of customers who borrowed funds from Round Rock, Tex.-based Texas Guaranteed, a non-profit company that administers a U.S. family education loan program.

"The privacy of customer data is of utmost importance to us and we take our responsibility to safeguard it very seriously. We deeply regret that this incident has occurred," Barry Litwin, Hummingbird's president and chief executive, said in a statement. "We continue to investigate the facts surrounding this loss of information and are taking all necessary action in order to ensure that such occurrences do not happen in the future."

Hummingbird, which announced on May 26 that it is being acquired by Palo Alto, Calif.-based holding company Symphony Technology Group for $465 million (U.S.), said it has no reason to believe the equipment was stolen to obtain confidential data. The company said the equipment was password-protected and that it was "extremely unlikely" the data would be misused.

Hummingbird was given the data as part of a contract to develop a custom document management system for Texas Guaranteed.

According to information on Texas Guaranteed's Web site, the equipment was lost on May 24 but Hummingbird didn't notify the company until mid-afternoon on May 26, the day Hummingbird disclosed its deal with Symphony.

The U.S. loan provider said that customers whose information was lost will be notified over the coming weeks and given advice on how to guard against identity theft.

"Even though this information is not easily accessed and used, and even though the loss appears to be inadvertent, we are issuing this release out of an abundance of caution, because the piece of equipment has not been located," said Sue McMillin, president and CEO of Texas Guaranteed, in a statement.

The use of social security numbers as a form of identification in the United States has been a topic of considerable controversy in recent weeks. In early May, computer disks containing the social security numbers of 26.5 million U.S. veterans were stolen from the U.S. Department of Veteran Affairs, putting millions of Americans at risk of identity fraud.
From isn at c4i.org Fri Jun 2 01:18:07 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:18:07 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-22
Message-ID:

========================================================================
The Secunia Weekly Advisory Summary
2006-05-25 - 2006-06-01
This week: 102 advisories
========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

eEye Digital Security has reported a vulnerability in Symantec Client Security and Symantec AntiVirus Corporate Edition, which can be exploited by malicious people to compromise a user's system.
Users of Symantec products are advised to view the referenced Secunia advisory for additional details and information about patches.

Reference:
http://secunia.com/SA20318

--

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA20153] Microsoft Word Malformed Object Code Execution Vulnerability
2. [SA19762] Internet Explorer "object" Tag Memory Corruption Vulnerability
3. [SA20107] RealVNC Password Authentication Bypass Vulnerability
4. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information
5. [SA20261] Cisco VPN Client Privilege Escalation Vulnerability
6. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
7. [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
8. [SA20288] Novell Netware abend.log User Credentials Disclosure
9. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
10. [SA20300] Basic Analysis and Security Engine "BASE_path" File Inclusion

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA20361] wodSFTP ActiveX Component Arbitrary File Access Vulnerability
[SA20318] Symantec Client Security / AntiVirus Unspecified Code Execution
[SA20407] F-Secure Products Web Console Buffer Overflow Vulnerability
[SA20357] Enigma Haber Multiple SQL Injection Vulnerabilities
[SA20355] AspSitem SQL Injection and Private Message Disclosure
[SA20348] Nukedit "groupid" Parameter Administrator Register Vulnerability
[SA20347] Hitachi HITSENSER3 SQL Injection Vulnerability
[SA20335] My Web Server Long URL Denial of Service
[SA20317] Mini-NUKE SQL Injection Vulnerabilities
[SA20309] qjForum member.asp SQL Injection Vulnerability
[SA20294] NewsCMSLite Admin Logon Bypass Vulnerability
[SA20360] ASPBB "search" Parameter Cross-Site Scripting Vulnerability
[SA20319] Omegasoft Insel "WCE" Parameter Cross-Site Scripting
[SA20342] Jiwa Financials Information Disclosure Vulnerability

UNIX/Linux:
[SA20313] Ubuntu update for nagios
[SA20281] Mandriva update for mpg123
[SA20398] SUSE update for kernel
[SA20374] 4nForum "tid" Parameter SQL Injection Vulnerability
[SA20345] Gentoo update for libtiff
[SA20344] Gentoo update for cherrypy
[SA20339] Mandriva update for dia
[SA20338] Debian update for kernel-source-2.4.17
[SA20326] Debian update for libextractor
[SA20323] Open-Xchange Default Account Password
[SA20314] Ubuntu update for postgresql
[SA20284] Pre News Manager Multiple SQL Injection Vulnerabilities
[SA20381] UnixWare update for MySQL
[SA20283] Debian update for awstats
[SA20396] SUSE update for rug
[SA20389] FreeBSD ypserv Inoperative Access Controls Security Issue
[SA20333] Debian update for mysql-dfsg
[SA20302] OpenOBEX ircp File Overwrite Vulnerability
[SA20390] FreeBSD SMBFS chroot Directory Traversal Vulnerability
[SA20388] SUSE update for vixie-cron
[SA20380] Vixie Cron "do_command.c" setuid Security Issue
[SA20370] Shadow "useradd.c" Insecure Mailbox File Permissions
[SA20368] Debian update for motor
[SA20332] Avaya PDS Software Distributor Privilege Escalation
[SA20329] Motor ktools VGETSTRING Buffer Overflow Vulnerability
[SA20325] AIX lsmcode Unspecified Privilege Escalation Vulnerability
[SA20312] SUSE update for foomatic-filters
[SA20369] xine-lib HTTP Response Heap Corruption Weakness
[SA20330] Debian update for tiff
[SA20315] Debian update for dovecot
[SA20308] Dovecot "LIST" Command Directory Traversal Weakness
[SA20349] Linux Kernel SMP "/proc" Race Condition Denial of Service
[SA20337] PHP "curl_init()" Safe Mode Bypass Weakness

Other:
[SA20378] Secure Elements Class 5 AVR Multiple Vulnerabilities
[SA20343] D-Link Airspot DSA-3100 Gateway "uname" Cross-Site Scripting
[SA20288] Novell Netware abend.log User Credentials Disclosure
[SA20377] Secure Elements Class 5 AVR Message Encryption Security Issue

Cross Platform:
[SA20404] METAjour "system_path" Parameter File Inclusion Vulnerabilities
[SA20399] Ottoman "default_path" File Inclusion Vulnerabilities
[SA20373] phpMyDesktop|arcade Local File Inclusion and Script Insertion
[SA20364] IBM DCE Two Kerberos Vulnerabilities
[SA20358] F at cile Interactive Web Multiple Vulnerabilities
[SA20356] tinyBB SQL Injection and File Inclusion Vulnerabilities
[SA20354] phpBB Activity Mod Plus Module "phpbb_root_path" File Inclusion
[SA20353] UBB.threads Cross-Site Scripting and File Inclusion
[SA20350] phpBB Blend Portal System Module "phpbb_root_path" File Inclusion
[SA20346] Fastpublish CMS "config[fsBase]" File Inclusion Vulnerabilities
[SA20331] Hot Open Tickets "CLASS_PATH" Parameter File Inclusion
[SA20310] Plume CMS "/manager/frontinc/prepend.php" File Inclusion
[SA20301] open-medium.CMS "404.php" File Inclusion Vulnerability
[SA20300] Basic Analysis and Security Engine "BASE_path" File Inclusion
[SA20299] ActionApps "GLOBALS[AA_INC_PATH]" File Inclusion
[SA20298] DoceboLMS "lang" Parameter File Inclusion Vulnerabilities
[SA20292] Back-End CMS "_PSL[classdir]" File Inclusion Vulnerability
[SA20375] pppBLOG "files[0]" Parameter Disclosure of Sensitive Information
[SA20367] WebCalendar "includedir" Parameter Arbitrary Setting File Loading
[SA20366] WikiNi Script Insertion Vulnerabilities
[SA20359] phpBB Nivisec Hacks List Module Local File Inclusion
[SA20352] Eggblog posts.php SQL Injection Vulnerability
[SA20351] aMule Information Disclosure Vulnerability
[SA20316] Geeklog Multiple Vulnerabilities and Weaknesses
[SA20307] Seditio "Referer" HTTP Header Script Insertion Vulnerability
[SA20304] ByteHoard File Copy and Script Insertion Vulnerabilities
[SA20303] MailManager PostgreSQL Encoding-Based SQL Injection
[SA20297] V-webmail "CONFIG[pear_dir]" File Inclusion Vulnerability
[SA20295] Pre Shopping Mall SQL Injection Vulnerabilities
[SA20290] ChatPat Script Insertion and SQL Injection Vulnerabilities
[SA20287] iFdate Cross-Site Scripting and Script Insertion Vulnerabilities
[SA20286] Realty Pro One Cross-Site Scripting and SQL Injection
[SA20363] XiTi Tracking Script "xiti.js" Cross-Site Scripting Vulnerabilities
[SA20341] Open Searchable Image Catalogue SQL Injection Vulnerabilities
[SA20340] DGNews "upprocess.php" File Upload Vulnerability
[SA20336] Photoalbum B&W "index.php" Cross-Site Scripting Vulnerabilities
[SA20334] TikiWiki Multiple Cross-Site Scripting Vulnerabilities
[SA20327] Achievo "atkselector" Parameter SQL Injection Vulnerability
[SA20324] Vacation Rental Script "obj" Parameter Cross-Site Scripting
[SA20322] Pretty Guestbook "pagina" Cross-Site Scripting Vulnerability
[SA20321] Smile Guestbook "pagina" Cross-Site Scripting Vulnerability
[SA20320] Morris Guestbook "pagina" Cross-Site Scripting Vulnerability
[SA20311] php-residence Multiple Script Insertion Vulnerabilities
[SA20306] PHPSimpleChoose Cross-Site Scripting Vulnerability
[SA20305] PHP-AGTC membership system "useremail" Script Insertion
[SA20296] CMS Mundo "searchstring" Cross-Site Scripting Vulnerability
[SA20293] phpESP ADOdb Cross-Site Scripting Vulnerabilities
[SA20291] AZ Photo Album Script Pro Cross-Site Scripting Vulnerability
[SA20289] Elite-Board "search" Parameter Cross-Site Scripting Vulnerability
[SA20285] Assetman Unspecified Script Insertion Vulnerabilities
[SA20282] iFlance Multiple Cross-Site Scripting Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:

--
[SA20361] wodSFTP ActiveX Component Arbitrary File Access Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2006-05-31
Will Dormann has reported a vulnerability in WeOnlyDo wodSFTP, which can be exploited by malicious people to disclose sensitive information and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20361/

--
[SA20318] Symantec Client Security / AntiVirus Unspecified Code Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-29
eEye Digital Security has reported a vulnerability in Symantec Client Security and Symantec AntiVirus Corporate Edition, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20318/

--
[SA20407] F-Secure Products Web Console Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-01
A vulnerability has been reported in F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20407/

--
[SA20357] Enigma Haber Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-29
Mustafa Can Bjorn has reported some vulnerabilities in Enigma Haber, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20357/

--
[SA20355] AspSitem SQL Injection and Private Message Disclosure
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2006-05-29
Mustafa Can Bjorn has reported two vulnerabilities in AspSitem, which can be exploited by malicious users to disclose sensitive information or malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20355/

--
[SA20348] Nukedit "groupid" Parameter Administrator Register Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-30
FarhadKey has discovered a vulnerability in Nukedit, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20348/

--
[SA20347] Hitachi HITSENSER3 SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-31
A vulnerability has been reported in Hitachi HITSENSER3, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20347/

--
[SA20335] My Web Server Long URL Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-29
s3rv3r_hack3r has discovered a vulnerability in My Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20335/

--
[SA20317] Mini-NUKE SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-29
Mustafa Can Bjorn has reported some vulnerabilities in Mini-NUKE, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20317/

--
[SA20309] qjForum member.asp SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-29
ajann has reported a vulnerability in qjForum, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20309/

--
[SA20294] NewsCMSLite Admin Logon Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-26
FarhadKey has discovered a vulnerability in NewsCMSLite, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20294/

--
[SA20360] ASPBB "search" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Mustafa Can Bjorn has reported a vulnerability in ASPBB, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20360/

--
[SA20319] Omegasoft Insel "WCE" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-31
MC.Iglo has reported a vulnerability in Omegasoft Insel, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20319/

--
[SA20342] Jiwa Financials Information Disclosure Vulnerability
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-05-30
Robert Passlow has reported a vulnerability in Jiwa Financials, which can be exploited by malicious users to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20342/

UNIX/Linux:

--
[SA20313] Ubuntu update for nagios
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-30
Ubuntu has issued an update for nagios. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20313/

--
[SA20281] Mandriva update for mpg123
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-29
Mandriva has issued an update for mpg123. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20281/

--
[SA20398] SUSE update for kernel
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS
Released: 2006-06-01
SUSE has issued an update for the kernel. This fixes some vulnerabilities and weaknesses, which can be exploited by malicious, local users to bypass certain security restrictions, gain knowledge of potentially sensitive information and to cause a DoS (Denial of Service), and by malicious people to disclose certain system information, potentially to bypass certain security restrictions and to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20398/

--
[SA20374] 4nForum "tid" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-31
CrAzY CrAcKeR has reported a vulnerability in 4nForum, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20374/

--
[SA20345] Gentoo update for libtiff
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-31
Gentoo has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20345/

--
[SA20344] Gentoo update for cherrypy
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-05-31
Gentoo has issued an update for cherrypy. This fixes a vulnerability, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20344/

--
[SA20339] Mandriva update for dia
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-31
Mandriva has issued an update for dia. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20339/

--
[SA20338] Debian update for kernel-source-2.4.17
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Released: 2006-05-31
Debian has issued an update for kernel-source-2.4.17.
This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information, cause a DoS (Denial of Service), gain escalated privileges, and by malicious people to cause a DoS, and disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20338/

--
[SA20326] Debian update for libextractor
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-29
Debian has issued an update for libextractor. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application that uses the library.
Full Advisory: http://secunia.com/advisories/20326/

--
[SA20323] Open-Xchange Default Account Password
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-29
Cemil Degirmenci has reported a security issue in Open-Xchange, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20323/

--
[SA20314] Ubuntu update for postgresql
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-30
Ubuntu has issued an update for postgresql. This fixes two vulnerabilities, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20314/

--
[SA20284] Pre News Manager Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-26
luny has reported some vulnerabilities in Pre News Manager, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20284/

--
[SA20381] UnixWare update for MySQL
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-01
SCO has issued an update for MySQL. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20381/

--
[SA20283] Debian update for awstats
Critical: Less critical
Where: From remote
Impact: Security Bypass, System access
Released: 2006-05-26
Debian has issued an update for awstats. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20283/

--
[SA20396] SUSE update for rug
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-06-01
SUSE has issued an update for rug. This fixes a security issue and a weakness, which can be exploited by malicious, local users to disclose certain sensitive information and potentially by malicious people to bypass security restrictions.
Full Advisory: http://secunia.com/advisories/20396/

--
[SA20389] FreeBSD ypserv Inoperative Access Controls Security Issue
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2006-06-01
A security issue has been reported in FreeBSD, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20389/

--
[SA20333] Debian update for mysql-dfsg
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information, System access
Released: 2006-05-29
Debian has issued an update for mysql-dfsg. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, disclose potentially sensitive information, and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20333/

--
[SA20302] OpenOBEX ircp File Overwrite Vulnerability
Critical: Less critical
Where: From local network
Impact: Manipulation of data
Released: 2006-05-26
Jeroen van Wolffelaar has reported a vulnerability in Open OBEX, which can be exploited by malicious people to manipulate certain data on a user's system.
Full Advisory: http://secunia.com/advisories/20302/

--
[SA20390] FreeBSD SMBFS chroot Directory Traversal Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-01
A vulnerability has been reported in FreeBSD, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20390/

--
[SA20388] SUSE update for vixie-cron
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-01
SUSE has issued an update for vixie-cron. This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/20388/

--
[SA20380] Vixie Cron "do_command.c" setuid Security Issue
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-01
Roman Veretelnikov has reported a security issue in Vixie Cron, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/20380/

--
[SA20370] Shadow "useradd.c" Insecure Mailbox File Permissions
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-31
A security issue has been reported in Shadow, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/20370/ -- [SA20368] Debian update for motor Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-31 Debian has issued an update for motor. This fixes a vulnerability, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/20368/ -- [SA20332] Avaya PDS Software Distributor Privilege Escalation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-29 Avaya has acknowledged a vulnerability in Avaya Predictive Dialing System (PDS), which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/20332/ -- [SA20329] Motor ktools VGETSTRING Buffer Overflow Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-31 A vulnerability has been reported in Motor, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/20329/ -- [SA20325] AIX lsmcode Unspecified Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-29 A vulnerability has been reported in AIX, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/20325/ -- [SA20312] SUSE update for foomatic-filters Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-30 SUSE has issued an update for foomatic-filters. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/20312/ -- [SA20369] xine-lib HTTP Response Heap Corruption Weakness Critical: Not critical Where: From remote Impact: DoS Released: 2006-05-31 Federico L. 
Bossi Bonin has discovered a weakness in xine-lib, which can be exploited by malicious people to crash certain applications on a user's system.
Full Advisory: http://secunia.com/advisories/20369/

-- [SA20330] Debian update for tiff
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-05-29
Debian has issued an update for tiff. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20330/

-- [SA20315] Debian update for dovecot
Critical: Not critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-05-29
Debian has issued an update for dovecot. This fixes a weakness, which can be exploited by malicious users to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20315/

-- [SA20308] Dovecot "LIST" Command Directory Traversal Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-05-29
A weakness has been reported in Dovecot, which can be exploited by malicious users to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20308/

-- [SA20349] Linux Kernel SMP "/proc" Race Condition Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-05-31
Tony Griffiths has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20349/

-- [SA20337] PHP "curl_init()" Safe Mode Bypass Weakness
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2006-05-30
Maksymilian Arciemowicz has discovered a weakness in PHP, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20337/

Other:

-- [SA20378] Secure Elements Class 5 AVR Multiple Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Security Bypass, Spoofing, Exposure of system information, Exposure of sensitive information, DoS, System access
Released: 2006-05-31
Multiple vulnerabilities and security issues have been reported in Secure Elements Class 5 AVR, which can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, spoof the contents of messages, cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20378/

-- [SA20343] D-Link Airspot DSA-3100 Gateway "uname" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
jaime.blasco has reported a vulnerability in D-Link Airspot DSA-3100 Gateway, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20343/

-- [SA20288] Novell Netware abend.log User Credentials Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-05-26
A security issue has been reported in Novell Netware, which can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/20288/

-- [SA20377] Secure Elements Class 5 AVR Message Encryption Security Issue
Critical: Not critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-05-31
A security issue has been reported in Secure Elements Class 5 AVR, which potentially can be exploited by malicious people to disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/20377/

Cross Platform:

-- [SA20404] METAjour "system_path" Parameter File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-01
Kacper has discovered some vulnerabilities in METAjour, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20404/

-- [SA20399] Ottoman "default_path" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-01
Kacper has discovered some vulnerabilities in Ottoman, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20399/

-- [SA20373] phpMyDesktop|arcade Local File Inclusion and Script Insertion
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access, Cross Site Scripting
Released: 2006-05-31
darkgod has discovered two vulnerabilities in phpMyDesktop|arcade, which can be exploited by malicious people to conduct script insertion attacks, disclose sensitive information, and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20373/

-- [SA20364] IBM DCE Two Kerberos Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-01
IBM has acknowledged two vulnerabilities in IBM DCE, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20364/

-- [SA20358] F@cile Interactive Web Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-05-29
Mustafa Can Bjorn has reported some vulnerabilities in F@cile Interactive Web, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20358/

-- [SA20356] tinyBB SQL Injection and File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2006-05-29
Mustafa Can Bjorn has discovered some vulnerabilities in tinyBB, which can be exploited by malicious people to conduct SQL injection attacks and to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20356/

-- [SA20354] phpBB Activity Mod Plus Module "phpbb_root_path" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-30
Mustafa Can Bjorn has reported a vulnerability in the Activity Mod Plus module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20354/

-- [SA20353] UBB.threads Cross-Site Scripting and File Inclusion
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-05-30
Mustafa Can Bjorn has discovered some vulnerabilities in UBB.threads, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20353/

-- [SA20350] phpBB Blend Portal System Module "phpbb_root_path" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-30
Mustafa Can Bjorn has reported a vulnerability in the Blend Portal System module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20350/

-- [SA20346] Fastpublish CMS "config[fsBase]" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-30
Kacper has reported some vulnerabilities in Fastpublish CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20346/

-- [SA20331] Hot Open Tickets "CLASS_PATH" Parameter File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-29
Kacper has discovered a vulnerability in Hot Open Tickets, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20331/

-- [SA20310] Plume CMS "/manager/frontinc/prepend.php" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-29
beford has discovered a vulnerability in Plume CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20310/

-- [SA20301] open-medium.CMS "404.php" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
Kacper has discovered a vulnerability in the open-medium.CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20301/

-- [SA20300] Basic Analysis and Security Engine "BASE_path" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
str0ke has discovered some vulnerabilities in Basic Analysis and Security Engine, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20300/

-- [SA20299] ActionApps "GLOBALS[AA_INC_PATH]" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
Kacper has discovered some vulnerabilities in ActionApps, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20299/

-- [SA20298] DoceboLMS "lang" Parameter File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
beford has discovered some vulnerabilities in DoceboLMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20298/

-- [SA20292] Back-End CMS "_PSL[classdir]" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
Kacper has discovered a vulnerability in Back-End CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20292/

-- [SA20375] pppBLOG "files[0]" Parameter Disclosure of Sensitive Information
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-01
rgod has discovered a vulnerability in pppBLOG, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20375/

-- [SA20367] WebCalendar "includedir" Parameter Arbitrary Setting File Loading
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-05-31
socsam has discovered a vulnerability in WebCalendar, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20367/

-- [SA20366] WikiNi Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-30
Raphael Huck has discovered some vulnerabilities in WikiNi, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20366/

-- [SA20359] phpBB Nivisec Hacks List Module Local File Inclusion
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-05-29
Mustafa Can Bjorn has discovered a vulnerability in the Nivisec Hacks List module for phpBB, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20359/

-- [SA20352] Eggblog posts.php SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-29
Mustafa Can Bjorn has discovered a vulnerability in Eggblog, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20352/

-- [SA20351] aMule Information Disclosure Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2006-05-29
A vulnerability has been reported in aMule, which can be exploited by malicious people and by malicious users to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20351/

-- [SA20316] Geeklog Multiple Vulnerabilities and Weaknesses
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information
Released: 2006-05-30
trueend5 has reported some vulnerabilities and weaknesses in Geeklog, which can be exploited by malicious people to disclose system information, and conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20316/

-- [SA20307] Seditio "Referer" HTTP Header Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Yunus Emre Yilmaz has discovered a vulnerability in Seditio, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20307/

-- [SA20304] ByteHoard File Copy and Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-29
Nomenumbra has discovered two vulnerabilities in ByteHoard, which can be exploited by malicious people to manipulate sensitive information and conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20304/

-- [SA20303] MailManager PostgreSQL Encoding-Based SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-26
A vulnerability has been reported in MailManager, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20303/

-- [SA20297] V-webmail "CONFIG[pear_dir]" File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-26
beford has discovered a vulnerability in V-webmail, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20297/

-- [SA20295] Pre Shopping Mall SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-26
luny has reported some vulnerabilities in Pre Shopping Mall, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20295/

-- [SA20290] ChatPat Script Insertion and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-26
luny has reported two vulnerabilities in ChatPat, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20290/

-- [SA20287] iFdate Cross-Site Scripting and Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported some vulnerabilities in iFdate, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/20287/

-- [SA20286] Realty Pro One Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-26
luny has reported some vulnerabilities in Realty Pro One, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20286/

-- [SA20363] XiTi Tracking Script "xiti.js" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-31
Yannick Daffaud has reported two vulnerabilities in the XiTi Tracking Script, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20363/

-- [SA20341] Open Searchable Image Catalogue SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-31
Nenad Jovanovic has discovered some vulnerabilities in Open Searchable Image Catalogue, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20341/

-- [SA20340] DGNews "upprocess.php" File Upload Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-05-30
r0t has discovered a vulnerability in DGNews, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20340/

-- [SA20336] Photoalbum B&W "index.php" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-30
black-code and sweet-devil have discovered some vulnerabilities in Photoalbum B&W, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20336/

-- [SA20334] TikiWiki Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Blwood has discovered some vulnerabilities in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20334/

-- [SA20327] Achievo "atkselector" Parameter SQL Injection Vulnerability
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-30
Christian Nancy has reported a vulnerability in Achievo, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20327/

-- [SA20324] Vacation Rental Script "obj" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in Vacation Rental Script, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20324/

-- [SA20322] Pretty Guestbook "pagina" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in Pretty Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20322/

-- [SA20321] Smile Guestbook "pagina" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in Smile Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20321/

-- [SA20320] Morris Guestbook "pagina" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in Morris Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20320/

-- [SA20311] php-residence Multiple Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Nomenumbra has reported some vulnerabilities in php-residence, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20311/

-- [SA20306] PHPSimpleChoose Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in PHPSimpleChoose, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20306/

-- [SA20305] PHP-AGTC membership system "useremail" Script Insertion
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Nomenumbra has discovered a vulnerability in PHP-AGTC membership system, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20305/

-- [SA20296] CMS Mundo "searchstring" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported a vulnerability in CMS Mundo, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20296/

-- [SA20293] phpESP ADOdb Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Some vulnerabilities have been reported in phpESP, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20293/

-- [SA20291] AZ Photo Album Script Pro Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported a vulnerability in AZ Photo Album Script Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20291/

-- [SA20289] Elite-Board "search" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported a vulnerability in Elite-Board, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20289/

-- [SA20285] Assetman Unspecified Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Nomenumbra has reported some vulnerabilities in Assetman, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20285/

-- [SA20282] iFlance Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported some vulnerabilities in iFlance, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20282/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Mon Jun 5 04:26:44 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:26:44 -0500 (CDT)
Subject: [ISN] HP printer drivers hit with Funlove virus
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000907

By Robert McMillan
IDG News Service
June 02, 2006

Hewlett-Packard Co. on Thursday pulled a printer driver from its Web site after security vendor BitDefender reported that the software was infected with the same computer virus that infected HP's drivers more than five years ago.

A BitDefender partner notified the security vendor of the infected driver software on Wednesday, and the company's security researchers soon determined that it had the same Funlove virus that had plagued HP in December 2000.

BitDefender notified HP of the problem on Wednesday, and the infected printer driver was removed from HP's Web site early Thursday, said BitDefender spokesman Vitor Souza. Until then, the virus was being distributed with the Korean version of the Windows 95/98 driver for HP's Officejet g85 All-in-One printer.

HP no longer sells the all-in-one printer, and current antivirus products are able to block the virus. So while the oversight is an embarrassment for HP, it's unlikely that many users were affected by Funlove.

Previously, HP had inadvertently distributed the Funlove virus in Japanese printer drivers that were made available on the company's Web site. Souza believes that HP most likely neglected to remove this particular infected driver back in 2000. "It's just like nobody had run a test against antivirus [software]," he said.

Even for users who fall prey to the virus, the consequences are not severe.
When it gets installed, Funlove pops up a text message that reads "Fun Loving Criminal," and then attempts to reboot the PC. On Windows NT machines, it attempts to change system settings so that files that can normally be seen only by administrators are visible to all.

HP executives were not immediately available to comment for this story.

BitDefender is owned by Softwin SRL, based in Bucharest, Romania.

From isn at c4i.org Mon Jun 5 04:26:21 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:26:21 -0500 (CDT)
Subject: [ISN] PaineWebber Systems Admin Faces Trial For Computer Sabotage
Message-ID:

http://www.informationweek.com/security/showArticle.jhtml?articleID=188700855

By Sharon Gaudin
InformationWeek
Jun 1, 2006

A former systems administrator for financial giant UBS PaineWebber goes on trial Tuesday for allegedly sabotaging two-thirds of the company's computer network in what prosecutors say was a vengeful attempt to profit from a crashing stock price.

Roger Duronio, 63, of Bogota, N.J., is facing federal charges in front of a U.S. District Court in Newark, in connection to the creation and planting of malicious code on more than 1,000 computers in the company's central office, as well as in approximately 370 branch offices.

When the malicious code, or "logic bomb," was triggered on March 4, 2002, it began deleting files and data, taking down many PaineWebber computers across the United States and hindering trading for days in some branch offices and for several weeks in others, according to Assistant U.S. Attorney Mauro Wolfe, lead prosecutor on the case.

The attack, according to the indictment, cost UBS PaineWebber, which was renamed UBS Wealth Management USA in 2003, $3 million just to assess and repair the damage. The company didn't submit a list of losses to the government based on business downtime or lost trading opportunities.
Chris Adams, Duronio's defense attorney and a partner at Walder Hayden & Brogan in Roseland, N.J., says the government has the wrong man. Duronio has pleaded not guilty to all charges. He has been free on bail awaiting trial for the past four years. Adams says he's not working in an IT position at this time.

According to Wolfe, Duronio is facing four counts--one count of computer intrusion, one count of mail fraud, and two counts of securities fraud. The government contends that Duronio tried to profit from the attack by manipulating the stock price of the global investment banking and securities firm with the attack on its network.

The government contends that in the months leading up to the planting of the logic bomb and the subsequent attack, Duronio, using the U.S. postal system, bought more than $21,000 worth of 'put option' contracts for PaineWebber's parent company, UBS, A.G.'s stock. A put option is a type of stock that actually increases in value when the stock price drops. According to Wolfe, Duronio was betting the attack would cripple the company's network, and its stock would fall in the aftermath, allowing him to cash in. Because of this part of his alleged plan, Duronio is being charged with mail and securities fraud.

''Computers across the country pretty much all went down at once,'' says Wolfe. ''System administrators started to receive phone calls that morning that certain computers weren't working. Within minutes, it escalated from one phone call to 10, 60, 70... over 100 phone calls. At or about 10 o'clock they realized it wasn't an isolated issue but all the computers across the network. It was just too much of a coincidence for that to happen... This [network] was designed so everything would not crash at once. The same network designed to not suffer that problem was suffering that exact problem.''

And Wolfe says the man who was responsible for keeping that exact system up and running for three years was the one who ultimately took it down.
''The defendant was motivated by the fact that he was a disgruntled employee who was not happy with his salary,'' says Wolfe. ''He wanted an annual salary of $175,000 guaranteed. And I think for the year 2001 he was paid about $13,000 less than that.''

Insider Attacks

Attacks by corporate insiders, even by IT professionals, are not an uncommon problem, according to last year's CSI/FBI Computer Crime Survey. With only slight variation from year to year, inside jobs occur as frequently as the highly publicized outside hacker attacks. Insider abuse, according to the survey, cost U.S. companies $6,856,450 last year.

''Insider attacks are definitely more dangerous,'' says Eric Maiwald, a senior analyst for Burton Group, a research and consulting firm based in Midvale, Utah. ''The average outside person generally doesn't have access to your systems. Their first job in attacking you is to get access, whereas the insider starts out with access. They're starting one step ahead of the game. You have some general expectation that they're not trying to cause you harm.''

John O'Leary, director of education at the San Francisco-based Computer Security Institute, says companies have more to fear from insiders in general because they know where the weak points in the network are, and where the critical information is stored. But he adds that executives have far more to fear from IT workers, because they not only know how to get to the information but have the tools and the access rights to do it easily.

''It's easy [to do] because we give our techs a lot of trust, but it's difficult because we generally put compensating controls in place,'' says O'Leary. ''Other [people] need to edit what these guys are doing. Someone needs to see what changes he made.
If he could make changes without somebody noticing, then something is wrong.''

Maiwald, though, says it's exceedingly difficult for companies to put in enough processes and controls to completely shut down someone with system administrator-level authority and access.

''It's only the trusted individuals who can betray you at that level,'' says Maiwald. ''If someone is digging ditches for you, they don't have a lot of power. But your system administrator has a lot of power because it's part of the job. If you put too many controls on them, they can't do their jobs... There are controls that can be put in place to do such things but they require a company to be very watchful, along with additional staff, [and] specific procedures. And it's just not very easy to do that.''

The Duronio Case

In this case, the government alleges that Duronio was a trusted employee - one with great access and authority -- who used that against PaineWebber.

The charge of computer intrusion is based on the government's allegations that Duronio built the code for the logic bomb, installed it on Unix machines in PaineWebber's central office in Weehawkin, N.J., and then pushed it out to about 1,000 computers across the company's national network. Wolfe says the malicious code was planted ''from coast to coast.''

The logic bomb, which was made up of only 50 to 70 lines of code, was built to delete every file on the system, according to the prosecution. Duronio, who quit his job at PaineWebber a few weeks before the bomb went off, also allegedly planted the code on the system's backup servers so that when IT workers tried to restore operations using backup tapes, those files were deleted as well.

The bomb was designed to go off every Monday at 9:30 a.m. - just as the stock market opened - in March, April and May of 2002. Trading, the lifeblood of the company, was interrupted because of the crippled network.
PaineWebber reported to the government that trading was hindered for a few days in larger locations, and for as long as a few weeks in some branch offices. According to the prosecution, 350 IBM support personnel were brought in to aid with the nationwide recovery effort. ''Could they trade? Yes. Could they trade the way they normally traded? No,'' says Wolfe. ''Normally... the broker would sit at his desk and go online and trade for you... If the client didn't know what the balance of their account was, they couldn't trade for them.'' The government also contends that Duronio planted the code piecemeal during the previous November and December from a remote location. Wolfe says records show that Duronio's password and user account information were used to gain remote access to the areas where the malicious code was built inside the PaineWebber network. The U.S. Secret Service, which is frequently called in to conduct criminal investigations and specifically cyber crime, executed a warrant on March 21, 2002, and allegedly found hard copy of the logic bomb's source code on the defendant's bedroom dresser. They also allegedly found the source code on two of his four home computers. ''The defendant used the information of the impending logic bomb attack,'' says Wolfe. ''He purchased securities. He bet against the company that the company stock would drop... He engaged in an artifice or scheme to fraud investors.'' Computer sabotage is a federal offense if it affects a computer used in interstate commerce and causes more than $5,000 worth of damage to the company over a 12-month span. Duronio faces a maximim sentence of 30 years, fines of up to $1 million and restitution for the $3.2 million PaineWebber spent on recovery. 
From isn at c4i.org Mon Jun 5 04:26:32 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:26:32 -0500 (CDT)
Subject: [ISN] Swedish police probe site crash
Message-ID:

http://news.com.com/Swedish+police+probe+site+crash/2100-7349_3-6079740.html

By Reuters
June 4, 2006

Sweden's domestic intelligence agency said it would probe why the government's Web site crashed on Sunday amid reports hackers had sought revenge for a crackdown on alleged online piracy.

The government Web site went off line in the early hours of Sunday. The Internet home page of the national police crashed in similar fashion on Thursday.

The police Web site problem came a day after the Pirate Bay Internet page, which the recording industry calls a major source for downloading pirated music and films, was shut by police.

"They (the government) contacted us and wanted to make a police complaint that something has happened with their home page and it is now a question for us to investigate if it is a crime or something else," said Anders Thornberg, a spokesman for the Security Police intelligence agency.

Local media said hackers attacked both sites, now functioning again, after the clampdown on Pirate Bay. Pirate Bay is also up and running again.

Sweden's Emergency Management Agency earlier warned all 31 bodies involved in emergency management, such as the police and rescue services, and all 21 local authorities to ensure they were safe from attacks on their Web sites.

Newspaper Aftonbladet quoted a group called World Wide Hackers as saying they had arranged an attack on the government's Web site.

Sweden last year banned the downloading of copyright protected music and movies from the Internet after being singled out for criticism by Hollywood. The raid on Pirate Bay was the latest of several actions against suspected online piracy.

Critics say the police are heavy handed and that people should have access to free information via the Internet, including file sharing. Several hundred people demonstrated in Stockholm on Saturday in support of Pirate Bay.

Story Copyright © 2006 Reuters Limited. All rights reserved.

From isn at c4i.org Mon Jun 5 04:26:55 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:26:55 -0500 (CDT)
Subject: [ISN] DISA seeks input on insider threat tools
Message-ID:

http://www.fcw.com/article94741-06-02-06-Web

By Bob Brewin
June 2, 2006

The Defense Information Systems Agency wants industry input on tools that could counter insider threats to Defense Department information systems.

DISA said traditional efforts to secure networks focus on outside threats, but insiders pose an equally damaging threat. And they can access DOD networks without detection by the security systems.

DISA, in a request for information released June 1 [1], said it is looking for an insider threat focused observation tool that could be deployed on selected host DOD machines to aggressively gather and analyze data on inside threats. DISA said the insider threat tools would enhance the network security of DOD information systems.

The agency would install the host machines on network end points; they could be servers, desktop PCs or laptop PCs equipped with agent-based tools that can monitor insider network activity.

The tool would collect data such as user IDs, computer type and the processes - e-mail clients, Web browsers, office management tools, database access - that monitored computers run. DISA said it wants tools that can then conduct user analysis on the collected data and warn of anomalies based on user profiles and behavior patterns.

DISA envisions that the host machines would connect to a central manager that can handle as many as 250 hosts at a time, with hosts located within an enclave, such as a local-area or base network.

The insider threat tools should also include a console, which is the central display and action point for collected user data and will provide the operator with real-time insight into user activity, the RFI states.

DISA said it wants a tool capable of working with a wide range of operating systems including Microsoft Windows 2000, Windows XP, Windows NT4, Sun Microsystems Solaris, Unix and Linux.

The due date for RFI responses is July 5.

[1] http://www.fbo.gov/spg/DISA/D4AD/DITCO/RFI418/listing.html

From isn at c4i.org Mon Jun 5 04:27:12 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:27:12 -0500 (CDT)
Subject: [ISN] BACK TO THE BUNKER
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/02/AR2006060201410.html

By William M. Arkin
The Washington Post
June 4, 2006

On Monday, June 19, about 4,000 government workers representing more than 50 federal agencies from the State Department to the Commodity Futures Trading Commission will say goodbye to their families and set off for dozens of classified emergency facilities stretching from the Maryland and Virginia suburbs to the foothills of the Alleghenies. They will take to the bunkers in an "evacuation" that my sources describe as the largest "continuity of government" exercise ever conducted, a drill intended to prepare the U.S. government for an event even more catastrophic than the Sept. 11, 2001, attacks.

The exercise is the latest manifestation of an obsession with government survival that has been a hallmark of the Bush administration since 9/11, a focus of enormous and often absurd time, money and effort that has come to echo the worst follies of the Cold War.
The vast secret operation has updated the duck-and-cover scenarios of the 1950s with state-of-the-art technology -- alerts and updates delivered by pager and PDA, wireless priority service, video teleconferencing, remote backups -- to ensure that "essential" government functions continue undisrupted should a terrorist's nuclear bomb go off in downtown Washington.

But for all the BlackBerry culture, the outcome is still old-fashioned black and white: We've spent hundreds of millions of dollars on alternate facilities, data warehouses and communications, yet no one can really foretell what would happen to the leadership and functioning of the federal government in a catastrophe.

After 9/11, The Washington Post reported that President Bush had set up a shadow government of about 100 senior civilian managers to live and work outside Washington on a rotating basis to ensure the continuity of national security. Since then, a program once focused on presidential succession and civilian control of U.S. nuclear weapons has been expanded to encompass the entire government. From the Department of Education to the Small Business Administration to the National Archives, every department and agency is now required to plan for continuity outside Washington.

Yet according to scores of documents I've obtained and interviews with half a dozen sources, there's no greater confidence today that essential services would be maintained in a disaster. And no one really knows how an evacuation would even be physically possible.

Moreover, since 9/11 and Hurricane Katrina, the definition of what constitutes an "essential" government function has been expanded so ridiculously beyond core national security functions -- do we really need patent and trademark processing in the middle of a nuclear holocaust? -- that the term has become meaningless. The intent of the government effort may be laudable, even necessary, but a hyper-centralized approach based on the Cold War model of evacuations and bunkering makes it practically worthless.

That the continuity program is so poorly conceived, and poorly run, should come as no surprise. That's because the same Federal Emergency Management Agency that failed New Orleans after Katrina, an agency that a Senate investigating committee has pronounced "in shambles and beyond repair," is in charge of this enormous effort to plan for the U.S. government's survival.

Continuity programs began in the early 1950s, when the threat of nuclear war moved the administration of President Harry S. Truman to begin planning for emergency government functions and civil defense. Evacuation bunkers were built, and an incredibly complex and secretive shadow government program was created.

At its height, the grand era of continuity boasted the fully operational Mount Weather, a civilian bunker built along the crest of Virginia's Blue Ridge, to which most agency heads would evacuate; the Greenbrier hotel complex and bunker in West Virginia, where Congress would shelter; and Raven Rock, or Site R, a national security bunker bored into granite along the Pennsylvania-Maryland border near Camp David, where the Joint Chiefs of Staff would command a protracted nuclear war. Special communications networks were built, and evacuation and succession procedures were practiced continually.

When the Soviet Union crumbled, the program became a Cold War curiosity: Then-Defense Secretary Dick Cheney ordered Raven Rock into caretaker status in 1991. The Greenbrier bunker was shuttered and a 30-year-old special access program was declassified three years later.

Then came the terrorist attacks of the mid-1990s and the looming Y2K rollover, and suddenly continuity wasn't only for nuclear war anymore. On Oct. 21, 1998, President Bill Clinton signed Presidential Decision Directive 67, "Enduring Constitutional Government and Continuity of Government Operations." No longer would only the very few elite leaders responsible for national security be covered. Instead, every single government department and agency was directed to see to it that they could resume critical functions within 12 hours of a warning, and keep their operations running at emergency facilities for up to 30 days. FEMA was put in charge of this broad new program.

On 9/11, the program was put to the test -- and failed. Not on the national security side: Vice President Cheney and others in the national security leadership were smoothly whisked away from the capital following procedures overseen by the Pentagon and the White House Military Office. But like the mass of Washingtonians, officials from other agencies found themselves virtually on their own, unsure of where to go or what to do, or whom to contact for the answers.

In the aftermath, the federal government was told to reinvigorate its continuity efforts. Bush approved lines of succession for civil agencies. Cabinet departments and agencies were assigned specific emergency responsibilities. FEMA issued new preparedness guidelines and oversaw training. A National Capital Region continuity working group established in 1999, comprising six White House groups, 15 departments and 61 agencies, met to coordinate.

But all the frenetic activity did not produce a government prepared for the worst. A year after 9/11, and almost three years after the deadline set in Clinton's 1998 directive, the Government Accounting Office evaluated 38 agencies and found that not one had addressed all the issues it had been ordered to. A 2004 GAO audit of 34 government continuity-of-operations plans found total confusion on the question of essential functions. One unnamed organization listed 399 such functions. A department included providing "speeches and articles for the Secretary and Deputy Secretary" among its essential duties, while neglecting many of its central programs.

The confusion and absurdity have continued, according to documents I've collected over the past few years. In June 2004, FEMA told federal agencies that essential services in a catastrophe would include not only such obvious ones as electric power generation and disaster relief but also patent and trademark processing, student aid and passport processing. A month earlier, FEMA had told states and local communities that library services should be counted as essential along with fire protection and law enforcement.

None of this can be heartening to Americans who want to believe that in a crisis, their government can distinguish between what is truly essential and what isn't -- and provide it.

Just two years ago, an exercise called Forward Challenge '04 pointed up the danger of making everyone and everything essential: Barely an hour after agencies were due to arrive at their relocation sites, the Office of Management and Budget asked the reconstituted government to identify emergency funding requirements. As one after-action report for the exercise later put it in a classic case of understatement: "It was not clear . . . whether this would be a realistic request at that stage of an emergency."

This year's exercise, Forward Challenge '06, will be the third major interagency continuity exercise since 9/11. Larger than Forward Challenge '04 and the Pinnacle exercise held last year, it requires 31 departments and agencies (including FEMA) to relocate. Fifty to 60 are expected to take part.

According to government sources, the exercise will test the newly created continuity of government alert conditions -- called COGCONs -- that emulate the DEFCONs of the national security community. Forward Challenge will begin with a series of alerts via BlackBerry and pager to key officials. It will test COGCON 1, the highest level of preparedness, in which each department and agency is required to have at least one person in its chain of command and sufficient staffing at alternate operating facilities to perform essential functions.

Though key White House officials and military leadership would be relocated via the Pentagon's Joint Emergency Evacuation Program (JEEP), the civilians are on their own to make it to their designated evacuation points. But fear not: Each organization's COOP, or continuity of operations plan, details the best routes to the emergency locations. The plans even spell out what evacuees should take with them (recommended items: a combination lock, a flashlight, two towels and a small box of washing powder).

Can such an exercise, announced well in advance, hope to re-create any of the tensions and fears of a real crisis? How do you simulate the experience of driving through blazing, radiated, panic-stricken streets to emergency bunker sites miles away? As the Energy Department stated in its review of Forward Challenge '04, "a method needs to be devised to realistically test the ability of . . . federal offices to relocate to their COOP sites using a scenario that simulates . . . the monumental challenges that would be involved in evacuating the city."

With its new plans and procedures, Washington may think it has thought of everything to save itself. Forward Challenge will no doubt be deemed a success, and officials will pronounce the continuity-of-government project sound. There will be lessons to be learned that will justify more millions of dollars and more work in the infinite effort to guarantee order out of chaos. But the main defect -- a bunker mentality that considers too many people and too many jobs "essential" -- will remain unchallenged.

-=-

William M. Arkin writes the Early Warning blog for washingtonpost.com and is the author of "Code Names: Deciphering U.S. Military Plans, Programs and Operations in the 9/11 World" (Steerforth Press).

© 2006 The Washington Post Company

From isn at c4i.org Tue Jun 6 06:03:36 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 6 Jun 2006 05:03:36 -0500 (CDT)
Subject: [ISN] Spammer settles suit for $1 million
Message-ID:

http://news.com.com/2100-7348_3-6079868.html

By Will Sturgeon
Special to CNET News.com
June 5, 2006

A major spammer who was accused of sending up to 25 million e-mails per day has settled a lawsuit with Microsoft and the state of Texas.

The settlement has cost Ryan Pitylak $1 million, as well as the seizure of many of the assets he accumulated during a short-lived career as one of the world's worst spammers. At the peak of his spamming activity, the 24-year-old Texas resident was listed as the world's fourth most-prolific spammer by antispam group Spamhaus.

Now Pitylak is claiming something of an epiphany, saying he has seen the error of his ways and will dedicate his efforts to trying to rid the world of nuisance e-mail. He has even taken to referring to himself as an "antispam activist" in an apparent change of heart of epic proportions.

On Saturday, Pitylak wrote in his blog: "Over time I have come to see how I was wrong to think of spam as just a game of cat and mouse with corporate e-mail administrators. I now understand why so much effort is put into stopping it. The settlements with Microsoft and the Attorney General's Office have been a serious reality check: harsh but good, and in the public's best interest."

He added: "I am pleased to announce that I am now a part of the anti-spam community, having started an Internet security company that offers my clients advice on systems to protect against spam. I'm now working earnestly to help other entrepreneurs avoid the traps that deceived me and led me to make questionable business choices."

Will Sturgeon of Silicon.com reported from London.
From isn at c4i.org Tue Jun 6 06:03:03 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 6 Jun 2006 05:03:03 -0500 (CDT)
Subject: [ISN] Wal-Mart's data center remains mystery
Message-ID:

http://www.joplinglobe.com/local/local_story_148015054/

By Max McCoy
The Joplin Globe
Globe Investigative Writer
May 28, 2006

JANE, Mo. - Call it Area 71.

Behind a fence topped with razor wire just off U.S. Highway 71 is a bunker of a building that Wal-Mart considers so secret that it won't even let the county assessor inside without a nondisclosure agreement.

The 125,000-square-foot building, tucked behind a new Wal-Mart Supercenter, is only a stone's throw from the Arkansas line and about 15 miles from corporate headquarters in Bentonville, Ark. There is nothing about the building to give even a hint that Wal-Mart owns it.

Despite the glimpses through the fence of manicured grass and carefully placed trees, the overall impression is that this is a secure site that could withstand just about anything. Earth is packed against the sides. The green roof - meant, perhaps, to blend into the surrounding Ozarks hills - bristles with dish antennas. On one of the heavy steel gates at the guardhouse is a notice that visitors must use the intercom for assistance.

What the building houses is a mystery.

Speculation

Wal-Mart's ability to crunch numbers is a favorite of conspiracy theorists, and its data centers are the corporate counterpart to Area 51 at Groom Lake in the state of Nevada.

According to one consumer activist, Katherine Albrecht, even the wildest conspiracy buff might be surprised at just how much Wal-Mart knows about its customers - and how much more it would like to know.

"We were contacted about two years ago by somebody who runs a security company that had been asked in a request for proposals for ways they could link video footage with customers paying for their purchases," Albrecht said. "Wal-Mart would actually be able to view photos and video of customers paying, say, for a pack of gum. At the time, it struck me as unbelievably outlandish because of the amount of data storage required."

But Wal-Mart, according to a 2004 New York Times article, had enough storage capacity to contain twice the amount of all the information available on the Internet. For the technically minded, the exact amount was for 460 terabytes of data. The prefix tera comes from the Greek word for monster, and a terabyte is a trillion bytes, the basic unit of computer storage.

Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering, said she never could confirm the contractor's story. That is not surprising, since Wal-Mart seldom comments on its data capabilities and operations.

A Globe request for information about the Jane data center was referred at Wal-Mart headquarters to Carrie Thum, a senior information officer and former lobbyist for the retailer.

"This is not something that we discuss publicly," Thum said. "We have no comment. And that's off the record."

Skeleton crew

The Jane data center is an enigmatic icon to the power of data, which has helped Wal-Mart become the largest retailer in the world, and to the corporation's growing secrecy since founder Sam Walton's death in 1992.

When Wal-Mart constructed its primary data center at corporate headquarters in 1989, it wasn't much of a secret: It was the largest poured concrete structure in Arkansas at the time, and Walton himself ordered a third story.

"Not only had we completely designed it, we were under construction," said Bill Ferguson, a founder of Askew Nixon Ferguson Architects in Memphis, Tenn. "They were pouring foundations, and Sam walked across the parking lot one Friday at the end of the day and said, 'You know, let's add a third floor and put some people up there.'"

Ferguson said the Bentonville data center is built on bedrock and is designed to withstand most natural and man-made disasters, but is not impregnable. The biggest danger, he said, is the area's frequently violent thunderstorms.

"We studied making it tornado-proof, which is difficult," he said. "We calculated the probability of a category 5 tornado hitting it, which was less likely than an airplane crashing into it head-on. At the time, they decided not to."

Since then, Ferguson said, changes have been made to increase the integrity of the structure. The data center was designed with backup generators, fuel on site, and room and board for a skeleton crew in the event an emergency required an extended stay.

Ferguson said his firm learned to design data centers by working with FedEx, which also is based in Memphis, and that the 1989 Wal-Mart data center was built so that it could communicate via any means available - including copper wire, fiber optics and satellites.

The firm no longer works with Wal-Mart, and Ferguson said he had no knowledge of the design or purpose of the data center in Jane. But he suggested that Jim Liles, a Memphis engineer, might know.

Liles said he was a consultant on the Jane project, and that Crossland Construction was the contractor, but he was reluctant to say much else.

"As far as what its purpose is, all that has to come from Wal-Mart," Liles said.

Crossland Construction, based in Columbus, Kan., said Tim Oelke of the company's Rogers, Ark., office had been in charge. Oelke did not return a phone call seeking comment.

'Never saw a plan'

The data center was completed in 2004 and was part of a project that included the Supercenter, which opened early last year, and a warehouse. The resulting economic impact on McDonald County, known for its rolling hills and lazy rivers, is difficult to underestimate, said Rusty Enlow.

"Just a few years ago, one new store would have been a big deal," Enlow said. "And I'm not talking about a Supercenter. Just a gas station would have generated excitement."

Now, Enlow said, the county's tax base has doubled, and land is going for about $2,100 an acre, about twice what it was before the project was announced in 2001.

Enlow is chairman of the county planning commission, a body created by popular vote in 1964 but which had not met until this month. Enlow said he doesn't know why the commission never met, but he believes it was because whatever problem prompted its creation was solved before the board was appointed. He also said he's not sure the planning commission has any real authority, or would want any (there is no zoning in the county), but that he and the other 18 members are eager to bring even more business into the county.

"It seems with the opening of that store there has just been a lot of activity," he said. "McDonald County has always been a poor county, but we are in an excellent position now. We're a friendly place, and we're open to things."

Wal-Mart, Enlow said, had created a business synergy that was helping the county of 22,000 shed its hillbilly stereotype.

Enlow was director of the McDonald County Economic Development Council when Wal-Mart quietly began scouting for land. Only after the land had been bought south of the then-unincorporated community of Jane was it announced that the project was Wal-Mart's, and even then, plans for the data center were closely held.

"I never even saw a plan on it," Enlow said.

But Enlow said he watched during the construction of the data center, and that it appeared to be a single-story building that was built "like a bunker," with mounds of earth piled against the sides. He later was told that it would employ 15 to 20 people, and that the building was for data storage.

To facilitate the project, the Missouri Department of Transportation agreed to widen Highway 71 to four lanes from Jane to the Arkansas line; a grant was used to expand the public water district; and the Army Corps of Engineers approved a request to fill in a small portion of wetland along Bear Hollow Road. Meanwhile, the village of Jane incorporated.

In April 2005, Wal-Mart used the 160,000-square-foot Supercenter to demonstrate its micro-merchandising capabilities as part of a media conference. Employees demonstrated hand-held Telxon (pronounced Tel-zon) computers, which resemble hand scanners but hold a year's worth of a particular store's sales history on every item. The devices help store managers decide what to stock. Bananas are Wal-Mart's best-selling produce product nationwide, but at Jane, the top seller was lettuce, Supermarket News reported after the event.

'Secretive'

Bill Wilson, McDonald County presiding commissioner, said he has never been inside the green-roofed data center, and that to his knowledge, only one county official has: Assessor Laura Pope.

"I had to sign a document saying that I wouldn't talk about what's in there," Pope said. "I've never been in a situation to tour anything like that before. I don't want to be secretive about it. Basically, it houses computer equipment."

Pope said she had never been asked to sign a nondisclosure agreement before in her job as assessor, and that she didn't keep a copy. She said she didn't appraise the building and equipment, but rather came to an agreement with Wal-Mart on what it was worth.

They agreed that the data center would be worth $10.7 million at fair market value, she said. The equipment inside the center was judged to be worth nearly three times as much: $31.7 million. The taxes that Wal-Mart paid last year on the data center totaled just more than $500,000: $128,091 for the real estate and $373,091 for the equipment.

Pope said she did not place a value on the data stored at the building.

At an estimated worth of $42.4 million, is the Wal-Mart data center at Jane important enough to the infrastructure of the state - or the country - to be on Missouri's list of critical assets?

Paul Fennewald, Missouri Homeland Security coordinator, said the list is confidential, and that he could neither confirm nor deny that the Jane building is on it. He did say that the list includes 4,000 to 4,500 sites across the state.

'Retail surveillance'

Albrecht, the consumer activist, said that when the contractor came to her with the story about Wal-Mart wanting to biometrically identify customers through video, one of the reasons given was to help law enforcement.

"You could search for all sales of a particular kind of rope and get a photo of who bought it," she said. "On the other end, you could research all of the purchases of a particular individual, even if they paid in cash."

Albrecht is the co-author of "Spychips," about the use of RFID, or radio frequency identification devices, by the government and corporations to track individuals. She lives in Nashua, N.H., and is getting ready to receive a doctorate of education in consumer education.

"To the best of our knowledge, the only consumer-level item that is (RFID) tagged at Wal-Mart are Hewlett-Packard products and some Sanyo television sets," she said. "Now, the privacy implications of that are fairly trivial, because you're not going to be walking down the street carrying your printer box in your back pocket."

But in 2003, she said, Wal-Mart did two experiments using RFID on smaller items: razor blades and lipstick.

At Brockton, Mass., Albrecht said, the company used a surveillance camera on a shelf that was linked to chips in packages of razor blades. When someone picked up a package, she said, the shelf camera would be activated. Another camera would take a mug shot of the customer at the checkout stand.

At Broken Arrow, Okla., she said, the company linked devices in packages of lipstick that triggered a camera that allowed the lipstick manufacturer to watch consumers on live video.

The experiments apparently were aimed at decreasing theft or for use in merchandise research, she said.

"Since 1999, I've been working on a phenomenon called retail surveillance, which is a whole panoply of technologies that are being secretly deployed," she said. "I think most people, when they learn about these technologies, are quite disturbed. There's a sense that when you enter a retail space, you should retain some degree of privacy."

But, Albrecht said, there's a push among retailers to collect as much information about their customers as possible - and to keep the lower-profit individuals, known as "barnacles" and "bottom-feeders," away.

"There's a lot of hand-wringing about how we can find out even more about our customers," she said. "And to the extent that Wal-Mart may be creating the ability to monitor consumers by RFID and identify them by video, I'm extremely concerned. ... If that's the case, they would need that kind of data storage."

Wal-Mart's stand on RFID

"Electronic product codes (EPCs) can best be described as the next generation of bar codes. Unlike current bar codes, which only share that a carton contains product XYZ, EPCs can identify one box of product XYZ from another box of product XYZ.

"This is possible because EPCs are powered by radio frequency identification or RFID. EPCs do not track customers. ... EPCs assist retailers in more closely monitoring where products are as they move from manufacturers to warehouses to a store's backroom.

"This helps us do a better job of having the right products on the shelves when you come to buy them."
Source: www.walmart.com From isn at c4i.org Tue Jun 6 06:03:25 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 6 Jun 2006 05:03:25 -0500 (CDT) Subject: [ISN] Cybercrime spurs college courses in digital forensics Message-ID: http://www.usatoday.com/tech/news/techinnovations/2006-06-05-digital-forensics_x.htm By Jon Swartz USA TODAY 6/5/2006 SAN FRANCISCO - One of the hottest new courses on U.S. college campuses is a direct result of cybercrime. Classes in digital forensics - the collection, examination and presentation of digitally stored evidence in criminal and civil investigations - are cropping up as fast as the hackers and viruses that spawn them. About 100 colleges and universities offer undergraduate and graduate courses in digital forensics, with a few offering majors. There are programs at Purdue University, Johns Hopkins University, the University of Tulsa, Carnegie Mellon University and the University of Central Florida. Five years ago, there were only a handful. "I teach students to be like (TV supersleuth) MacGyver," says Sujeet Shenoi, a computer science professor at the University of Tulsa. Traditional students, police officers, government employees and aspiring security consultants are taking the courses as more crooks stash ill-gotten data and goods on PCs, PDAs, cellphones, network servers, iPods and even Xboxes. Students learn where to find digital evidence and handle it without contaminating it. Once preserved, students are shown how to examine evidence and present it clearly during court testimony. "If you revert to geek speak, you can lose a judge, jury and prosecutor," says Mark Pollitt, a digital forensics professor at Johns Hopkins University who retired in 2003 after 20 years as an FBI agent. Digital forensics is considered a crucial weapon in law enforcement's escalating war against computer-related crimes. 
The science is used in criminal investigations; civil cases such as employment lawsuits where personnel records and e-mail correspondence are sought; and by companies faced with cyberattacks. Plus, there are evolving state and federal laws that define how evidence is handled in civil cases.

The evidence is particularly important in the seizure of data for child pornography cases, which comprise a majority of criminal investigations in the USA, says Marcus Rogers, an associate professor who heads the computer forensics program at Purdue University's College of Technology.

The FBI handled more than 9,500 computer forensics cases in fiscal year 2005, which ended in September, compared with about 3,600 in fiscal 2000, according to an FBI briefing.

The crush of cases has domestic intelligence agencies such as the National Security Agency and the CIA, local law-enforcement officials and companies clamoring for experts in finding and preserving digital evidence, security experts say.

"There is a thirst in government agencies for (cyberinvestigators)," Pollitt says.

There appears to be no shortage of suitors. Since he enrolled in Purdue's master's program last fall, Blair Gillam says he has been approached by recruiters representing government agencies and the private sector.

From isn at c4i.org Tue Jun 6 06:04:01 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 6 Jun 2006 05:04:01 -0500 (CDT)
Subject: [ISN] REVIEW: "Perfect Passwords", Mark Burnett
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKPRFPWD.RVW 20060420

"Perfect Passwords", Mark Burnett, 2006, 1-59749-041-5, U$24.95/C$34.95
%A Mark Burnett
%C 800 Hingham Street, Rockland, MA 02370
%D 2006
%G 1-59749-041-5
%I Syngress Media, Inc.
%O U$24.95/C$34.95 781-681-5151 fax: 781-681-3585 amy at syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597490415/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1597490415/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1597490415/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 181 p.
%T "Perfect Passwords: Selection, Protection, Authentication"

Those of us in the security field know that users are generally bad at creating passwords, and that passwords that are easily guessed or found account for huge numbers of security incidents. Therefore, I am in full sympathy with a book that attempts to lay out some guidance on password choice. However, Burnett's work calls to mind the old joke that lists all kinds of restrictions on password selection, and finally admits that only one possible password actually fits the criteria, and will all users please contact tech support to be issued with that password.

Chapter one tells us that people choose weak passwords, and gives a number of lists of such poor choices, without an awful lot of explanation. (Burnett also states that the choice of strong passwords provides non-repudiation, which is a rather strange position. One could make a case that the deliberate choice of a vulnerable password would allow the user to later claim that their account had been hacked, and therefore assist with repudiation, but the reverse doesn't necessarily hold.) Various types of password cracking techniques are given in chapter two. This begins to show the inconsistencies and contradictions that plague the text: at one point we are told that any password less than fifteen characters is "immediately" available to attackers, but elsewhere it is suggested that a ten character password is a wise choice. (Although brute force cracking is discussed extensively, there is, oddly, no mention of the implications of Moore's Law.)
There is a good discussion of the vital issue of randomness in chapter three, although there are numerous gaps, and, again, erratic suggestions. Chapter four covers character sets and address space. Unfortunately, it is rather impractical (as are other areas of the manual) due to a lack of recognition of character restrictions. Password length is addressed in chapter five, covering many of the same concepts as in four. It is also the most useful of the material to this point in the book, suggesting ways to lengthen and harden passwords already chosen and preferred. (Some of the advice is suspect: bracketing is easy to add to automated password cracking programs, and even Burnett admits that "colorization" is a weak idea due to the limitations on selection.) Chapter six takes an extremely terse and abbreviated look at password aging, but all that is really said is that it is inconvenient. Miscellaneous advice about using, remembering, storing, and managing passwords is given in chapter seven. Chapter eight provides password creation tips, but these are, after some of the previous material in the book, rather weak, and typically boil down to the use of passphrases and long passwords. Five hundred weak passwords are listed in chapter nine, but the purpose of the list is not clear. As with chapter one, the passwords are not analysed for strength in any way, and, even if you want to check your favourite against the list, it isn't in alphabetical order. Additional password creation tips are in chapter ten, these slightly more useful. We are told, in chapter eleven, to make complex passwords, uncommon passwords, and not to tell anyone our passwords. Chapter twelve suggests having a regular "password day" set aside to concentrate on changing passwords and creating strong ones. Other forms of authentication are discussed in chapter thirteen.

While the advice and information given in the book is not bad, it seems to posit a fairly ideal world.
A number of practical items can assist users with password choice, but a number of realistic considerations are ignored. Readers may also be confused by the lack of constancy in the recommendations. Certainly the structure of the text could use work: concepts are repeated in different chapters, and the advice seems to be aggregated and presented at random.

There is good advice in this manual, but it lacks focus. The average computer user would probably receive a lot of benefit, but is unlikely to purchase or read anything this size on this topic. (A pocket sized volume, along the lines of the O'Reilly "Desktop Reference" series would be ideal.) System administrators would be able to understand and use the material in the book, although much of the content is either known or available. On balance, I would recommend that this primer is important, but definitely needs work.

copyright Robert M. Slade, 2006 BKPRFPWD.RVW 20060420

======================
(quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org
"Dictionary of Information Security" Syngress (forthcoming) 1597491152
Any fool can criticize, condemn and complain - and most do. - Dale Carnegie (1888-1955)
http://victoria.tc.ca/techrev/rms.htm

From isn at c4i.org Tue Jun 6 06:05:23 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 6 Jun 2006 05:05:23 -0500 (CDT)
Subject: [ISN] Oracle mends fences with security researchers
Message-ID:

http://computerworld.co.nz/news.nsf/0/FB208DAE086D24ABCC2571810014C73E?OpenDocument

By Robert McMillan
San Francisco
6 June, 2006

Oracle once marketed its database as "unbreakable," but security researcher David Litchfield has a less inflated opinion of the software. "God forbid that any of our critical national infrastructure runs on this product," he said recently on the widely read Bugtraq security mailing list. "Oops it does."
Security researchers like Litchfield, managing director of Next Generation Security Software, based in Sutton, UK, make their living finding flaws in other people's software. And, while this can put them at odds with software makers, the relationship between Oracle and people like Litchfield has been particularly bad. In Litchfield's case, the problems go back to 2004, when he published details of an unpatched Oracle vulnerability in a presentation written for the Black Hat security conference. By Litchfield's account, Oracle had given him the go-ahead to discuss the vulnerability, but changed its mind at the last minute. Litchfield changed the topic of his presentation, but he was unable to remove his slides from the conference hand-out. The next day, the Wall Street Journal wrote about the flaws and, ever since, the relationship between Oracle and the tight network of security researchers who hack its products has been tense. This antagonism has prevented Oracle from receiving the independent testing and security advice that would have improved its products, says Cesar Cerrudo, chief executive officer of security research firm Argeniss, based in Parana, Argentina. "Oracle has ignored researchers and also attacked them, saying that researchers are the problem," he says. "The problem is Oracle's flawed software and Oracle's amateur handling of security related issues." From Oracle's perspective, researchers like Litchfield profit from the publicity they get for exposing Oracle's security flaws, but that exposure comes at a price: more risk for Oracle's customers. There is often little upside to cooperating with companies that do not understand Oracle and who profit from publishing security vulnerabilities, according to Oracle's chief security officer, Mary Ann Davidson. "What I really want is a world where there can be fair and accurate criticism," she says. "I'm all for dialogue, but you have to establish trust." 
In the past few months, however, there have been a few signs that things may be changing at the Redwood Shores, California, company. Oracle is becoming better at communicating with the research community, says Darius Wiles, manager of Oracle Security Alerts. Wiles' team is now working out a new system which will let bug reporters outside the company know they are not being ignored. "Once a month, going forward, we'll provide them with a list of everything that has not yet been fixed and indicate whether it's still under investigation or whether it's been fixed." Taking a cue from Microsoft, Oracle has even launched its own security blog and Oracle no longer talks about its products as being unbreakable. Davidson says that the first time she heard the marketing slogan, she thought, "What idiot dreamed this up?" This outreach is starting to pay off. Earlier this month, Litchfield wrote an uncharacteristically positive Bugtraq posting about the company. He says that he believes Oracle's products are becoming more secure and even had some praise for his long-time nemesis, Davidson. "Another thing that struck me was the amount of effort and time that it must have taken to get a lumbering stegosaurus of a beast like Oracle to turn around," he wrote. "Dare I say it, well done, Mary." Though Oracle executives may not like having their company compared to a Jurassic era dinosaur, this is far and away the most complimentary Litchfield has been since the Black Hat presentation. Still, the database giant is unwilling to go as far as its competitor Microsoft in embracing the so-called "white hat" hackers. Microsoft has invited researchers, including Litchfield and Cerrudo, to its Redmond, Washington, campus for twice-yearly hacker conferences, called Blue Hat. Microsoft says that Blue Hat helps them make their products more secure, but don't expect Oracle to invite hackers over to Redwood Shores, California, anytime soon. Such an event is really not necessary, Davidson says. 
"Microsoft had to go with the hacker love fest model because they're a big target," she says. Davidson believes that Oracle and Microsoft have very different pedigrees when it comes to security. She says that security has been built into the development of Oracle's products for years now, a by-product of its long history of government use. The US Central Intelligence Agency was one of Oracle's first customers, she claims. Oracle's security team doesn't simply fix bugs. When a new flaw is discovered, researchers make sure that what they've learned also translates into secure coding practices for the development team. "For at least 12 years we have built security into the formal development process," Davidson says. While Oracle has improved the security of some products, like the recent Oracle 10g Release 2 database, the company still has a lot of work to do, says Cerrudo. "They said recently that they will change the way they communicate with researchers, giving more feedback information, but nothing has happened yet," he says. "Right now the only feedback you get is the day before a patch is released they [tell] you your bug is going to be patched and nothing else." For all of the Oracle bugs that have been found, there has never been a widespread Oracle attack like the Slammer worm which disabled Microsoft SQL Server machines worldwide in 2003. But some observers say that Oracle's reputation for security has more to do with the fact that the database is typically buried in the bowels of datacentres, and hidden behind corporate firewalls, far from the prying eyes of hackers. And, while users who have not exposed their databases to queries from outside partners or customers may not be staying up late at night worrying about Oracle's security, they do have concerns about the future. "We're in a nervous state, but we think it's manageable risk," says Hal Kuff, a technology services manager with Tessco Technologies, in Hunt Valley, Maryland. 
Users must first be inside Tessco's local area network in order to query the database, Kuff says. "If we were to pursue an Oracle environment, where we invited direct connectivity from outside partners, we would reconsider our security posture."

As these outside connections become more common, thanks to grid computing and internet applications, outside experts like Litchfield could become important to Oracle, Kuff says. "As Oracle becomes more pervasive, they should absolutely explore a relationship with the so called "white hat" hackers," he says. "The people that are willing to sit down with them at the table are one of their only defences against the people who will not sit down with them at the table."

The pervasiveness Kuff talks about may be closer than many people realise. Late last year, Litchfield conducted a survey of nearly half a million computer systems on the internet and found nearly as many Oracle databases exposed as he did Microsoft SQL server systems. Extrapolating from his data, Litchfield estimated there were about 140,000 Oracle servers not firewalled on the internet. There are about 210,000 Microsoft SQL Servers similarly unprotected, he says. "This is just a myth, that Oracle is in the back-end of nowhere protected by all these firewalls," he says.

Still, like Microsoft, Oracle has reached a turning point and is clearly making much more secure products, Litchfield says. Finding bugs has become harder with the latest releases of its database and, while Litchfield will undoubtedly remain a thorn in Oracle's side, he realised earlier this month that the time had finally come to soften his rhetoric.

"I just got weary to be honest," he says. "You see, they will get to the point of having a secure product at some time - but all without acknowledging that they were dragged to that point kicking and screaming."

Copyright © 2005, IDG Communications New Zealand Limited

From isn at c4i.org Wed Jun 7 01:07:30 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:07:30 -0500 (CDT)
Subject: [ISN] Despite breaches, companies seen as lax on protecting data
Message-ID:

http://www.mercurynews.com/mld/mercurynews/business/technology/14754071.htm

By Aman Batheja
Fort Worth Star Telegram
Jun. 06, 2006

FORT WORTH, Texas - Another week, another huge breach of personal data.

Dallas-based Hotels.com announced last week that credit-card numbers and other personal information on about 243,000 of its customers were on a laptop computer stolen from a car in February.

Last month, the Veterans Affairs Department announced that personal information of 26.5 million veterans was compromised after a laptop and disks were stolen from the home of a data analyst. Information on 1.3 million more people who borrowed money through the Texas Guaranteed Student Loan Corp. was lost in May while in possession of a contractor.

Despite the growing list of blunders, most companies still aren't doing enough to protect their customers' data, according to security experts. The reasons are largely the prohibitive costs of securing mobile devices and a lack of public concern.

``Until businesses are held accountable ... legally, financially and by customer demand for protecting that information, they're not in any strong hurry to make it happen,'' said Rick Fleming, chief technology officer with Digital Defense, a San Antonio-based network security firm.

The Hotels.com data breach stems from an audit of the company's transactions performed by Ernst & Young. The laptop was stolen from the car of an analyst with the accounting firm. Hotels.com spokesman Paul Kranhold said the incident occurred in Texas but would not say where. He would not confirm nor deny news reports that indicated that the theft occurred in the Dallas area.

The laptop required a password to use it.
A file on the computer has information mostly on customer transactions from 2004, although some are from 2003 and 2002. The information on the file may have included customers' names, addresses and some credit- or debit-card information, according to a statement released by Ernst & Young. Hotels.com is sending letters to every customer whose data may have been on the laptop. Ernst & Young has set up a call center to address questions or concerns involving the incident. The accounting firm has also arranged for those affected to sign up for a credit-monitoring service for a full year for free. The information on the laptop was not encrypted, a practice of protecting information by transforming it into an unreadable code. Ernst & Young spokesman Charlie Perkins said the company had begun installing encryption systems on all of the company's laptops earlier this year, but the one with the Hotels.com data did not have the system yet. Ernst & Young has promised Hotels.com that it will take extra steps to protect the company's data in the future, including encrypting sensitive information. It has set up a toll-free phone number to help those who may be in danger of identity theft: 866-387-2242. Encryption is one of the most effective and efficient ways of securing information on a laptop, said Mike Stute, chief technology officer for Global DataGuard, a security risk-management company in Dallas. Companies, especially larger ones, are hesitant to spend up to several hundred dollars per laptop to encrypt data, Stute said. ``The truth is, the $1,000 laptop is trivial compared to the data on the machine,'' Fleming said. ``I don't understand why every company doesn't do it.'' Even a good encryption program is only as safe as the person operating it. A hacker can easily overcome an encryption system that's protected by a password if the user picked an easy one to guess, Fleming said. 
A more secure system includes an encryption token, a small object that must be plugged into the laptop's USB port to decrypt the information. That type of system can be extremely effective -- as long as the laptop and the token are kept apart. Fleming recalled seeing a man in an airport with an encryption token taped to his laptop, thereby defeating the purpose of having the token at all.

A slew of large data breaches have surfaced in the past year mainly because laws passed in several states now require companies to report these embarrassing mistakes. California started the trend of data-breach laws in 2003. The Texas Breach of Computer Security Statute went into effect in September.

``There's no question that the states are taking the lead on identity theft,'' said Ed Mierzwinski, consumer program director for the Texas Public Interest Research Group.

A handful of bills working their way through Congress would make data-breach notification a national law. Depending on which bill passes, companies may be required to report any data breaches where there's a chance for identity theft or fraud, or only when there's a good chance of misuse of the data.

No matter what laws are passed, Stute doubts that companies will get more serious about protecting sensitive data until the technology becomes cheaper and easier to use. He noted that they have little motivation, considering that most of the major data breaches over the last year have not appeared to impose any lasting damage to the image of the company at fault.

``It never seems to stop consumers anyway,'' Stute said. ``It's bad press, but it doesn't seem to hit home with anybody.''

From isn at c4i.org Wed Jun 7 01:07:44 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:07:44 -0500 (CDT)
Subject: [ISN] Fraidy Cat Marketing
Message-ID:

http://www.forbes.com/home/free_forbes/2006/0605/100.html

By Matthew Rand and David Whelan
06.05.06

To sell antivirus software, first you must sell the fear.
Verisign, the intrepid Web security giant, issued an ominous warning in December. It predicted an imminent invasion by a worm called Sober, which would infect networks worldwide and clog up the Internet. It would be timed to coincide with the 87th anniversary of the founding of the Nazi party. Other firms joined in a chorus of worry, offering an abundance of soundbites for news outlets. Then in January dozens more reports, similarly circulated by security firms, warned that an e-mailed virus called Kama Sutra would ruin PCs from Seattle to Sri Lanka. Neither outbreak ever occurred. Two small security software outfits claimed credit for blocking Kama Sutra, but Microsoft (nasdaq: MSFT - news - people ) said later the threat was overblown. Vincent Weafer, who runs the security response division at Symantec (nasdaq: SYMC - news - people ), the world's largest seller of antivirus software, concedes both threats were duds and that his rivals overhyped them. "To get attention, you pick something new and say the sky's falling down," he says. Fear-mongering sparks big business in the thriving computer security industry. Spending will grow 18% this year to $38 billion. In 1995 venture capitalists backed all of 3 new security firms; last year they funded 96 newcomers. To stir up business, they ply fearful forecasts and ominous ads. RSA Security's (nasdaq: RSAS - news - people ) annual conference in San Jose, Calif. drew 14,000 this year, up from 10,000 in 2004. Some 4,000 attendees paid the full $1,100 to $1,900 to get spooked in person. The fetish for fretfulness has gotten old. U.S. losses last year from corporate security breaches "declined dramatically," say the Computer Security Institute and the Federal Bureau of Investigation, to $130 million based on a survey of 639 companies. (Other incidents go undetected because companies are too ashamed to report them.) Three-quarters of companies said they had some virus problems last year, but 94% said so in 2001. 
The improving stats have done little to lift the security industry's mood. Symantec recently warned that instant messaging would be the next source of threats, while flogging a new product that scans instant messages for viruses. In 2003 it called cell phones "the Achilles heel," while promoting new wireless products. "Chief executives are like consumers. They are heavily influenced by what they see on CNN or in the newspapers," says Symantec's Weafer. The antivirus warriors lately have conducted surveys to highlight a glaring security weakness: the gullibility of a company's own employees. Never mind that even their toughest products can't protect much against same. Offered the chance to win chocolate Easter eggs, 81% of London commuters polled gave out their birthdays, pet names and other personal data, possible clues for cracking into their e-mail accounts. The pollsters were hired by the organizers of the Infosecurity Europe conference. Before the same conference two years ago RSA Security performed a similar stunt and found that 79% of people gave out this kind of personal information--free. That prompted a press release: "Internet identity theft threatens to be the next crime wave to hit Britain." In the U.S., RSA, which sells electronic tokens that generate randomized passwords, hired a perky team in "I Love NY" T shirts to scour Central Park and sweet-talk tourists into giving out their mothers' maiden names; 70% did. Newscasts in San Francisco, Miami and Boston ran the story. Christopher Young, an RSA vice president, bristles at any suggestion that the surveys were aimed at stoking sales. "It's hardly that direct." The surveys, he says, are used only to "raise awareness." Some 70% of security breaches are caused by human error, says a March 2006 survey by the Computing Technology Industry Association. 
Brian Boetig, a supervisory special agent with the FBI's computer crime unit in San Jose, Calif., describes the typical breach: "When you fire an employee and don't change their password, they can get into the system and get information to a competitor." No technical solution there. Says Boetig: "There are people creating problems so they can fix them. But that's marketing for you."

© Forbes.com Inc. - All Rights Reserved

From isn at c4i.org Wed Jun 7 01:08:04 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:08:04 -0500 (CDT)
Subject: [ISN] Commerce sets up IT security education program
Message-ID:

http://www.gcn.com/print/25_14/40927-1.html

By Patience Wait
GCN Staff
06/05/06 issue

The first step toward better information security in the government is to provide more training for the people responsible for keeping systems safe. That's the approach being taken by Nancy DeFrancesco, chief information security officer for the Commerce Department.

With DeFrancesco as the champion, the department is implementing an education and training program for its information security professionals that she hopes will develop into a center of excellence within the Security Line of Business initiative established by the Office of Management and Budget.

DeFrancesco convinced the department last month to hire (ISC)2 Inc. of Palm Harbor, Fla., to provide courses for employees to earn designations as Certified Information Systems Security Professionals (CISSP), System Security Certified Professionals (SSCP) and Certification and Accreditation Professionals (CAP).

"Education is a large part [of our IT budget] because I make it that way," DeFrancesco said. "I have a commitment from the Secretary of Commerce [Carlos M. Gutierrez] that it's important."

For the past two years, IT security professionals in the department had been using the Office of Personnel Management's online learning center.
But DeFrancesco wanted a broader course offering, and she wanted to give employees different ways to access materials. Funding issues "Our component [agencies] were interested in instructor-led training, and, of course, people learn in different ways," she said. Getting the funding to set up the educational program was a challenge, DeFrancesco said. Her office has a small budget; most information security funds are allocated to the department's major program areas. To gain the funding, she persuaded component agencies, such as the Census Bureau, to contribute money to get it off the ground. "We had great participation - I was very surprised and pleased," she said. "A solid education program is critical to reaching personnel in the department with significant information security responsibility." John Mongeon, head of the government services division at (ISC)2, said that DeFrancesco's push to set up training and education opportunities shows that "Commerce is dedicated to building the next generation of information security managers." "Commerce is a pretty robust agency, with personnel all over the place," Mongeon said. To accommodate the dispersed workforce, his company will be providing courses through several channels - classes on-site at Commerce headquarters in Washington, vouchers for employees scattered around the country to take classes off-site at (ISC)2 public education venues, and online classes. The first, one-day class, on the system certification and accreditation process, was held May 31 at Commerce headquarters. All the session's 25 slots were filled and DeFrancesco already has a waiting list for the next offering. The department will hold a week of information security training the first week of August, and is planning to schedule other certification and accreditation classes in June and July. 
DeFrancesco said that she is hoping the information security education program will prove so successful that it can be established as a center of excellence in OMB's Security LOB. A COE does not have to provide soup-to-nuts solutions for a particular line of business; instead, it can carve out a particular specialty. The Justice Department, for instance, last fall submitted a business case to OMB that its Cyber Security Assessment and Management system should become the standard tool for all agencies looking to track FISMA compliance. Sources said the Treasury Department and the Environmental Protection Agency also submitted business cases related to aspects of the Security LOB for fiscal 2007, but no decisions have been made about granting any of the applications.

It might seem ironic for a department to aspire to host a center of excellence in security despite its poor Federal Information Security Management Act grades - under FISMA agencies are graded on their security measures and compliance, and Commerce has veered from F to C- to D+ over the past three years. But DeFrancesco said it's appropriate, because everything starts with educating and training the people who bear the responsibility for implementing security.

"I did participate on the task force for the information security LOB, [and I'm] very familiar with that particular initiative," she said.

DeFrancesco said it is too early to put together the business case application to submit to OMB. The education program first has to get up and running, and demonstrate its value to information security professionals.
From isn at c4i.org Wed Jun 7 01:08:29 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 7 Jun 2006 00:08:29 -0500 (CDT) Subject: [ISN] Ahold USA pension data lost when laptop disappears Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000953 By Todd Weiss Computerworld June 05, 2006 A laptop computer containing the names and personal information of an undisclosed number of retirees of grocery store chain Ahold USA disappeared last month after it was placed in checked baggage on a commercial U.S. flight and the bag was lost by the airline. Barry Scher, a spokesman for Ahold USA in Quincy, Mass., said the company has notified the retirees about the incident by mail but added that information about the number of affected former employees and the kind of data kept on the laptop is not being made public. "We're not giving out any numbers to protect our people," he said. Scher said the laptop was lost by an employee of Electronic Data Systems Corp., which provides data processing services for the Ahold USA Pension Plan. The laptop was password-protected and contained a file with the personal information of retired participants in the pension plan and of some other former employees of Ahold USA subsidiaries, including Stop & Shop Supermarket Cos., also in Quincy, Mass., according to a company statement. Kimberly Walton, a spokeswoman for EDS, today acknowledged that the computer was lost amid baggage on a flight after an airline employee asked the EDS worker to check the bag rather than carry it onto the aircraft. "By doing so, that employee violated our company policy," Walton said. The employee has been disciplined, but Walton would not comment further on whether the person still works for EDS. After the laptop was determined to be lost, the EDS employee did notify the airline and local police about the incident, she said. EDS then told Ahold about what had happened, Walton said. 
Scher and Walton would not specify when or where the incident occurred or what airline was involved. Walton said the company has received no reports that any of the data has been used illegally.

EDS and Ahold notified the three major credit bureaus of the data loss, and personal notification letters are being sent out to the affected retirees. A toll-free telephone line has also been set up to allow retirees to get information on obtaining free credit reports and free credit monitoring for one year, Walton said.

Ahold USA is a subsidiary of Amsterdam-based Royal Ahold, an international grocery store operator. In addition to Stop & Shop, Ahold USA operates Carlisle, Pa.-based Giant Food Stores, Buffalo, N.Y.-based Tops Market stores and Landover, Md.-based Giant Food stores.

From isn at c4i.org Wed Jun 7 01:08:49 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:08:49 -0500 (CDT)
Subject: [ISN] Data Theft Hit 80% Of Active Military
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/06/AR2006060601332.html

By Ann Scott Tyson and Christopher Lee
Washington Post Staff Writers
June 7, 2006

Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel -- including nearly 80 percent of the active-duty force -- were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as identity theft.

The department announced that personal data for as many as 1.1 million active-duty military personnel, 430,000 National Guard members and 645,000 reserve members may have been included on an electronic file stolen May 3 from a department employee's house in Aspen Hill. The stolen data include names, birth dates and Social Security numbers, VA spokesman Matt Burns said.

Defense officials said the loss is unprecedented and raises concerns about the safety of U.S.
military forces. But they cautioned that law enforcement agencies investigating the incident have not found evidence that the stolen information has been used to commit identity theft.

"Anytime there is a theft of personal information, it is concerning and requires us and our members to be vigilant," Pentagon spokesman Bryan Whitman said. He said the loss is "the largest that I am aware of."

Army spokesman Paul Boyce said: "Obviously there are issues associated with identity theft and force protection."

For example, security experts said, the information could be used to find out where military personnel live.

"This essentially can create a Zip code for where each of the service members and [their] families live, and if it fell into the wrong hands could potentially put them at jeopardy of being targeted," said David Heyman, director of the homeland security program at the Center for Strategic and International Studies (CSIS).

Another worry is that the information could reach foreign governments and their intelligence services or other hostile forces, allowing them to target service members and their families, the experts said.

"There is a global black market in this sort of information . . . and you suddenly have a treasure trove of information on the U.S. military that is available," said James Lewis, director of technology and public policy at CSIS.

One defense official, speaking on the condition of anonymity because of the sensitivity of the matter, called the potential damage "monumental."

The new revelations significantly increase the potential harm from what was already one of the largest data breaches in U.S. history. On May 22, VA disclosed that an external computer hard drive was stolen May 3 from the home of a VA employee and that it contained unencrypted names and birth dates for as many as 26.5 million veterans who were discharged after 1975 or submitted benefit claims.
It also included Social Security numbers for 19.6 million of those veterans, VA officials said. Initially VA thought that all of the 26.5 million people affected were veterans, but a database comparison revealed that they also included the bulk of the active-duty military services, as well as more than 1 million members of the National Guard and reserves.

Montgomery County police released a description yesterday of the stolen laptop and its external hard drive because they said it may have been purchased by someone who does not realize the value of its content.

"It could have shown up at a yard sale or a secondhand store," police spokeswoman Lucille Baur said. "This is a time of the year when parents may be buying computers for kids going to college in the fall."

Montgomery County police are offering a $50,000 reward for information that allows authorities to recover the laptop. The computer is a Hewlett-Packard model zv5360us and the external hard drive is an HP External Personal Media Drive. The Washington Post is not publishing the name of the career data analyst whose laptop was stolen in response to a request from law enforcement authorities who are investigating its disappearance.

The breach outraged veterans -- even more so because senior VA officials knew about the theft within hours of the crime but did not tell VA Secretary Jim Nicholson until 13 days later. The 60-year-old analyst, who had been taking home sensitive data for at least three years without authorization, has been fired, officials have said. His boss resigned last week and another senior VA official is on administrative leave pending investigations by the FBI, the VA inspector general and Montgomery County police.

A coalition of veterans groups filed a class-action lawsuit against the federal government yesterday, contending that privacy rights were violated and seeking $1,000 in damages for each affected veteran. The lawsuit, filed in U.S.
District Court in the District of Columbia, demands that VA fully disclose who was affected by the theft, and asks a court to prohibit VA workers from using sensitive data until safeguards are in place.

Burns said the department does not comment on pending litigation. He said VA has received no reports of stolen data being used for identity theft or other criminal activity.

VA receives records for every new recruit because active-duty personnel, National Guard members and reservists are eligible for certain VA benefits, such as GI Bill educational assistance and the home-loan program.

"The department will continue to make every effort to inform and help protect those potentially affected, and is working with the Department of Defense to notify all affected personnel," Nicholson said.

Rep. Lane Evans (D-Ill.), ranking member of the House Veterans' Affairs Committee, said yesterday that he was "appalled" at the data breach and called for a Government Accountability Office investigation into VA information security practices.

Research shows that it is not unusual for government employees to take home sensitive data on laptops, Lewis said. "The rules we have are either chaotic or nonexistent. . . . We still have a paper rules government when we are a digital nation."

Staff writer Ernesto Londoño contributed to this report.

© 2006 The Washington Post Company

From isn at c4i.org Wed Jun 7 01:09:17 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:09:17 -0500 (CDT)
Subject: [ISN] DHS doesn't take cyberattack threats seriously, former IG says
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/article94792-06-06-06-Web

By Christopher J. Dorobek
June 6, 2006

HILTON HEAD, S.C. -- The United States and the Homeland Security Department are "manifestly and woefully unprepared" for a cyberattack, the former DHS inspector general said.
Al Qaeda is training people and focusing on launching cyberattacks, but DHS has "failed to make this a priority," said Clark Ervin, the director of the Aspen Institute's Homeland Security Initiative and former DHS IG, speaking at the American Council for Technology's Management of Change conference here.

DHS is on its fifth cybersecurity leader. That is an indication of the department's lack of focus on this issue, he said, and it is an illustration of how unprepared the agency is to serve as a model for how cybersecurity should be handled.

Ervin, who has written a book, "Open Target: Where America Is Vulnerable to Attack [1]," said terrorists are keenly aware of where the country's weaknesses are and will work to take advantage of those weaknesses.

He referred to one IG report that stated DHS wireless networks were largely unsecured. If the agency isn't addressing issues as seemingly simple as securing wireless, what else is not getting done? he asked.

Ervin offered a somewhat damning view of the efforts to secure the country. He said the United States is safer today than it was before the 2001 terrorist attacks, but the real question that needs to be asked is whether the country is as secure as it should be and as it needs to be.

[1] http://www.amazon.com/exec/obidos/ASIN/1403972885/c4iorg

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M.
Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Jun 7 01:09:40 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:09:40 -0500 (CDT)
Subject: [ISN] Warning on air traffic hacking
Message-ID:

http://www.theaustralian.news.com.au/story/0,20867,19378061-23349,00.html

Steve Creedy
Aviation writer
June 06, 2006

HACKERS armed with little more than a laptop computer could conjure up phantom planes on the screens of Australia's air traffic controllers using new radar technology, Dick Smith has warned.

The prominent businessman and aviator claims to have found another security flaw in the new software being introduced in the air traffic control system. He has challenged Transport Minister Warren Truss to allow him to set up a demonstration of the problem at a test of the technology in Queensland to show how hackers could exploit the automatic dependent surveillance-broadcast (ADS-B) system to create false readings on an air traffic controller's screen.

The air space activist says he had been told of the flaw by staff at the US Federal Aviation Administration.

"FAA officials have become aware that an electronics boffin, using a second-hand or 'borrowed' transponder from a small (general aviation) aircraft connected to a $5 data lead, a $5 aerial and a laptop computer, can create 10, 20 or even 50 false aircraft on an air traffic controller's screen," Mr Smith says in a letter to Mr Truss. "This will create total chaos in the air traffic control system."

Australia is at the forefront of ADS-B, which uses the global positioning system and aircraft avionics to automatically broadcast information about a plane's position, speed and direction. Authorities are poised to introduce the system for high-level airspace, but are yet to make a decision on whether to use it at lower altitudes.
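The phantom-aircraft claim in Mr Smith's letter rests on a ground station taking the position field of a broadcast at face value. The Python below is an added illustration, not code from the article, the FAA or any ADS-B implementation, of the multiple-ground-station approach the article goes on to mention: stations with synchronized clocks compare the time-difference-of-arrival (TDOA) of one message with the differences that the position claimed inside the message would produce. The station coordinates, the flat two-dimensional geometry, the transmitter positions and the tolerance are constructed for illustration; a real system works in three dimensions and has to budget for receiver clock error.

```python
import math

# Constructed example: three ADS-B ground stations on a flat plane, in metres.
# Coordinates, geometry and tolerance are illustrative assumptions, not values
# from any deployed system.
STATIONS = [(0.0, 0.0), (60_000.0, 0.0), (0.0, 60_000.0)]
C = 299_792_458.0          # propagation speed, m/s
TOLERANCE_S = 1.0e-6       # about 300 m of range error allowed for clock/receiver noise


def arrival_times(tx_pos, t0=0.0):
    """Time at which each station hears a message sent from tx_pos at t0.

    Used here only to fabricate receptions for the two scenarios below; a
    real station would read these timestamps from its receiver hardware.
    """
    return [t0 + math.dist(tx_pos, s) / C for s in STATIONS]


def tdoa_residual(claimed_pos, times):
    """Largest disagreement (seconds) between the observed time differences
    of arrival, taken relative to station 0, and the differences that the
    position claimed inside the message would produce.

    Working with differences cancels the unknown transmit time t0, so the
    check needs synchronized station clocks but no trusted aircraft clock.
    """
    predicted = [math.dist(claimed_pos, s) / C for s in STATIONS]
    worst = 0.0
    for i in range(1, len(STATIONS)):
        observed_delta = times[i] - times[0]
        predicted_delta = predicted[i] - predicted[0]
        worst = max(worst, abs(observed_delta - predicted_delta))
    return worst


def position_is_consistent(claimed_pos, times, tol=TOLERANCE_S):
    """True when the reception geometry agrees with the claimed position."""
    return tdoa_residual(claimed_pos, times) <= tol


# Scenario 1 (constructed): a genuine aircraft at CLAIMED transmits from
# where it says it is.
CLAIMED = (20_000.0, 25_000.0)
genuine_times = arrival_times(CLAIMED)

# Scenario 2 (constructed): a ground transmitter at SPOOFER_POS sends a
# message claiming the same position CLAIMED.  The message content is
# identical; only the propagation geometry differs.
SPOOFER_POS = (5_000.0, 5_000.0)
spoofed_times = arrival_times(SPOOFER_POS)

if __name__ == "__main__":
    print("genuine residual %.3e s -> consistent=%s"
          % (tdoa_residual(CLAIMED, genuine_times),
             position_is_consistent(CLAIMED, genuine_times)))
    print("spoofed residual %.3e s -> consistent=%s"
          % (tdoa_residual(CLAIMED, spoofed_times),
             position_is_consistent(CLAIMED, spoofed_times)))
```

Two independent time differences generally pin a two-dimensional position down, so a stationary transmitter can only make claims that pass this check if it claims roughly its own location; it cannot produce a track that both passes and moves across the screen. That is the sense in which multiple stations let controllers tell whether a signal came from a moving aircraft, and it is also why the check is expensive: every location needs several synchronized receivers rather than one.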
The US is also rolling out ADS-B. The technology has been enthusiastically endorsed by senior executives of the aviation administration and the airline industry.

But Mr Smith, who is campaigning against the scheme and has raised safety and security concerns about the design, said the system had no way of verifying whether a plane was where it claimed to be or if it existed at all.

He said the FAA was looking at ways of encrypting signals or setting up multiple ground stations at each location to allow the traffic controllers to determine whether a signal came from a moving aircraft. This would significantly increase the cost of ADS-B.

"As we all know, criminals create viruses for computer networks which have cost the world hundreds of millions of dollars," Mr Smith said. "Exactly the same people are likely to create spoofing for the air traffic control system."

A spokeswoman for Mr Truss said yesterday the minister had received a lot of correspondence from Mr Smith on ADS-B.

"This recent letter is being considered and we will be writing back formally to him," she said. "Mr Smith did meet the minister in the past few weeks and we would point out that no decision about ADS-B has been made, nor is a decision imminent."

From isn at c4i.org Wed Jun 7 01:07:11 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:07:11 -0500 (CDT)
Subject: [ISN] Linux Security Week - June 5th 2006
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter                                 |
| June 5th, 2006                                 Volume 7, Number 23n |
|                                                                     |
| Editorial Team: Dave Wreski dave at linuxsecurity.com               |
|                 Benjamin D. Thomas ben at linuxsecurity.com         |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Post-Encryption Security," "Setup a transparent proxy with Squid in three easy steps," and "Small Security Risk Still Big Selling Point for Linux."

---

Security on your mind? Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data. The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates. The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Linux v3.0.6 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.6 (Version 3.0, Release 6). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and a couple of new packages available for installation.

http://www.linuxsecurity.com/content/view/122648/65/

---

pgp Key Signing Observations: Overlooked Social and Technical Considerations
By: Atom Smasher

While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature.
There are also technical issues pointed out where I believe other documentation to be lacking.

http://www.linuxsecurity.com/content/view/121645/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      |  <<-----[ Articles This Week ]----------
+---------------------+

* Password Hashing
29th, May, 2006

In this article I'm going to cover password hashing, a subject which is often poorly understood by newer developers. Recently I've been asked to look at several web applications which all had the same security issue - user profiles stored in a database with plain text passwords.

http://www.linuxsecurity.com/content/view/122924

* Post-Encryption Security
3rd, June, 2006

Last month I reviewed Voltage Security's secure email product, a worthy exercise since email is the most common method of transmitting documents from one department to another.

http://www.linuxsecurity.com/content/view/122982

* How To Automate Spamcop Submissions
29th, May, 2006

Spamcop is a service which provides RBLs for mailservers in order to reject incoming mail from spammers. Their philosophy is to process possible spam complaints from users. When they receive a certain amount of complaints during a time-period then they will blacklist the offender. This system is dependent on spam reporting from users. However, their submission process is not very user-friendly.

http://www.linuxsecurity.com/content/view/122923

* Disaster Practice
4th, June, 2006

When the British government wanted to test the resiliency of its financial institutions, it commissioned "an afternoon from hell". The buildup started on a Monday morning last November. First, there was a failure in the clearing systems used to transfer money between banks after routine systems maintenance.
Then, terrorists staged a series of bomb attacks around Britain, causing hundreds of casualties in London and considerable damage to major financial centres. Around the same time, malicious hackers tried their best to break into the banks' systems. All in all, 'twas a bad day. The disaster recovery simulation was organized by the Tripartite Authorities, a group comprising the Financial Services Authority, the UK Treasury Department and the Bank of England.

http://www.linuxsecurity.com/content/view/122979

* MicroWorld to Launch Futuristic Network Firewall
27th, May, 2006

MicroWorld Technologies launched its futuristic, enterprise class firewall eConceal. eConceal is a comprehensive network firewall developed to prevent unauthorized access to a computer or network connected to the Internet. It enforces a boundary between two or more networks by implementing default or user-defined Access Control Policies or Rules. These rules function as filters by analyzing data packets to see if they fulfill the filter criteria and then allow or block the traffic accordingly.

http://www.linuxsecurity.com/content/view/122910

* Can single sign-on be simple sign-on?
29th, May, 2006

Fundamentally, Single Sign On (SSO) is a straightforward idea. You use a proxy device to authenticate a user, and the proxy then manages all the login idiosyncrasies of the applications they want to access. Easy to describe, and straightforward to transcribe onto slideware. The devil is, of course, in the detail. For example, how do you know how all of your enterprise applications manage their login? Does the proxy do this for you or do you have to write a login script for each one individually? If you deploy the solution and the application decides it wants a password refresh, is your helpdesk buried by calls from angry users who can't get into the application and do their work?
http://www.linuxsecurity.com/content/view/122917

* Taking Steps To Protect Customer Data
29th, May, 2006

With so much attention paid to malicious attacks by hackers, worms and viruses, it's a common misconception that outside forces pose the greatest danger to a company's data. The reality, however, is that internal elements are far more dangerous when it comes to data security than anything on the outside, including natural disasters.

http://www.linuxsecurity.com/content/view/122922

* Biometrics - The Wave of the Future?
1st, June, 2006

Will biometrics be a factor in our future? Of course it will, at least to the extent that it has been in our past history. We as citizens must decide upon the best methods to use and the best way to utilize this technology. Biometrics can be defined in several ways such as the study of measurable biological characteristics. In reference to Information Security it specifically applies to the automated use of physiological or behavioral characteristics to determine or verify identity.

http://www.linuxsecurity.com/content/view/122958

* Security Management From One Platform
28th, May, 2006

Managing network security gets harder every day as the number and types of threats multiply. Security is also a double-edged sword, and an incorrectly implemented or mismanaged security policy can prevent network commerce and stand in the way of the mission of the enterprise.

http://www.linuxsecurity.com/content/view/122911

* Linux: Setup a transparent proxy with Squid in three easy steps
29th, May, 2006

Yesterday I got a chance to play with Squid and iptables. The job was to set up Squid proxy as a transparent server. The main benefit of setting up a transparent proxy is that you do not have to set up individual browsers to work with proxies.

http://www.linuxsecurity.com/content/view/122925

* Follow the Appiant way to a more secure network.
29th, May, 2006

Hardly a day goes by that we don't hear new information about some company getting themselves hacked.
Sure they all have firewalls, but HOW are the hackers getting in? I was hired to perform an application security audit for a local university. They wanted to make sure that they didn't become part of the growing statistics.

http://www.linuxsecurity.com/content/view/122926

* Network auditing on a shoestring
30th, May, 2006

What do you do when the auditors are breathing down your neck, wanting to see an exhaustive report on the Windows network security of a 2,000-user network across eight sites? That's easy. Break out a text editor and start writing some Perl. That's what my colleague Matt Prigge and I did when we were tasked with locating every share available on a network and documenting who had access to their files. At first blush, it was a Herculean effort. When we started coding and the pieces began to fall into place, however, it became much simpler.

http://www.linuxsecurity.com/content/view/122930

* Execs Express Top Security Concerns
30th, May, 2006

When it comes to protecting corporate assets there seems to be little security managers don't worry about. That's the impression of security executives attending this week's Converge '06 conference - also known as security vendor Courion's annual customer meeting.

http://www.linuxsecurity.com/content/view/122935

* Security expert recommends 'Net diversity
31st, May, 2006

What do you see as the top three information security threats that are most likely to hit U.S.-based multinationals? One of the biggest threats we have right now is deployment of resources intended either to save on cost or enhance features without thinking through the consequences. VoIP and wireless fall in this category. They have failure modes that are very different than what they are replacing and are not well understood. Perceived cost advantages are driving these technologies, but that is overcoming the caution that should be in place.
That's a threat not in the sense of a particular attack, but it is a systemic problem that leads to weakness in security posture and therefore may lead to attacks.

http://www.linuxsecurity.com/content/view/122942

* Most sites ready for SSL progress
2nd, June, 2006

Despite the enormous success of SSL for securing web traffic, there has been little technical change in the way that SSL is used for secure HTTP in the ten years since SSL version 3 was introduced. Although it has been around since 1996, most browsers have continued to make connections compatible with the older SSL version 2 protocol. But now the major browser developers are aiming to drop SSL v2 completely; export-grade encryption ciphers are also to be dropped. SSL version 2 was supported by Netscape 1.0, back in 1994, and it was made obsolete by SSL version 3, published in 1996. But while SSL version 3 was soon widely supported (and over 97% of HTTPS sites also support its successor, TLS), most browsers have continued to make SSL-v2-compatible connections, in order to stay compatible.

http://www.linuxsecurity.com/content/view/122972

* The Games Hackers Play
2nd, June, 2006

This clash has nothing to do with the simulated battles on Gindis, Eternal Duel, Mobstar or any of the more hip gaming sites. No, this one's for real. The villains in this combat are criminal hackers and phishing scammers, and their targets: unsuspecting on-line gamers.

http://www.linuxsecurity.com/content/view/122975

* Log Analysis for Intrusion Detection
29th, May, 2006

Log analysis is one of the most overlooked aspects of intrusion detection. Nowadays we see every desktop with an antivirus, companies with multiple firewalls and even simple endusers buying the latest security related tools. However, who is watching or monitoring all the information these tools generate? Or even worse, who is watching your web server, mail server or authentication logs?
I'm not talking about pretty usage statistics of your web logs (like what webalizer does). I'm talking about the crucial security information that only few of these events have and nobody notices. A lot of attacks would not have happened (or would have been stopped much earlier) if administrators cared to monitor their logs. We are not saying that log analysis is easy or that you should be manually looking at all your logs on a daily basis. Because of their complexity and generally high volume, automatic log analysis is essential.

http://www.linuxsecurity.com/content/view/122919

* Cybersecurity Contests go National
1st, June, 2006

It has all the makings of a B-movie plot: A corporate network targeted by hackers and a half dozen high-school students as the company's only defense. Yet, teams of students from ten different Iowa high schools faced exactly that scenario during a single night in late May in the High School Cyber Defense Competition. The contest tasked the teenagers with building a network in the three weeks leading up to the competition with only their teachers, and mentoring volunteers from local technology firms, as their guides.

http://www.linuxsecurity.com/content/view/122961

* Small Security Risk Still Big Selling Point for Linux
27th, May, 2006

When the Indiana Department of Education rolled out PCs running Linux to schools last year, it installed open source antivirus software on the servers connected to the desktop systems to scan incoming e-mail. However, it didn't bother to put antivirus tools on the PCs themselves. "I hate to admit this, but I wasn't worried," said Forrest Gaston, a consultant who is managing the project for the Indianapolis-based agency. And despite heavy Internet usage by students, Gaston's optimism has been borne out thus far. Desktop security "hasn't been an issue," he said.
http://www.linuxsecurity.com/content/view/122908

* 13 Ways To Get Your Developers On Board With Software Security
2nd, June, 2006

It's easy to understand that software security starts with writing secure code. Keep the flaws out from the beginning and you've bought yourself several pounds of prevention. Baking security in up front is logical and makes good technical and business sense; however, getting your developers on board with security training is not necessarily going to be an easy task. At first glance, it might seem that selling software security to developers would require the same approach as getting buy-in from executive management and the average user. It's not quite that simple.

http://www.linuxsecurity.com/content/view/122976

* Macro virus aims at OpenOffice, StarOffice
30th, May, 2006

An unknown virus writer has created the first macro virus that targets computers running the alternative word processors OpenOffice and StarOffice, antivirus firm Kaspersky Labs said on Tuesday.

http://www.linuxsecurity.com/content/view/122937

* Linux comes to Sun SPARC servers
31st, May, 2006

Sun is officially giving customers a wider choice on its SPARC servers with the announcement that it will support Linux on its new multicore UltraSPARC T1 systems.

http://www.linuxsecurity.com/content/view/122951

* Firefox 2.0 Bakes in Anti-Phish Antidote
31st, May, 2006

Mozilla has reached the latest development milestone for its next-generation Firefox 2.0 "Bon Echo" browser with a little anti-phishing help from Google.

http://www.linuxsecurity.com/content/view/122953

* Red Hat releases testing and integration tools to Linux developers
1st, June, 2006

Red Hat has released development tools to the open source community, which are designed to make it easier for enterprises and developers to quickly test and integrate new applications with Red Hat Linux and other Linux distributions.
http://www.linuxsecurity.com/content/view/122965

* The Intelligence Cycle for a Vulnerability Intelligence program on-the-cheap
30th, May, 2006

A Vulnerability Intelligence program should be a key component of any sound network security strategy. It should dovetail with a Vulnerability Assessment process and a patching/remediation process. While a Vulnerability Assessment process will tell you what needs to be patched, Vulnerability Intelligence should tell you what needs to be patched first and what new patches need to be evaluated.

http://www.linuxsecurity.com/content/view/122929

* The Finnish security vendor said the services are for small to midsize ISPs and their private custom
30th, May, 2006

The Finnish security vendor said the services are for small to midsize ISPs and their private customers. The services are PC Protection, which includes virus and spyware detection and a firewall, and PC Protection Plus, which adds parental and spam control features.

http://www.linuxsecurity.com/content/view/122938

* John the Ripper Pro
30th, May, 2006

This is to announce three things at once: 1) I have started making and maintaining commercial releases of John the Ripper password cracker, known as John the Ripper Pro. 2) A new version of the tiny POP3 server, popa3d 1.0.2, has been released adding a couple of minor optimizations specific to x86-64 to the included MD5 routines. 3) A new version of the password hashing package (for use in C/C++ applications and libraries), crypt_blowfish 1.0.2, has been released adding a minor optimization specific to x86-64.

http://www.linuxsecurity.com/content/view/122939

* Everybody's a Server
28th, May, 2006

The IT world has a reputation of being extremely fast-paced. And it is: an accounting program in the '80s would have been written in COBOL. In the '90s it would have been written with a RAD (Rapid Application Developer) environment such as Delphi or Visual Basic. In the
'00s (noughties?), today, the same application would probably be written as a web system, possibly using all of the 'Web 2.0' technologies to make it responsive and highly usable.

http://www.linuxsecurity.com/content/view/122909

* Application Security Hacking Videos
29th, May, 2006

With college campuses being hacked into on a seemingly daily basis, and student information being stolen and used for Identity Theft; I thought you might like to see how the hacks are being done, and how astoundingly easy they are. I have produced a video of a security audit I performed on a local college website that shows how easy these exploits are. There is also a brief training on the homepage that introduces non-experts to SQL injection concepts in a fashion that makes it easy to understand.

http://www.linuxsecurity.com/content/view/122920

* Oracle exec hits out at 'patch' mentality
29th, May, 2006

Oracle's security chief says the software industry is so riddled with buggy product makers that "you wouldn't get on a plane built by software developers." Chief Security Officer Mary Ann Davidson has hit out at an industry in which "most software people are not trained to think in terms of safety, security and reliability." Instead, they are wedded to a culture of "patch, patch, patch," at a cost to businesses of $59 billion, she said.

http://www.linuxsecurity.com/content/view/122921

* Malware Challenges in a Cross-Platform World
30th, May, 2006

With the advent of the inexpensive and powerful personal computer, networks have evolved and are now implemented exclusively using small computers connected among themselves and to the Internet. Don't get me wrong, though -- the mainframe isn't dead yet. In fact, Gartner estimates that more than 80% of business applications are written in Cobol, one of the earliest high-level programming languages.
But the truth is that, although still alive and kicking, the mainframe has nevertheless lost ground in our current environment, which is focused on PCs and distributed server architectures. http://www.linuxsecurity.com/content/view/122934 * Users Versus Hackers: Which Are Worse? 31st, May, 2006 It.s 5 p.m. on a Friday, and you're the lead security engineer for the headquarters site of a major corporation. Just as you.re getting ready to ease out the door for the weekend, the phone rings and there's a frantic voice on the other end of the line. It's one of the managers from your financial department, and it seems that someone has accessed the payroll records of a number of higher-ranking executives within the company and attempted changes to their salaries and monthly paychecks. http://www.linuxsecurity.com/content/view/122946 * Perspective: Hyperlink insecurity 31st, May, 2006 Imagine a world where no Web site or hyperlink can be trusted, and a simple click on a hyperlink could slam your computer with a malicious driveby download. Sound far-fetched? It's not. Today, trusted Web sites can no longer be trusted. Those of us who collectively click on the billions of hyperlinks generated each day by search engines, blogs and e-mail are playing Russian roulette with our computers. http://www.linuxsecurity.com/content/view/122952 * Chief Hacks Around With Google 1st, June, 2006 A reader asked me months ago to talk about the threat of 'Google Hacking' to an organization, and asked if I used 'Google Hacking' in any of my risk assessments. In short: hell yes. If you're not attempting to do any type of reconnaissance with Google on your organization or clients, you're setting yourself up for a very unwelcome surprise down the road. 
http://www.linuxsecurity.com/content/view/122957 * Security Spending Shifts 3rd, June, 2006 Lingering concern about the overall state of the economy has many CIOs forecasting a slowdown in IT spending in 2007, according to a new survey from analyst firm Merrill Lynch. But compliance concerns and the looming threat of organized crime online mean that security spending remains healthy. The survey of 75 U.S. and 25 European CIOs reveals that users expect 5.2 percent spending growth in 2006 and 4.8 percent in 2007. American execs predict only 4.4 percent spending growth over the coming 12 months, compared to their more bullish international counterparts who expect 6.1 percent growth. http://www.linuxsecurity.com/content/view/122978 * Hackers Found to Target University Systems 31st, May, 2006 Increasing numbers of university systems are becoming targets for hackers. The recent incident involves the Fairfield, Connecticut-based Sacred Heart University. The university's system containing information on 135,000 individuals was hacked recently and data consisting of personal information like names, addresses, and Social Security numbers were stolen. http://www.linuxsecurity.com/content/view/122945 * FAQ: The new 'annoy' law explained 1st, June, 2006 So what does the rewritten law now say? The section as amended reads like this: "Whoever...utilizes any device or software that can be used to originate telecommunications or other types of communications that are transmitted, in whole or in part, by the Internet... without disclosing his identity and with intent to annoy, abuse, threaten, or harass any person...who receives the communications...shall be fined under title 18 or imprisoned not more than two years, or both." 
http://www.linuxsecurity.com/content/view/122959 * Euro Security Initiatives Proposed 1st, June, 2006 The European Commission today issued a report that calls for greater education on IT security, and the creation of a common framework for collecting incident data. In its report, the EC states that European spending on IT security "represents only around 5 to 13 percent of IT expenditure, which is alarmingly low." The commission calls for a cross-border effort to educate users about security and to unify disjointed national efforts to track exploits. http://www.linuxsecurity.com/content/view/122963 * Study: Companies should do more to protect employees' personal information 2nd, June, 2006 A study on workplace privacy found that less than half of the people surveyed believe their employers are doing a good job protecting the privacy of their personal information. The independent study, "Americans' Perceptions about Workplace Privacy," was conducted by Elk Rapids, Mich.-based Ponemon Institute LLC, which looks at information and privacy management practices in business and government. The report, which was released yesterday, is based on 945 responses from adults across the U.S. who work for companies with at least 1,000 employees. http://www.linuxsecurity.com/content/view/122973 * Stolen YMCA Computer Contains Members' Personal Information 2nd, June, 2006 The Y-M-C-A of Greater Providence is reporting that one of its two missing laptop computers contains members information. The non-profit organization that provides a range of educational, social and recreational services says it discovered last week that the computers were missing. http://www.linuxsecurity.com/content/view/122974 * The growing challenge of identity management 2nd, June, 2006 Identity management is a security issue which is becoming increasingly challenging as the perimeter of the network crumbles. 
This is well illustrated by the DTI Information Security Breaches Survey of 2006, which shows that one in five larger businesses had a security breach associated with weaknesses in their identity management, with the number of incidents being less for smaller companies. http://www.linuxsecurity.com/content/view/122981 * Stronger cybersecurity bill passes House committee 31st, May, 2006 The U.S. House of Representatives Judiciary Committee today approved a bill that would significantly strengthen existing federal cybercrime law and provide law enforcement with increased enforcement tools.The bill also offers authorities greater enforcement powers and resources. Included is a section that provides an additional $10 million annually to the Secret Service, FBI and Department of Justice to investigate and prosecute cybercrimes. The bill makes failing to report breaches to the FBI or Secret Service than involve at least 5,000 customers a crime punishable by up to five years in prison. http://www.linuxsecurity.com/content/view/122941 * Fed plan for cybersecurity R&D released 2nd, June, 2006 The government has outlined its first steps for coordinating and expanding federal research and development efforts aimed at improving cybersecurity. The new Federal Plan for Cyber Security and Information Assurance Research and Development, issued in April and now available online, lays the groundwork for developing an R&D agenda that will help address critical gaps in current technologies and capabilities. http://www.linuxsecurity.com/content/view/122980 * Phar out! Phishers are now Pharming 29th, May, 2006 If the phishers don't get you the pharmers will, police have warned. People are now getting wary of the scam called phishing - where people are sent emails claiming to be from their bank asking them to "confirm" their account details and passwords. 
http://www.linuxsecurity.com/content/view/122918 * Hostage Threat to Home PCs 30th, May, 2006 Family photos and other priceless content stored in your home computer could one day be held hostage by a new breed of security threat called "ransomware". Ransomware typically takes the form of a trojan horse that holds personal computer files "hostage" and then then demands a ransom for their safe return. http://www.linuxsecurity.com/content/view/122933 * Video: Hacking A College... or Two 31st, May, 2006 Joel over at appiant.net has posted a great video of how he used SQL injection to bypass security controls on a college website. While his methods may seem 1-2-3 to web application security testers, they are a great example of just how simple this type of attack is, and a reminder that you MUST perform this same type of testing on EVERY web application you deploy, period. http://www.linuxsecurity.com/content/view/122943 * Turkish Hackers go on Defacement Rampage 31st, May, 2006 Two Sony websites were hacked yesterday by a Turkish hacker (thanks to Roberto Preatoni of Zone-H.org for heads up and explanation). The two site URLs are: http://sonymusic.it/index.php and http://sonymusicstudios.co.uk/ http://www.linuxsecurity.com/content/view/122944 * Woman Targeted by Web Hackers 1st, June, 2006 A woman from Greater Manchester has become a victim of an internet scam in which hackers hijack computer files and blackmail owners to get them back. Helen Barrow, a 40-year-old nurse from Rochdale, is believed to be one of the first victims of the con in the UK. http://www.linuxsecurity.com/content/view/122962 * Swedish police Web site shut down by hacker attack 2nd, June, 2006 The Web site of Sweden's national police was shut down after a hacker attack that investigators on Friday said could be a retaliation for a crackdown on a popular file-sharing site called The Pirate Bay. 
http://www.linuxsecurity.com/content/view/122977 * Police will not pursue ransom hackers 4th, June, 2006 After a Manchester woman was held to ransom by hackers, experts and senior police officers have voiced concern that such cases are falling between the cracks. Greater Manchester Police (GMP) will not be pursuing the criminals who used a Trojan horse program to lock a Manchester woman's files and demanded a ransom to release them. http://www.linuxsecurity.com/content/view/122983 * Triangulation homes in on rogue WLan access points 30th, May, 2006 Although wireless access points use encryption to secure network traffic, access to the WLan is open to anyone with a valid log-in. Foundry Networks aims to control this access based on the physical location of the end-user. The technology uses triangulation between three access points to determine the location of a WLan user to within five metres, said the company. http://www.linuxsecurity.com/content/view/122931 * Wireless Authentication Solutions 1st, June, 2006 As is the case with any valuable resource, there must be limitations on who can access and use your wireless medium. In some situations, such as when offering wireless access to attract customers, these limitations will be minimal. In others, we want the greatest possible protection available. Controlling access to computer resources is best illustrated in the AAA framework: Authentication, Authorization, and Accounting. http://www.linuxsecurity.com/content/view/122964 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message. 
------------------------------------------------------------------------

From isn at c4i.org Thu Jun 8 05:03:57 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:03:57 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-23
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-06-01 - 2006-06-08

This week: 79 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Multiple browsers are affected by a vulnerability rated "Less Critical", which can be exploited by malicious people to trick users into disclosing sensitive information.

Additional details for the different affected browsers can be found in the referenced Secunia advisories below.

References:
http://secunia.com/SA20442
http://secunia.com/SA20467
http://secunia.com/SA20449
http://secunia.com/SA20472
http://secunia.com/SA20470

--

Updates have been released for several Mozilla based products, including Firefox and Thunderbird, which correct several vulnerabilities.

Further details can be found in the referenced Secunia advisories below.

References:
http://secunia.com/SA20376
http://secunia.com/SA20382
http://secunia.com/SA20394

--

VIRUS ALERTS:

During the past week Secunia collected 44 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA20384] Microsoft Windows "mhtml:" URI Buffer Overflow Vulnerability
2.  [SA20376] Firefox Multiple Vulnerabilities
3.  [SA20153] Microsoft Word Malformed Object Code Execution Vulnerability
4.  [SA20442] Firefox File Upload Form Keystroke Event Cancel Vulnerability
5.  [SA19762] Internet Explorer "object" Tag Memory Corruption Vulnerability
6.  [SA20449] Internet Explorer File Upload Form Keystroke Event Cancel Vulnerability
7.  [SA20382] Thunderbird Multiple Vulnerabilities
8.  [SA20365] MySQL Multibyte Encoding SQL Injection Vulnerability
9.  [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information
10. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA20462] LocazoList Classifieds "msgid" Parameter SQL Injection
[SA20423] myNewsletter "UserName" SQL Injection Vulnerability
[SA20419] aspWebLinks SQL Injection and Password Change Vulnerabilities
[SA20416] ASPScriptz Guest Book "submit.asp" Script Insertion Vulnerabilities
[SA20411] CodeAvalanche FreeForum Multiple Vulnerabilities
[SA20483] WinGate WWW Proxy Server Buffer Overflow Vulnerability
[SA20477] Microsoft NetMeeting Denial of Service Vulnerability
[SA20449] Internet Explorer File Upload Form Keystroke Event Cancel Vulnerability
[SA20425] ASP Discussion Forum "search" Parameter Cross-Site Scripting

UNIX/Linux:
[SA20487] Wikiwig "WK[wkPath]" File Inclusion Vulnerability
[SA20473] HP Tru64 UNIX and HP Internet Express Sendmail Vulnerability
[SA20415] iShopCart Buffer Overflow and Directory Traversal Vulnerabilities
[SA20466] LoudHush iaxclient Unspecified Vulnerability
[SA20457] SUSE Updates for Multiple Packages
[SA20451] Debian update for postgresql
[SA20446] Debian update for centericq
[SA20435] Trustix update for postgresql
[SA20422] Red Hat update for dia
[SA20482] Red Hat update for spamassassin
[SA20443] Debian update for spamassassin
[SA20430] SpamAssassin "spamd" Shell Command Injection Vulnerability
[SA20498] GANTTy Cross-Site Scripting and Information Disclosure
[SA20476] Sylpheed-Claws URI Check Bypass Security Issue
[SA20497] Asterisk IAX2 Channel Driver Denial of Service Vulnerability
[SA20461] Debian update for freeradius
[SA20424] Slackware update for mysql
[SA20421] Red Hat update for quagga
[SA20420] Red Hat update for zebra
[SA20456] Avaya Products XScreenSaver Insecure Temporary File Creation Vulnerability
[SA20445] Sun StorADE Privilege Escalation Vulnerability
[SA20459] Avaya PDS HP-UX Kernel Denial of Service Vulnerability

Other:
[SA20479] Ingate Firewall and SIParator Two Vulnerabilities
[SA20474] D-Link DWL-2100AP Exposure of Configuration Files

Cross Platform:
[SA20480] Clan Manager Pro cmpro_header.inc.php File Inclusion
[SA20475] MiraksGalerie Multiple File Inclusion Vulnerabilities
[SA20468] DreamAccount "da_path" File Inclusion Vulnerabilities
[SA20463] dotWidget CMS "file_path" Parameter File Inclusion Vulnerability
[SA20448] Informium "CONF[local_path]" File Inclusion Vulnerability
[SA20440] CS-Cart "classes_dir" Parameter File Inclusion Vulnerability
[SA20439] WebspotBlogging Multiple File Inclusion Vulnerabilities
[SA20437] DotClear "blog_dc_path" File Inclusion Vulnerability
[SA20434] Claroline Two File Inclusion Vulnerabilities
[SA20429] DokuWiki Spell Checker Code Execution Vulnerability
[SA20426] AssoCIateD "root_path" File Inclusion Vulnerabilities
[SA20408] REDAXO "REX[INCLUDE_PATH]" File Inclusion Vulnerabilities
[SA20486] Open Business Management Multiple Vulnerabilities
[SA20471] Kmita FAQ Cross-Site Scripting and SQL Injection Vulnerabilities
[SA20469] Alex News-Engine "newsid" Parameter SQL Injection Vulnerability
[SA20465] Coppermine Photo Gallery usermgr.php Unspecified Vulnerability
[SA20460] LifeType "articleId" SQL Injection Vulnerability
[SA20458] MediaWiki Edit Form Script Insertion Vulnerability
[SA20450] Dmx Forum Disclosure of Sensitive Information
[SA20447] Weblog Oggi Script Insertion Vulnerability
[SA20438] BlueShoes Framework Multiple File Inclusion Vulnerabilities
[SA20433] FunkBoard Authentication Bypass and Cross-Site Scripting
[SA20428] Particle Wiki Script Insertion and SQL Injection
[SA20427] Particle Gallery "imageid" SQL Injection Vulnerability
[SA20414] TAL RateMyPic Multiple Vulnerabilities
[SA20413] Snort "http_inspect" Preprocessor Bypass Vulnerability
[SA20410] Unak-CMS SQL Injection and Cross-Site Scripting Vulnerabilities
[SA20409] SimpleBoard "sb_authorname" Script Insertion Vulnerability
[SA20452] TIBCO Rendezvous HTTP Administrative Interface Buffer Overflow
[SA20500] GD Graphics Library GIF File Handling Denial of Service
[SA20491] Particle Links "username" Parameter Cross-Site Scripting
[SA20490] Particle Whois "target" Parameter Cross-Site Scripting
[SA20478] DokuWiki Restricted Page Content Disclosure Vulnerability
[SA20472] Mozilla SeaMonkey File Upload Form Keystroke Event Cancel Vulnerability
[SA20470] Netscape File Upload Form Keystroke Event Cancel Vulnerability
[SA20467] Mozilla Suite File Upload Form Keystroke Event Cancel Vulnerability
[SA20455] KnowledgeTree Open Source Cross-Site Scripting Vulnerabilities
[SA20453] PHP ManualMaker Multiple Cross-Site Scripting Vulnerabilities
[SA20444] PHP Pro Publish "catname" Parameter Cross-Site Scripting
[SA20442] Firefox File Upload Form Keystroke Event Cancel Vulnerability
[SA20441] OSADS Board Comments Script Insertion Vulnerability
[SA20436] PyBlosxom Contributed Packages Cross-Site Scripting Vulnerability
[SA20418] dotProject Cross-Site Scripting Vulnerability
[SA20417] LabWiki Cross-Site Scripting Vulnerabilities
[SA20412] Drupal Taxonomy Module Cross-Site Scripting Vulnerability
[SA20431] TIBCO Hawk "tibhawkhma" Privilege Escalation Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA20462] LocazoList Classifieds "msgid" Parameter SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-05

ajann has discovered a vulnerability in LocazoList Classifieds, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20462/

--

[SA20423] myNewsletter "UserName" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-06

FarhadKey has discovered a vulnerability in myNewsletter, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20423/

--

[SA20419] aspWebLinks SQL Injection and Password Change Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Security Bypass
Released:    2006-06-02

ajann has discovered two vulnerabilities in aspWebLinks, which can be exploited by malicious people to conduct SQL injection attacks and to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20419/

--

[SA20416] ASPScriptz Guest Book "submit.asp" Script Insertion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-06

omnipresent has discovered some vulnerabilities in ASPScriptz Guest Book, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/20416/

--

[SA20411] CodeAvalanche FreeForum Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-06-02

Some vulnerabilities have been discovered in CodeAvalanche FreeForum, which can be exploited by malicious people to conduct script insertion attacks and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20411/

--

[SA20483] WinGate WWW Proxy Server Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2006-06-07

kcope has discovered a vulnerability in WinGate, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20483/

--

[SA20477] Microsoft NetMeeting Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-06-07

HexView has reported a vulnerability in Microsoft NetMeeting, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20477/

--

[SA20449] Internet Explorer File Upload Form Keystroke Event Cancel Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-06-06

A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to trick users into disclosing sensitive information.

Full Advisory:
http://secunia.com/advisories/20449/

--

[SA20425] ASP Discussion Forum "search" Parameter Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-02

omnipresent has discovered a vulnerability in ASP Discussion Forum, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20425/

UNIX/Linux:--

[SA20487] Wikiwig "WK[wkPath]" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-07

Kacper has discovered a vulnerability in Wikiwig, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20487/

--

[SA20473] HP Tru64 UNIX and HP Internet Express Sendmail Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-07

HP has acknowledged a vulnerability in HP Tru64 UNIX and HP Internet Express running sendmail, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20473/

--

[SA20415] iShopCart Buffer Overflow and Directory Traversal Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, System access
Released:    2006-06-02

K-sPecial has reported some vulnerabilities in iShopCart, which can be exploited by malicious people to disclose potentially sensitive information and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20415/

--

[SA20466] LoudHush iaxclient Unspecified Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-06-06

A vulnerability with an unknown impact has been reported in LoudHush.

Full Advisory:
http://secunia.com/advisories/20466/

--

[SA20457] SUSE Updates for Multiple Packages

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2006-06-05

SUSE has issued updates for multiple packages. These fix vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), to disclose potentially sensitive information, and to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20457/

--

[SA20451] Debian update for postgresql

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-06-05

Debian has issued an update for postgresql. This fixes two vulnerabilities, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20451/

--

[SA20446] Debian update for centericq

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-05

Debian has issued an update for centericq. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20446/

--

[SA20435] Trustix update for postgresql

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-06-05

Trustix has issued an update for postgresql. This fixes two vulnerabilities, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20435/

--

[SA20422] Red Hat update for dia

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-06-02

Red Hat has issued an update for dia. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20422/

--

[SA20482] Red Hat update for spamassassin

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-06-07

Red Hat has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20482/

--

[SA20443] Debian update for spamassassin

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-06-06

Debian has issued an update for spamassassin, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20443/

--

[SA20430] SpamAssassin "spamd" Shell Command Injection Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-06-06

A vulnerability has been reported in SpamAssassin, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20430/

--

[SA20498] GANTTy Cross-Site Scripting and Information Disclosure

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-06-07

luny has reported two vulnerabilities in GANTTy, which can be exploited by malicious people to disclose system information and conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20498/

--

[SA20476] Sylpheed-Claws URI Check Bypass Security Issue

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-06-07

A security issue has been reported in Sylpheed-Claws, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20476/

--

[SA20497] Asterisk IAX2 Channel Driver Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-06-07

A vulnerability has been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20497/

--

[SA20461] Debian update for freeradius

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, DoS
Released:    2006-06-05

Debian has issued an update for freeradius. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20461/

--

[SA20424] Slackware update for mysql

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2006-06-05

Slackware has issued an update for mysql. This fixes two vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20424/

--

[SA20421] Red Hat update for quagga

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Exposure of system information, DoS
Released:    2006-06-02

Red Hat has issued an update for quagga. This fixes two security issues and a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to bypass certain security restrictions, and to disclose system information.

Full Advisory:
http://secunia.com/advisories/20421/

--

[SA20420] Red Hat update for zebra

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Exposure of system information, DoS
Released:    2006-06-02

Red Hat has issued an update for zebra. This fixes two security issues and a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to bypass certain security restrictions, and to disclose system information.

Full Advisory:
http://secunia.com/advisories/20420/

--

[SA20456] Avaya Products XScreenSaver Insecure Temporary File Creation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-06-06

Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/20456/

--

[SA20445] Sun StorADE Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-06-05

A vulnerability has been reported in Storage Automated Diagnostic Environment (StorADE), which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/20445/

--

[SA20459] Avaya PDS HP-UX Kernel Denial of Service Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-06-06

Avaya has acknowledged a vulnerability in Avaya Predictive Dialing System (PDS), which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20459/

Other:--

[SA20479] Ingate Firewall and SIParator Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, DoS
Released:    2006-06-07

Two vulnerabilities have been reported in Ingate Firewall and SIParator, which can be exploited by malicious people to conduct cross-site scripting attacks and to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20479/

--

[SA20474] D-Link DWL-2100AP Exposure of Configuration Files

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2006-06-07

A security issue has been reported in D-Link DWL-2100AP, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20474/

Cross Platform:--

[SA20480] Clan Manager Pro cmpro_header.inc.php File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-07

Sx02 has discovered two vulnerabilities in Clan Manager Pro, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20480/

--

[SA20475] MiraksGalerie Multiple File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-07

Federico Fazzi has discovered some vulnerabilities in MiraksGalerie, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20475/

--

[SA20468] DreamAccount "da_path" File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-06

David "Aesthetico" Vieira-Kurz has reported some vulnerabilities in DreamAccount, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20468/

--

[SA20463] dotWidget CMS "file_path" Parameter File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-05

David 'Aesthetico' Vieira-Kurz has reported a vulnerability in dotWidget CMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20463/

--

[SA20448] Informium "CONF[local_path]" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-05

Kacper has reported a vulnerability in Informium, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20448/

--

[SA20440] CS-Cart "classes_dir" Parameter File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-05

Kacper has reported a vulnerability in CS-Cart, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20440/

--

[SA20439] WebspotBlogging Multiple File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-05

Kacper has reported some vulnerabilities in WebspotBlogging, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20439/

--

[SA20437] DotClear "blog_dc_path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-05

rgod has reported a vulnerability in DotClear, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20437/

--

[SA20434] Claroline Two File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-05

rgod has reported two vulnerabilities in Claroline, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20434/

--

[SA20429] DokuWiki Spell Checker Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-05

Stefan Esser has reported a vulnerability in DokuWiki, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20429/

--

[SA20426] AssoCIateD "root_path" File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-02

Kacper has discovered some vulnerabilities in AssoCIateD, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20426/

--

[SA20408] REDAXO "REX[INCLUDE_PATH]" File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-02

beford has discovered some vulnerabilities in REDAXO, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20408/

--

[SA20486] Open Business Management Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-06-07

r0t has reported some vulnerabilities in Open Business Management, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20486/ -- [SA20471] Kmita FAQ Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-06-06 luny has reported two vulnerabilities in Kmita FAQ, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/20471/ -- [SA20469] Alex News-Engine "newsid" Parameter SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-06 ajann has discovered a vulnerability in Alex News-Engine, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20469/ -- [SA20465] Coppermine Photo Gallery usermgr.php Unspecified Vulnerability Critical: Moderately critical Where: From remote Impact: Unknown Released: 2006-06-07 A vulnerability with an unknown impact has been reported in Coppermine Photo Gallery. Full Advisory: http://secunia.com/advisories/20465/ -- [SA20460] LifeType "articleId" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-05 rgod has discovered a vulnerability in LifeType, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20460/ -- [SA20458] MediaWiki Edit Form Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-06 A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct script insertion attacks. 
Full Advisory: http://secunia.com/advisories/20458/ -- [SA20450] Dmx Forum Disclosure of Sensitive Information Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2006-06-06 DarkFig has discovered two security issues in Dmx Forum, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/20450/ -- [SA20447] Weblog Oggi Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-05 luny has discovered a vulnerability in Weblog Oggi, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/20447/ -- [SA20438] BlueShoes Framework Multiple File Inclusion Vulnerabilities Critical: Moderately critical Where: From remote Impact: System access Released: 2006-06-05 Kacper has reported some vulnerabilities in BlueShoes Framework, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20438/ -- [SA20433] FunkBoard Authentication Bypass and Cross-Site Scripting Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting Released: 2006-06-06 Some vulnerabilities have been reported in FunkBoard, which can be exploited by malicious people to bypass certain security restrictions and to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20433/ -- [SA20428] Particle Wiki Script Insertion and SQL Injection Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-06-05 Some vulnerabilities have been discovered in Particle Wiki, which can be exploited by malicious people to conduct script insertion attacks and SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/20428/ -- [SA20427] Particle Gallery "imageid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-05 r0t has discovered a vulnerability in Particle Gallery, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20427/ -- [SA20414] TAL RateMyPic Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-06-02 Some vulnerabilities have been discovered in TAL RateMyPic, which can be exploited by malicious people to conduct script insertion attacks, cross-site scripting attacks, and SQL injection attacks. Full Advisory: http://secunia.com/advisories/20414/ -- [SA20413] Snort "http_inspect" Preprocessor Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-06-02 Blake Hartstein has reported a vulnerability in Snort, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/20413/ -- [SA20410] Unak-CMS SQL Injection and Cross-Site Scripting Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-06-02 Some vulnerabilities have been reported in Unak-CMS, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks. Full Advisory: http://secunia.com/advisories/20410/ -- [SA20409] SimpleBoard "sb_authorname" Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-02 Yannick von Arx has discovered a vulnerability in SimpleBoard, which can be exploited by malicious people to conduct script insertion attacks. 
Full Advisory: http://secunia.com/advisories/20409/ -- [SA20452] TIBCO Rendezvous HTTP Administrative Interface Buffer Overflow Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2006-06-06 A vulnerability has been reported in TIBCO Rendezvous, which can be exploited by malicious people to cause DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20452/ -- [SA20500] GD Graphics Library GIF File Handling Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2006-06-07 Xavier Roche has discovered a vulnerability in the GD Graphics Library, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) against applications and services using libgd. Full Advisory: http://secunia.com/advisories/20500/ -- [SA20491] Particle Links "username" Parameter Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-07 luny has discovered a vulnerability in Particle Links, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20491/ -- [SA20490] Particle Whois "target" Parameter Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-07 luny has discovered a vulnerability in Particle Whois, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20490/ -- [SA20478] DokuWiki Restricted Page Content Disclosure Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass, Exposure of sensitive information Released: 2006-06-07 A vulnerability has been reported in DokuWiki, which can be exploited by malicious users to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/20478/ -- [SA20472] Mozilla SeaMonkey File Upload Form Keystroke Event Cancel Vulnerability Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2006-06-06 A vulnerability has been reported in Mozilla SeaMonkey, which can be exploited by malicious people to trick users into disclosing sensitive information. Full Advisory: http://secunia.com/advisories/20472/ -- [SA20470] Netscape File Upload Form Keystroke Event Cancel Vulnerability Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2006-06-06 A vulnerability has been reported in Netscape, which can be exploited by malicious people to trick users into disclosing sensitive information. Full Advisory: http://secunia.com/advisories/20470/ -- [SA20467] Mozilla Suite File Upload Form Keystroke Event Cancel Vulnerability Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2006-06-06 A vulnerability has been reported in Mozilla Suite, which can be exploited by malicious people to trick users into disclosing sensitive information. Full Advisory: http://secunia.com/advisories/20467/ -- [SA20455] KnowledgeTree Open Source Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-06 r0t has reported two vulnerabilities in KnowledgeTree Open Source, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20455/ -- [SA20453] PHP ManualMaker Multiple Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-05 luny has reported some vulnerabilities in PHP ManualMaker, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/20453/ -- [SA20444] PHP Pro Publish "catname" Parameter Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-05 Soot has reported a vulnerability in PHP Pro Publish, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20444/ -- [SA20442] Firefox File Upload Form Keystroke Event Cancel Vulnerability Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2006-06-06 Charles McAuley has reported a vulnerability in Firefox, which can be exploited by malicious people to trick users into disclosing sensitive information. Full Advisory: http://secunia.com/advisories/20442/ -- [SA20441] OSADS Board Comments Script Insertion Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-05 A vulnerability has been discovered in OSADS, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/20441/ -- [SA20436] PyBlosxom Contributed Packages Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-06 A vulnerability has been reported in Contributed Packages for PyBlosxom 1.3, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20436/ -- [SA20418] dotProject Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-05 A vulnerability has been reported in dotProject, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/20418/

--
[SA20417] LabWiki Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-05

Two vulnerabilities have been discovered in LabWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20417/

--
[SA20412] Drupal Taxonomy Module Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-02

A vulnerability has been reported in Drupal, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20412/

--
[SA20431] TIBCO Hawk "tibhawkhma" Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-06-06

A vulnerability has been reported in TIBCO Hawk, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/20431/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Thu Jun 8 05:03:21 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:03:21 -0500 (CDT)
Subject: [ISN] Hacker Said to Resell Internet Phone Service
Message-ID:

http://www.nytimes.com/2006/06/07/technology/07cnd-voice.html

By KEN BELSON and TOM ZELLER Jr.
June 7, 2006

Federal authorities arrested one man in Miami and another in Spokane, Wash., today in connection with what they said was a hacking scheme involving the resale of Internet telephone service. The suspects were said to have illegally tapped into the lines of legitimate Internet phone companies, saddling them with the expense of extra traffic, while collecting more than $1 million in connection fees.

The case, one of the first involving this kind of elaborate Internet phone hacking, illustrated how Internet-based communications may be criminally exploited, and raised fresh questions about the security of phone traffic over largely unregulated networks.

Prosecutors say that starting in November 2004, the man arrested in Miami - Edwin Andres Pena, 23, a Venezuelan who has permanent residency in the United States - used two companies he created to offer wholesale phone connections at discounted rates to small Internet phone companies.

Instead of buying access to other networks to connect his clients' calls, Mr. Pena paid about $20,000 to Robert Moore, the man arrested in Spokane, to create "what amounted to 'free' routes by surreptitiously hacking into the computer networks" of unwitting Internet phone providers, and then routing his customers' calls over those providers' systems, according to the federal complaint.

To evade detection, Mr. Pena is said to have hacked into computers run by an unsuspecting investment company in Rye Brook, N.Y., commandeering its unprotected servers to re-route phone traffic through them. These steps made it appear as if this company was sending calls to more than 15 Internet phone companies.

In one three-week period, for instance, prosecutors say that one of the victimized Internet phone providers, based in Newark, received about 500,000 calls that were made to look as if they came from the company in Rye Brook.

In all, more than 15 Internet phone companies, including the one in Newark, were left having to pay as much as $300,000 each in connection fees for routing the phone traffic to other carriers, without receiving any revenue for the calls, prosecutors said.

"Emerging technologies and the Internet represent a sea of opportunity for business, but also for sophisticated criminals," Christopher J. Christie, the United States Attorney for New Jersey, said in a statement. "The challenge, which we and the F.B.I. continue to meet with investigations and prosecutions like this one, is to stay ahead of the cyber-criminal and protect legitimate commerce."

The companies in Newark and Rye Brook, and others said to have been victimized, were not identified by name in the complaint, which was filed with the United States District Court in Newark.

Mr. Pena, however, appears to have used the money he received from his customers to go on a spending spree, buying real estate in south Florida, a 40-foot Sea Ray Mercruiser motor boat, and luxury cars including a BMW and a Cadillac Escalade. Mr. Pena appeared to be smitten with his possessions, frequently posting pictures of his cars on Web sites devoted to car enthusiasts.

So far, most of the concern about the safety of Internet-based communications has focused on the ability of criminals to eavesdrop on calls, to fake caller ID's and to steal long-distance phone service.

In this case, Mr. Pena is said to have mimicked legitimate telecommunications brokers, who typically help connect long distance calls by buying minutes from large carriers and reselling them for a profit to smaller phone companies.
From isn at c4i.org Thu Jun 8 05:03:38 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:03:38 -0500 (CDT)
Subject: [ISN] Spies on the Hill: Former Capitol Police Chief Gainer Dishes About Secret Intel Unit
Message-ID:

http://public.cq.com/public/20060602_homeland.html

By Jeff Stein
CQ Staff
June 2, 2006

No self-respecting federal agency goes without its own intelligence service these days, and the U.S. Capitol Police is no exception.

The Capitol Police have a little-known intelligence unit that takes up a whole floor of its seven-story, century-old headquarters at First and D Streets Northeast, according to its just-retired police chief.

Terrance W. Gainer, who turned in his badge, gun and police-issued Blackberry two months ago after four years of occasionally rough times with protesters and headstrong lawmakers, says his unit collaborated closely with the CIA and the FBI-led Joint Terrorism Task Force, and had liaison officers at most of the 16 spy agencies that make up the U.S. intelligence community.

Gainer also says his intelligence unit - fewer than 50 in a 600-strong corps, he indicated - often swept congressional hearing rooms and offices for secret electronic listening devices and fielded plainclothes officers to see who might be scouting the facilities for a terrorist attack.

"We are a very, very full-service police department, and know for certain that the goal we have as counterterrorism police is stopping an attack before it starts," Gainer says.

The intelligence unit's head, Deputy Chief Mike Jarboe, could not be reached for comment on the Capitol Police's counterintelligence and security activities.

"I'm going to guess they're not going to be very talkative," Gainer said in the first of two interviews over the past few weeks. "As a rule, I have a different philosophy on the press, as some might suspect, and it got me in trouble with some of the House members."

"I think there ought to be a little open dialog," said Gainer, who was chief of the Illinois state police before coming to Washington in 1998, "and I don't like to deny that which is obvious.

"I think in some respects you want our enemy to know that we are capable, but you don't want them to know the specifics of our capabilities. . . . And that's always a fine line."

"Holy Cow"

Every morning at 8:45, Gainer says he, his top officers and delegates from the House and Senate sergeant at arms offices gathered for an intelligence briefing in "a secure location" that he would not identify. That facility, as well as an area in Capitol Police headquarters, had a so-called Secure Compartmented Intelligence Facility, or SCIF, that prevented hostile intelligence agencies from listening in on conversations, Gainer said.

"Our intel people would talk about threats picked up by other intel agencies. We'd also talk about major hearings, dignitary visits to the Hill, and so on."

At least twice a month, and sometimes weekly, the Capitol Police intelligence unit and senior commanders got briefings from the CIA and FBI in the Hill's SCIF.

"We had some 'holy cow' moments," Gainer said, declining to provide details. But overall, "It would be rare, in that kind of meeting, that I would learn something I hadn't already been briefed on."

Moles

As for finding "bugs" in Capitol facilities, Gainer would only say, "I wouldn't comment on that, but I will tell you this, that we feel comfortable with the meetings that are conducted in there and our sweeps."

Gainer also revealed this little-known detail: Capitol Police carry out what he calls "counterintelligence" activities.

"It's not putting people under cover to develop informants. We don't do that," he said. "We have plainclothes officers who go out and do counterintelligence work. We're always trying to figure out what the bad guys are trying to figure out in watching us or observing what we do."

In the spy trade, counterintelligence usually means penetrating the opposition's spy service and looking for moles within its own. But that's not what Capitol Police "special agents" - a designation Gainer said he bestowed on his intelligence specialists for its "cachet" - do, the retired chief says.

"Counterintelligence, from our perspective," Gainer explains, "is very limited in scope. It might be something as simple as, during the State of the Union address or the inauguration, having people out watching the crowd.

"So we're looking at people who are watching us. If we got a phony call on a suspicious package, the terrorists might be watching to see how we respond - how many units, how many people, how we lay ourselves out. So we have people in plainclothes looking at the lookers. And we might decide to talk to someone who's doing some taping, we might tape people who are taping us, and cross-reference that with what's going on in other jurisdictions."

In the investigation of last summer's London subway and bus bombings, authorities "captured tapes that showed different places in D.C. and on the Hill," said Gainer, 58. "Maybe it was pre-operational stuff."

But the Capitol Police's intelligence unit's purview isn't necessarily confined to Capitol Hill, he said.

Sharing

All 535 members of Congress "and their families" are under the Capitol Police's protective wing. "We don't go out to their home towns, but our responsibility extends to where those men and women are, and their families. So either we or those local police departments stay on top of what's going on."

"If there's something that is of greater scope than our area then we work with the FBI and the Joint Terrorism Task Forces," he says. And the intel unit has "connections in each of the states, with the local FBI field office, or places like L.A., New York, Chicago - they all have intelligence squads."

It works the other way, too, Gainer said, with threats against members of Congress relayed quickly to Capitol Police intelligence. It wasn't always that way. Now the department's problem is information overload.

"I think the biggest concern we have now is everybody is sharing so much because no one wants to be accused of not sharing. We would have a daily intel briefing telling us what was going on in the world, and sometimes you would say, 'Why in the world are we being told this, because it's laughable.'"

"They might lay out a lot of information and then say the person giving this to us is unreliable, has given us bad information in the past and is crazy. And we'd go, 'then why share it with us?'"

Today, he says, relations with the CIA, FBI and other intelligence agencies are tight. During the CIA and FBI briefings, there's a lot of unprecedented give and take with Capitol Police analysts, many of whom are drawn from the military intelligence services. Those who aren't are sent to the military intelligence schools and the FBI for training, Gainer said.

"At the end of those briefs, the FBI and CIA would give more details and answer your questions. In other words, they would let those 'intellectual' discussions go on. They might say, 'This is our read of this bit of intelligence, give us yours,'" Gainer says. "Sometimes our analytical people would write reports that ran counter to [theirs], which was the accumulated intel from 18 agencies. Our guys would write theirs from our perspective and say, 'Why couldn't it mean this?'"

Despite the new collaboration between the Capitol Police and federal spy agencies, along with bag checks, floating security units, New Jersey barriers and anthrax mail sniffers, a determined terrorist can probably get through, Gainer volunteered.

"Because it's an open campus, someone can ride a bus up there - but not a truck - a bike with saddlebags on us. That presents a challenge. But our concern was the smaller events.
Working with our federal intelligence agency partners, we think we have a pretty good handle on the potential for our adversaries to do big stuff." Big stuff? "A 9/11, a nuclear attack, a dirty bomb - all those are possible," he says. But the Capitol is much better protected than when he arrived, he maintained, despite such panicky moments as the "shooting" in the Longworth House Office Building garage last week that shook the whole city but most likely was a construction crew dropping pipes. "Between us and some of the other federal brethren, I feel we have a pretty good handle on what's in the air," Gainer said, "and which way the wind is blowing. . . ." [...] From isn at c4i.org Thu Jun 8 05:04:17 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 8 Jun 2006 04:04:17 -0500 (CDT) Subject: [ISN] Fighting cyber crime in Nigeria Message-ID: http://www.tribune.com.ng/08062006/infosys2.html By OLUWASEUN AYANTOKUN Info Systems Lagos 8th June, 2006 When efforts are being made to remove the rebellious shoot of the proverbial tump, it obstinately sprouts another.So is cybercrime, which has continued to grow by leaps and bounds, just as the government frantically keeps on fighting financial crimes. hile the war is yielding results by enhancing the image of Nigeria abroad,cybercrime has continued to dent it. The Internet creates unlimited opportunities for commercial, social and educational activities. But as we can see with cybercrime, the net introduces its own peculiar risks. The convenience associated with IT and the Internet is now being exploited to serve criminal purposes. Cybercrime covers internet fraud not just online 419 - the use of computers and or the internet to commit crime. Computer-assisted crime include e-mail scams, hacking, distribution of hostile software (viruses and worms), denial of service attacks, theft of data, extortion, fraud and impersonation. 
Recently, a report indicated that Nigeria is losing about $80 million(N11.2 billon) yearly to software piracy.The report was the findings of a study, conducted by Institute of Digital Communications(IDC), a market research and forecasting firm, based in South Africa, on behalf of Business Software Alliance of South Africa. As it is now, cybercrime is an image nightmare for Nigeria.When you come across phrases like "Nigerian scam", the assumption that crosses your mind is that all (or conservatively, most) scam emails originate from Nigeria, or Nigerians. In 2004, the federal government established a cybercrime working group,the Nigeria Cyber Working Group(NCWG),with the purpose of aiding Nigeria's demystification of the hydra-headed monster.The NCWG is an Inter-Agency body made up of all key law enforcement, security, intelligence and ICT agencies of government, plus major private organisations in the ICT sector. Some of these agencies include the Economic and Financial Crimes Commission (EFCC), Nigeria Police Force (NPF), the National Security Adviser (NSA), the Nigerian Communications Commission (NCC), Department of State Services (DSS), National Intelligence Agency (NIA),Nigeria Computer Society(NCS), Nigeria Internet Group(NIG), Internet Services Providers' Association of Nigeria (ISPAN); National Information Technology Development Agency (NITDA), and Individual citizens representing public interest. The working group has two chairpersons and one coordinator. The duties of the Working Group include: Engaging in public enlightenment programs, building institutional consensus amongst existing agencies, providing technical assistance to the National Assembly on cyber crime and in the Drafting of the cyber crime act; laying the groundwork for a cyber crime agency that will eventually emerge to take charge of fighting cyber crime in Nigeria. 
In addition, the working group was tasked with the responsibility of working with global cyber crime enforcement agencies in the USA , the UK and other countries, who are at fore-front of fightingcyber crime. All this has quite created a lot of talk about fighting cybercrime without a significant result to show for it.Early this year, an on-line news magazine doubted Mr Nuhu Ribadu, the executive chairman of the Economic and Financial Crimes Commission, who vowed that Nigeria would"deal fatal blow" to cybercrime networks? According to Mr. Ribadu, Nigeria "will monitor cybercafes and take on a 'significant' number of cases against such criminals based in Nigeria" The news magazine,InfoSec News queried,"prosecution of cyberscams is fine, but are there sufficient laws for this? If there are laws, why weren't they enforced so far, and if there are no laws, why is this not the first step?" How effectively then can the war against cybercrime be prosecuted since there is an awareness of the menace it poses to society? "Fighting cybercrime requires not just IT knowledge but IT intelligence on the part of the security agencies. For now,there is an IT security divide - a serious shortage of skills to deal with the threats associated with IT. Shouting and moaning about cybercrime isn't enough. All the talk is meaningless unless the gap is closed. Security agencies need to be equipped with the skills, the know-how and the insight necessary to fight cybercrime effectively.While resources are needed to fight the menace, it is imperative to avoid the misdirected approach of'throwing money' at the problem. The approach must be based on policies and strategies. Such policies must be based on knowledge. Knowledge not just for the operatives, but also for those that will commit resources. For example, do the decision makers have any REAL, PRACTICAL appreciation of technology, not to talk of cybercrime? 
What is their stake on the basics of information security in today's high-tech business environment? The cybercriminals seem to have the technology advantage. "Essentially, cybercrime is information and intelligence-based activity. You cannot fight cybercrime with ignorance, strong directives or boastful talk", Mr Jide Awe, an ICT expert, said in a conference paper presented in 2004. Furthermore, legislation needs to keep pace with e-crime, especially as it becomes more prevalent and sophisticated. "Apart from awareness and culture, security measures (technical and non-technical) will need to be put in place and enforced, as part of the solutions. This might involve raising penalties and increasing the seriousness of e-offences. The right culture should create a high level of awareness amongst stakeholders", added the ICT expert. Cybercrime cannot be divorced from the prevalent high level of corruption and widespread poverty and unemployment in Nigerian society. Heavier punishments and enlightenment, closing down cyber cafés, and issuing draconian directives may therefore not be meaningful without addressing the causes. To fight crime you attack the causes of crime. Little wonder then that after the initial excitement after the setting up of the NCWG and some spineless fight by the security agencies, the noise died down. Also in terms of strategy, it is crucial to thoroughly address issues relating to enforcement whenever the bill before the National Assembly to curb the crime is passed into law. "Mishandling of enforcement can backfire. Enforcement can only work if it avoids harassment, abuse of privacy and extortion. Care must be taken not to throw out the baby with the bath water. Don't create a situation where genuine users of the Internet are frustrated out and unable to benefit from the Internet. In today's world, computing tools and the Internet are used to effectively promote social development and business growth.
Strategies must strike a balance between security concerns and other developmental needs", Mr Awe suggested. In April, at the Heinrich Boll Foundation (HBF) Conference Hall, where some stakeholders in the ICT industry gathered to discuss how to facilitate information security, reduce security breaches, and steps to contain cyber crime in Africa, Dr. Martins Ikpehai, chief executive officer, Computer Audit and Security Associates Ltd, Lagos, stated that "Computer security and cyber crime awareness should be created with a view to sensitising all users of the internet facility with the emerging indicators of crime and fraud being committed through computer". Other participants at the three-day conference agreed in various papers presented that the law enforcement agencies and judiciary in the continent have roles to play in devising ways of curbing internet fraud and enhancing their skills in computer security and risk management. The group was also hopeful that the Computer Security and Cybercrime Bill it sponsored to the National Assembly will be passed on time and that its passage would mark the beginning of the war against internet crime in the country. Of course, how far can the country go without active legislation in place? According to the participants, it is also very necessary for relevant authorities to conduct surveys and research with a view to containing cyber-related crimes and computer security breaches. Mr Awe, who also participated at the conference, charged the information security experts in the continent to identify threats to computer security and to protect against both internal and external threats, among which human error is a major concern which needs a human approach. The situation on the ground, therefore, shows the country still has a long way to go. © 2004 - 2006 African Newspapers of Nigeria Plc.
From isn at c4i.org Thu Jun 8 05:04:39 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 8 Jun 2006 04:04:39 -0500 (CDT) Subject: [ISN] Privacy Lost Message-ID: http://www.cbsnews.com/stories/2006/06/07/opinion/main1690428.shtml By Tom Kellerman CBS June 7, 2006 In today's age of digital everything, one can reminisce about the days of true privacy. Much of the discussion of late has centered upon the NSA's domestic spying program. Americans from the deep red states to the blue have felt betrayed by Uncle Sam as a result of his anti-terror efforts. The naiveté exhibited by privacy advocates everywhere stems from a lack of appreciation that the world is truly flat - privacy has been traded for convenience. True privacy has become pure nostalgia in this age of digital everything. All the fretting about the National Security Agency's domestic spying program is understandable, but it misses one spectacularly big point: domestic privacy in America simply does not exist anymore. Those who use e-commerce most are at greatest risk. The Privacy Rights Clearinghouse reported that more than 80 million Americans have had their personal information jeopardized by data breaches since Feb. 15, 2005. A more recent study conducted by IBM claimed that three times more Americans thought they were more likely to be victimized by cybercrime than physical crime. Most Americans are unaware that government Big Brother no longer has a monopoly on domestic spying. There are in fact thousands upon thousands of Big Brothers in cyberspace and on the digital airwaves. These Big Brothers are intent upon criminal gain rather than national security. These Big Brothers exist in the underground hacker community, among other places. Since the widespread adoption of e-commerce and e-finance, the burgeoning hacker community has evolved into a force to be reckoned with on the world stage. An entire subculture of highly educated and sophisticated cyber criminals exists. Much as the Italian Mafia in the U.S.
moved into narcotics trafficking in the 1970's, other organized criminal syndicates have realized that identity theft, funds transfer and extortion are the most lucrative business models in the information age. A recent FBI study determined that 9 out of 10 American businesses fell victim to cyber crime last year. The FBI Director, Robert Mueller, declared cyber crime his number one criminal priority. According to the Organization for Economic Cooperation and Development, one in three computers is compromised - remotely controlled by someone other than you. The virtual takeover of Americans' privacy has been largely due to the proliferation of Trojan Horse programs. Trojan Horse programs are smaller, digital, and far more prolific than in the days of Troy. Trojans cloak malicious code by appearing as innocuous attachments in order to gain access inside a user's computer system. Once a Trojan Horse has been introduced into a user's computer system, it plants a program that listens for a variety of user communications and secretly installs secret passageways into a user's computer. Through these backdoors, remote hackers can launch malicious code and vandalize, alter, steal, move, or delete any file on the infected computer. They can also harvest sensitive user information such as financial account numbers and passwords from the data in local files, and then transmit them through backdoors. Most Americans think that one must be very technical to invade someone else's privacy in this fashion. That belief is dangerously misguided. Much as one need not understand the inner workings of a handgun to use one, you don't need to be a sophisticated programmer to be an adept cyber crook. By merely running a query in a search engine for Trojan horse programs or keyloggers, one will find tens of thousands of relevant downloadable programs at their fingertips. One merely needs to comprehend the lexicon associated with hacker tools to launch cyber attacks.
The Internet has become a virtual arms bazaar. The free distribution of cyber weapons takes place millions of times every day. Underground Internet Relay Chat rooms and Web sites like http://astalavista.box.sk have mirrored the American gun shows; the only exception being that all the guns and ammo are free. Some examples might shock you: Did you know that the Pentagon, the most secure infrastructure in the world, was hacked for over eight months by a network of Chinese computers named Titan Rain? These computers were implanted within the DOD's internal networks so as to steal our aeronautical specifications for advanced jets and spacecraft. Did you know that the greatest threat facing our banks is not armed robbers but cyber thieves stealing your identity and setting up fraudulent lines of credit in your name? Only 2 percent of mounting bank crime losses are from physical robberies now. Today's bandits now hide safely in a hotel room halfway around the world while they steal your financial futures. Did you know that the 202 deaths of foreigners in Bali in 2002 were financed by cyber crime? Imam Samudra was convicted of engineering the devastating Bali nightclub bombings four years ago. Samudra published a jailhouse autobiography that contained a chapter titled "Hacking, Why Not?" Samudra urged fellow Muslim radicals to take the holy war into cyberspace by attacking U.S. computers, with the particular aim of committing credit card fraud online. Today's digital world has become a boon to an illegal underground economy that trades in our secrets. Governments no longer have a monopoly on technology and thus no longer have a monopoly on being Big Brother. Indeed, the proliferation of criminal, digital Big Brothers far exceeds the government's ability to protect citizens in cyberspace. A good place to begin reclaiming privacy and real cyber security in vital areas of life and commerce is with the banks and corporations that we do business with.
Just as some corporations do a better job at protecting the environment, there are those who do a better job at ensuring our privacy and cyber security. There is no way government can do the job itself; the resources and resourcefulness of the entire private sector are necessary. In cyberspace privacy cannot exist without cyber security. You might attempt to protect your computer and the information on it. But you can't protect the security of every institution that holds information about you. Much like the concept of "rewind", the concept of personal privacy is becoming ancient history. -=- Tom Kellermann is a cyber security consultant who formerly held the position of Senior Data Risk Management Specialist for the World Bank Treasury Security Team. He was responsible for cyber intelligence and policy management within the World Bank treasury and regularly advised central banks around the world. He is a Certified Information Security Manager (CISM). © MMVI, CBS Broadcasting Inc. All Rights Reserved.

From isn at c4i.org Thu Jun 8 05:04:56 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 8 Jun 2006 04:04:56 -0500 (CDT) Subject: [ISN] DOD data center worked overtime on stolen personnel files Message-ID: http://www.fcw.com/article94816-06-07-06-Web By Bob Brewin June 7, 2006 The Defense Manpower Data Center (DMDC) worked during the past weekend to determine that a stolen Department of Veterans Affairs database, which contained sensitive personnel information on 26.5 million veterans, also contains information on as many as 1.1 million active-duty personnel, a DOD spokesman said. Army Lt. Col. Jeremy Martin, a Pentagon spokesman, said the VA informed DOD June 1 that the stolen database may have included information on active personnel. DOD then asked the VA to transmit an original of the file stolen from the home of a VA data analyst May 3 to DMDC. That file, Martin emphasized, was encrypted and then transmitted over a secure link from the VA to DMDC.
DMDC employees then worked over the weekend to compare records in the VA file with records of active-duty and reserve personnel and determined that records for as many as 1.1 million out of 1.4 million active-duty personnel may have been included in the stolen VA database, Martin said. He added that records on 430,000 members of the National Guard and 645,000 members of the Reserves -- or roughly 90 percent of Reserve and Guard personnel -- may have been on the stolen database. Martin said DMDC employees worked over the weekend because "responding to the compromise of service personnel's information was an urgent priority and required immediate attention." Once DMDC completed its work, DOD informed the VA June 5, and VA Secretary Jim Nicholson announced the latest fallout from the data theft June 6, which has consumed the agency since it surfaced in late May. The VA "committed to providing updates on this incident as new information is learned," Nicholson said. The department is working with DOD to notify all affected personnel. Nicholson said the VA is in discussion with several entities to provide credit-monitoring services for active-duty and military personnel potentially at risk from the data theft. David Rubinger, a spokesman for Equifax, a large credit-reporting service, said the company has not received any such request from the VA, but added that individual fraud alerts by veterans have spiked ever since the VA announced the theft. Martin said DMDC is still comparing its files with the VA database, a process which it should complete by the end of the week, at which time the center could determine a smaller number of records are at risk from the VA data theft. Martin said the number of records at risk from the theft could go lower, but it will not increase.
From isn at c4i.org Thu Jun 8 05:05:21 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 8 Jun 2006 04:05:21 -0500 (CDT) Subject: [ISN] IRS Laptop Lost With Data on 291 People Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2006/06/07/AR2006060701987.html By Christopher Lee Washington Post Staff Writer June 8, 2006 An Internal Revenue Service employee lost an agency laptop early last month that contained sensitive personal information on 291 workers and job applicants, a spokesman said yesterday. The IRS's Terry L. Lemons said the employee checked the laptop as luggage aboard a commercial flight while traveling to a job fair and never saw it again. The computer contained unencrypted names, birth dates, Social Security numbers and fingerprints of the employees and applicants, Lemons said. Slightly more than 100 of the people affected were IRS employees, he said. No tax return information was in the laptop, he said. "The data was not encrypted, but it was protected by a double-password system," Lemons said. "To get into this personal data on there, you would have to have two separate passwords." Lemons said the Treasury Department's inspector general for tax administration is investigating the loss. The IRS is notifying affected individuals and advising them on steps to guard against identity theft. Lemons declined to name the airline or the employee, or to say whether the worker was disciplined, citing the ongoing investigation. The Department of Veterans Affairs suffered a much larger data breach last month when thieves broke into a VA data analyst's home and stole a laptop and external hard drive containing personal information of 26.5 million veterans and active-duty military members. Colleen M. Kelley, president of the National Treasury Employees Union, said IRS employees are worried. "The first thing that comes to mind is identity theft and why care and caution wasn't taken to encrypt their data," she said.
Lemons said tax return information is always encrypted if IRS workers carry it into the field. He could not cite a similar policy for personal employee data but said, "typically it's our policy to encrypt any sensitive information." Kelley said she is pressing the IRS to give employee data the same care and protection as taxpayer information. "They are taking this seriously and I would expect to see some changes in policy and procedures in the future," she said. © 2006 The Washington Post Company

From isn at c4i.org Fri Jun 9 12:43:20 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 9 Jun 2006 11:43:20 -0500 (CDT) Subject: [ISN] CPA group says hard drive with data on 330,000 members missing Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001030 By Jaikumar Vijayan Computerworld June 07, 2006 Adding to the lengthening list of organizations reporting data compromises, the American Institute of Certified Public Accountants (AICPA) today confirmed that a computer hard drive containing the unencrypted names, addresses and Social Security numbers of nearly all of its 330,000 members has been missing since February. The hard drive had been accidentally damaged by an AICPA employee and was sent out for repair to an external data-recovery service in violation of the AICPA's policies, said Joel Allegretti, a spokesman for the New York-based organization. It was on its way back to the AICPA via FedEx but failed to arrive. Allegretti did not say when exactly the drive went missing except to note that the package containing it was due back at the AICPA "toward the end of February." It took the organization until March 31 to "re-create the drive" and determine what data it contained. The AICPA began notifying affected members of the potential compromise of their personal data on May 8 and has since completed the task, Allegretti said.
Jim McClusky, a spokesman for FedEx Corp., said it is unclear what exactly happened to the drive. But he stressed that it is a mistake to characterize the package as being lost. "We did handle the shipment, and we are working closely and cooperatively with our customer to determine where the package might be," he said. "It is still being investigated. At this point, we are looking at it as a missing shipment; that doesn't mean it's lost." Based on investigations so far, it does not appear that information on the hard drive has been misused, Allegretti said. Following the loss, the AICPA is offering affected members a year's worth of free credit-monitoring services. The incident has also prompted the group to begin deleting all Social Security numbers from its member database. While a note posted on the organization's Web site says the collection of Social Security numbers has been a long-standing procedure, it added that "we will cease collecting and maintaining them, except in limited circumstances. And even for those, we are accelerating our efforts to develop other means of uniquely identifying our members." News of the AICPA breach comes amid a flurry of similar disclosures in recent days. By far, the biggest was the May 22 disclosure by the U.S. Department of Veterans Affairs that it had lost personal data on more than 26.5 million veterans discharged since 1975. Since then, the agency has admitted that the breach may have exposed personal information on about 2.2 million active-duty National Guard and Reserve troops as well (see "Personal info on 2.2M troops part of VA data theft" [1]). Since then, there have been similar disclosures elsewhere, including Texas Guaranteed Student Loan Corp., a Round Rock, Texas-based nonprofit organization. TG said that an outside contractor lost an unspecified piece of equipment containing the names and Social Security numbers of approximately 1.3 million borrowers. 
On May 26, Sacred Heart University in Fairfield, Conn., announced that one of its computers had been hacked into, resulting in the potential compromise of data belonging to 135,000 alumni and would-be students. And earlier this month, a password-protected laptop containing credit card information on more than a quarter-million Hotels.com LP customers was stolen from the car of an auditor at Ernst & Young LLP. [1] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000992

From isn at c4i.org Fri Jun 9 12:43:41 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 9 Jun 2006 11:43:41 -0500 (CDT) Subject: [ISN] VA cuts telework, bans employee-owned computers Message-ID: http://www.govexec.com/story_page.cfm?articleid=34291 By Daniel Pulliam June 8, 2006 The Veterans Affairs Department has suspended use of employee-owned computers for official agency business and has limited telework at one of three major divisions, in an effort to prevent security breaches. The agency also is issuing a directive reminding employees that failure to comply with department policy regarding the protection of personal data could result in administrative, civil or criminal penalties, VA Secretary James Nicholson testified Thursday at a House Government Reform Committee hearing. The panel called the hearing to discuss the department's response to the early May theft of sensitive records from the home of a VA employee. A June 6 directive to the Veterans Benefits Administration bars employees from removing claim files from their offices to work on them from alternative locations, such as their homes. From June 26 until June 30, all VA facilities will observe a Security Awareness Week. Nicholson said about 35,000 employees have some level of access to the department's servers through a virtual private network, also known as a VPN, for the purpose of off-site access such as at an employee's home.
Under recently issued policies, employees no longer will be allowed to access the agency's VPN from personal computers. Every 30 days the VPN settings will change, forcing laptop users to return to the agency for updates and security screening, Nicholson testified. But several outside observers have said that the data breach could have been prevented if the VA employee had accessed the information he needed over a network, rather than bringing it home on computer disks. The GS-14 employee, who had worked at the department for 34 years, was not authorized to telework, according to Nicholson, but he had been taking data to his Aspen Hill, Md., home for the last three years. A laptop computer owned by the employee and an external hard drive containing the personal information of 26.5 million people were stolen May 3 in what authorities say was a routine break-in. VA officials took steps late last month to initiate the employee's firing. Nicholson said law enforcement authorities have apprehended a few people who have committed burglaries similar to the one at the employee's home, but the equipment did not match that containing the data. While the extent of the breach expanded this week to affect the records of 2.2 million military personnel in addition to nearly all of the nation's veterans, Nicholson said the agency has its hands "around the four corners" of the hard drive's contents. "I am outraged at the theft of this data and the fact an employee would put it at risk by taking it home in violation of VA policies," Nicholson said in his testimony. "We remain hopeful that this was a common theft, and that no use will be made of the VA data." Nicholson said the VA's chief information officer currently lacks enough authority to guard against data breaches, but as of last October, the department started centralizing its information technology functions around the CIO office. At the hearing, David M.
Walker, chief of the Government Accountability Office, proposed that all federal agencies conduct a privacy impact assessment to determine how personal information is collected, accessed and stored. He also recommended that agencies ensure they are in compliance with the 2002 Federal Information Security Management Act. Walker urged lawmakers to consider legislation that would require agencies to disclose breaches involving personal data, and create additional requirements for accessing such information. "There is a gap here when it comes to sensitive personal information," Walker said. Clay Johnson, deputy director for management in the Office of Management and Budget, testified that he believes the administration has enough authority to prevent future breaches across the government, but a review will be conducted to see if "extra teeth" are needed. "I'm told that there are dozens of security breaches involving laptops [each year]," Johnson said. "None of these involved 26 million names. This is the 100-year storm of security breaches." Johnson said it is the administration's policy that all sensitive data on laptops be encrypted, but it's not always enforced. In the VA case, the information on the employee's stolen laptop and external hard drive was not encrypted, leaving it vulnerable to identity thieves.

From isn at c4i.org Fri Jun 9 12:43:55 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 9 Jun 2006 11:43:55 -0500 (CDT) Subject: [ISN] NIST supplies IT security handbook to managers Message-ID: http://www.fcw.com/article94829-06-08-06-Web By Wade-Hahn Chan June 8, 2006 The National Institute of Standards and Technology has released a draft of its Information Security Handbook. The handbook provides an overview of information security measures to give managers a better understanding of how to implement an information security program.
According to NIST's computer security resource center, the purpose of the handbook is to inform the information security management team about expected implementation and oversight of various aspects of information security in their organizations. The publication includes summaries of existing NIST publications and standards. The 124-page document includes a section on designing, implementing and overseeing a program for awareness and training for information security standards. Other topics include summaries of the responsibilities of agency heads, developing a life cycle for systems development and detailing specific performance metrics for systems evaluation. There is an extensive Frequently Asked Questions section toward the end of the publication. NIST is requesting that comments on the handbook be sent to handbk-100 at nist.gov. NIST will be accepting comments until August 7.

From isn at c4i.org Fri Jun 9 12:44:12 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 9 Jun 2006 11:44:12 -0500 (CDT) Subject: [ISN] Microsoft product phones home every day Message-ID: http://www.theregister.co.uk/2006/06/08/ms_wga_phones_home/ By John Oates 8th June 2006 Microsoft has admitted that Windows Genuine Advantage (WGA) will phone Redmond every day - something it neglected to tell users before they installed it. WGA is designed to detect pirated copies of MS software but is also creating some false positives - two UK dealers have contacted the Reg to report customers complaining that WGA had branded their software as an illegal copy. The software checks what is installed on your machine and then reports back to Microsoft - it sends your IP number and information on your software set-up. If your software is dodgy you will start receiving pop-up reminders from Microsoft. Michaela Alexander, head of anti-piracy at Microsoft UK, told the Reg: "First of all this is a pilot - customers have the choice to subscribe or not.
WGA is very careful about which license keys are checked - some numbers have been leaked and therefore have been culled by Microsoft. If customers bought a genuine copy of Windows but as a result of a poor installation or a repair a different license key was used then WGA would flag it as not genuine." But Alexander said all this was detailed in the opt-in process. But she added: "The last thing we want is unhappy customers so we are investigating this - but it is a pilot and this is part of the process." The word from the US is that Microsoft will change WGA so it only phones home once a fortnight, instead of every day, and will do a better job of letting users know what the software is doing. More from Seattle Post Intelligencer here [1]. One of the dealers with the original problem emailed us the following: The problem was caused by an active-x control being blocked by IE security. The fix was to go to http://www.microsoft.com/genuine/diag and follow the instructions. This runs through a series of checks to ensure that the validation process can operate correctly, then advises of the necessary changes in IE setup to permit correct validation. In the case of our clients, the problem was correctly diagnosed and the resolution worked fine. It's just alarming that for a simple security problem, Microsoft had informed the end user (by way of a message displayed on their screen) that they might be [quote] "The victim of software counterfeiting".
[1] http://seattlepi.nwsource.com/local/6420AP_WA_Microsoft_Monitoring_Piracy.html

From isn at c4i.org Fri Jun 9 12:44:29 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 9 Jun 2006 11:44:29 -0500 (CDT) Subject: [ISN] Academy hackers under investigation Message-ID: http://www.theoaklandpress.com/stories/060806/loc_2006080604.shtml By DAVE GROVES Of The Oakland Press June 8, 2006 BLOOMFIELD HILLS - The principal of the acclaimed International Academy said he believes the school's image will not be marred by what he describes as serious but immature mistakes made by five students. Bert Okma said he and other academy employees are completing an investigation into the mostly freshmen students' hacking of a school information system and the alteration of several academic grade records. "I think they saw it as a game ... and a chance to improve their academic standing," the principal said. "If they had been willing to dedicate as much time to their studies as they did to this, we wouldn't be dealing with the issue." Administrators have had extensive conversations with the students, who came forward after several teachers recognized disparities between grades in their personal records and those appearing on the school's computer system. An investigation revealed that sometime in November, the students had installed software on the system that provided them with faculty user names and passwords. International Academy's Joint Steering Committee has reviewed the situation and determined that the five students will face disciplinary action ranging from loss of academic credit to expulsion. The extent of the consequences will be determined through hearings conducted with school officials, the students and their parents in coming weeks. Okma said mitigating circumstances will be considered individually at that time. Students also could face criminal charges depending on the investigation findings and desires of school administrators. Lt.
Steve Cook of the Bloomfield Township Police Department said that the school has not yet requested police involvement in the matter. "Depending on what their investigation reveals, could there be criminal charges issued? I would say there is that possibility," he said. Cook did not want to speculate on potential charges. Meanwhile, academy staff are undertaking the daunting task of reviewing all test grades recorded for all students this year. This is because the students responsible for the computer security breach are suspected to have changed both their own grades and those of others. Okma said that while teachers are frustrated, disappointed and hurt by the revelation, they remain resolved not to let it mar the overwhelmingly positive view they have of the student body as a whole. Okma believes the same sentiment will prevail outside the school. "The reputation of the International Academy is sound and well-earned, and I don't see this impacting that," he explained. "Everybody understands that young people can make mistakes." And such mistakes on the part of local youth are not unprecedented. Last month, three North Farmington High School students were suspended after obtaining staff passwords to district computers. Officials are working to figure out what the students intended to do with the information. The Farmington Hills Police Department is investigating the matter. Chief William Dwyer said felony charges could come next month. "It's still ongoing," he said. "This is an extensive investigation." Farmington school officials were alerted to the theft after a student came forward to report the incident. With the passwords, the students would have had to access the system while at school and not at home. Officials do not know if any of the students accessed the system. No information on the students has been released.
From isn at c4i.org Fri Jun 9 12:45:02 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:45:02 -0500 (CDT)
Subject: [ISN] Linux Advisory Watch - June 9th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  June 9th, 2006                             Volume 7, Number 24n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas      ben at linuxsecurity.com  |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, advisories were released for motor, typespeed, lynx-cur, xmcd, postgresql, centericq, freeradius, spamassassin, dia, tetex, squirrelmail, mc, gdm, gnome-panel, dovecot, evolution, x11, libtiff, openldap, MySQL, postgresql, quagga, zebra, and rug. The distributors include Debian, Fedora, Mandriva, Red Hat, and SuSE.

---

Security on your mind?

Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.

The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.
http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Linux v3.0.7 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.

The following reported bugs from bugs.engardelinux.org are fixed in this release:

  #0000067 SIMAP AND SPOP3 packages are built disabling plaintext auth

Several other bugs are fixed in this release as well.

New features include:

* A new package (hwlister) which can be used to generate an inventory of all the hardware which comprises your system. This package is now installed by default with EnGarde Secure Linux.

* PHP was rebuilt with cURL support and a race condition was fixed in shadow-utils.

* The latest stable versions of: MySQL (5.0.22), apache (2.0.58), asterisk (1.2.8), bacula (1.38.9), imap (2004g), openssl (0.9.8b), php5 (5.1.4), postfix (2.2.10), snort (2.4.4), sudo (1.6.8p12), syslog-ng (1.6.11), vim (6.4.010), and zaptel (1.2.6).

* Several new packages:

  - binstats (1.08)
    Binstats is a statistics generation tool for installed programs. It is also useful for cleaning up a system by helping find duplicate executables, unused libraries, statically linked binaries and duplicate man pages.

  - bitchx (1.1)
    BitchX is an IRC (Internet Relay Chat) client that is based on ircII (but heavily modified). It is ncurses based and allows the user to get onto IRC without requiring the use of a GUI client.

  - bittorrent (4.9.2)
    Bittorrent is a scatter-gather network file transfer protocol used for distributing files. It works in the opposite way from regular downloads: the more people are currently downloading a file using bittorrent, the faster it will go.

  - ethereal (0.99.0)
    Ethereal is a network protocol analyzer.
    This version is ncurses based and allows the user to examine and capture data from a live network.

  - hyperion (1.0.2)
    Hyperion is an IRC daemon that allows clients to connect to it. This is the server that is used by Freenode.

  - john (1.7.0.2)
    "John" is a password cracker whose primary purpose is to detect weak passwords in order to strengthen the overall security of a system.

  - libapache-mod_fcgid (1.09)
    mod_fcgid is an apache web server module that acts as a binary compatibility alternative to mod_fastcgi. It comes with a new process management strategy.

  - libapache-mod_mono (1.1.14)
    mod_mono is an apache web server module that provides ASP.NET support for the apache web server.

  - libapache-mod_security (1.9.3)
    mod_security is an apache web server module that acts as an intrusion detection and prevention engine for web applications. It acts as another line of defense between improperly coded applications and the webserver.

  - makejail (0.0.5)
    Makejail, in conjunction with binstats, determines which binaries a program is going to need to be chrooted and creates a chroot jail for it.

  - mc (4.6.0)
    Midnight Commander is a console based ncurses visual file manager similar to Norton Commander. It has the ability to handle archives, FTP sites, and many other file types built in.

  - paketto (1.10)
    The Paketto Keiretsu is a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. scanrand is said to be faster than nmap and more useful in some scenarios.

  - psad (1.4.5)
    PSAD is a collection of utilities that work with the linux firewalling code (IPTables) to detect port scans and other suspect traffic. It also includes the ability to configure threshold levels based on how stringent your ruleset is.

  - slat (2.0)
    SLAT provides a systematic way of determining if your SELinux policy achieves your desired security goal. This is a useful tool when creating or modifying SELinux policy.
All new users downloading EnGarde Secure Linux for the first time or users who use the LiveCD environment should download this release. Users who are currently using EnGarde Secure Linux do not need to download this release -- they can update their machines via the Guardian Digital Secure Network WebTool module.

http://www.linuxsecurity.com/content/view/123016/65/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New motor packages fix arbitrary code execution
  31st, May, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122940

* Debian: New typespeed packages fix arbitrary code execution
  31st, May, 2006
  Niko Tyni discovered a buffer overflow in the processing of network data in typespeed, a game for testing and improving typing speed, which could lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122948

* Debian: New lynx-cur packages fix several vulnerabilities
  1st, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122956

* Debian: New xmcd packages fix denial of service
  2nd, June, 2006
  xmcdconfig creates directories world-writable, allowing local users to fill the /usr and /var partitions and hence cause a denial of service.
  This problem has been half-fixed since version 2.3-1.
  http://www.linuxsecurity.com/content/view/122971

* Debian: New PostgreSQL packages fix encoding vulnerabilities
  3rd, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122984

* Debian: New centericq packages fix arbitrary code execution
  3rd, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122985

* Debian: New freeradius packages fix arbitrary code execution
  3rd, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122986

* Debian: New spamassassin packages fix remote command execution
  6th, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/123002

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Extras 5 update: dia-0.95-3
  6th, June, 2006
  This update fixes CVE-2006-1550, CVE-2006-2453, CVE-2006-2480.
  http://www.linuxsecurity.com/content/view/123007

* Fedora Core 4 Update: spamassassin-3.0.6-1.fc4
  6th, June, 2006
  Resolves CVE-2006-2447. Note that you are affected by this bug only if you launched spamd with both --vpopmail and --paranoid, which is not a common configuration.
  http://www.linuxsecurity.com/content/view/123011

* Fedora Core 5 Update: spamassassin-3.1.3-1.fc5
  6th, June, 2006
  3.1.3 resolves CVE-2006-2447. Note that you are affected by this bug only if you launched spamd with both --vpopmail and --paranoid, which is not a common configuration. Also included are bug fixes from 3.1.2.
  http://www.linuxsecurity.com/content/view/123015

* Fedora Core 4 Update: tetex-3.0-10.FC4
  7th, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/123033

* Fedora Core 4 Update: squirrelmail-1.4.6-7.fc4
  7th, June, 2006
  CVE-2006-2842 Squirrelmail File Inclusion
  http://www.linuxsecurity.com/content/view/123034

* Fedora Core 5 Update: mc-4.6.1a-13.FC5
  7th, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/123035

* Fedora Core 5 Update: gdm-2.14.4-1.fc5.3
  7th, June, 2006
  This update resolves an issue in gdm-2.14.4-1.fc5.2 where GDM would choose the wrong X server path.
  http://www.linuxsecurity.com/content/view/123036

* Fedora Core 5 Update: gnome-panel-2.14.2-1.fc5.1
  7th, June, 2006
  The gnome-panel package has been rebuilt against the latest evolution-data-server package.
  http://www.linuxsecurity.com/content/view/123037

* Fedora Core 5 Update: squirrelmail-1.4.6-7.fc5
  7th, June, 2006
  CVE-2006-2842 Squirrelmail File Inclusion Vulnerability
  http://www.linuxsecurity.com/content/view/123038

* Fedora Core 5 Update: dovecot-1.0-0.beta8.1.fc5
  7th, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/123039

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated evolution packages fix DoS (crash) vulnerability on certain messages.
  1st, June, 2006
  Evolution, as shipped in Mandriva Linux 2006.0, can crash displaying certain carefully crafted images.
  http://www.linuxsecurity.com/content/view/122966

* Mandriva: Updated xorg-x11 packages to address bug with keyboard layouts.
  5th, June, 2006
  A misapplied patch in a recent X.org update caused keyboard layout problems which resulted in some users being unable to use the CTRL-ALT-function key combination to switch to a console, as well as other keyboard mapping issues. Updated packages have been re-patched to correct these issues.
  http://www.linuxsecurity.com/content/view/123000

* Mandriva: Updated libtiff packages fix tiffsplit vulnerability
  5th, June, 2006
  A stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might allow attackers to execute arbitrary code via a long filename.
  http://www.linuxsecurity.com/content/view/123001

* Mandriva: Updated openldap packages fix buffer overflow vulnerability.
  7th, June, 2006
  A stack-based buffer overflow in st.c in slurpd for OpenLDAP might allow attackers to execute arbitrary code via a long hostname. Packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/123029

* Mandriva: Updated MySQL packages fix SQL injection vulnerability.
  7th, June, 2006
  SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape function is used to escape the input. MySQL 4.0.18 in Corporate 3.0 and MNF 2.0 is not affected by this issue. Packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/123030

* Mandriva: Updated postgresql packages fix SQL injection vulnerabilities.
  7th, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/123032

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: quagga security update
  1st, June, 2006
  Updated quagga packages that fix several security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122967

* RedHat: Moderate: zebra security update
  1st, June, 2006
  Updated zebra packages that fix several security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122968

* RedHat: Moderate: dia security update
  1st, June, 2006
  Updated Dia packages that fix several buffer overflow bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122969

* RedHat: Moderate: spamassassin security update
  6th, June, 2006
  Updated spamassassin packages that fix an arbitrary code execution flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/123010

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: cron local privilege escalation
  31st, May, 2006
  The code in do_command.c in Vixie cron does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits. This problem is known to affect only distributions with Linux 2.6 kernels, but the package was updated for all distributions for completeness. This problem is tracked by the Mitre CVE ID CVE-2006-2607.
  http://www.linuxsecurity.com/content/view/122947

* SuSE: kernel (SUSE-SA:2006:028)
  31st, May, 2006
  Multiple vulnerabilities have been fixed in the linux kernel.
  http://www.linuxsecurity.com/content/view/122949

* SuSE: rug (SUSE-SA:2006:029)
  31st, May, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122950

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Fri Jun 9 12:42:47 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:42:47 -0500 (CDT)
Subject: [ISN] Social Engineering, the USB Way
Message-ID:

http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

By Steve Stasiukonis
JUNE 7, 2006

We recently got hired by a credit union to assess the security of its network.
The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network.

In the past we had used a variety of social engineering tactics to compromise a network. Typically we would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time I knew we had to do something different. We heard that employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element. We figured we would try something different by baiting the same employees that were on high alert.

We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user's computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union's internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented. Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work.
Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

I immediately called my guy who wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.

You've probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites.

Our credit union client wasn't unique or special. All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets. Disagree?
Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

- Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading

From isn at c4i.org Fri Jun 9 12:43:00 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:43:00 -0500 (CDT)
Subject: [ISN] 'BlueBag' PC sniffs out Bluetooth flaws
Message-ID:

http://www.infoworld.com/article/06/06/07/79045_HNbluebag_1.html

By Robert McMillan
IDG News Service
June 07, 2006

If you happened to fly through Milan's Malpensa Airport last March, your mobile phone may have been scanned by the BlueBag.

Billed as a research lab on wheels, BlueBag was created by Milan's Secure Network SRL to study how malicious software might be able to spread among devices that use the Bluetooth wireless standard. Basically, it's a Bluetooth-sniffing computer hidden in a suitcase [1] (Note: PDF file) that was rolled through train stations, a shopping center, and even a computer security conference show floor this year to see how many Bluetooth-enabled devices attackers could potentially infect with a worm or a virus.

The answer: quite a lot. In just under 23 hours of travel, BlueBag was able to spot more than 1,400 devices with which, in theory, it could have connected. Among the discoverable devices were a number of Nokia Corp.'s mobile phones and TomTom International BV's Go global positioning systems, said Stefano Zanero, Secure Network's co-founder and chief technology officer.

"Most of the devices that we found were from the same manufacturers because their default Bluetooth connection setup is to be discoverable, which is very good for ease of use, but very bad for security," he said.
Though many Bluetooth devices are designed to be hidden or detectable for very short periods of time, some manufacturers make their products detectable by default to simplify hook up with other Bluetooth-enabled machines -- a car sound system for example. Unfortunately, this practice also makes life easier for hackers, Zanero said.

"Any discoverable device is potentially vulnerable to attacks," he said. For example, BlueBag found 313 devices with the OBEX (Object Exchange) vCard and vCalendar exchange service enabled, making them prey for known Bluetooth virus attacks.

BlueBag's data is going to help Zanero and his researchers understand how attackers might use Bluetooth's ability to connect with other devices to create a targeted attack. In a scenario they've envisioned, the bad guys could infect Bluetooth devices in a train station one morning, telling them to infect other equipment and seek out specific pieces of information.

"You can deliver your malware, leave it for a few hours, and then catch it when [the user] goes home," Zanero said. "This makes it possible to perform the targeted attack that we have in mind."

At the August Black Hat USA 2006 conference in Las Vegas, the Secure Network team plans to unveil some proof of concept malware showing how this type of attack might work. The hard part has been devising a protocol that will allow the malware to report back to an attacker. And since the researchers can't actually infect a bunch of Bluetooth phones, they need BlueBag to provide them with data so they can estimate how such malware might spread.

"This gives you the figures you need for creating some small, not-very-reliable models of how these worms could interact," Zanero said.

Secure Network's research, which was co-sponsored by antivirus vendor F-Secure Corp., is not the first to highlight Bluetooth's security vulnerabilities.
A year ago, hackers showed how they could connect to hands-free Bluetooth systems in some cars [2] to eavesdrop on telephone conversations and even talk to unsuspecting drivers. The software, called Car Whisperer, took advantage of poor security programming techniques on the part of the car manufacturers. And variants of the Cabir Bluetooth viruses [3] have been around for two years now. Cabir, which has never become widespread, preys on the kind of discoverable phones that BlueBag measured.

To avoid being bitten by Bluetooth attacks, Zanero says users should check their settings and make sure their device is set to be "hidden" or "non-discoverable." This isn't a panacea, but it will make things harder for attackers.

Using Bluetooth is "like sex," Zanero said. "It's better with precautions."

[1] http://www.securenetwork.it/bluebag_brochure.pdf
[2] http://www.infoworld.com/article/05/08/03/HNcarwhisperer_1.html
[3] http://www.f-secure.com/v-descs/cabir.shtml

From isn at c4i.org Mon Jun 12 04:22:44 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:22:44 -0500 (CDT)
Subject: [ISN] Another federal breach exposes employee records
Message-ID:

http://www.govexec.com/dailyfed/0606/060906tdpm1.htm

By Heather Greenfield
National Journal's Technology Daily
June 9, 2006

The Energy Department disclosed to Congress on Friday that it suffered a security breach from a hacker in September that compromised 1,500 personnel records.

The news broke just as a House Energy and Commerce Oversight and Investigations Subcommittee was supposed to start a hearing on how secure Energy Department computers are in light of recently reported data breaches at the Internal Revenue Service and Veterans Affairs Department.

Kentucky Republican Ed Whitfield, chairman of the Subcommittee, said there is no excuse for the department to have its current "F" in cyber-security compliance -- or for waiting eight months to tell the Energy secretary or his committee about the security breach.
"It's unbelievable [that] 1,500 personnel files can be compromised with Social Security numbers," Whitfield said. "The impact that can have on individuals is quite disturbing."

Full Energy and Commerce Committee Chairman Joe Barton, R-Texas, visited the hearing room to express his outrage at the data breach and later called Energy Secretary Samuel Bodman. "If the administration won't do something about this incident, this committee will," he said.

While most of the details of the hacking incident were discussed later in executive session, a government agency that tests the department by breaking into its computer system said the attack was at the National Nuclear Security Administration.

NNSA Administrator Linton Brooks said he learned of the "sophisticated" hacking incident in September. He said he did not know whose job it was to tell Bodman, but he wished he had.

"Mr. Brooks, I'm going to recommend you be removed from office, and I think you would do the country a service if you resigned," Barton said.

Brooks said that because the breach was labeled a counterintelligence issue, the two sides of the organization each assumed the other had notified the secretary. Barton called that explanation "hogwash."

Energy Chief Information Officer Thomas Pyke said he was aware of various hacking incidents but only learned of the personnel data involved two days ago. Pyke said the department faces hundreds of thousands of attacks each day. In the event where the records were exposed, he said the attack penetrated both a firewall and a detection system.

Glenn Podonsky, director of the office of security and safety performance assessment, told lawmakers that in November, his team successfully accessed Energy's unclassified computer system. He said they gained access to financial and personal data, and could have impersonated or monitored department executives. "We basically had domain control," Podonsky said.
He said with security improvements made since then that the office could break in but not gain domain control. He said his office believes Energy is moving too slowly in making security improvements and noted that part of the problem is because of work done by outside contractors.

Whitfield also wanted to know why the Energy Department has failed to report 50 percent of attacks on its computer systems. Podonsky said he agreed they should be reported to help law enforcers track them.

©2006 by National Journal Group Inc. All rights reserved.

From isn at c4i.org Mon Jun 12 04:24:18 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:24:18 -0500 (CDT)
Subject: [ISN] Washington Whispers
Message-ID:

http://www.usnews.com/usnews/politics/whispers/articles/060619/19whisplead.htm

By Paul Bedard
6/19/06

'Secretary of Tech' Is No Fan of E-mail

He may be in charge of the gizmos used to find illegal border crossers and deadly chemicals in subways, but Homeland Security Secretary Michael Chertoff likes to keep his personal tech simple. "I don't use E-mail," he confides. "You just get deluged with a lot of garbage." Chertoff describes his experience with electronic mail as "picking through genuine work E-mails and invitations to baby showers." Worse: "People sometimes will think you've gotten something that you actually haven't gotten." Been there.

Chertoff insists he's not out of touch just because he isn't glued to a BlackBerry. "I rely on people communicating with my staff," he says. "At any moment, I can request an update, and I can always be reached." His E-mail discipline has roots in last year's Hurricane Katrina, when unfiltered messages about the levee breach flooded in after he'd left for the night. "It is unhelpful to have 15 or 16 E-mails coming from all different directions being thrown at you," he says.
"When people rely on E-mail chains, it can sometimes leave the decision maker unable to sort out good information from information that's just plain wrong." His new rule for aides: Verify the info before clicking "forward." As for this hurricane season, he's doing better than E-mail by personally traveling to the Gulf region to view rescue drills. "I'm going down there," he says, "and kicking the tires myself."

[...]

From isn at c4i.org Mon Jun 12 04:24:32 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:24:32 -0500 (CDT)
Subject: [ISN] Audit finds security weaknesses at NASA center
Message-ID:

http://www.gcn.com/online/vol1_no1/40990-1.html

By Patience Wait
GCN Staff
06/09/06

At a time when the public has a heightened awareness of computer security problems at government agencies, the NASA inspector general has found that one of the space agency's centers has not put in place sufficient IT security to protect data and systems from possible compromise.

"Weaknesses in these areas could lead to the compromise of the computer network," the IG found.

The center audited by the IG was not identified, and only a summary of the report [1] was released June 2.

According to the report summary, NASA system administrators at the center did not:

* Periodically review critical firewall audit logs and modems used to protect the computer network
* Monitor for the use of files and commands with security risks
* Consistently perform system backups
* Meet NASA requirements for storing backup media.

The IG's audit found other problems as well. System administrators also accessed a key server containing security information without adequate encryption and did not remove unnecessary services from the network. Software patches were not installed in a timely manner to fix security weaknesses in the network servers, and vulnerabilities found during security scans of the systems were not promptly fixed.
Finally, NASA had no formal policy governing foreign nationals' use of laptops or other electronic devices while visiting the NASA center or working onsite.

"We recommended that the NASA center take actions to improve security controls over the network, to include developing, implementing, and enforcing procedures and controls over auditing and monitoring, the use of software and unnecessary services, the installation of patches, and system backups," the summary concluded. "We also recommended that the center develop and implement a formal policy to prohibit foreign nationals' onsite use of their own laptops and other electronic devices."

Of 13 specific recommendations made by the IG, NASA agreed with nine, and has already taken or planned corrective actions. The internal auditors planned follow-up actions on those issues not yet resolved.

[1] http://www.hq.nasa.gov/office/oig/hq/audits/reports/FY06/ig-06-008-summary.pdf

From isn at c4i.org Mon Jun 12 04:27:24 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:27:24 -0500 (CDT)
Subject: [ISN] Ex-Boss Describes Sys Admin's Anger During PaineWebber Sabotage Trial
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=188703100

By Sharon Gaudin
InformationWeek
Jun 8, 2006

Newark, N.J. -- On the day a system administrator at UBS PaineWebber learned his annual bonus had fallen short by about $15,000, he leveled an ultimatum at his boss: give him a written contract for more money or he was walking out the door, according to testimony Thursday in the federal criminal computer sabotage trial.

But prosecutors charge that quitting his job wasn't the only thing on his mind in late February of 2002. They say Roger Duronio, a three-year employee in the financial giant's IT department, had already hatched a plan to plant malicious code on the network that would wipe out critical data across the country and drive down the company's stock price.
Once Duronio packed up and was escorted out the building that day, he headed straight to a broker's office to buy stock options that would pay out if UBS suffered a setback. And that, the government contends, put the final stages of Duronio's plot into action. "On the day the actual bonuses were paid out.... Roger came into my office and, in somewhat of an upset tone, said he wanted a written contract for his compensation," Rajeev Khanna, manager for UBS's Unix Systems Group at the time of the attack, told the jury in his second day of testimony in U.S. District Court before Judge Joseph Greenaway. "He said if he did not have a contract by the end of the day, he was going to start packing.... He was visibly upset. It was his tone and there was some redness on his face." Duronio faces four counts, including computer sabotage, securities fraud, and mail fraud, in connection with the incident, which left about 8,000 of the company's brokers without the ability to trade for a day or more, and 9,000 other workers without the ability to access their desktops. It also leveled servers in the company's home office in Weehawken, N.J., and in nearly every branch office around the country. Duronio reportedly wanted to take home $175,000 a year. At the time he quit his job at UBS, he was making a base salary of $125,000 and had an opportunity for a maximum bonus of $50,000. It was the loss of that $15,000 that pushed Duronio to walk away from his job and try to make bigger money by investing in short-term "put options," which are a type of investment that only pay out if the company's stock price falls. The shorter the term--in this case 11 days--the bigger the payout. The prosecution says Duronio started building components of the malicious code - what they're calling a logic bomb - the previous November.
By the time Duronio found out for sure in February that he wasn't getting the bonus he'd been expecting, the logic bomb was already built and loaded onto the main host server in UBS's data center in Weehawken, N.J., and on about 370 branch servers around the country. When he quit his job that day, the government says, the code was already sitting quietly on the servers just waiting for 9:30 a.m. on March 4 to go off. In earlier testimony at the trial, PaineWebber employees described how the network still hasn't recovered, four years later. But Chris Adams, Duronio's defense attorney and a partner at Walder, Hayden & Brogan in Roseland, N.J., says his client not only didn't commit the crime, he was a valuable employee at UBS PaineWebber, which changed its name to UBS Wealth Management USA in 2003. UBS' network was riddled with security holes that left them wide open to attack, Adams said in his opening statements Tuesday. The network also left Duronio wide open to someone else using his ID and passwords to masquerade as the system administrator and move around undetected in the system. On cross examination Thursday, Adams asked Khanna, who had been Duronio's supervisor, if the defendant had been a good worker and integral to the IT team. Khanna replied that he "would not say" Duronio had been outstanding. But he agreed with Adams that he had marked Duronio as someone who "consistently meets and sometimes exceeds" expectations. Khanna described Duronio as a valuable worker even in his main testimony in front of the prosecutor, Assistant U.S. Attorney Mauro Wolfe. "Overall, I gave him a satisfactory rating," he testified. "He did what he was asked to do and he did it well." Khanna said that's why he went to bat for Duronio and sought a raise for him in 2000, not long after the defendant started work at UBS. Duronio's pay went up $10,000 that year. "He expressed some concerns about cash flow and not having enough money coming in on a monthly basis," said Khanna.
But by the fall of 2001, it became clear that the drooping economy and the troubled market were taking a toll on UBS. Khanna said he simply had a much smaller pool of bonus money to work with that year. As the manager of a few people himself, Duronio was even in on some of the conversations about having to lessen workers' bonuses that year, Khanna added. And even when Duronio threatened to quit on the spot if he wasn't given a contract that day, Khanna says he went to his supervisor and to Human Resources to see if anything could be done. Later, when Khanna escorted Duronio back to his desk to collect his things, he said he had already packed them up into a box. The defense will continue its cross-examination of Khanna on Friday morning. Copyright © 2006 CMP Media LLC, All rights reserved.

From isn at c4i.org Mon Jun 12 04:23:03 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 12 Jun 2006 03:23:03 -0500 (CDT) Subject: [ISN] China's hi-tech military disaster Message-ID: http://www.timesonline.co.uk/article/0,,2089-2220162,00.html By Michael Sheridan Far East Correspondent The Sunday Times June 11, 2006

A DULL boom shook the misty bamboo forests of Guangde county, 125 miles southwest of Shanghai, last Sunday, and a plume of smoke rose in the sky, causing Chinese villagers to look up in alarm from their tasks. Within 24 hours China officially admitted that a "military aircraft" had crashed, that President Hu Jintao had ordered an investigation and that state honours would be bestowed on the victims. Security teams sealed off the area, carting away the charred remains of 40 people and collecting wreckage with painstaking care. It looked like a routine military accident. In fact the crash would reverberate all the way to Washington and Tel Aviv, revealing details of a covert Chinese espionage effort to copy Israeli technology in an attempt to match the United States in any future air and sea battle.
The first clues were given by two Chinese-controlled newspapers in Hong Kong, Ta Kung Pao and Wen Wei Po. On Monday they printed articles disclosing that the plane was a Chinese version of the formidable Airborne Warning and Control System (Awacs) aircraft flown by the United States to manage air, sea and land battles. They indicated that it was a Russian Ilyushin four-engined cargo jet, rebuilt to house a conspicuous array of radars and codenamed KJ-2000. The doomed flight, they implied, had been a test mission. The disaster robbed China of 35 of its best electronic warfare technicians, according to sources in Hong Kong. There were also five crew members on board. With memories fresh in Beijing of a Boeing 767 bought for the use of former president Jiang Zemin and found to be riddled with eavesdropping devices, there were bound to be suspicions of sabotage. The Communist party showed how seriously it took the crash by entrusting the inquiry to Guo Boxiong, vice-chairman of the party's central military commission, who handles sensitive security matters. It was without question a calamity for the Chinese military. But for the Americans, who lost a spy plane forced down by a Chinese interceptor jet in 2000, it was not a cause for sincere mourning. The US Seventh Fleet is ranged off the Chinese coast, in constant contact with Chinese planes and submarines probing its readiness to defend the self-ruled democracy on Taiwan. Both America and Taiwan spend undisclosed billions trying to penetrate the wall of secrecy that surrounds China's military build-up, which was criticised once again last week by Donald Rumsfeld, the US defence secretary. Spies from Taiwan are known to have scored remarkable successes. In one recent case reported by The Washington Post, they placed in their president's hands the proceedings of a secret standing committee meeting on Taiwan policy within days of its taking place.
American intelligence, by contrast, concentrates on a war fought with science and stealth to preserve its technological advantage. For as long as the Chinese have tried to buy, steal or copy high-grade military technology - at least since the early 1990s - the CIA and the White House have sought to frustrate them. China relies on foreign know-how. British propellers from the Dowty company are fitted to its Y-8 early warning aircraft and radars made by Racal Electronics are installed on its naval surveillance planes. But the crown jewels of electronic warfare are made in America, which means that China's hunger for secrets can be exploited by its foes. Late in the cold war, the CIA supplied faulty computer items to the Soviets, which resulted in death and destruction. So suspicions of treachery in Beijing are bound to be reinforced by the tale of intrigue and deception that unfolded upon examination of what led to the fatal end of the KJ-2000. "The PLA [People's Liberation Army] air force and navy have long required airborne early warning aircraft," stated a report by the US Congressional Research Service in November 2001. "Each is looking for 8-10 aircraft to supplement their own unsuccessful efforts." In 1999 the Chinese thought they had the perfect deal. A Russian Ilyushin-76 transport, serial number #762, was bought and flown to a military airfield in Israel, where it was fitted with the world's most advanced Awacs system, the Phalcon, perfected by technicians at Israel Aircraft Industries. The cost: $250m (£135m). Inevitably, the CIA heard of the deal and the issue went all the way to the White House, which exerted tremendous pressure on Israel. On July 11, 2000, Ehud Barak, then the Israeli prime minister, broke off from peace talks at Camp David to tell President Bill Clinton that the sale had been cancelled. Barak confided that he had sent a personal letter of regret to Jiang Zemin. But Chinese persistence ensured the matter did not end there.
In 2002, according to aviation specialist websites, aircraft #762, stripped of the Phalcon system, was flown from Israel back to Russia and on to an airfield in east China that is home to the Nanjing Research Institute of Technology. Moreover, the Chinese technicians had not wasted their time in Israel. "It's not unreasonable to believe that the Israelis offered the Chinese industrial participation to seal this high dollar deal," said a US Department of Defence analyst, quoted in a report for the US Army War College. "The Phalcon system makes extensive use of commercial off-the-shelf products, which gives easy access to the basic building blocks of the system," the unnamed analyst added. In 2003 aviation specialists photographed two IL-76 Awacs prototypes, by then codenamed KJ-2000, on test flights over Nanjing. One was #762, the other was coded B-4040. Late last year the local aviation authorities - which in China are controlled by the military - bought sophisticated Monopulse secondary surveillance radars from Telephonics Corp, a New York-based subsidiary of the Griffon Corporation, which supplies the US Awacs fleet. The radars were due for delivery early in 2006. Their purpose was stated to be civil aviation, but critics in Congress say the Chinese buy such items for "dual use" in military systems. According to specifications published by the Federation of American Scientists, such radars can be closely integrated with an Awacs plane to enhance targets. There is now speculation among military and aviation attachés in the region that the ill-fated KJ-2000 may have been testing a hitherto unproven technical capability of precisely this nature when it crashed. That should provide more than enough questions for Vice-Chairman Guo and his bloodhounds from the military commission to get their teeth into. Copyright 2006 Times Newspapers Ltd.
From isn at c4i.org Mon Jun 12 04:23:15 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 12 Jun 2006 03:23:15 -0500 (CDT) Subject: [ISN] Microsoft to ease up on piracy check-ins Message-ID: http://news.com.com/Microsoft+to+ease+up+on+piracy+check-ins/2100-7348_3-6082334.html By Joris Evers Staff Writer, CNET News.com June 9, 2006 Microsoft is cutting the cord on its antipiracy tool. The software maker this month plans to update the Windows Genuine Advantage Notifications program so that it only checks in with Microsoft once every two weeks, instead of after each boot-up, a company representative said Friday. By year's end, the tool will stop pinging Microsoft altogether, the representative said. The changes come after a critic likened the antipiracy tool to spyware. He found that the program, designed to validate whether a copy of Windows has been legitimately acquired, checks in with Microsoft on a daily basis. Microsoft did not disclose in any of its documentation that the application would phone home. Microsoft earlier this week had vowed to better disclose the actions of WGA Notifications. Now the company says it will gradually let go of the program once it is installed on Windows PCs. "We are changing this feature to only check for a new settings file every 14 days," Microsoft said in a statement on its Web site. "Also, this feature will be disabled when WGA Notifications launches worldwide later this year." No meaningful data is exchanged during the check-in with Microsoft, the software maker said. Unlike the initial validation, which sends system information to Microsoft, the check-in operation is limited to the download of the new settings file, the company said. Microsoft launched WGA in September 2004 and has gradually expanded the antipiracy program. It now requires validation before Windows users can download additional Microsoft software, such as Windows Media Player and Windows Defender. Validation is not required for security fixes. 
Originally, people had to validate their Windows installation only when downloading additional Microsoft software. Since November last year, however, Microsoft has been pushing out the WGA Notifications tool along with security updates to people in a number of countries, including the U.S. The first time that users run WGA Validation to check if their Windows version is genuine, the information sent to Microsoft is the Windows XP product key, PC maker, operating system version, PC bios information and the user's local setting and language. Microsoft discloses in the WGA tool license that this information is being sent. Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Mon Jun 12 04:23:57 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 12 Jun 2006 03:23:57 -0500 (CDT) Subject: [ISN] Linux Security Week - June 12th 2006 Message-ID:

+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | June 12th, 2006 Volume 7, Number 24n | | | | Editorial Team: Dave Wreski dave at linuxsecurity.com | | Benjamin D. Thomas ben at linuxsecurity.com | +---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Building a heterogeneous home network for Linux and Mac OS X," "Fundamentals of Storage Media Sanitation," and "Password Cracking and Time-Memory Trade Off." --- Security on your mind? Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.
The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates. The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network. http://www.engardelinux.org/modules/index/register.cgi --- EnGarde Secure Linux v3.0.7 Now Available Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation. http://www.linuxsecurity.com/content/view/123016/65/ --- pgp Key Signing Observations: Overlooked Social and Technical Considerations By: Atom Smasher While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. http://www.linuxsecurity.com/content/view/121645/49/ --- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------+ | Security News: | <<-----[ Articles This Week ]---------- +---------------------+ * Cleaning up data breach costs 15x more than encryption 7th, June, 2006 Protecting customer records is a magnitude less expensive than paying for cleanup after a data breach or massive records loss, a research company said Tuesday. 
Gartner analyst Avivah Litan said in a research note that data protection is cheaper than a data breach. She recently testified on identity theft at a Senate hearing held after the Department of Veterans Affairs lost 26.5 million vet identities. http://www.linuxsecurity.com/content/view/123023 * A Comparison of SNMP v1, v2 and v3 5th, June, 2006 During its development history, the communities of researchers, developers, implementers and users of the DARPA/DoD TCP/IP protocol suite have experimented with a wide range of protocols in a variety of different networking environments. The Internet has grown, especially in the last few years, as a result of the widespread availability of software and hardware supporting this system. The scaling of the size and scope of the Internet and increased use of its technology in commercial applications has underscored for researchers, developers and vendors the need for a common network management framework within which TCP/IP products can be made to work. http://www.linuxsecurity.com/content/view/122997 * Disaster Practice 4th, June, 2006 When the British government wanted to test the resiliency of its financial institutions, it commissioned "an afternoon from hell". The buildup started on a Monday morning last November. First, there was a failure in the clearing systems used to transfer money between banks after routine systems maintenance. Then, terrorists staged a series of bomb attacks around Britain, causing hundreds of casualties in London and considerable damage to major financial centres. Around the same time, malicious hackers tried their best to break into the banks' systems. All in all, 'twas a bad day. The disaster recovery simulation was organized by the Tripartite Authorities, a group comprising the Financial Services Authority, the UK Treasury Department and the Bank of England.
http://www.linuxsecurity.com/content/view/122979 * May's Security Streams 5th, June, 2006 Here's May's summary of all the security streams during the month. This is perhaps among the few posts in which I can actually say something about the blog, the individual behind it, and its purpose, which is to - question, provoke, and inform on the big picture. After all, "I want to know God's thoughts... all the rest are details", one of my favorite Albert Einstein quotes. The way we often talk about a false feeling of security, we can easily talk about a false feeling of blogging, and false feeling of existence altogether. It is often assumed that the more you talk, the more you know, which is exactly the opposite, those that talk know nothing, those that don't, they do. There's nothing wrong with that of referring to yourself, as enriching yourself through past experience helps you preserve your own unique existence, and go further. Awakening the full potential within a living entity is a milestone, while self preservation may limit the very development of a spirit -- or too much techno thrillers recently? :) http://www.linuxsecurity.com/content/view/122995 * (IN)SECURE Magazine Issue 7 Has Been Released 9th, June, 2006 (IN)SECURE Magazine is a free digital security magazine in PDF format. In this issue you can read about SSH port forwarding, server monitoring with munin and monit, compliance vs. awareness, and much more. Get your copy today! http://www.linuxsecurity.com/content/view/123055 * Abandon E-mail! 5th, June, 2006 Back in 1972, by some accounts, a new form of communication known as e-mail was born. It was a practical implementation of electronic messaging that was first seen on local timeshare computers in the 1960s. I can only imagine how much fun and revolutionary it must have been to use e-mail in those early years, to have been at the bleeding edge of the curve.
Almost ten years later, in November 1981, Jonathan Postel published RFC 788 (later deprecated by RFC 821, also by Postel, and RFC 822 by David Crocker), thereby inventing the foundations of the Simple Mail Transport Protocol (SMTP) - a proposal that would revolutionize e-mail again. Since that time, e-mail has become as important an invention to the world as the telegraph and the telephone, and it has long been synonymous with the Internet itself. http://www.linuxsecurity.com/content/view/122992 * Building a heterogeneous home network for Linux and Mac OS X 8th, June, 2006 You can find plenty of information online about building heterogeneous networks involving Windows, but relatively little about connecting Macs with Linux PCs in a home or small office network. Mac OS X's Unix base, however, means there are plenty of good options for networking a Mac with a Linux PC, despite the relative lack of documentation. In this article, I'll discuss how to set up Mac-Linux printer and file sharing using NFS and SSH. http://www.linuxsecurity.com/content/view/123057 * Security Without Firewalls: Sensible Or Silly? 6th, June, 2006 For years, infosec experts have called the firewall a critical ingredient to security, whether it's in a large enterprise or on a home PC. But the San Diego Supercomputer Center (SDSC) has defied that logic with what some would consider surprising success. Abe Singer, computer security manager for the SDSC's Security Technologies Group, explained how companies can maintain strong firewall-free security at the 2006 USENIX Annual Technical Conference Thursday. He has also produced a presentation (.pdf) on the subject. http://www.linuxsecurity.com/content/view/122999 * Standards In Desktop Firewall Policies 7th, June, 2006 The idea of a common desktop firewall policy in any size organization is a very good thing. It makes responses to external or internal situations such as virus outbreaks or network-oriented propagation of viruses more predictable. 
In addition to providing a level of protection against port scanning, attacks or software vulnerabilities, it can provide the organization's local security team a baseline or starting point in dealing with such events. The purpose of this article is to discuss the need for a desktop firewall policy within an organization, determine how it should be formed, and provide an example of one along with the security benefits it provides an organization. http://www.linuxsecurity.com/content/view/123025 * Users hit by multi-browser threat 8th, June, 2006 Security vendors have warned of a flaw that affects an unusually broad cross-section of browsers -- Internet Explorer, Firefox and the Mozilla suite on Windows, Linux and Mac OS X -- and could be used to hoover up files from vulnerable systems. The problem is in the way the browsers implement scripting -- JavaScript in Firefox and Active Scripting in IE. Both browsers have a design error in which a script can cancel certain keystroke events when users are entering text. http://www.linuxsecurity.com/content/view/123042 * UTM - Preparing for New Generation of Security Threats 6th, June, 2006 Securing networks has rapidly taken center stage among most enterprises as the threat from increasingly sophisticated attacks becomes more complex and costly to manage. According to the research group IDC, enterprises worldwide spent an estimated $32.6Bn in 2005 on network security but are still faced with an ever-changing landscape of new security threats. Traditional network defense solutions such as firewalls and intrusion prevention devices must be supplemented by secure content management devices in order to block the full range of sophisticated attacks including viruses, spyware, spam and phishing. http://www.linuxsecurity.com/content/view/122998 * Social Engineering, The USB Way 7th, June, 2006 We recently got hired by a credit union to assess the security of its network.
The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees. The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network. http://www.linuxsecurity.com/content/view/123031 * Researchers eye machines to analyze malware 8th, June, 2006 The reverse engineer--better known amongst security researchers by his nom de plume, Halvar Flake-- created an automated system for classifying software into groups, a process he believes for which machines are much better suited. Research using the system has underscored the sometimes-arbitrary decisions humans make in classifying malicious programs, he said. http://www.linuxsecurity.com/content/view/123050 * The top five ways to prevent IP spoofing 9th, June, 2006 The term "spoofing" is generally regarded as slang, but refers to the act of fooling -- that is, presenting a false truth in a credible way. There are several different types of spoofing that occur, but most relevant to networking is the IP spoof. Most types of spoofing have a common theme: a nefarious user transmits packets with an IP address, indicating that the packets are originating from another trusted machine. http://www.linuxsecurity.com/content/view/123066 * How To Analyze HijackThis Logs 5th, June, 2006 HijackThis is a free tool developed by Merijn Bellekom, a student in The Netherlands.
Spyware removal software such as Adaware or Spybot S&D do a good job of detecting and removing most spyware programs, but some spyware and browser hijackers are too insidious for even these great anti-spyware utilities. HijackThis is written specifically to detect and remove browser hijacks, or software that takes over your web browser, alters your default home page and search engine and other malicious things. http://www.linuxsecurity.com/content/view/122989 * How-To: Back-up your blog (Linux) 7th, June, 2006 Bad things happen. If you've ever worried that the over caffeinated tech might spill his latte down your web server, then today's How-To will help you out. Forgetting to back up your blog (or your website) is something that isn't a big deal until you need it -- like backing up anything, really. But your blog's files and databases aren't really so simply accessible as the files on your PC, so today we're showing you how to automatically back up your blog (or website) with some freely available tools that will use a minimum amount of your precious bandwidth. http://www.linuxsecurity.com/content/view/123019 * EnGarde Secure Community 3.0.7 6th, June, 2006 Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation. http://www.linuxsecurity.com/content/view/123016 * Symantec to Port Veritas Storage Software to IBM Linux Platform 8th, June, 2006 Software security and storage specialist Symantec June 7 announced an agreement with IBM to port its Veritas Cluster Server, Veritas Storage Foundation family and NetBackup recovery technology to IBM's Linux on POWER platform, opening a new door to the open-source enterprise storage market.
http://www.linuxsecurity.com/content/view/123056 * Announcement: RSBAC 1.2.7 9th, June, 2006 The RSBAC team is happy to announce that RSBAC 1.2.7 has just been released for both kernels 2.4.32 and 2.6.16. http://www.linuxsecurity.com/content/view/123060 * Non-standard Incident Prediction 5th, June, 2006 We are all familiar with the use of firewall logs, intrusion detection alerts, antivirus warnings, and watching for "funny" entries in our system logs as ways to indicate that somebody on the Internet is up to no good. But those traditional detection systems don't do any good against attacks that are not oriented on one of the traditional seven layers of the OSI model. http://www.linuxsecurity.com/content/view/122988 * The Enterprise Gets Googled 5th, June, 2006 On February 14, 2006, many Google e-mail users received an unexpected Valentine's Day present. When they logged in to their accounts, there it was: instant messaging, fully integrated with their e-mail system. Gmail users could now chat in the same browser window as their inbox. Just as with e-mail, the system would save a transcript of every chat and, better yet, the text of archived transcripts would be searchable. There was nothing to download, nothing to install. http://www.linuxsecurity.com/content/view/122990 * Spyware infections spreading, security expert says 5th, June, 2006 Spyware programs are increasing in number and growing in sophistication to avoid detection, making it harder to guard against infections and more costly to repair their damage, according to a security expert whose company tracks them on a regular basis. http://www.linuxsecurity.com/content/view/122993 * Open source consortium addresses security 5th, June, 2006 The Open Web Application Security Project (OWASP) has announced the availability of a process guide that it hopes will help a broad range of developers incorporate security into the software application development lifecycle (SDLC). 
http://www.linuxsecurity.com/content/view/122994 * Fundamentals of Storage Media Sanitation 6th, June, 2006 One of the most fundamental principles of information security is that it's all about the data. Data in transit or at rest is the primary focus of administrative, physical, and technical safeguards. Security professionals are doing better every day when it comes to protecting information in static production environments. But what happens when magnetic, optical, or semiconductor media is repurposed or retired? In this paper, I define media sanitation and how it fits into an overall security program. Next, I examine how attackers can extract information from electronic media even after it's been overwritten. Finally, I explore ways you can protect your organization from attacks both casual and highly motivated. http://www.linuxsecurity.com/content/view/123003 * How to win friends and influence people with IT security certifications 7th, June, 2006 The public and private sectors put IT Security on top of their agenda these days, and, as a result, the IT and Information Security job market is growing. At some point though, the market will saturate as businesses seek to curb their investments, security services become more standardized and IT as a whole moves to a more service-oriented business model. Is your career strategy ready? http://www.linuxsecurity.com/content/view/123009 * A Continuing Work in Progress: The State of Linux 2006 7th, June, 2006 To label Linux a purely enthusiast or hobbyist operating system is overly facile; such a stance also categorically denies that Linux has any real industry presence. On the contrary, prominent top-tier manufacturers such as Dell, IBM, Sun Microsystems, and Hewlett-Packard all openly support Linux in select product lines, and many lower-tier manufacturers have adopted this platform to establish cost-effective price points in various highly competitive marketplaces.
Government support for Linux also comes in a variety of forms. Most notably, this includes the NSA-sponsored Security Enhanced Linux (SELinux) policy extensions adopted into the mainstream by Red Hat starting with Fedora Core 2 (the current version is Fedora Core 5). SELinux extends basic security functionality to the Linux platform, and makes it easier to create a hardened installation. These are only a few examples of where Linux is actively developed by high-visibility organizations, all of which take this platform very seriously. http://www.linuxsecurity.com/content/view/123020 * JavaScript security threat to Internet Explorer and Firefox 7th, June, 2006 A JavaScript security bug has been discovered in both the Internet Explorer and Firefox browsers. The threat covers the Windows, Linux, and Mac operating systems, say internet security software companies. http://www.linuxsecurity.com/content/view/123022 * Cybercrime Spurs College Courses In Digital Forensics 7th, June, 2006 One of the hottest new courses on U.S. college campuses is a direct result of cybercrime. Classes in digital forensics - the collection, examination and presentation of digitally stored evidence in criminal and civil investigations - are cropping up as fast as the hackers and viruses that spawn them. About 100 colleges and universities offer undergraduate and graduate courses in digital forensics, with a few offering majors. There are programs at Purdue University, Johns Hopkins University, the University of Tulsa, Carnegie Mellon University and the University of Central Florida. Five years ago, there were only a handful. http://www.linuxsecurity.com/content/view/123026 * Cyber extortion, A very real threat 7th, June, 2006 Criminal gangs are increasingly using the internet as a tool to extort money from businesses. 
Thousands of distributed denial of service attacks (DDoS) are occurring globally every day and it is vital that senior management wakes up to the very real risk of such an assault. http://www.linuxsecurity.com/content/view/123028 * Password Cracking and Time-Memory Trade Off 8th, June, 2006 Every time I go on line, I usually am up to no good. My intentions are often never hostile, but I do take part in the shady business of password cracking. Meaning I actively use unorthodox methodology, that I know for a fact the FBI frowns down upon, to obtain hashes. Once obtained I usually spend a few hours cracking these hashes via good old fashion bruteforcing. Now, bruteforcing is the most reliable method of password cracking in existence today. http://www.linuxsecurity.com/content/view/123041 * The top 9 ways to secure mobile devices 8th, June, 2006 In the past six months a disturbing trend has emerged involving the theft of laptops containing sensitive personal information -- most recently from the home of a U.S. Department of Veterans Affairs data analyst. http://www.linuxsecurity.com/content/view/123048 * Digital forensics hits U.S. college campuses 9th, June, 2006 About 100 colleges and universities offer undergraduate and graduate courses in digital forensics, with a few offering majors. There are programs at Purdue University, Johns Hopkins University, the University of Tulsa, Carnegie Mellon University and the University of Central Florida. Five years ago, there were only a handful. http://www.linuxsecurity.com/content/view/123062 * British Library to secure its digital treasures 9th, June, 2006 The British Library is adopting a new data security system that will enable it to safely store web publishing content. The library has selected nCipher to protect the integrity of its National Digital Library. 
This library will contain everything from digitised versions of centuries-old manuscripts to digital journals and web archives, and is expected to amass up to 300 terabytes of content over the next five years.
http://www.linuxsecurity.com/content/view/123063

* Browsers, Phishing, and User Interface Design
6th, June, 2006
Occasionally a criminal is so, well, clever that you have to admire him even as you wish that he spends the rest of his life in jail. Take Arnold Rothstein, for instance. One of the kingpins of organized crime in New York City during Prohibition and before, the "Great Brain," as he was termed, was more than likely behind the infamous Black Sox scandal, in which the 1919 World Series was fixed in favor of the Cincinnati Reds.
http://www.linuxsecurity.com/content/view/123005

* Personal Displays Keep Data Private
7th, June, 2006
The dueling needs for privacy and data sharing played out here at the annual SID (Society of Information Display) International Symposium. Vendors showed new technologies that can keep neighbors on a flight from getting a glimpse of the corporate secrets on a laptop screen and new ways to share video on an iPod or handheld.
http://www.linuxsecurity.com/content/view/123024

* When data walks
7th, June, 2006
The recent theft of data on 26.5 million veterans sends agencies a chilling message: Lock down your own data security and privacy policies immediately or you might wind up with confidential data walking out your own door. The Veterans Affairs Department probably is not the only agency whose security and privacy policies have gaping holes, government and industry experts agree.
http://www.linuxsecurity.com/content/view/123027

* IRS missing laptop with employee data
7th, June, 2006
The IRS said that one of its laptops containing data about 291 IRS employees and job applicants went missing in early May when it was lost in transit to an agency event. The information contained on the laptop included fingerprints, names, dates of birth and Social Security numbers for the 291 individuals.
http://www.linuxsecurity.com/content/view/123021

* Ervin: DHS Fails Security Mission
8th, June, 2006
Clark Ervin was strolling down a Manhattan street in April 2005 when the red light on his BlackBerry indicated he had a message. The former inspector general of the Homeland Security Department looked at the device and saw that the Associated Press had reported the results of the latest IG investigation on airport security. Those results showed no improvement in screeners' abilities to detect deadly weapons, compared with the results of similar investigations done in 2001 and 2003. "It was far easier than it should have been even after the [Sept. 11, 2001] attacks for government investigators to sneak these weapons through," said Ervin, who served as the department's first IG for about two years. He recounted the story in his keynote speech today at the 26th Annual Management of Change Conference sponsored by the American Council for Technology and by the Industry Advisory Council, to illustrate an important point.
http://www.linuxsecurity.com/content/view/123051

* House rejects Net neutrality rules
9th, June, 2006
The U.S. House of Representatives definitively rejected the concept of Net neutrality on Thursday, dealing a bitter blow to Internet companies like Amazon.com, eBay and Google that had engaged in a last-minute lobbying campaign to support it.
http://www.linuxsecurity.com/content/view/123067

* Police will not pursue ransom hackers
4th, June, 2006
After a Manchester woman was held to ransom by hackers, experts and senior police officers have voiced concern that such cases are falling between the cracks. Greater Manchester Police (GMP) will not be pursuing the criminals who used a Trojan horse program to lock a Manchester woman's files and demanded a ransom to release them.
http://www.linuxsecurity.com/content/view/122983

* A degree in hacking
6th, June, 2006
The University of Advancing Technology (UAT) in Phoenix, Ariz., is marketing its new Network Security program as a way to get a degree in hacking. The school is drawing the interest of geeks who use Windows, Linux, and Macintosh, according to UAT's IT manager Raymond Todd Blackwood, and even a few who want to go to the dark side of network security. Hackerdegree.com's Web page looks like a non-Windows desktop with a few terminals open, inviting the curious to learn more about fighting "cybercrime," "cybertheft," and even "cyberterrorism."
http://www.linuxsecurity.com/content/view/123004

* Forget your password? Be google!
8th, June, 2006
For more and more websites you need to register or pay to have full access. The odd thing is that Google has the complete and full index of the website. So what's going on here? Why must regular users pay or register to have access when the google search engine bot has full access? The reason is simple; every site wants to use the benefits of the wonderful world of Google, for webmasters free advertising is always welcome. But there is a simple way to be the Google (search)Bot. In this little article I will try to explain it.
http://www.linuxsecurity.com/content/view/123040

* Man charged with selling hacked VOIP services
8th, June, 2006
A Miami man was charged Wednesday with stealing more than 10 million minutes of VOIP (Voice over Internet Protocol) telephone service and then selling them to unsuspecting customers for as little as US$0.004 per minute.
http://www.linuxsecurity.com/content/view/123052

* PC hidden in 'BlueBag' exposes Bluetooth flaws
8th, June, 2006
If you happened to fly through Milan's Malpensa Airport last March, your mobile phone may have been scanned by the BlueBag. Billed as a research lab on wheels, BlueBag was created by Milan's Secure Network SRL to study how malicious software might be able to spread among devices that use the Bluetooth wireless standard.
http://www.linuxsecurity.com/content/view/123053

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jun 12 04:27:37 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:27:37 -0500 (CDT)
Subject: [ISN] Researchers eye machines to tackle malware
Message-ID:

http://www.theregister.co.uk/2006/06/10/machines_analyse_malware/

By Robert Lemos
SecurityFocus
10th June 2006

The reverse engineer - better known amongst security researchers by his nom de plume, Halvar Flake - created an automated system for classifying software into groups, a process for which he believes machines are much better suited. Research using the system has underscored the sometimes-arbitrary decisions humans make in classifying malicious programs, he said. Among other anomalies, he found that Sasser.D has only a 69 per cent correlation to previous members of the Sasser family, while two examples of bot software, Gobot and Ghostbot, are more similar.

"It's like putting donkeys and bunnies in the same class because they both have long ears," Dullien, the founder and CEO of reverse-engineering tool maker Sabre Security, said in a recent interview.

The current problems with classifying and naming viruses are among the reasons that automated classification technology has once again become a focus of research.
The plethora of names for specific malicious programs has caused confusion amongst consumers, despite a project that seeks to provide guidance, if not to consumers, to software analysts and incident responders. In January, when a new computer virus appeared on the internet, anti-virus companies rushed to issue alerts and inundated consumers with a confusing array of names: Blackmal, Nyxem, MyWife, KamaSutra, Blackworm, Tearec and Worm_Grew all describe the same mass-mailing computer virus.

Several research projects hope to improve upon that record. Last month, at the annual conference of the European Institute for Computer Anti-Virus Research (EICAR), Microsoft released early results of its development of a system to automate classification of malicious software based on the actions performed by the code at runtime.

"A significant challenge we have today is the large number of active malware samples, totaling on the order of tens of thousands, and increasing rapidly," Microsoft researcher Tony Lee said in a recent blog posting following the conference. "It has become apparent to us that the traditional manual analysis process is not adequate in dealing with malware of this order of magnitude, and that we should seek automation technologies to aid human analysts."

The researchers modeled a piece of malicious software as the series of actions that the software takes at the operating system level. Referred to as "events" in a paper written by Lee and anti-malware program team manager Jigar Mody, the actions can include data copying, changing registry keys and opening network connections. The researchers then trained a recognition engine using an adaptive clustering algorithm - similar to self-organising maps - and classified a previously unseen subset of malware using the trained system. Using more clusters typically resulted in better classification.
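The behavioural approach described above, reduced to its essentials as an added example: this is not the Microsoft system or code from the Lee and Mody paper. Each sample is represented by the sequence of operating-system events it produced while running, that sequence becomes an event-frequency vector, one centroid is learned per family, and an unseen sample is assigned to the nearest centroid by cosine similarity (nearest-centroid stands in for the paper's adaptive clustering). The event vocabulary, the traces, the family labels and the `limit` parameter are all constructed for this example; `limit` mimics a bounded observation window, the paper's "event limit", and shows what a trace that stops before the sample's main behaviour does to the verdict.

```python
"""Behavioural malware classification sketch (added example).

Models each sample as the sequence of OS-level events it produced at
runtime, turns that into an event-frequency vector, learns one centroid
per family, and assigns unseen samples to the nearest centroid. Nearest
centroid stands in for the adaptive clustering in the paper; all event
names, traces and family labels are constructed for this example.
"""
import math
from collections import Counter

# Constructed vocabulary of runtime events (file copies, registry
# changes and network activity, the kinds of action the article names).
EVENTS = ["file_copy", "reg_set_run_key", "net_connect",
          "net_listen", "smtp_send", "process_inject"]

# Constructed training traces: each is the ordered list of events seen
# while the sample ran. Labels are hypothetical family names.
TRACES = {
    "mailer_a": ["file_copy", "reg_set_run_key"] + ["smtp_send"] * 12 + ["net_connect"] * 3,
    "mailer_b": ["file_copy", "reg_set_run_key"] + ["smtp_send"] * 9 + ["net_connect"] * 2,
    "bot_a": ["file_copy", "reg_set_run_key", "process_inject"] + ["net_connect"] * 10 + ["net_listen"],
    "bot_b": ["reg_set_run_key", "process_inject"] + ["net_connect"] * 8 + ["net_listen"] * 2,
}
LABELS = {"mailer_a": "mass-mailer", "mailer_b": "mass-mailer",
          "bot_a": "bot", "bot_b": "bot"}

# Constructed, previously unseen samples to classify.
NEW_TRACES = {
    "mailer_new": ["file_copy", "reg_set_run_key"] + ["smtp_send"] * 10 + ["net_connect"] * 2,
    "bot_new": ["file_copy", "process_inject"] + ["net_connect"] * 9 + ["net_listen"] * 2,
}


def event_vector(trace, limit=None):
    """Normalised event-frequency vector over EVENTS.

    `limit` keeps only the first N events, mirroring a bounded runtime
    observation window (the paper's 100/500/1,000-event limits).
    """
    if limit is not None:
        trace = trace[:limit]
    counts = Counter(trace)
    total = sum(counts.values()) or 1
    return [counts[e] / total for e in EVENTS]


def cosine(u, v):
    """Cosine similarity; 0.0 when either vector is all zeros."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def centroid(vectors):
    """Component-wise mean of a list of equal-length vectors."""
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def train(traces, labels):
    """One centroid per family from the labelled training traces."""
    by_family = {}
    for name, trace in traces.items():
        by_family.setdefault(labels[name], []).append(event_vector(trace))
    return {fam: centroid(vecs) for fam, vecs in by_family.items()}


def classify(model, trace, limit=None):
    """Return (nearest family, similarity score) for an unseen trace."""
    vec = event_vector(trace, limit)
    return max(((fam, cosine(vec, c)) for fam, c in model.items()),
               key=lambda pair: pair[1])


def verdict(model, trace, limit=None, threshold=0.5):
    """Family name when the best match is convincing, else 'inconclusive'.

    A trace cut short before the sample's main behaviour (a deferred
    payload, or a window that closed too early) matches every centroid
    poorly; the threshold turns that into an explicit 'inconclusive'
    rather than a confident but wrong family.
    """
    fam, score = classify(model, trace, limit)
    return fam if score >= threshold else "inconclusive"


MODEL = train(TRACES, LABELS)

if __name__ == "__main__":
    for name, trace in NEW_TRACES.items():
        fam, score = classify(MODEL, trace)
        print(f"{name}: {fam} (similarity {score:.3f})")
    # Only the first two events observed: install-time actions shared by
    # both families, so the classifier should refuse to commit.
    print("mailer_new, 2-event window:",
          verdict(MODEL, NEW_TRACES["mailer_new"], limit=2))
```

With full traces both unseen samples land in the intended family with similarity above 0.95. With a two-event window the mailer shows only the install-time actions both families share, its best similarity drops near 0.1, and `verdict` returns `inconclusive`; a classifier that instead reported the nearest family would mislabel a sample that simply had not done anything characteristic yet. The threshold and the event-limit knob are the two places a defender tunes this trade-off.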
When the software samples were classified based on 100 events, accuracy fell below 80 per cent, while classification based on 500 and 1,000 events typically has accuracy rates above 90 per cent.

Reverse engineer Dullien takes a different approach. Working with other researchers at Sabre Security, he used automated tools to deconstruct the actual code of virus and bot software, removing any common libraries that the code might use and then comparing the relationships between functions to characterise the software. Using a database of 200 samples of bot software, a test case for the automated process resulted in two major families of code, three smaller groups, and several pairs and singletons. The system also identified variants of bot software not recognised by a signature-based anti-virus system.

Dullien believes that static analysis is a better approach to malware classification than Microsoft's runtime analysis. Actions that a malicious program does not perform right away - known as time-delayed triggers - can foil runtime analysis, he said. And virus and attack-tool writers could add a few lines of code to a program to confuse runtime analysis, he added.

"The approach presented in the paper can be trivially foiled with very minor high-level-language modifications in the source of the program," he stated in a blog entry analysing Microsoft's system.

Microsoft declined to make its researchers available for interviews. However, in the paper, the authors argued that a combination of both static analysis and runtime analysis would likely perform best. For example, static analysis appears to deliver results more quickly; Microsoft's behavioral classification requires three hours to cluster 400 files at the 1,000 event limit, according to the paper.

In some ways, software classification resembles the state of biological classification back in the time of Carl Linnaeus.
The 18th century botanist pushed the scientific community of his day into accepting a hierarchical classification system for plants and animals. However, early classifications relied on external similarities, much in the way that many of today's classifications rely on external attributes of programs rather than their internal processes.

At least one other project hopes to help human analysts do a better job of classification. OffensiveComputing.net, a project founded by researchers Val Smith and Danny Quist, aims to create a database of malware that records a number of basic attributes of the code, including checksums, anti-virus scanner results, and what type of packer the malware uses to compress itself.

The project started in response to the increase in code sharing amongst virus and attack-tool writers and the faster development of exploits and the faster incorporation of those exploits into existing malicious software, OffensiveComputing's Smith said. "The biggest benefit is more rapid response to complex threats. As the synergy between viruses, Trojans, worms, rootkits and exploits grows, waiting for a solution becomes more dangerous."

OffensiveComputing's database gives incident response workers and analysts access to meaningful data about malicious software, which is especially necessary until automated analysis programs, such as Microsoft's and Dullien's classification systems, mature. The project strives to be adaptable, involve the community, have measurable results, and remain open, Smith said. "There is an arms race going on between analysts and malware authors, so any solution will have to keep pace with advances on both sides."

This article originally appeared in Security Focus. Copyright © 2006, SecurityFocus

From isn at c4i.org Tue Jun 13 08:07:07 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:07:07 -0500 (CDT)
Subject: [ISN] OU has been getting an earful about huge data theft
Message-ID:

http://www.athensnews.com/issue/article.php3?story_id=25220

By Jim Phillips
Athens NEWS Senior Writer
2006-06-12

Ohio University has spent more than $77,000 sending letters to alumni and students affected by a computer security breach. It's harder to put a price tag on the blow to alumni goodwill, as the number of people affected by hacking of OU computer databases continues to rise with the discovery of new hacking incidents.

"This is damaging OU's reputation far more than its drunk football coach, magazine pictorials or its #2 party-school ranking, and you can tell (OU President Roderick) McDavis that this really sucks. A lot!" wrote one incensed alum May 10.

Another signed off his May 3 e-mail with, "You incompetent f---ing a--holes. I will never donate a penny to you."

After announcing two computer security breaches in May, OU got hundreds of e-mails from alums regarding the issue. The Athens NEWS has examined more than 600 of them, provided by the university in response to a records request. The great majority were simply requests for information, trying to learn whether the sender's personal data were accessed by the hackers, and to get more detailed guidance on what to do if they were.

A number of writers, however, expressed anger, frustration and in some cases, a distinct reluctance to donate any more money to OU.

"It was my intention to leave a sizable endowment to OU, but not any longer," announced one.

"My husband has graciously given to the university's alumni association many times; we will now think twice before we do it again," warned another.

Other comments along these lines include:

"I am disgusted with you and will NEVER do anything to help you financially."
"I will definitely be reflecting on this incident the next time I receive an appeal for a donation to OU."

"I have donated to the university for many years, but this shortcoming, and other matters having to do with the university, make me hesitant to make further contributions."

Some alums questioned why OU keeps Social Security numbers on long-gone graduates, including those who haven't been donors. Some asked to have their data removed from OU computers - a request the university promptly grants. Dozens wanted to know if OU will cover the expenses they rack up in taking precautions against identity theft, or financial losses if they're the victim of such thefts. A handful talked about lawsuits, and one alum simply sent OU a bill.

Molly Tampke, interim vice president for university advancement, admitted last week that she can't gauge how the alumni perception of the computer data breaches will affect giving to OU. Tampke acknowledged that the incidents seem to have undermined alumni confidence in some cases, but she continued to hold out hope that alums will look past the problems when it comes time to open their checkbooks.

"It does concern me that alumni would feel like they couldn't trust us," Tampke said. "In terms of long-term effects for financial support, I don't think we know. But I think ultimately people believe in us, and want to support Ohio University... I don't want to look cavalier by any means, but I believe in the loyalty of our alums."

THE PICTURE JUST GOT darker, however. While investigating the previous cases in which hackers gained access to personal data - including Social Security numbers - on close to 200,000 students and alums, OU recently found two more such incidents. These affect the personal data of about 2,480 university subcontractors and an additional 4,900 current and former students.

According to a story in the Columbus Dispatch Saturday, the latest hackings put OU at the top of universities nationally for the amount of computer data stolen, well ahead of the next school on the list, the University of Southern California.

More than one alum correspondent has questioned the competency of those watching over OU's data cache, and one question in particular keeps coming up in the e-mails sent by alums: Why did you have my Social Security number on file, anyway?

"I'm trying to fathom a situation in which a serious breach of Social Security numbers could occur and not be discovered for 13 months," wrote one alum who works in fraud and compliance for Microsoft. "How could this possibly happen without utter rank incompetence and a carefree attitude toward data security?... I hope your IT staff was fired."

Another writer noted that "the trend across the country is to de-link Social Security numbers from other important identifying information" in computer databases.

Tampke said the reason for holding the numbers is "primarily to track lost alumni." When an alum moves and doesn't leave a forwarding address, she said, OU will give the person's Social Security number to a tracking service, to find the new residence.

Given the risk of data theft, is this convenience worth it?

"That's a good question," Tampke said, adding that the issue is "something that we want to sit down and have a very structured conversation about," once the university has the fallout from the hacking cases under control.

A recent internal memo on OU's damage-control efforts estimates that the university has spent approximately $77,090 on printing and mailing almost 244,000 letters to alums and donors affected by the security breaches. OU has sent out close to 126,000 e-mails in connection with the incidents as well, the memo shows. Tampke said these numbers should be pretty much up to date, and that the volume of correspondence over the case has ebbed considerably.

"It's tapered off a lot," she said. "We're not getting nearly so many e-mails. I got maybe three letters this week."

Some of the e-mails received by OU, however, suggest that the story is far from over. Dozens of writers have hinted - or come right out and said - that OU should pick up the tab for any credit-monitoring services affected alums have to pay for, or any losses they suffer through identity theft. A smaller number have implied, with varying degrees of specificity, that they may take the matter to court.

"If there is any financial damage or compromise to my other accounts stemming from this breach of security, I will hold Ohio University at fault and seek legal counsel to recover any and all loss, with punitive damages," one alum threatened. "I will further network with my other alumni to seek a class-action suit for the same."

OU has responded to questions about money liability with a standard statement, which says that before OU would cover any losses related to identity theft, it "would need some sort of definitive evidence that an individual had experienced financial liability not otherwise remedied by the laws that protect victims of identity theft and that such harm had occurred as a direct result of this particular database system compromise rather than a similar compromise of some other organization's system in which the individual might also have a record."

Some alums have called this a dodge.

"As far as proving that identity theft was a direct result of your system 'compromise,' you know as well as anyone that you cannot prove that it was the only place that information could have been received," one writer complained.

Barb Nalazek, OU's assistant legal affairs director, said that while it may seem unfair to require an alum to prove that an identity theft stemmed from OU's computer breach and not some other hacking incident, in today's world of widespread data theft, this is only realistic.

"We're seeing breaches all the time," she said. "I don't want to sound like I'm making excuses, but you really have to say, 'Do you really know that no other company that has all that information on you didn't breach that?'... It sounds like an excuse, but it's true."

On the expense issue, Nalazek noted that there are a few companies that will provide one free 90-day credit watch per year. By using all of these companies, she said, a person can keep an ongoing watch on his or her credit record, "and it doesn't cost anything... For what is an appropriate sort of due diligence, it really is something we all should be doing, and there doesn't have to be any financial cost."

As for losses incurred through identity theft, Nalazek pointed out that the law already limits a person's individual financial liability in the case of, say, misuse of a credit card. "As long as you're monitoring your credit-card statements, your liability is extremely limited," she said.

No one, apparently, has yet sued OU over the security breach, but the e-mails contain a handful of veiled threats, not-so-veiled threats, and queries on this issue.

"Is there already a class-action lawsuit against Ohio University at this time?" asked one alum.

"Like many of my classmates, I'm also investigating Ohio University's potential criminal and civil liability," noted another.

"If there is a lawsuit, believe me I will happily join it," announced a third.

Nalazek confirmed that the idea of a class-action suit has apparently crossed the mind of more than one OU alum, but said she knows of no organized effort to file one. "It's certainly not that we haven't heard those two words bandied about by people contacting us," she acknowledged. "But as far as that happening, there's nothing that we know of."

One resourceful alum dispensed with hints, threats and allegations, and simply billed OU for the time she spent checking her credit status.
Calling the university "fully liable" for her outlay of time, she e-mailed an invoice for three hours of work at her "usual billing rate" of $165 an hour. In its latest response, OU Legal Affairs Director John Burns has contacted the firm the woman works for, asking for confirmation of her hourly rate.

"(The alum's) hourly compensation claim is unique so far, and I am not sure what Ohio University's decision will be," Burns states in a June 1 e-mail.

Not everyone who expressed an e-mail opinion about the data breach was outraged. Some were understanding, a few sympathetic. One was nearly whimsical.

"Please stop giving my information to identity thieves," the alum asked politely. "Thank you for your consideration." In a postscript he added, "I would give you the rest of my contact information, but I am afraid it would be stolen."

From isn at c4i.org Tue Jun 13 08:07:31 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:07:31 -0500 (CDT)
Subject: [ISN] Data breaches raise more questions about computer security law
Message-ID:

http://www.govexec.com/dailyfed/0606/06126p1.htm

By Daniel Pulliam
dpulliam at govexec.com
June 12, 2006

Recently reported breaches compromising sensitive data held by four agencies have officials looking at ways to improve federal information security laws.

Security experts and former government officials started pointing fingers at alleged weaknesses in the 2002 Federal Information Security Act earlier this year. In recent interviews, some said they believe that the incidents could lead to changes in the law.

Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, called the compromise of personnel records of 1,500 Energy Department employees revealed last week, combined with last month's theft of personal data on 26.5 million people from a Veterans Affairs Department employee's home, "an indictment of FISMA."
In two unrelated incidents, laptop computers containing the personal information -- including Social Security numbers, birthdates and names -- of about 200 employees at the Social Security Administration and the Internal Revenue Service were lost recently.

FISMA requires agencies to identify and categorize risks to their information technology systems and then implement security controls based on those risks. Paller said agencies are using their technology security funds to pay independent contractors to write FISMA-required reports as part of the certification and accreditation process, leaving little money for implementing actual security measures. A certification and accreditation process is necessary, but it should be continuous and automated, Paller said.

"There was a thought that to check security, you had to check with people and talk to people, but because most attacks are done by systems, you need systems to check the security," Paller said. "The VA spent tens of millions of dollars certifying and accrediting these systems, and they are not secure."

A VA spokesman said that the agency received $77 million for information security in fiscal 2006 and $78 million has been proposed for fiscal 2007.

Paller and Bruce Brody, vice president for information security at the Reston, Va-based market research firm INPUT and associate deputy assistant secretary for cyber and information security at the VA from 2001 to 2004, have been critical of FISMA in the past, and both met with staffers from the House Government Reform Committee recently to discuss possible changes to the law.

Brody, who also served as chief information security officer at the Energy Department until December 2005, said that the Energy security breach occurred during his tenure at the agency, but within the National Nuclear Security Administration, which is autonomous from the department under the National Nuclear Security Act.
Paller said he believes that effective reform is possible, but Brody said the policy and legislative communities are unlikely to get the changes right unless information security practitioners are involved.

Clay Johnson, the Office of Management and Budget's deputy director for management, said last week OMB has 95 percent of the laws and policies it needs to hold agencies accountable for locking down their information systems, but "extra teeth" may be needed. He did not specifically refer to FISMA.

Johnson said in testimony before the House Government Reform Committee that the administration believes it generally has good policies and laws for protecting data, but is "prepared to take more action as necessary."

In a request for comment on the matter, OMB gave no indication that changes to FISMA are being considered. OMB spokeswoman Andrea Wuebker said that FISMA was established to ensure that agencies meet consistent standards for security requirements for information systems. Agencies are responsible for ensuring that they are FISMA compliant and that their employees are trained to work with tough security measures, Wuebker said.

"Sound standards and policies are in place, and OMB works with agencies to make sure practices match these policies," Wuebker said.

©2006 by National Journal Group Inc. All rights reserved.

From isn at c4i.org Tue Jun 13 08:06:32 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:06:32 -0500 (CDT)
Subject: [ISN] Lights out
Message-ID:

http://www.fcw.com/article94825-06-12-06-Print

By Brian Robinson
June 12, 2006

Most federal agencies and an increasing number of state and local offices have made significant investments in communications services that run over government-owned or commercial fiber-optic networks. Fiber can carry much more data than traditional copper lines and at lower costs.
Besides government operations, a growing part of the country's economy depends on the Internet and its fiber-based backbone - everything from online shopping and entertainment to banking and health care. But given its vital importance as a communications medium and general concerns about terrorist threats to the country's economic and critical infrastructure, just how secure are the country's fiber networks?

Experts say fiber, like any network technology, is indeed vulnerable to a determined eavesdropper with the know-how and right equipment. That means agencies should safeguard sensitive data.

From a broader, more systemic perspective, however, the country's fiber-optic infrastructure is more redundant and thus more resilient than it was a few years ago, reducing the chances that an attacker could cripple large segments of it, experts say. But localized problems stemming from physical damage to the infrastructure - intentional or not - still have the potential to affect its availability.

Not a priority

For an increasingly technology-dependent country, the security of fiber-optic networks is apparently low on the list of concerns for those whose job it is to worry about such threats.

For example, in its recently published "Federal Plan for Cyber Security and Information Assurance," the National Science and Technology Council identified the Internet's Domain Name System, network routing protocols and a host of other process control systems most in need of security research and development. The report did not address fiber networks and other infrastructure issues.

Meanwhile, the U.S. Cyber Consequences Unit (US-CCU), an independent research group that advises the Homeland Security Department, did not include the fiber infrastructure in a recent draft of a cybersecurity issues checklist it gave to DHS. That checklist identified measures at the enterprise or organizational level, said Scott Borg, director of the US-CCU.
The unit will probably investigate fiber infrastructure security issues later, he said.

With technology budgets tighter than ever, organizations may decide that fiber security is just not that pressing compared with other cybersecurity issues, said Bernard Skoch, executive vice president of Suss Consulting and a former principal director for network services at the Defense Information Systems Agency.

"People in government are in a classic fight over funding and have to prioritize their needs," Skoch said. "In some ways, it takes a greater level of sophistication to say why something is not needed, and right now, I think there are a lot of people who have concluded that the fiber infrastructure mesh is well-enough protected."

Hacking fiber

Some experts say the notion that fiber networks are sufficiently secure may not be a well-informed conclusion. Tapping fiber without detection is difficult but certainly not impossible, they say.

One of the classic assumptions about such networks is that they are inherently more secure than copper cable. A signal traveling over copper tends to leak outside the cable, so anyone with a sensitive scanner could pick up those signals and access the data. Because fiber uses various wavelengths of light rather than electrons to carry data, it does not routinely suffer from similar leakage.

Stealing data in transit - between the two ends of the fiber - means someone has to physically break a fiber strand to tap it or somehow bend the fiber enough to induce light to exit the fiber. That is not an easy task, some experts say.

Physically tapping into fiber means you will interrupt the data stream, which will alert a network operator, said Frank Dzubeck, president of Communications Network Architects, a network integrator.

"To detect the light passively, you have to first strip away all of the shielding around the fiber and then put something in place to catch the light bouncing off the glass of the fiber strand," he said.
"And then you have to determine what the data is that you are capturing. This is all involved specialty equipment. It's not something you can purchase on the open market." But Seth Page, chief executive officer of New York-based Oyster Optics, which makes intrusion-detection equipment, said he believes that the fiber infrastructure is vulnerable to hackers who can tap fiber with common maintenance tools that are available worldwide. "This same equipment with modifications can be used to capture 100 percent of the voice, video and data going across the network," Page said. "All you need to do is get access to the fiber loop serving a particular building." Hackers don't even need to get all of the data traveling on the fiber, he said. The packet headers reveal information about phone numbers, IP addresses and the fiber service provider. Even if an organization encrypts data and a hacker does not have the means to decrypt it, the packet headers would not be encrypted, he said. The hacker could save the rest of the data and attempt to decrypt it later. The equipment that can capture light from the fiber can also easily inject light into it, Page said. That would allow a hacker to modify or jumble the data going through the fiber, corrupting it or causing a denial-of-service attack on the network. Perhaps the biggest danger to fiber networks is the so-called backhoe effect, a decidedly low-tech danger. It happens when contractors or private landowners dig into the ground and inadvertently break fiber cables that telecommunications companies have laid. As recently as 2004, telecom facilities were still among the most likely to be affected by excavation work. The Common Ground Alliance, an industry organization aimed at limiting damage caused by such events, said telecom operations made up 27.5 percent of the reports it received about such accidents. "It's still probably the most significant threat," said M.E. 
"Mich" Kabay, associate professor of information assurance at Norwich University in Vermont. Nerve-wracking map Fiber's vulnerability to errant digging underscores the notion that deliberate tampering poses a real risk, Kabay said. "The telcos are so concerned about making sure people don't dig where their fiber-optic cables are," he said. "But on the other hand, if you were a terrorist, where would you then go to bring down all of the northeast corridor communications?" The potential chaos that such sabotage could cause was highlighted in 2003 when a doctoral thesis written by George Mason University graduate student Sean Gorman sparked widespread consternation in industry and government. Gorman used public sources to compile a map of all the major business and industrial sectors in the country and overlay a representation of the fiber infrastructure that connected them. With a single mouse click, anyone could see the location of communications choke points for vital sectors of the U.S. economy. The infrastructure's resiliency has improved in recent years, however, through an effort to re-engineer it into a hierarchical structure of fiber rings that mesh together, Dzubeck said. "Nothing is centralized in one spot anymore, so if you want to take out one of these [rings], you'd have to take out many, many sections at once," he said. "There are multiple paths communications can take through these rings, and if you do cut a cable, you are only cutting one small section." All of the fiber in place in the United States now is redundant because of this new configuration, said Ron Martin, vice president of service provider development for optical networking at Cisco Systems. "Every fiber now has an alternate path through which the data can be sent," Martin said. "If there is a fiber breakage or an equipment failure, the communication reroutes itself, causing maybe hundreds of milliseconds of disruption at most." IP design also enables this dynamic rerouting. 
IP breaks data streams into various packets that a network can route via different paths and then reassemble at the final destination.

"We've not figured out a way to stop people [from] digging up our fiber with backhoes, so the key is having some way to allow customers to recover from those events," said Steven Parrott, a product development manager at Sprint. "With IP, if you lose a particular fiber path, it's very simple just to reroute the data."

The bottom line for users is that there is minimal, if any, disruption in their communications, Parrott said.

Despite continuing instances of fiber breakages, the Alliance for Telecommunications Industry Solutions reported that facility outages were at a record low in 2004, and it was one of the best years for network reliability.

Nobody fixes leaks in a roof unless it's raining, said John Pescatore, vice president and research fellow at Gartner Research, who previously worked at the National Security Agency and the U.S. Secret Service. Without a smoking gun to indicate a threat or attack, most officials do not worry about fiber's security, Pescatore said. "People don't care."

[...]

From isn at c4i.org Tue Jun 13 08:07:57 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:07:57 -0500 (CDT)
Subject: [ISN] Backdoors, Bots Biggest Threats To Windows
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=189400457

By Gregg Keizer
TechWeb.com
Jun 12, 2006

Backdoor Trojans are a clear and present danger to Windows machines, Microsoft said Monday as it released the first-ever analysis of data collected by the 15-month run of its Malicious Software Removal Tool, a utility that seeks out and destroys over five-dozen malware families.

According to Microsoft's anti-malware engineering team, Trojans that, once installed, give an attacker access and control of a PC, are a "significant and tangible threat to Windows users."
Of the 5.7 million unique PCs from which the Malicious Software Removal Tool (MSRT) has deleted malware, 3.5 million of them -- 62 percent -- had at least one backdoor Trojan.

"Backdoor Trojans are a large part of the malware landscape," said Matt Braverman, program manager on the team, and the author of a report on the tool's data that was released Monday at Boston's TechEd 2006 conference.

Bots, a subset of Trojan horses, were especially "popular" on infected PCs, Microsoft's data showed. Bots are small programs that communicate with the controlling attacker, usually through Internet Relay Chat (IRC) channels, less frequently via instant messaging. Of the top 5 on the MSRT's removed malware list, three families -- Rbot, Sdbot, and Geobot -- were bots.

Once backdoors and bots are accounted for, all other malware types were seen on only a minority of machines. "Rootkits are certainly present, but compared to other [malware types] they're not extremely widespread yet," added Braverman. A rootkit was present on 14 percent of the nearly 6 million computers that had to be cleaned.

Since it debuted in January 2005, the MSRT has been run some 2.7 billion times on an increasing number of PCs. In March 2006, the last month for which data was compiled, 270 million unique systems ran the tool, which is automatically downloaded and run on systems with Windows/Microsoft Update turned on.

Over those 15 months, the MSRT found malware on one in every 311 computers. "I think that's a valid, accurate number," argued Braverman, even though the MSRT doesn't detect and delete every form of malicious software, and runs predominantly on Windows XP SP2 (and not at all on older operating systems, such as Windows 98 and Windows NT).

The MSRT data also seemed to validate the long-standing premise that Windows XP SP2 is more secure than earlier Microsoft operating systems, said Braverman.
Although Windows XP SP2 systems account for 89 percent of all machines from which malware was deleted, when the numbers are "normalized" -- to take into account the number of tool executions on each OS -- SP2's rate falls precipitously to just 3 percent. Together, Windows XP Gold (the original edition launched in October 2001) and Windows XP SP1 account for 63 percent of the deletions when the numbers are normalized.

"This makes sense," Braverman's report read. "Windows XP SP2 includes a number of security enhancements and patches for vulnerabilities not found in earlier versions of Windows XP, making it more difficult to be infected by malware in some cases.

"And it is likely that a user who has not yet upgraded to the latest service pack would be more susceptible to social-engineering-based attacks. In fact, this seems to hold true for Windows 2000 and Windows Server 2003 as well, where the latest versions of the service packs for those operating systems have the lowest number of normalized disinfections compared with the older versions of the operating systems."

"No, I couldn't claim that Windows XP SP2 itself was the only reason why its normalized numbers are so low," admitted Braverman, who pointed to the prodding those users get to turn on Automatic Update (which not only patches their OS, but also runs MSRT monthly) and the idea that they're less likely to engage in potentially risky behavior, like opening attachments or visiting dangerous parts of the Internet.

Microsoft uses a combination of internally-generated metrics and outside feedback -- including the WildList and customer comments -- to decide which malware is added to the list targeted by the tool. Anti-virus scan results of Microsoft's for-a-fee security service, OneCare, and its for-free Windows Live Safety Center, said Braverman, are taken into account, as is data from the crash analysis tool that users can invoke when Windows dies.
While the MSRT data has been used mostly by the anti-malware team itself to develop new tools -- such as ones to more quickly crank out signatures for bots -- Braverman sees it as a way for Microsoft and its partners to get a better feel for the current security situation.

"It demonstrates Microsoft's understanding of the malware landscape," he said even as that landscape -- and the tool itself -- change. "We've already morphed our thinking about how to best attack malware families," he added.

A version of the tool for Windows Vista Beta 2 will be released within weeks, said Braverman, via Windows/Microsoft Update to help protect users trying out the new operating system.

The newest edition of the MSRT will be released Tuesday as part of Microsoft's monthly security update.

Copyright © 2006 CMP Media LLC, All rights reserved.

From isn at c4i.org Tue Jun 13 08:08:27 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:08:27 -0500 (CDT)
Subject: [ISN] Japanese virus shares private info
Message-ID:

http://www.smh.com.au/news/security/japanese-virus-shares-private-info/2006/06/13/1149964511797.html

The Sydney Morning Herald
June 13, 2006

A computer virus that targets the popular file-sharing program Winny isn't the most destructive bug or even the most widespread. But it's the most talked about in Japan as it generates headline after headline, month after month.

The malware, called Antinny, finds random files on Winny users' PCs and makes them available on the file-sharing network. So far, the data leaked have been varied and plentiful: passwords for restricted areas at airports, police investigations, customer information, sales reports, staff lists.

The constantly updated virus seems to have spared no one: airlines, local police forces, mobile phone companies, the National Defence Agency. Even an antivirus software manufacturer has suffered.

"The virus has been quite effective in getting information off a user's computer and onto the Internet.
The data is supposed to be secret, so people are quite sensitive about it," said Tsukuba University computer scientist Kazuhiko Kato.

Compared to attacks on Microsoft Corp's Windows software, the scope of the Antinny outbreak is narrow. But the Winny mess has caused an enormous brouhaha in Japan.

Antinny also may have the dubious distinction of being the first virus to exploit the nature of file-sharing itself in Japan, if not in the world, said Mamoru Saito of Telecom Information Sharing and Analysis Centre Japan. Other viruses and spyware are often found on such networks, though none appears to take advantage of the underlying technology to spread personal data.

And while Antinny's writers seem to be limiting themselves to Japanese file-sharing software for now, he said, the code theoretically could be modified to attack other file-sharing networks such as Gnutella and BitTorrent.

The outbreak has triggered a broad damage-control effort by government and businesses. They have banned Winny from in-house computers and fired employees who use it on them. They've also demanded that staff not take work home and delete Winny from any home PCs used for work.

"The most secure way to prevent the leakage of information is not to use Winny on your computer," Chief Cabinet Secretary Shinzo Abe, the government's top spokesman, told reporters.

But the outbreak shows little sign of abating.

"The problem has shown that many people just don't know how to use the internet safely," said Takeshi Sato of the government's National Information Security Centre.

File-sharing programs like Winny are used to find and get files, from music to video to documents, from the computers of other people also using the software. The PC owner typically has control over what is made available by limiting sharing to a specific folder.

The virus takes advantage of this culture to propagate itself by playing a "social" trick on users, said Telecom ISAC Japan's Saito.
When the virus is activated on a computer, it first chooses a new name for itself by taking the names of other files users are likely to be searching for, usually photos or music. The resulting new name becomes so long that, under normal Windows settings, the three-letter file extension that indicates the type of file disappears from view, he said.

Careless users who download the file will see only the name and think it is something they wanted, say, a photo of a favorite movie star. They don't see that they are actually trying to open an application, not a picture.

When they do, the virus then looks on the computer for the Winny application, grabs random files off the hard drive and uses Winny to make those files and itself available for download on the network. And so the cycle repeats.

New strains of Antinny appear all the time. Software maker Trend Micro listed 46 variations of the virus in its database as of mid-May. Trend itself lost sales data due to a Winny leak in 2005.

"Just keeping your antivirus software up to date isn't enough, because the updates can't keep up with all the new strains of the virus," the government's Sato said.

The government's concerns about Winny go beyond viruses. It's often used to share files, and that often means illegally exchanging copyrighted materials. Winny was already on the government's radar screen in November 2004, when its creator, then an instructor at the prestigious University of Tokyo, was handed a three-year suspended sentence on charges of violating copyright laws.

But now it is confidential data rather than hit songs that have Winny back in the spotlight.

Japan Airlines, for example, discovered last December that an Antinny-infected computer owned by one of its co-pilots leaked passwords for restricted areas at 16 airports around Japan as well as Guam's international airport. The airline was forced to alert the airports to have passwords changed as a precaution.
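The naming trick Saito describes, turned into a small detection check, as an added example that is not code from the article or from any vendor it names: it approximates what a default Explorer view shows for a file name and flags names whose real executable extension is hidden behind a decoy. The extension lists, the display width and the sample names are assumptions constructed for the example.

```python
"""Flag file names that hide an executable extension behind a decoy.

Two forms are covered: the Antinny-style name (a decoy extension such as
".jpg" followed by enough padding that the real ".exe" falls out of view)
and the plainer "photo.jpg.exe" double extension, which the default
"hide extensions for known file types" setting also disguises.
"""
import re
from typing import Dict, Optional

# Extensions Windows runs on double-click (assumption: a representative
# subset chosen for this example, not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Decoy extensions a file-sharing user looking for photos or music expects.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".mp3", ".wma", ".avi", ".zip"}
# Assumption: roughly how many characters a narrow Explorer name column shows.
DISPLAY_WIDTH = 60

_EXT_RE = re.compile(r"\.[A-Za-z0-9]{2,4}")


def real_extension(name: str) -> str:
    """The extension Windows actually acts on: the text after the last dot."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def displayed_name(name: str, hide_known_ext: bool = True,
                   width: int = DISPLAY_WIDTH) -> str:
    """Approximate what a default Explorer view shows for a file name:
    the known extension is hidden and long names are cut off."""
    shown = name
    ext = real_extension(name)
    if hide_known_ext and ext:
        shown = name[:-len(ext)]
    if len(shown) > width:
        shown = shown[:width - 3] + "..."
    return shown


def classify(name: str) -> Optional[str]:
    """Return 'padded-name' for the Antinny-style long name, 'double-extension'
    for the plain photo.jpg.exe trick, or None when nothing looks disguised."""
    ext = real_extension(name)
    if ext not in EXECUTABLE_EXTS:
        return None                      # not runnable, nothing to disguise
    stem = name[:-len(ext)]
    decoys = {d.lower() for d in _EXT_RE.findall(stem)}
    if not decoys & DECOY_EXTS:
        return None                      # executable, but no decoy extension
    # Trailing padding or sheer length pushes the real extension out of
    # view; that is the trick the article describes.
    if stem != stem.rstrip() or len(name) > DISPLAY_WIDTH:
        return "padded-name"
    return "double-extension"


def scan(names) -> Dict[str, str]:
    """Map each suspicious name to its classification; clean names are omitted."""
    result = {}
    for n in names:
        verdict = classify(n)
        if verdict:
            result[n] = verdict
    return result


# Constructed sample names for the example (not real Antinny samples).
SAMPLE_NAMES = [
    "famous_actress_photo.jpg" + " " * 120 + ".exe",   # Antinny-style padding
    "new_single.mp3.scr",                               # classic double extension
    "vacation.jpg",                                     # benign picture
    "setup.exe",                                        # benign executable
    "report.v2.exe",                                    # '.v2' is not a decoy
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(displayed_name(n)), "->", classify(n))
```

Run against a shared folder's listing, the same check gives a cheap pre-filter for the Winny share directory the article says owners are supposed to control.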
In early March, Japan's National Defence Agency said it lost "confidential information" due to a Winny leak, again from an employee's home computer. While defence officials refused to say what data had been lost, a news report said it included reports on training exercises conducted in Okinawa with U.S. troops in 2005.

In the aftermath of the leaks, the agency ordered employees not to use Winny on any computers used for work. It also announced plans to purchase 56,000 computers so employees would no longer have to use their own equipment for work.

Schools, internet providers and electric companies are among the others who can tell of similar losses. Making matters worse, reports began surfacing in May that the virus was now attacking another Japanese file-sharing application called Share (pronounced "shah-ray"), opening the door to yet more embarrassing leaks.

The excitement being generated is all the more remarkable when one considers the outbreak's scale. Because Antinny needs Winny to spread, both the virus and the files it picks up are limited to a small section of internet users, anywhere from 300,000 to 600,000 people, based on government and industry estimates. Government statistics show Antinny was responsible for a minuscule fraction of the 24,155 virus outbreaks reported between November 2005 and April 2006.

"Reports of the leaks make for good drama," Tsukuba's Kato said. "Still, they show that people need to be careful if they connect their computers to the Internet."

The government and businesses are trying to help, with everything from educational pamphlets and Web sites to free software that can remove Antinny, Winny or both. But there are limits to what they can do.

"The industry is providing information about how to deal with the problem," said Telecom ISAC-Japan's Saito. "The question is whether or not the users do anything about it."

Copyright © 2006. The Sydney Morning Herald.
From isn at c4i.org Wed Jun 14 04:03:36 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:03:36 -0500 (CDT)
Subject: [ISN] Computer Security Market to Grow 13%
Message-ID:

http://times.hankooki.com/lpage/biz/200606/kt2006061320215011910.htm

06-13-2006

SEOUL (Yonhap) - South Korea's computer security market is forecast to grow 13 percent annually over the next five years as spending on Internet security software rises in both the public and private sectors, a report indicated on Tuesday.

The country's digital security market is predicted to rise to 815 billion won ($850) by 2010, and the security appliance market is projected to post an annual growth rate of 17.6 percent, according to the report compiled by the South Korean unit of the International Data Corp.

IDC Korea said the country's computer security market posted 8.5 percent growth last year reaching 443 billion won.

The security appliance sector, in particular, is expected to grow sharply in the future, the report said, adding that more and more public institutions and private companies in the country are trying to keep their computer networks safe from burgeoning cyber threats.

From isn at c4i.org Wed Jun 14 04:03:05 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:03:05 -0500 (CDT)
Subject: [ISN] Hanford workers warned about security breach
Message-ID:

http://seattlepi.nwsource.com/local/273650_hanfsecurity13.html

By SHANNON DININNY
THE ASSOCIATED PRESS
June 13, 2006

The U.S. Energy Department has warned about 4,000 current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation.

The discovery marks the second time in less than a week that the Energy Department has warned employees and its contractors' employees that their personal information may have been compromised.
Police in Yakima discovered the list while investigating an unrelated criminal matter, the Energy Department said, adding that the list included the names of people who worked for a former Hanford contractor, Westinghouse Hanford, who were transferring to Fluor Hanford or companies under contract to Fluor Hanford in 1996. The Energy Department awarded Fluor Hanford the contract to clean up the highly contaminated nuclear site in December 1996. The list also included workers' Social Security numbers and birthdates, as well as work titles, assignments and telephone numbers. The department began notifying workers about the discovery Sunday. Employees at seven companies were warned to monitor their financial accounts and billing statements for any suspicious activity. There was no indication that Hanford's computer network was compromised. The Energy Department and Fluor Hanford were working with law enforcement officials to determine how the list was obtained and why it was in the home, the Energy Department said in a statement Monday. "We, along with Fluor, are taking this very seriously," said Karen Lutz, an Energy Department spokeswoman at the south-central Washington site. "Obviously, there's a concern to get the word out, because so many workers transfer to other contractors and other federal sites." Also on Monday, Energy Department officials began contacting 1,502 individuals by phone to inform them that their Social Security numbers and other information might have been compromised when a hacker gained entry to a department computer system eight months ago. The workers, mostly contract employees, worked for the National Nuclear Security Administration, a semiautonomous agency within the department that deals with the government's nuclear weapons programs. The computer theft occurred last September, but Energy Secretary Samuel Bodman and his deputy, Clay Sell, were not informed of it until last week. 
It was first publicly disclosed at a congressional hearing on Friday.

Following the Hanford report Monday, Sen. Maria Cantwell, D-Wash., demanded corrective actions to ensure that federal employees' personal information remains secure.

"Today's news that the personal information of 4,000 Hanford workers has been floating around in the open shows that we still have a long way to go when it comes to keeping sensitive information out of the wrong hands," Cantwell said.

Workers from the following companies were urged to check their financial statements: Fluor Daniel Hanford, Lockheed Martin Hanford, Rust Federal Services of Hanford, B&W Hanford, Numatec Hanford, DynCorp Tri-Cities Services and Duke Engineering and Services Hanford.

From isn at c4i.org Wed Jun 14 04:03:21 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:03:21 -0500 (CDT)
Subject: [ISN] Elections hacks don't guard us against hackers
Message-ID:

http://www.miami.com/mld/miamiherald/14803773.htm

By FRED GRIMM
fgrimm at MiamiHerald.com
Jun. 13, 2006

For a county supervisor of elections needing someone to test the vulnerabilities of his voting system, Dan Wallach's the man.

Wallach, who runs the security computer lab at Rice University, is a nationally regarded expert on computer network security and voting system vulnerabilities. He's associate director of ACCURATE (A Center for Correct, Usable, Reliable, Auditable and Transparent Elections). Besides, his parents live in Lauderdale-by-the-Sea.

He is a perfect choice. But not in Florida.

Wallach and his associates at ACCURATE may represent academia's leading experts on voting system security, but under the new rules promulgated by the Florida Secretary of State, they don't qualify. Any security test, the secretary of state's office insists, must be performed by someone certified by the American Software Testing Qualifications Board, the American Society for Quality or the EC (E-Commerce) Council.
Not only is Wallach not certified by the three organizations, "I've never heard of them," he says.

TRAINING COURSE

Actually, the first two organizations are concerned with the overall quality of manufactured software, not security. The EC Council website offers a five-day training course into something called "ethical hacking." Five days of training, under the new rules, would trump the most sophisticated résumés in computer science.

Computer professor David Dill, of Stanford University, who served on California's Ad Hoc Task Force on Touch Screen Voting, and whose degree -- not the five-day kind -- comes from MIT, added his apprehensions to the comments on the proposed rules the Florida Secretary of State's office collected Monday. He said they "would exclude the most competent evaluators, such as those who have found most of the reported security holes in existing voting systems.

"I have checked with several computer security experts, who not only do not have these qualifications, but, like me, have never heard of them. A little research on the Web reveals these certifications to be of dubious relevance to voting system evaluation," Dill wrote.

Other rules would require that the voting-machine vendors and the secretary's office get advance notice of any security test. And a supervisor of elections contemplating a security test must first take special pains to protect the machine manufacturer's secret operating code.

CERTIFIED HACKERS

Wallach and Dill seemed puzzled. Wallach noted that a voting machine ought to be secure no matter who tries to hack the system. The notion that a would-be hacker must first be properly certified and possess special qualifications (like a five-day online course), and the vendors need advance notice becomes utterly irrelevant in cyberspace.

"If someone is malicious and his goal is to throw the election, they're not going to ask permission," Wallach said.
Of course, the new rules aren't really about protecting the integrity of elections.

Only one Florida supervisor of elections allowed outside experts to test his voting system security. And when Ion Sancho's hackers discovered they could alter the outcome of an election and wipe out all trace of the tampering last year, it was a huge embarrassment to the Secretary of State's office.

Instead of trying to fix the flaws, state officials and Diebold -- a maker of voting machines -- went after Sancho, disparaging his findings and suggested that he ought to be tossed from office.

Then California -- not Florida -- directed a panel of computer science experts to look into the Leon County findings. The panel found the same flaws and more. Florida election bureaucrats were humiliated.

"The new rules are designed to make sure that they're never embarrassed again," Sancho said Monday.

Florida's first priority is to protect the vendors. We'll let California worry about the damn voters.

From isn at c4i.org Wed Jun 14 04:03:48 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:03:48 -0500 (CDT)
Subject: [ISN] KDDI suffers massive data breach
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001150

Martyn Williams
June 13, 2006
IDG News Service

Personal data on almost 4 million customers of Japanese telecom carrier KDDI Corp. has been breached, the company said Tuesday.

The data includes the name, address and telephone number of 3,996,789 people who had applied for accounts with KDDI's Dion Internet provider service up to Dec. 18, 2003, KDDI said. Additionally the gender, birthday and e-mail addresses of some of the people was also leaked.

KDDI is Japan's second largest telecommunications carrier. It operates fixed line, dial-up Internet, broadband and cellular services through a number of different companies.
The carrier became aware of the leak on May 31 this year when it received a phone call from someone claiming to possess a CD-ROM of the data, said Yoko Watanabe, a spokeswoman for the Tokyo-based carrier. The original source of the data has yet to be determined and Watanabe declined to comment on other aspects of the case, which is being investigated by the police, she said.

The leak is just the latest of several to hit the headlines in Japan this year. Personal information has been leaked by companies a number of times onto the Internet through viruses that infect PCs running file sharing programs.

While the source of the data lost by KDDI is not yet clear, the episode is likely to increase fears of identity theft and other fraud in Japan. In recent years the number of frauds committed against consumers using such information has been on the rise.

Armed with the name and address or telephone number of a consumer, fraudsters can send out bills or make calls demanding payment for services that were never delivered. The slick frauds often dupe consumers into sending money before they realize they have been tricked.

From isn at c4i.org Wed Jun 14 04:05:40 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:05:40 -0500 (CDT)
Subject: [ISN] PCs to developing world 'fuel malware'
Message-ID:

http://www.theregister.co.uk/2006/06/13/pc_donation_peril/

By John Leyden
13th June 2006

Programs to send PCs to third world countries might inadvertently fuel the development of malware for hire scams, an anti-virus guru warns.

Eugene Kaspersky, head of anti-virus research at Kaspersky Labs, cautions that developing nations have become leading centres for virus development. Sending cheap PCs to countries with active virus writing cliques might therefore have unintended negative consequences, he suggests.

"A particular cause for concern is programs which advocate 'cheap computers for poor third world countries'," Kaspersky writes.
"These further encourage criminal activity on the internet. Statistics on the number of malicious programs originating from specific countries confirm this: the world leader in virus writing is China, followed by Latin America, with Russia and Eastern European countries not far behind." But what about all the positive uses in education, for example, possible through the use of second-hand PCs in developing nations? We reckon these more than outweigh the possible misuse of some computers at the fringes of such programs. We wanted to quiz Kaspersky more closely on his comments but he wasn't available to speak to us at the time of going to press. A spokesman for Kaspersky Labs agreed that PC donation programs have benefits but maintained that in countries with "fewer legitimate openings" for work the possibility of "unintended side effects" can't be overlooked. He said that Eugene Kaspersky's comments should be viewed in the context of a wider discussion of criminal virus writing, contained in an essay on the anti-virus industry here. From isn at c4i.org Wed Jun 14 04:06:05 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 14 Jun 2006 03:06:05 -0500 (CDT) Subject: [ISN] Black Hat Speakers + 2005 Content on-line Message-ID: Forwarded from: Jeff Moss -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello ISN readers, I have a brief announcement I would like to make. The speaker selection for Black Hat USA 2006 is now complete. We have a fantastic line up of Briefings presentations and our largest selection of Training this year. Briefings: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-schedule.html Training: http://www.blackhat.com/html/bh-usa-06/train-bh-usa-06-index.html For the first time in four years, we have been able to expand our speaking line. This is because Caesars Palace has expanded its conference space, and Black Hat will be getting the entire fourth floor to ourselves!
This means that for the first time in four years, we were able to expand the number of presentation tracks and panels, as well as offer more opportunities for networking in our Human Network area. Some notes from the schedule:

* A Root-kit focused track draws attention to the amount of work, and the speed of advancement, going into this field.

* Ajax to Fuzzers -- web app sec is taken to a new level. The largest number of talks dealing with web application security ever delivered at a Black Hat. As the web moves to a more interactive "web 2.0" model of participation it is only natural for there to be more risks involved.

* A Windows Vista Security track which has been garnering a lot of press lately... this will be an unprecedented first comprehensive look at Vista security issues.

* Jim Christie is bringing his "Meet the Fed" panel over from DEF CON, and the Hacker Court is back along with panels on Disclosure, a Public Forum on Corporate Spyware Threats hosted by The Center for Democracy and Technology Anti-Spyware Coalition, and a new challenge will be presented by the Jericho Forum.

Remember, prices increase July 1st for both the Briefings and Trainings. Register now to get the best rates! http://www.blackhat.com/html/bh-registration/bh-registration.html#us Other News: Black Hat is pleased to release the presentations from last year's Black Hat 2005 Briefings in both audio and video format. Also a first, they will be available for download in both H.264 .mp4 format (iPod compatible) as well as .mp3 audio. Currently you have to subscribe to the Black Hat .rss feed to get them, but in the coming weeks we will make them available through the past conventions archive page. http://www.blackhat.com/BlackHatRSS.xml Black Hat would like to welcome the ISSA as a worldwide supporting association.
http://www.issa.org/ Thank you, Jeff Moss From isn at c4i.org Wed Jun 14 04:04:58 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 14 Jun 2006 03:04:58 -0500 (CDT) Subject: [ISN] ...and now a word from one of our long time sponsors Message-ID: http://attrition.org/news/content/06-06-13.001.html Cliff Notes: If you drink Coca-Cola products, email the 'coke reward' code to cokerewards at attrition.org to support a bunch of wack job heathens How many times have you thought, "If everyone sent me one penny, I'd be rich!?" In the case of attrition staff, maybe you thought "If everyone sent me one beer, I'd need a new liver in three months!" Attrition has been going strong for almost eight years now. In that time we haven't plagued the site with ad banners, pop-ups, or even the cute little google ad-words. We've accepted PayPal donations for several years and raked in a whopping 250 bucks (which we are honestly very thankful for). Our Amazon wishlists are never used, half the mail we get is mindless drivel complaining about insipid crap that is usually answered by actually reading the web pages. The box has been fully replaced two times due to hardware problems, payments are routinely made to our landlord for the bandwidth abuse and to keep him too drunk to find our power plug. In short, this isn't a site based around profit or self reward. We're more like those monks that inflict self pain thinking it brings them closer to a higher power. Misguided, pain-ridden, stupid monks.
Since we've long been fans of the sci-fi idea of 'micro payments', and no system is in place for such a beast to really work, we've come up with one. Now you too can actually support the site without sending us money or hate mail. Chances are, you are a cracked-out coke fiend like most of us. I prefer the hard-core street drug they call "Coke Zero" these days, moving on from the weak suburban "Diet Coke" or that old-folks home "Caffeine Free Diet Coke" that Munge sips on between shots of Everclear. If you support Coca-Cola like a true patriot, and not those Pepsi jerks like a terrorist would, then you are in the perfect position to contribute. Coca-Cola is running a promotion where you receive a code for each purchase you make. With those codes, you register on one of their web sites and type in the codes to earn points. Enough points and you can earn various prizes, most of which are not worth the time to read about on the web site. If you click around enough, you get to the distant "10,000+ Points" reward list, and things become brighter. In this "pipe dream" category is a pretty swell Sony LCD HDTV that would be a nice reward for the pain and suffering we're put through. So, next time you are getting your fix, take a few seconds to type in the coke code and mail it to us. It only takes a minute of your time and you can spend the rest of the day bragging about how you supported a non-profit site on the intarweb. The codes can be found inside the bottle caps of 2 liter, 1 liter or 20oz bottles, or in the tear off flap of 12-pack cases. They can be found in just about every variety of Coca-Cola products and look something like BNMW7 Y49XR 4X7VJ. This is it, net denizens. Some 100,000,000 of you out there, and all it takes is 2,000 of you to mail in the code from a single 12-pack to reach our goal. You would be showing a small token of appreciation for eight years of hard work and it doesn't even require a visit to the post office.
If you send in 100 points worth of codes (ten cases, or 33 bottles), we'll hook you up with private access to the old image gallery we used to make available (shut down long ago due to bandwidth abuse), which is up to 5,263 unique images of all varieties, and zero advertisements. That's it, simple and possibly rewarding. cokerewards at attrition.org Cut this out and post it at your work lounge!

.------------------------------.
|                              |
| E-mail Coca-Cola Reward Code |
| to the heathens at           |
| cokerewards at attrition.org |
|                              |
`------------------------------'

From isn at c4i.org Wed Jun 14 04:05:27 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 14 Jun 2006 03:05:27 -0500 (CDT) Subject: [ISN] ADSM endorses XBRL technology Message-ID: http://www.itp.net/business/news/details.php?id=21007 By David Ingham 13 June 2006 Abu Dhabi Securities Market (ADSM) has recently taken further steps to boost market transparency and improve its information technology systems. ADSM has declared its aim to become ISO 17799 compliant and has thrown its weight behind the XBRL information reporting standard. eXtensible Business Reporting Language (XBRL) enables computer-readable tags to be applied to individual items of financial data in business reports. This helps to turn them from blocks of text into information that can be understood and processed by computer software. "XBRL complements ADSM's programme to adopt international best practice standards of regulation and governance throughout the UAE markets," said Rashed Al Baloushi, acting director general of ADSM. "It will give investors better access to a company's financial information, allowing them to make more informed decisions. "Furthermore, analysts will be able to compare detailed data more efficiently and with increased accuracy. Under the current system, it can be difficult to benchmark data efficiently."
ADSM said it will encourage all listed companies to adopt the technology, which it says can reduce data processing costs in addition to improving transparency. It has already held one educational seminar, which was attended by listed UAE companies and representatives from other markets in the region. Separately, ADSM has said that it plans to become the first UAE bourse to achieve ISO 17799 certification. ISO 17799 is a set of procedures designed to help companies improve their level of information security. It covers ten aspects of e-security, including policies & procedures, access control and business continuity. Company and Cybertrust have been appointed to help ADSM benchmark its systems against the ISO 17799 requirements. "Since ADSM was established, we have been constantly reviewing and updating our security systems in line with our growth," said Khalfan Al Mazrouei, IT manager of ADSM. "But, in order to bring our systems up to international standards we need ISO 17799 certification." From isn at c4i.org Thu Jun 15 02:24:27 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 15 Jun 2006 01:24:27 -0500 (CDT) Subject: [ISN] Stolen computer server sparks ID theft fears Message-ID: http://msnbc.msn.com/id/13327187/ By Jim Popkin, Tim Sandler & the NBC Investigative Unit NBC News June 14, 2006 WASHINGTON - A thief recently stole a computer server belonging to a major U.S. insurance company, and company officials now fear that the personal data of nearly 1 million people could be at risk, insurance industry sources tell NBC News. The computer server contains personal electronic data for 930,000 Americans, including names, Social Security numbers and tens of thousands of medical records. The server was stolen on March 31, along with a camcorder and other office equipment, during a break-in at a Midwest office of American Insurance Group (AIG), company officials confirm.
An AIG spokesman says that there's no evidence that the thief has accessed the personal data on the server or used it for any illicit purpose. The server is password protected, the AIG spokesman adds. The server contains detailed personal data from 930,000 prospective AIG customers, whose information had been forwarded to the insurance firm from 690 insurance brokers around the country. The potential customers' employers were shopping with AIG for rates for excess medical coverage, the spokesman says, when they forwarded the personal data to AIG. AIG has not yet notified any of the people whose personal data are on the stolen server. AIG security officials have been conducting a forensic analysis of the theft, and warned the 690 insurance brokers of the problem on May 26. The AIG spokesman tells NBC: "There is no indication that the thieves were seeking data, rather than valuable hardware....To date, we are unaware of any of this information being compromised." In a police report on the incident, officers in the Midwestern city state that the stolen server was worth $10,000. The police write that the thief "came through the ceiling, going into their [AIG's] server room." NBC News is not identifying the city at the company's request, so as to not tip off the thief who may not realize he/she has valuable personal information. AIG describes itself as "the leading international insurance organization with operations in more than 130 countries and jurisdictions." Ironically, an AIG member company announced earlier this year that it now offers identity-theft insurance coverage. ©
2006 MSNBC Interactive From isn at c4i.org Thu Jun 15 02:24:48 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 15 Jun 2006 01:24:48 -0500 (CDT) Subject: [ISN] Intelligence can be pretty dumb Message-ID: http://www.theinquirer.net/?article=32411 By Nick Booth 14 June 2006 SECURITY FIRMS must be ruthlessly cunning and intelligent to stay ahead of the fiendish legions of hackers, crackers and cunning con artists they constantly warn us about. Or so you'd think. But not if this recent example of 'intelligence' is typical. All companies keep tabs on the opposition. Usually, they employ competitive intelligence companies, who use all kinds of dirty tricks to find out about rivals' products, their marketing strategies and the incentives offered to resellers. A typically fiendish scam would be to set up a phoney head hunting agency, then invite everyone that matters at the target firm for an "off the record" interview. Flattered by the attention, most CTOs and marketing directors are only too pleased to boast of the projects they're working on, the budgets they're in charge of and how many people are under them. This information is all tabulated, and sold for hundreds of thousands of dollars, to the client. Clients like to outsource this furtive behaviour so they can distance themselves from it if they get caught. Very cunning. Some security firms are slightly less sophisticated, it seems. When security vendor Countersnipe launched its latest product, it expected a few bogus enquiries from its rivals. But a request from an outfit calling itself Ychange seemed genuine enough. 'Jeff' from Ychange saw a demo and was so impressed he promised to show the product to Superluminal, his financial services client, which was just gagging to place a multi-million dollar order. But a quick Whois check revealed that Superluminal's web site was owned by one of Countersnipe's rivals, Sourcefire.
Perhaps Sourcefire didn't think anyone else would know about this new-fangled Internet thing. "This has to be the least sophisticated attempt at spying I've ever seen," laughed Countersnipe's Amar Rathore, "I wouldn't mind, but they're a security firm, for God's sake. You'd think they'd know some cleverer tricks than that." Sourcefire was unavailable for comment. From isn at c4i.org Thu Jun 15 02:25:24 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 15 Jun 2006 01:25:24 -0500 (CDT) Subject: [ISN] Spam Is Good for Antispam Vendors Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. St. Bernard Software http://list.windowsitpro.com/t?ctl=2E774:4FB69 Patchlink http://list.windowsitpro.com/t?ctl=2E786:4FB69 CrossTec http://list.windowsitpro.com/t?ctl=2E76E:4FB69 ==================== 1. In Focus: Spam Is Good for Antispam Vendors 2. Security News and Features - Recent Security Vulnerabilities - Microsoft Releases Rebranded Antigen Products - 180solutions Merges with Hotbar, Renames Company Zango - Two-Factor Authentication Tokens 3. Security Toolkit - Security Matters Blog - FAQ - Share Your Security Tips 4. New and Improved - Host-Based IPS Monitors Application Behavior ==================== ==== Sponsor: St. Bernard Software ==== Get the #1 Ranked Internet Filtering Appliance Free iPrism, ranked #1 by IDC, gives you comprehensive protection from Web-based threats at the perimeter - spyware, IM and P2P are stopped before they can invade your networks. Now, get the appliance at no charge when you purchase a multi-year subscription. This is a limited-time offer, so get a Quick Quote today. http://list.windowsitpro.com/t?ctl=2E774:4FB69 ==================== ==== 1.
In Focus: Spam Is Good for Antispam Vendors ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Last week, I wrote about Okopipi--the current successor to Blue Security's Blue Frog antispam service. In closing that article, I described a dream situation in which Microsoft philanthropically backs the Okopipi project and bundles the antispam solution with every copy of Windows. This week, I'll point out some statistics and financial figures that show why I think that dream will never become a reality-- not with Microsoft or any other major antispam-solution provider. First, let's look at the cost of spam for businesses: In February 2005, Ferris Research said, "Lost productivity and other expenses associated with spam will cost US businesses $17 billion in 2005.... Worldwide costs could reach $50 billion, primarily because of lost employee productivity. Not included in these figures are immeasurable items, such as the missed opportunity cost of a new customer order that's incorrectly discarded as spam." That's a lot of incentive for businesses to implement antispam solutions. http://list.windowsitpro.com/t?ctl=2E77B:4FB69 Next, let's look at antispam-solution revenue figures: Also in February 2005, IDC predicted that "...worldwide revenue for antispam solutions will exceed $1.7 billion in 2008, far surpassing the $300 million generated in 2003.... [The] development of spam from a mere nuisance to an increasingly serious problem [is] the driver for explosive revenue growth, innovation, and investment in the antispam market. The worldwide revenue for antispam solutions will experience a compound annual growth rate (CAGR) of 42% through 2008." http://list.windowsitpro.com/t?ctl=2E77A:4FB69 Now let's look at email usage and spam volume growth: In January 2006, the Radicati Group estimated that there were more than 1.2 billion active email accounts. Worldwide email traffic per day was about 135 billion messages, of which 67 percent were spam. 
Then in May 2006, Radicati estimated that there were nearly 1.4 billion active email accounts and worldwide email traffic per day of about 171 billion messages, of which 71 percent were spam. http://list.windowsitpro.com/t?ctl=2E771:4FB69 http://list.windowsitpro.com/t?ctl=2E775:4FB69 Summarizing Radicati's data, the number of mailboxes increased by 200 million, the volume of email traffic increased by 36 million messages, and the volume of spam increased by 31 million messages--all in less than half a year! The increases represent a tremendous gain in potential customers for antispam vendors, which of course can readily equate to huge increases in revenue. The spam problem has given birth to a billion-dollar market for antispam-solution providers. If we keep in mind that most companies exist for the primary purpose of generating income for their owners and investors, then we can easily see that no current antispam vendor has the impetus to stamp out spam because doing so would run counter to its fiduciary responsibility. Therefore, the Okopipi project will probably not be seen in a good light by any antispam-solution provider, except of course one that finds a way to profit from the ultimate antispam solution of stamping out spam completely. ==================== ==== Sponsor: PatchLink ==== Does your patch management solution automatically track and re-deploy to ensure network security? 20% of patches unknowingly become un-patched. Learn more about automating the analysis, distribution and tracking of security patches using PatchLink's security patch & vulnerability management solution -- the world's largest repository of tested patches. Request a free trial disk. http://list.windowsitpro.com/t?ctl=2E786:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. 
You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=2E773:4FB69 Microsoft Releases Rebranded Antigen Products Microsoft announced the first release of its rebranded Antigen antivirus and antispam products for email systems. Microsoft acquired the Antigen product line with the 2005 purchase of Sybari Software. Read more about the Microsoft versions at http://list.windowsitpro.com/t?ctl=2E77E:4FB69 180solutions Merges with Hotbar, Renames Company Zango The often scrutinized adware company 180solutions announced that effective immediately it will merge with Hotbar and rename the newly combined entity Zango. http://list.windowsitpro.com/t?ctl=2E77F:4FB69 Two-Factor Authentication Tokens Two-factor authentication offers stronger security and easier access than having to remember numerous passwords. Our buyer's guide helps you find the right two-factor solution to fit your needs. http://list.windowsitpro.com/t?ctl=2E77C:4FB69 ==================== ==== Resources and Events ==== Win a new iPod (for Mac or PC) Download a Windows IT Pro podcast on Windows IT Pro Radio by your favorite author, editor, or industry figure. You'll automatically be entered to win! http://list.windowsitpro.com/t?ctl=2E787:4FB69 Maximize your VoIP environment by integrating FoIP technology to increase ROI and streamline processes. http://list.windowsitpro.com/t?ctl=2E772:4FB69 Attend Black Hat 2006 in Las Vegas July 29 - August 3; 2,500+ international security experts, 10 tracks, no vendor sales pitches. http://list.windowsitpro.com/t?ctl=2E78A:4FB69 Pop Quiz! Can you pass the Windows Server High Availability Challenge? Find out, and you could win a Video iPod. http://list.windowsitpro.com/t?ctl=2E784:4FB69 How will compliance regulations affect your IT infrastructure? Help design your retention and retrieval, privacy, and security policies to make sure that your organization is compliant. Download the full ebook today! 
http://list.windowsitpro.com/t?ctl=2E770:4FB69 Attend TechDays 2006--two days of technical training for IT Professionals on Microsoft and Cisco Technologies, Fri. 6/23 and Sat. 6/24 from 9am-4pm (both days). Located at Diablo Valley College, Pleasant Hill, CA. Price is $1299. Your cost is $299 and includes lunch, drink, snacks and all the information your mind can hold! Enter code PENTON when you register at http://list.windowsitpro.com/t?ctl=2E783:4FB69 ==================== ==== Featured White Paper ==== Extend Windows Rights Management Services (RMS) to support enterprise requirements for protecting information, including proprietary business data. http://list.windowsitpro.com/t?ctl=2E76F:4FB69 Bonus: When you download any white paper from Windows IT Pro before June 30, you'll be entered to win Bose Triport Headphones. See the full selection today at http://list.windowsitpro.com/t?ctl=2E785:4FB69 ==================== ==== Hot Spot ==== Spending too much time monitoring security alerts? New Activeworx Security Center v3 collects event logs from all of your various security devices (Firewalls, AV, IDS, etc) to provide a single dashboard view. ASC includes real-time correlation and analysis, alerts, built-in compliance reports and deep forensics. Free white paper, webinar and evals available. http://list.windowsitpro.com/t?ctl=2E76E:4FB69 ==================== ==== 3. Security Toolkit ==== Security Matters Blog: Windows Genuine Advantage, Phone Home by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2E782:4FB69 We should have known: Microsoft's Windows Genuine Advantage tool phones home daily, and that fact isn't disclosed in the End User License Agreement (EULA). Find out more in this blog article on our Web site. http://list.windowsitpro.com/t?ctl=2E780:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=2E781:4FB69 Q: How do I enable logging of file screen violations? 
Find the answer at http://list.windowsitpro.com/t?ctl=2E77D:4FB69 Share Your Security Tips and Get $100 Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Summer Special--Save 58% off Windows IT Pro Subscribe to Windows IT Pro today and SAVE 58%! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful articles. This is a limited-time offer, so order now: http://list.windowsitpro.com/t?ctl=2E777:4FB69 June Special--Save $80 off the Windows IT Security newsletter Get endless solutions for building and maintaining a secure enterprise. Subscribe to the Windows IT Security newsletter today and save $80: http://list.windowsitpro.com/t?ctl=2E778:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products at windowsitpro.com Host-Based IPS Monitors Application Behavior S.N. Safe & Software recently released the Safe'n'Sec host-based intrusion prevention system (IPS). Safe'n'Sec intercepts application calls at the OS level, granting or denying system access to an app based on a variety of criteria, such as the app's hard disk location, the existence of a digital signature for the app, and whether the app is on a list of core "safe" applications. Safe'n'Sec vets periodic updates to core apps, and Safe'n'Sec users can define policies to govern the behavior of apps. The version for small to midsized businesses (SMBs), Safe'n'Sec Business, offers antivirus and antispyware protection and centralized remote and corporate network administration. 
For more information, go to http://list.windowsitpro.com/t?ctl=2E789:4FB69 Tell Us About a Hot Product and Get a Best Buy Gift Card! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Best Buy Gift Card if we write about the product in a Windows IT Pro What's Hot column. Send your product suggestion with information about how the product has helped you to whatshot at windowsitpro.com. ==================== ==== Contact Us ==== About the newsletter -- letters at windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=2E788:4FB69 About product news -- products at windowsitpro.com About your subscription -- windowsitproupdate at windowsitpro.com About sponsoring Security UPDATE -- salesopps at windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=2E779:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2006, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu Jun 15 02:25:42 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 15 Jun 2006 01:25:42 -0500 (CDT) Subject: [ISN] Hacker disrupts state disaster site Message-ID: http://www.tallahassee.com/apps/pbcs.dll/article?AID=/20060614/NEWS01/606140312 By Stephen D. Price CAPITOL BUREAU June 14, 2006 As Tropical Storm Alberto barreled toward Florida, a computer hacker disrupted public access to the state's emergency Web site for about 20 minutes Tuesday morning, but the glitch did not affect emergency workers, officials said. 
The Web site, www.floridadisaster.org, is set up by the Division of Emergency Management and allows Floridians to access information about emergency situations. The problem delayed a briefing by emergency workers. "Someone intentionally did this," said Carla Boyce, plans chief for the Division of Services Management. "Loopholes get discovered and hackers take advantage of them." The Florida Department of Law Enforcement is investigating the incident. At 7:30 Tuesday morning, emergency workers noticed the site showed error messages, said David Halstead, State Emergency Response Team chief. He said a similar problem happened a week ago. "It takes someone with good computer skills to do this," Halstead said. Boyce said workers are reviewing logs and network tools for clues to learn who did the hacking and from where. The problem was fixed, and extra precautions are being taken so it doesn't happen again, she said. From isn at c4i.org Thu Jun 15 02:26:09 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 15 Jun 2006 01:26:09 -0500 (CDT) Subject: [ISN] VA IT security gaps extend to contractors Message-ID: http://www.gcn.com/online/vol1_no1/41035-1.html By Mary Mosquera GCN Staff 06/14/06 The Veterans Affairs Department said today that it has been investigating allegations that an offshore medical transcription subcontractor last year threatened to expose 30,000 veterans' electronic health records on the Internet in a payment dispute with a VA contractor. The VA assistant inspector general referred to the investigation during questioning in a congressional hearing on VA's data security environment in the wake of the theft of sensitive data of 26.5 million veterans, active duty military and reserves officers. The medical transcription incident highlights how gaps in information security also extend to contractors, said Michael Staley, VA's assistant inspector general for auditing. 
Some VA medical transcription contractors have used offshore subcontractors in India and Pakistan without VA's approval and without adequate controls to ensure veterans' health information was secure under the Health Insurance Portability and Accountability Act, according to an audit released today.

"Contracts do not specify criteria for how to protect information," Staley told the House Veterans Affairs Committee.

Staley enumerated audits of information management security under the Federal Information Security Management Act, the Consolidated Financial Statement and Combined Assessment Program that revealed significant vulnerabilities. These include VA not controlling and monitoring employee access, not restricting users to only the data they need and not terminating accounts of departing employees in a timely manner.

In last year's FISMA review, the IG provided 16 recommendations, including addressing security vulnerabilities of unauthorized access and misuse of sensitive information and data throughout VA demonstrated during its field testing. All 16 recommendations remain open, he said.

Audits also found instances where out-based employees send veterans' medical information to the VA regional office through unencrypted e-mail; monitoring remote network access and usage does not routinely occur; and off-duty users' access to VA computer systems and sensitive information is not restricted.

"VA has implemented some recommendations for specific locations identified but has not made corrections VA-wide," he said.

From fiscal years 2000 to 2005, the IG identified IT and security deficiencies in 141, or 78 percent, of 181 Veterans Health Administration facilities reviewed, and 37, or 67 percent, of the 55 Veterans Benefits Administration facilities reviewed.

"We recommended that VA pursue a more centralized approach, apply appropriate resources and establish a clear chain of command and accountability structure to implement and enforce IT internal controls," Staley said.

The underlying situation is that the VA's department CIO does not have authority to enforce compliance with data security and information management, or with recommendations from GAO, said Veterans Affairs Committee chairman Steve Buyer (R-Ind.). Buyer traced problems in security enforcement to a memo dated April 2004 from the general counsel that said the department CIO did not have enforcement authority.

The CIO, undersecretaries who lead VA's benefits, health and burial administrations, and the VA secretary share responsibility for enforcement, said Gregory Wilshusen, director of information security issues for the Government Accountability Office.

"Information security is a governmentwide problem, and we have talked with OMB about that," said Linda Koontz, director of GAO's information management issues.

Buyer expressed frustration that there are no consequences for "recalcitrant" agencies that do not correct problems that GAO has repeatedly highlighted. He cited the Privacy Act, which has been strengthened with consequences.

"If you have a bureaucracy so strong in the department that the secretary or political bodies are unable to act, don't you think the president or vice president or OMB needs to know that because there are monetary consequences behind that inaction? I'm bothered that GAO doesn't have the higher authority to which they can turn," Buyer said after the hearing.

After several more hearings this month, Buyer and his committee will make recommendations or craft legislation. He suggested that Congress consider looking at strengthening FISMA.

"We can even come up with that in our language, but we're not going to have jurisdiction over that. We'll have to work with Mr. Davis [House Government Reform Committee chairman Tom Davis (R-Va.)] and his committee. I'd be more than happy to do that," he said.

From isn at c4i.org Thu Jun 15 02:26:36 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:26:36 -0500 (CDT)
Subject: [ISN] FBI loses 400 pieces of equipment
Message-ID:

http://www.upi.com/SecurityTerrorism/view.php?StoryID=20060614-024108-3918r

6/14/2006

WASHINGTON, June 14 (UPI) -- The U.S. FBI may have lost 400 pieces of equipment, National Journal's Technology Daily reported Monday.

The Federal Bureau of Investigation still has not told the Government Accountability Office what has happened to hundreds of pieces of equipment that were supposed to be part of a failed department-wide case-management system.

"The FBI also has not provided any additional explanation for the remaining roughly 400 missing assets," Linda Calbom, the GAO's director of financial management and assurance wrote in a letter.

The letter, dated Friday, was addressed to Senate Judiciary Committee Chairman Arlen Specter, R-Pa., and addressed many of the follow-up questions that the committee had for GAO.

The GAO released a report in May detailing the flaws in the FBI's Trilogy system, Technology Daily said. It reported that the FBI could not locate more than 1,200 pieces of equipment, valued at about $7.6 million.

The FBI responded by saying that it had accounted for 800 of those items, but GAO could not verify that claim, Calbom wrote, the report said.

© Copyright 2006 United Press International, Inc. All Rights Reserved

From isn at c4i.org Thu Jun 15 02:27:08 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:27:08 -0500 (CDT)
Subject: [ISN] Money lost to cybercrime down--again
Message-ID:

http://news.com.com/2100-7349_3-6083860.html

By Joris Evers
Staff Writer, CNET News.com
June 14, 2006

SCOTTSDALE, Ariz.--While many headlines spell doom and gloom when it comes to computer-related misdeeds, the average losses at businesses due to cybercrime continue to drop, according to a new survey.

For the fourth straight year, the financial losses incurred by businesses due to incidents such as computer break-ins have fallen, according to the 2006 annual survey by the Computer Security Institute and the FBI. Robert Richardson, editorial director at the CSI, discussed the survey's findings in a presentation at the CSI NetSec conference here Wednesday.

Respondents in the 2005 survey reported an average of $204,000 in cybercrime losses, Richardson said. This year, that's down to $168,000, about an 18 percent drop, he added. Compared with 2004, the average loss is down 68 percent.

"How do you go about reconciling the sense of things getting worse with the respondents who are saying they are losing less money?" Richardson asked.

The 2006 survey, a final version of which is slated to be released next month, could provide some answers. Most important, perhaps, the 615 U.S. CSI members who responded to this year's survey reported fewer security incidents. Viruses, laptop theft and insider abuse of Net access are still the most reported threats, but all have decreased compared with last year.

"The danger of insiders may be somewhat overstated, according to the survey group," Richardson said. About a third of respondents said they had no losses at all due to insider threats; another 29 percent said less than one-fifth of overall losses came from insider threats.
Consistent use of security technology may also contribute to the improvements, with essentially all of the respondents stating that they use firewall and antivirus software, not much of a change from last year. This year, eight out of 10 said they also use spyware protection, a category not listed a year ago.

"Overall, you have a picture that is pretty good in many ways," Richardson said. "We're seeing fewer of some of the attacks that have been such a plague for us in many years, and respondents are using less and less money."

That "less money" may be good for companies, but not for security vendors. It refers to the percentage of IT budgets spent on security. In the 2006 survey, nearly half of the respondents said less than 2 percent of the budget is spent on security. Last year that percentage was 35 percent.

When it comes to cybercrime losses, consumers might be bearing the brunt of them, and they are not covered by the survey, Richardson suggested. "Consumers are the low-hanging fruit," he said. Costs related to identity theft, for example, fall largely back onto the consumer, he added, even if it did start with a data breach at an enterprise.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Thu Jun 15 02:27:36 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:27:36 -0500 (CDT)
Subject: [ISN] Exploits for Microsoft flaws circulating
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001182

By Jaikumar Vijayan
Computerworld
June 14, 2006

Security firms are warning about the availability of attack code targeting some of the flaws for which Microsoft Corp. released patches yesterday (see "Microsoft releases fixes for 21 vulnerabilities" [1]).

Most of the exploits target flaws that were previously known but for which patches became available only as part of Microsoft's June monthly security update.
But at least two publicly available exploits are directed at newly disclosed flaws in the company's products.

"Exploit code had already existed for three of the vulnerabilities prior to yesterday, as they were already public issues," said Michael Sutton, director of VeriSign Inc.'s iDefense Labs. "Beyond that, we're seeing public exploit code emerge for some of the new vulnerabilities and are hearing rumors of private code existing for others."

The availability of such exploits heightens the risk for companies that have not yet been able to patch their systems and is an important factor to consider when deciding which systems to patch first, he said.

"We believe that it is far more beneficial to withhold proof-of-concept code for an amount of time so that customers can get the vulnerabilities patched," said Stephen Toulouse, security program manager at Microsoft's security response center. "The public broadcasting of code so quickly after a bulletin release, we believe, tends to help attackers."

Microsoft is telling its customers to pay special attention to three key updates -- MS06-021, MS06-022 and MS06-023 -- because they could be particularly easy to exploit using Internet Explorer. "There are methods by which if you just browse to a Web site, there could be code execution," Toulouse said.

According to iDefense, some form of exploit code is publicly available against the cross-domain information disclosure vulnerability described in bulletins MS06-021, the address bar spoofing flaw in MS06-021 and the Word malformed object pointer vulnerability described in MS06-027. All three were previously known flaws and were given a severity rating of "critical" by Microsoft.

In addition, exploits have also become publicly available for both of the newly disclosed server message block vulnerabilities in MS06-030, according to iDefense.

The SANS Internet Storm Center this morning posted a note also listing exploits released by penetration-testing vendors to customers.
One of the exploits was directed against the Windows Media Player flaw in MS06-024, while the other was targeted at the routing and remote-access vulnerability in MS06-025. Denial-of-service attack codes are also privately available for a TCP/IP flaw in MS06-032, according to SANS.

Outside of the Word malware, which began circulating last month, Microsoft has not yet seen any of these exploits used by attackers, Toulouse said.

The availability of exploit code once again shows that there is no longer any "patching window" for companies, said Johannes Ullrich, chief research officer at the Internet Storm Center.

"Companies don't have the luxury of sitting back and waiting," Ullrich said. "They have to expect that public exploits will become available the day after vulnerabilities are disclosed, and they have to expedite the patching process," despite the challenges involved, he said.

Robert McMillan of the IDG News service contributed to this report.

[1] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001163

From isn at c4i.org Fri Jun 16 04:28:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 16 Jun 2006 03:28:56 -0500 (CDT)
Subject: [ISN] NBA investigates security breach
Message-ID:

http://www.palmbeachpost.com/heat/content/sports/epaper/2006/06/15/a8c_mavsnotes_0615.html

By Tom D'Angelo
Palm Beach Post Staff Writer
June 15, 2006

MIAMI - NBA security continues to investigate a breach that allowed two women who were unauthorized to enter the Dallas Mavericks' locker room following Miami's Game 3 victory and wander into the showers.

Dallas forward Josh Howard chased the women out of the showers. They then were escorted out of the building. No arrests were made.

"We're continuing to review the situation but we will certainly have enhanced security for the remaining games of the series," NBA spokesperson Tim Frank said.

Some Mavericks players believe the women took pictures with camera phones before the phones were confiscated.
The NBA would not comment on the possibility that pictures were taken.

"There have been situations in the NBA where things happen, but that might be the wildest situation that I have ever seen," Mavericks guard Darrell Armstrong said. "I have never seen that before."

[...]

From isn at c4i.org Fri Jun 16 04:29:12 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 16 Jun 2006 03:29:12 -0500 (CDT)
Subject: [ISN] ...and now a word from one of our sponsors II
Message-ID:

http://attrition.org/news/content/06-06-15.001.html

After a frustrating day at the coke web site (mycokerewards.com which leads to another server/domain), I finally got all the FAQs and rules to load. Frustrating because the site is poorly written, the pages randomly 404, inputting codez or entering the daily contests error out frequently. Add to that the codes are not always 100% legible on the bottles and boxes.

Anyway, after a little math, I see that this loyalty reward program is a complete scam! Here are a few key rules:

http://mcr.us.icoke.com/rules.do

1. The Program begins at 12:00 p.m. Eastern Time (ET) on February 27, 2006 and is scheduled to end at 12:00 p.m. ET on January 15, 2007. The Website will indicate whether there is an active Double Points period in effect.

3. Codes can only be used 1 time. Limit: 10 valid codes per Account, per day (12:00 p.m. ET through 11:59 a.m. ET). However, if an Enrollee enters 20 invalid codes before entering 10 valid codes, Enrollee will be unable to enter any more codes for that day. Enrollees may not combine codes obtained by others for deposit into a single Enrollees account, nor transfer, sell, or otherwise dispose of codes in any manner in violation or attempted subversion of these Terms and Conditions. Any attempt to combine or transfer codes or points will result in disqualification from the Program and forfeiture of all points in any Enrollees Account.

9. Enrollees must save the bottle cap, product packaging, and/or promotional item with official code for at least 90 days after the date Enrollee redeems an item online, as it may be necessary to submit it later for verification.

3. The Program is provided to individuals only. Corporations, associations or other groups may not participate in the Program.

Cliff notes: You alone, not a group/company/association must enter the contest. You have 322 days to input codes, but only 10 codes a day. That is 100 points a day max, for 32,220 points total. So the 20,000 point TV and the rewards for 24,000+ seem feasible. Until you see that you can't combine codes from other people, and must keep the physical cap/box with the code for 90 days after prize redemption.

In short, they think that a single person can purchase and presumably consume *2,000* cases of coke in 322 days? If you can drink 74.5 cans of coke per day, every day, for the entire duration of the contest, then you have a chance of getting that prize.

Does Coca-cola realize it has implemented a loyalty program that baits people into participating, but won't actually give out the rewards because it isn't possible as outlined in the rules? Is this a cheap gimmick or corporate oversight? I'd like to find out.

I'm still aiming to get codes from the masses.. but now, instead of a nice TV as a generous reward for eight years of indentured servitude, it is likely going to be a chance to write a scathing article about corporate lies and the reality of such loyalty reward programs. If I get 20,000 points (which is only now possible if they carry through with the 'double point' days), will they actually part with said TV? Let's find out.
From isn at c4i.org Fri Jun 16 04:29:32 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 16 Jun 2006 03:29:32 -0500 (CDT)
Subject: [ISN] Microsoft Has a Big Date Set with 'Black Hat' Hackers
Message-ID:

http://www.eweek.com/article2/0,1759,1976171,00.asp

By Ryan Naraine
June 13, 2006

Microsoft's Windows Vista has a date with some of the world's smartest hackers.

The software maker will use the spotlight of the Black Hat security conference in August to show off some of the key security features and functionality being fitted into Vista.

Microsoft's appearance on the Black Hat stage is a first on many fronts. Microsoft will be the first software vendor to present an entire Black Hat Briefing track on a pre-release product. It is also the first time a representative from Redmond, Wash., will make an official presentation at the controversial hacker confab.

According to Microsoft program manager Stephen Toulouse, the idea is to provide "deeply technical presentations" on Vista security to the hacking community.

"We submitted several presentations to the Black Hat event organizers and, based on the technical merit and interest to the audience, they were accepted," Toulouse said.

In total, the day-long track will include five presentations from Microsoft security engineers and Toulouse said researchers and architects from Redmond will also be actively participating in the event.

"We want to make sure we're gathering as much feedback as we can, so that Windows Vista succeeds as the most secure version of Windows ever released," he added.

The sessions will include a talk by John Lambert, group manager in Microsoft's Security Engineering and Communications Group, on the security engineering process behind Windows Vista. Lambert is expected to hold up Vista as the first end-to-end major operating system release in the Trustworthy Computing era from Microsoft.
His talk will cover how the Vista engineering process is different from Windows XP and details from what is described as the "largest-commercial-pentest-in-the-world." Lambert plans to give Black Hat researchers a sneak peek at some of the new mitigations in Vista that combat memory overwrite vulnerabilities.

Wi-Fi in Vista will also come under the microscope when Noel Anderson, group manager in Microsoft's wireless networking group, talks about the way the operating system will handle support for 802.11 wireless technologies.

Anderson is expected to outline the new UI experience and updated Wi-Fi default behaviors in Vista, and information on a new software stack that is designed to be more secure, more open and extensible. He is expected to describe the various components of the stack and show developers how to create code to modify and extend the client. Anderson will also outline the different ways Microsoft tests Wi-Fi in the new operating system.

Also on the Black Hat agenda is a talk by Abolade Gbadegesin, an architect in Microsoft's Windows Networking and Device Technologies Division, on the way Microsoft rearchitected and rewrote the TCP/IP stack in Vista.

Adrian Marinescu, a lead developer in the Windows Kernel group, will outline the enhancements made in Vista's heap manager to show how the OS has been hardened to thwart certain types of heap usage attacks.

Microsoft previously fitted technology into Windows Server 2003 and Windows XP SP2 to reduce the reliability of heap usage attacks, but Marinescu plans to talk about how the heap manager in Vista pushes the innovation much further in that area. His talk will describe the challenges the company faced and the technical details of the changes coming in Vista.

Microsoft's oft-criticized Internet Explorer browser will also get Black Hat billing this year when IE program manager Tony Chor discusses the security engineering methodology that is being applied to the new IE 7.
Chor is expected to detail key vulnerabilities and attacks this methodology revealed, as well as how the new version of IE will mitigate those threats.

Also on tap is a talk by Andrew Cushman, director of Microsoft's Security Response, Engineering and Outreach Team, on the way the company has changed its internal processes to deal with the changing security landscape.

Microsoft won't be alone shining the spotlight on Vista's security. Joanna Rutkowska, a renowned researcher specializing in rootkits, plans to talk about how stealthy malware threats can still be inserted into the latest Vista Beta 2 kernel (x64 edition). Rutkowska is expected to show how to bypass the Vista policy for allowing only digitally signed code to be loaded into the kernel.

From isn at c4i.org Fri Jun 16 04:29:53 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 16 Jun 2006 03:29:53 -0500 (CDT)
Subject: [ISN] Online threats outpacing law crackdowns
Message-ID:

http://news.com.com/Online+threats+outpacing+law+crackdowns/2100-7349_3-6084317.html

By Joris Evers
Staff Writer, CNET News.com
June 15, 2006

SCOTTSDALE, Ariz.--Authorities are cracking down on phishing and botnets, but the threats are advancing instead of diminishing, two law enforcement officials said.

Cybercrooks are organizing better and moving to more sophisticated tactics to get their hands on confidential data and turn PCs of unwitting users into bots, representatives from the U.S. Department of Justice and the U.S. Air Force Office of Special Investigations said in separate presentations here at the Computer Security Institute's NetSec event this week.

Law enforcement has had increased successes in catching, prosecuting and convicting phishers and bot herders over the past couple of years. However, catching the bad guys is getting tougher as the criminals become more professional, the representatives said.

"We're seeing increasingly sophisticated groups online that are more indicative of crime groups," Jonathan Rusch, special counsel for fraud prevention at the Justice Department, said in a presentation. The criminals who have been caught range from teenagers to retirees, he said.

Rusch spoke about phishing, a prevalent type of online attack that combines e-mail spam and fraudulent Web sites made to look like trusted sites, which are aimed at tricking a user into giving up sensitive information such as a credit card or Social Security number. Almost 17,500 phishing Web sites were reported to the Anti-Phishing Working Group in April.

A top phishing concern is the increased use of malicious software, Rusch said. Increasingly, phishers use Trojan horses that pack backdoors, screen grabbers or keystroke loggers to capture log-in names, passwords and other information, he said. In April, there were 180 unique examples of such malicious code, he said.

Backdoor software gives attackers remote access to an infected PC, which could let them piggyback onto a user's Internet connection and conduct online transactions from the victim's PC while masquerading as the person, Rusch said. Screen grabbers and keystroke loggers can be programmed to capture very specific information and are even designed to wait until a user logs on to a certain banking Web site and send that information to the attacker.

Malicious software is where phishers intersect with bot herders, those who run networks of compromised machines, called a bot net. Computers typically become compromised and turned into a bot, also popularly called a zombie, after visiting a malicious Web site or opening an infected e-mail message or attachment. The bot software often nestles itself on a PC unbeknownst to the user by exploiting an unpatched security flaw on the system.

Law enforcement has been catching up to bot herders, and there have been some high-profile convictions.
But here, too, the battle is getting harder, Wendi Whitmore, a special agent with the Air Force Office of Special Investigations, said in a presentation on botnets.

"Botnets are one of the greatest facilitators of cybercrime these days. Really the cybercrime arena is wrapped around botnets," she said.

With ubiquitous broadband connections and exploits for security flaws in software out before patches, the Internet environment is ideal for bots or zombies to proliferate, she said. That assertion is backed by a recent analysis by Microsoft. The software maker found that bots were the most common Windows threat, with more than 60 percent of compromised computers running bot code.

A zombie PC can be used by miscreants to store illegal content, such as child pornography, or in a botnet to relay spam and launch cyberattacks. Additionally, hackers often steal the victim's data and install spyware and adware on PCs, to earn a kickback from the spyware or adware maker.

Practice makes perfect

Meanwhile, bot masters are getting smarter about hiding. Today, most botnets are controlled using Internet Relay Chat, or IRC, servers and channels. Soon that could become instant messaging, peer-to-peer technology or protocols used by Internet phone services such as Skype or Vonage, Whitmore said.

"That is something that we're worried about because those protocols are proprietary," she said. "They don't publish routing protocols; it would be very difficult to catch that kind of crime."

Also, Whitmore expects cybercrooks to maintain smaller botnets with the hope of staying under the radar. People being caught today operate networks of as many as 1 million PCs. "There is a greater chance that you're going to get caught, if you do that much activity and command and control that many computers," she said.

Cybercriminals are often after data they can turn into cash, such as credit card numbers or even trade secrets.

"If you have a smaller botnet and you combine that with targeted, really sophisticated social engineering tactics, you're going to be potentially a lot more successful," Whitmore said.

The military has seen a rise in such attacks over the last couple of years, Whitmore said. The attackers know what organizations work together, which generals would be involved and what issues they would talk about, she said. It's "incredibly disturbing, because those are the kinds of things that should be kept somewhat secret," she said.

Law enforcement alone cannot solve the phishing and botnet problems, Rusch and Whitmore said. The technology industry and consumers have key parts to play, they said.

"Part of the problem is the way we design the online environment for users," Rusch said. It should be easier for people to see whether a site can be trusted or not, he said. Some of that is happening today with increased security coming in new Web browsers, for example.

A stronger effort to take down phishing Web sites is also welcome, he said. The average phishing Web site was up for five days in April, and that's too long, Rusch said.

In fighting bots, Whitmore sees benefits in Internet service providers delivering security software to their users. "The long-term benefit of ISPs becoming more involved would be an overall reduction of malicious code on the Internet, and most of us believe that's a good thing," she said.
From isn at c4i.org Fri Jun 16 04:30:15 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 16 Jun 2006 03:30:15 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-24
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-06-08 - 2006-06-15

This week: 149 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Tuesday Microsoft issued a total of 12 bulletins. One of the bulletins addressed the Extremely Critical Word vulnerability which already has been exploited by malicious malware.
Another addressed the Internet Explorer vulnerability which was discovered by Secunia Security Researcher Andreas Sandblad while researching the crash bug reported by Michal Zalewski. References: http://secunia.com/SA20153 http://secunia.com/SA19762 -- VIRUS ALERTS: During the past week Secunia collected 297 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability 2. [SA20595] Microsoft Internet Explorer Multiple Vulnerabilities 3. [SA20639] Microsoft Windows TCP/IP Protocol Driver Buffer Overflow 4. [SA19762] Internet Explorer Exception Handling Memory Corruption Vulnerability 5. [SA20442] Firefox File Upload Form Keystroke Event Cancel Vulnerability 6. [SA19521] Internet Explorer Window Loading Race Condition Vulnerability 7. [SA20543] FilZip Multiple Archive Directory Traversal Vulnerability 8. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information 9. [SA20626] Windows Media Player PNG Processing Buffer Overflow 10. 
[SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA20631] Microsoft Windows Graphics Rendering Engine Vulnerability
[SA20626] Windows Media Player PNG Processing Buffer Overflow
[SA20620] Microsoft JScript Memory Corruption Vulnerability
[SA20605] Microsoft Windows ART Image Handling Buffer Overflow
[SA20595] Microsoft Internet Explorer Multiple Vulnerabilities
[SA20575] WinSCP Protocol Handler Command Line Switch Injection
[SA20639] Microsoft Windows TCP/IP Protocol Driver Buffer Overflow
[SA20634] Microsoft Exchange Server Outlook Web Access Script Insertion
[SA20609] ePhotos Multiple SQL Injection Vulnerabilities
[SA20574] CesarFTP MKD Command Buffer Overflow Vulnerability
[SA20556] MailEnable Enterprise Multiple WebMail Vulnerabilities
[SA20554] My Photo Scrapbook SQL Injection and Cross-Site Scripting
[SA20545] OfficeFlow Cross-Site Scripting and SQL Injection Vulnerabilities
[SA20517] ASP ListPics Cross-Site Scripting and Script Insertion
[SA20637] Microsoft Windows RPC Mutual Authentication Vulnerability
[SA20630] Microsoft Windows Routing and Remote Access Vulnerabilities
[SA20617] fipsCMS "index.asp" Cross-Site Scripting Vulnerabilities
[SA20614] ClickGallery Cross-Site Scripting Vulnerabilities
[SA20610] i-Gallery Cross-Site Scripting Vulnerabilities
[SA20606] Uphotogallery thumbnails.asp Cross-Site Scripting
[SA20604] Xtreme ASP Photo Gallery Cross-Site Scripting Vulnerabilities
[SA20603] DwZone Shopping Cart "ProductDetailsForm.asp" Cross-Site Scripting
[SA20583] Cabacos Web CMS "suchtext" Parameter Cross-Site Scripting
[SA20582] CFXe CMS "voltext_suche" Parameter Cross-Site Scripting
[SA20578] LogiSphere Cross-Site Scripting Vulnerability
[SA20559] fipsGallery "path" Parameter Cross-Site Scripting Vulnerability
[SA20553] EZGallery Multiple Cross-Site Scripting Vulnerabilities
[SA20544] VanillaSoft Helpdesk "username" Cross-Site Scripting
[SA20543] FilZip Multiple Archive Directory Traversal Vulnerability
[SA20537] WS-Album "FullPhoto.asp" Cross-Site Scripting Vulnerabilities
[SA20527] ClickCart "cat" Parameter Cross-Site Scripting Vulnerability
[SA20635] Windows SMB Denial of Service and Privilege Escalation
[SA20629] Kaspersky Anti-Virus "klif.sys" Denial of Service Vulnerability

UNIX/Linux:
[SA20669] Gentoo update for DokuWiki
[SA20592] Zeroboard ".htaccess" File Upload Vulnerability
[SA20569] free QBoard "qb_path" Parameter File Inclusion Vulnerability
[SA20561] Gentoo update for firefox
[SA20689] Ubuntu update for wv2
[SA20683] Slackware update for sendmail
[SA20675] IBM AIX update for Sendmail
[SA20673] SGI IRIX update for sendmail
[SA20671] Debian update for kernel-source-2.4.27
[SA20667] Avaya Products LibTIFF Multiple Vulnerabilities
[SA20665] wvWare wv2 Library Integer Overflow Vulnerability
[SA20654] SUSE update for sendmail
[SA20653] Avaya Products PostgreSQL Multiple Vulnerabilities
[SA20651] FreeBSD update for sendmail
[SA20650] Solaris update for sendmail
[SA20641] Red Hat update for sendmail
[SA20638] Mandriva update for freetype2
[SA20625] Red Hat update for mysql
[SA20624] Red Hat update for mailman
[SA20608] Gentoo update for wordpress
[SA20591] Debian update for freetype
[SA20564] Gentoo update for cscope
[SA20562] Gentoo update for mysql
[SA20555] SUSE update for postgresql
[SA20551] 0verkill Denial of Service Vulnerability
[SA20550] Ubuntu update for binutils
[SA20548] Ubuntu update for courier-mta
[SA20542] Debian update for webcalendar
[SA20541] Debian update for mysql-dfsg-4.1
[SA20531] Trustix updates for binutils / mysql / spamassassin
[SA20525] Ubuntu update for libfreetype6
[SA20520] Debian update for tiff
[SA20519] Courier Mail Server Username Encoding Denial of Service
[SA20658] Gentoo update for asterisk
[SA20566] Gentoo update for Spamassassin
[SA20676] SUSE update for php4 / php5
[SA20672] Debian update for horde3
[SA20627] SUSE Updates for Multiple Packages
[SA20622] Debian update for gforge
[SA20601] P.A.I.D "read" Parameter Cross-Site Scripting Vulnerability
[SA20571] Ubuntu update for libgd2
[SA20563] Gentoo update for jpeg
[SA20677] aRts "artswrapper" Helper Application setuid Security Issue
[SA20674] Ubuntu update for kdm
[SA20660] Red Hat update for kdebase
[SA20636] Gentoo update for gdm
[SA20616] Gentoo update for vixie-cron
[SA20602] KDE KDM Arbitrary File Reading Vulnerability
[SA20587] Mandriva update for gdm
[SA20552] Ubuntu update for gdm
[SA20532] GNOME Display Manager Configuration GUI Access Vulnerability
[SA20549] Ubuntu update for xine-lib
[SA20666] Avaya Products vixie-cron Exposure of Arbitrary Cron Files

Other:
[SA20618] FAST360 Appliance DNS Analysis Denial of Service
[SA20570] FAST360 Appliance HTTP Analysis Bypass Vulnerability
[SA20644] Cisco WebVPN Cross-Site Scripting Vulnerability
[SA20647] Symantec Security Information Manager Authentication Bypass

Cross Platform:
[SA20656] PictureDis Products "lang" Parameter File Inclusion Vulnerability
[SA20633] Microsoft PowerPoint Malformed Record Vulnerability
[SA20632] Flipper Poll "root_path" File Inclusion Vulnerability
[SA20588] aePartner "dir[data]" File Inclusion Vulnerability
[SA20573] phpCMS "PHPCMS_INCLUDEPATH" File Inclusion Vulnerabilities
[SA20568] webprojectdb "INCDIR" Parameter File Inclusion Vulnerabilities
[SA20558] AWF CMS "spaw_root" Parameter File Inclusion Vulnerability
[SA20557] Content*Builder File Inclusion Vulnerabilities
[SA20536] Minerva "phpbb_root_path" File Inclusion Vulnerability
[SA20522] Enterprise Payroll Systems "absolutepath" File Inclusion
[SA20687] phpBannerExchange "email" Parameter SQL Injection
[SA20648] TikiWiki Unspecified Cross-Site Scripting and SQL Injection
[SA20646] blur6ex "ID" Parameter SQL Injection Vulnerability
[SA20642] PhpMyFactures Multiple Vulnerabilities
[SA20613] Five Star Review Script Multiple Vulnerabilities
[SA20611] Mobile Space Community Multiple Vulnerabilities
[SA20607] tinyMuw "comment" Script Insertion Vulnerability
[SA20599] MyScrapbook Script Insertion Vulnerabilities
[SA20598] ST AdManager Lite Article Submission Script Insertion Vulnerability
[SA20597] Coppermine Photo Gallery "add_hit()" SQL Injection
[SA20581] Fast Menu Restaurant Ordering Multiple Vulnerabilities
[SA20576] Adobe Reader Unspecified Vulnerabilities
[SA20547] i.List Cross-Site Scripting and Script Insertion Vulnerabilities
[SA20535] E-Dating System Multiple Vulnerabilities
[SA20534] CS-Forum Multiple Vulnerabilities
[SA20529] Mafia Moblog "img" Parameter SQL Injection Vulnerability
[SA20526] PBL Guestbook Script Insertion Vulnerabilities
[SA20523] NPDS Local File Inclusion and Cross-Site Scripting Vulnerabilities
[SA20521] KAPhotoservice Cross-Site Scripting and Script Insertion
[SA20623] iaxComm iaxclient Buffer Overflow Vulnerability
[SA20567] Kiax iaxclient Buffer Overflow Vulnerability
[SA20560] IDE FISK iaxclient Buffer Overflow Vulnerability
[SA20661] Horde Cross-Site Scripting Vulnerabilities
[SA20652] 35mm Slide Gallery Multiple Cross-Site Scripting Vulnerabilities
[SA20640] Event Registration Multiple Cross-Site Scripting Vulnerabilities
[SA20621] OkMall "search.php" Cross-Site Scripting Vulnerabilities
[SA20619] iFoto "file" Cross-Site Scripting Vulnerability
[SA20612] Mole Group Ticket Booking Script Cross-Site Scripting
[SA20594] QuickLinks "q" Cross-Site Scripting Vulnerability
[SA20593] OkArticles "q" Cross-Site Scripting Vulnerability
[SA20590] Ringlink "ringid" Cross-Site Scripting Vulnerabilities
[SA20586] Realty Room Rent "sel_menu" Cross-Site Scripting Vulnerability
[SA20585] ZMS "raw" Parameter Cross-Site Scripting Vulnerability
[SA20584] Realty Home Rent "sel_menu" Cross-Site Scripting Vulnerability
[SA20580] SubText MultiBlog Admin Logon Security Issue
[SA20577] Sylpheed URI Check Bypass Security Issue
[SA20572] myPHP Guestbook "lang" Cross-Site Scripting
[SA20565] Car Classifieds "make_id" Cross-Site Scripting Vulnerability
[SA20546] EvGenius Counter "page" Parameter Cross-Site Scripting
[SA20540] Chemical Directory Search Functionality Cross-Site Scripting
[SA20539] Easy Ad-Manager "mbid" Parameter Cross-Site Scripting
[SA20538] ViArt Shop Free Cross-Site Scripting Vulnerabilities
[SA20533] vSCAL / vsREAL Cross-Site Scripting Vulnerabilities
[SA20530] Ez Ringtone Manager Cross-Site Scripting Vulnerabilities
[SA20528] IntegraMOD "STYLE_URL" Parameter Cross-Site Scripting
[SA20524] SHOUTcast Server DJ Script Insertion Vulnerabilities
[SA20579] DB2 Universal Database Multiple Denial of Service Vulnerabilities
[SA20518] Sun Grid Engine CSP Mode Authentication Security Issue

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA20631] Microsoft Windows Graphics Rendering Engine Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
Symantec has reported a vulnerability in certain old versions of Windows, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20631/

--
[SA20626] Windows Media Player PNG Processing Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
iDefense Labs has reported a vulnerability in Windows Media Player, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20626/

--
[SA20620] Microsoft JScript Memory Corruption Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20620/

--
[SA20605] Microsoft Windows ART Image Handling Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20605/

--
[SA20595] Microsoft Internet Explorer Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Spoofing, System access
Released: 2006-06-13
Some vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks and compromise a user's system.
Full Advisory: http://secunia.com/advisories/20595/

--
[SA20575] WinSCP Protocol Handler Command Line Switch Injection
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2006-06-12
Jelmer Kuperus has discovered a vulnerability in WinSCP, which can be exploited by malicious people to manipulate certain files on a user's system and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20575/

--
[SA20639] Microsoft Windows TCP/IP Protocol Driver Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-13
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20639/

--
[SA20634] Microsoft Exchange Server Outlook Web Access Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
SEC Consult has reported a vulnerability in Microsoft Exchange Server, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20634/

--
[SA20609] ePhotos Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-13
r0t has reported some vulnerabilities in ePhotos, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20609/

--
[SA20574] CesarFTP MKD Command Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-12
h07 has discovered a vulnerability in CesarFTP, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20574/

--
[SA20556] MailEnable Enterprise Multiple WebMail Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Privilege escalation
Released: 2006-06-12
Soroush Dalili has discovered some vulnerabilities in MailEnable Enterprise, which potentially can be exploited by malicious users to gain escalated privileges, and by malicious people and users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20556/

--
[SA20554] My Photo Scrapbook SQL Injection and Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-09
r0t has reported some vulnerabilities in My Photo Scrapbook, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20554/

--
[SA20545] OfficeFlow Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-09
r0t has reported two vulnerabilities in OfficeFlow, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20545/

--
[SA20517] ASP ListPics Cross-Site Scripting and Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
Two vulnerabilities have been reported in ASP ListPics, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/20517/

--
[SA20637] Microsoft Windows RPC Mutual Authentication Vulnerability
Critical: Moderately critical
Where: From local network
Impact: Spoofing
Released: 2006-06-13
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to spoof a valid RPC server.
Full Advisory: http://secunia.com/advisories/20637/

--
[SA20630] Microsoft Windows Routing and Remote Access Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-13
Two vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious people or users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20630/

--
[SA20617] fipsCMS "index.asp" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
r0t has reported some vulnerabilities in fipsCMS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20617/

--
[SA20614] ClickGallery Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
r0t has reported two vulnerabilities in ClickGallery, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20614/

--
[SA20610] i-Gallery Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
r0t has reported some vulnerabilities in i-Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20610/

--
[SA20606] Uphotogallery thumbnails.asp Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
r0t has reported a vulnerability in Uphotogallery, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20606/

--
[SA20604] Xtreme ASP Photo Gallery Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
r0t has discovered some vulnerabilities in Xtreme ASP Photo Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20604/

--
[SA20603] DwZone Shopping Cart "ProductDetailsForm.asp" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
r0t has reported two vulnerabilities in DwZone Shopping Cart, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20603/

--
[SA20583] Cabacos Web CMS "suchtext" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
David "Aesthetico" Vieira-Kurz has reported a vulnerability in Cabacos Web CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20583/

--
[SA20582] CFXe CMS "voltext_suche" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
David "Aesthetico" Vieira-Kurz has reported a vulnerability in CFXe CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20582/

--
[SA20578] LogiSphere Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
Ziv Kamir has discovered a vulnerability in LogiSphere, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20578/

--
[SA20559] fipsGallery "path" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
r0t has reported a vulnerability in fipsGallery, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20559/

--
[SA20553] EZGallery Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
r0t has reported some vulnerabilities in EZGallery, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20553/

--
[SA20544] VanillaSoft Helpdesk "username" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
r0t has reported a vulnerability in VanillaSoft Helpdesk, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20544/

--
[SA20543] FilZip Multiple Archive Directory Traversal Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-06-09
Claus Berghamer has discovered a vulnerability in FilZip, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20543/

--
[SA20537] WS-Album "FullPhoto.asp" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
r0t has discovered some vulnerabilities in WS-Album, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20537/

--
[SA20527] ClickCart "cat" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
r0t has reported a vulnerability in ClickCart, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20527/

--
[SA20635] Windows SMB Denial of Service and Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2006-06-13
Ruben Santamarta has reported two vulnerabilities in Microsoft Windows, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and gain escalated privileges.
Full Advisory: http://secunia.com/advisories/20635/

--
[SA20629] Kaspersky Anti-Virus "klif.sys" Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-06-14
Skywing has discovered a vulnerability in Kaspersky Anti-Virus, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20629/

UNIX/Linux:
--
[SA20669] Gentoo update for DokuWiki
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, System access
Released: 2006-06-15
Gentoo has issued an update for DokuWiki. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20669/

--
[SA20592] Zeroboard ".htaccess" File Upload Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
Richard Son has discovered a vulnerability in Zeroboard, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20592/

--
[SA20569] free QBoard "qb_path" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-12
Kacper has reported a vulnerability in free QBoard, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20569/

--
[SA20561] Gentoo update for firefox
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, System access
Released: 2006-06-12
Gentoo has issued an update for firefox. This fixes multiple vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and HTTP response smuggling attacks, and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20561/

--
[SA20689] Ubuntu update for wv2
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-15
Ubuntu has issued an update for wv2. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise an application using the library.
Full Advisory: http://secunia.com/advisories/20689/

--
[SA20683] Slackware update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
Slackware has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20683/

--
[SA20675] IBM AIX update for Sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
IBM has acknowledged a vulnerability in sendmail, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20675/

--
[SA20673] SGI IRIX update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
SGI has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20673/

--
[SA20671] Debian update for kernel-source-2.4.27
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS
Released: 2006-06-15
Debian has issued an update for kernel-source-2.4.27. This fixes some vulnerabilities and weaknesses, which can be exploited by malicious, local users to bypass certain security restrictions, disclose potentially sensitive information and cause a DoS (Denial of Service), and by malicious people to bypass certain security restrictions, gain knowledge of certain system information, and cause a DoS.
Full Advisory: http://secunia.com/advisories/20671/

--
[SA20667] Avaya Products LibTIFF Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-14
Avaya has acknowledged some vulnerabilities in various Avaya products, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20667/

--
[SA20665] wvWare wv2 Library Integer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-15
A vulnerability has been reported in wvWare wv2 Library, which potentially can be exploited by malicious people to compromise an application using the library.
Full Advisory: http://secunia.com/advisories/20665/

--
[SA20654] SUSE update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
SUSE has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20654/

--
[SA20653] Avaya Products PostgreSQL Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-06-14
Avaya has acknowledged two vulnerabilities and a weakness in various Avaya products, which potentially can be exploited by malicious, local users to bypass certain security restrictions, and by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20653/

--
[SA20651] FreeBSD update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
FreeBSD has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20651/

--
[SA20650] Solaris update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
Sun has acknowledged an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20650/

--
[SA20641] Red Hat update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
Red Hat has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20641/

--
[SA20638] Mandriva update for freetype2
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-13
Mandriva has issued an update for freetype2. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20638/

--
[SA20625] Red Hat update for mysql
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information
Released: 2006-06-12
Red Hat has issued an update for mysql. This fixes a security issue and some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions and to disclose potentially sensitive information, and potentially by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20625/

--
[SA20624] Red Hat update for mailman
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-12
Red Hat has issued an update for mailman. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20624/

--
[SA20608] Gentoo update for wordpress
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-12
Gentoo has issued an update for wordpress. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20608/

--
[SA20591] Debian update for freetype
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-12
Debian has issued an update for freetype. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20591/

--
[SA20564] Gentoo update for cscope
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-12
Gentoo has issued an update for cscope. This fixes a vulnerability, which can be exploited by malicious people to potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20564/

--
[SA20562] Gentoo update for mysql
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-12
Gentoo has issued an update for MySQL. This fixes a vulnerability, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20562/

--
[SA20555] SUSE update for postgresql
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-12
SUSE has issued an update for postgresql. This fixes two vulnerabilities, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20555/

--
[SA20551] 0verkill Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-09
Federico Fazzi has discovered a vulnerability in 0verkill, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20551/

--
[SA20550] Ubuntu update for binutils
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-09
Ubuntu has issued an update for binutils. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20550/

--
[SA20548] Ubuntu update for courier-mta
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-09
Ubuntu has issued an update for courier-mta. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20548/

--
[SA20542] Debian update for webcalendar
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-06-13
Debian has issued an update for webcalendar. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20542/

--
[SA20541] Debian update for mysql-dfsg-4.1
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-09
Debian has issued an update for mysql-dfsg-4.1. This fixes a vulnerability, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20541/

--
[SA20531] Trustix updates for binutils / mysql / spamassassin
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, DoS, System access
Released: 2006-06-09
Trustix has issued updates for binutils, mysql, and spamassassin. These fix some vulnerabilities, which can be exploited by malicious people to conduct SQL injection attacks, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20531/

--
[SA20525] Ubuntu update for libfreetype6
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-09
Ubuntu has issued an update for libfreetype6. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20525/

--
[SA20520] Debian update for tiff
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-08
Debian has issued an update for tiff. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20520/

--
[SA20519] Courier Mail Server Username Encoding Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-08
A vulnerability has been reported in Courier Mail Server, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20519/

--
[SA20658] Gentoo update for asterisk
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-15
Gentoo has issued an update for asterisk. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20658/

--
[SA20566] Gentoo update for Spamassassin
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-12
Gentoo has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20566/

--
[SA20676] SUSE update for php4 / php5
Critical: Less critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-15
SUSE has issued an update for php. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20676/

--
[SA20672] Debian update for horde3
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-15
Debian has issued an update for horde3. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20672/

--
[SA20627] SUSE Updates for Multiple Packages
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2006-06-12
SUSE has issued updates for multiple packages. These fix vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20627/

--
[SA20622] Debian update for gforge
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
Debian has issued an update for gforge. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20622/

--
[SA20601] P.A.I.D "read" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
luny has reported a vulnerability in P.A.I.D, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20601/

--
[SA20571] Ubuntu update for libgd2
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-06-14
Ubuntu has issued an update for libgd2. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) against applications and services using libgd2.
Full Advisory: http://secunia.com/advisories/20571/

--
[SA20563] Gentoo update for jpeg
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-06-12
Gentoo has issued an update for jpeg. This fixes a security issue, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) against applications and services using the jpeg library.
Full Advisory: http://secunia.com/advisories/20563/

--
[SA20677] aRts "artswrapper" Helper Application setuid Security Issue
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-15
A security issue has been reported in aRts, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/20677/

--
[SA20674] Ubuntu update for kdm
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-06-15
Ubuntu has issued an update for kdm. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/20674/

--
[SA20660] Red Hat update for kdebase
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-06-15

Red Hat has issued an update for kdebase. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/20660/

--
[SA20636] Gentoo update for gdm
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-13

Gentoo has issued an update for gdm. This fixes a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/20636/

--
[SA20616] Gentoo update for vixie-cron
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-12

Gentoo has issued an update for vixie-cron. This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory: http://secunia.com/advisories/20616/

--
[SA20602] KDE KDM Arbitrary File Reading Vulnerability
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-06-15

A vulnerability has been reported in KDE, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/20602/

--
[SA20587] Mandriva update for gdm
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-14

Mandriva has issued an update for gdm. This fixes a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/20587/

--
[SA20552] Ubuntu update for gdm
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-09

Ubuntu has issued an update for gdm.
This fixes a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/20552/

--
[SA20532] GNOME Display Manager Configuration GUI Access Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-09

Victor Daniel has reported a vulnerability in GNOME Display Manager (GDM), which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/20532/

--
[SA20549] Ubuntu update for xine-lib
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-06-09

Ubuntu has issued an update for xine-lib. This fixes a weakness, which can be exploited by malicious people to crash certain applications on a user's system.

Full Advisory: http://secunia.com/advisories/20549/

--
[SA20666] Avaya Products vixie-cron Exposure of Arbitrary Cron Files
Critical: Not critical
Where: Local system
Impact: Exposure of system information
Released: 2006-06-14

Avaya has acknowledged a vulnerability in various products, which can be exploited by malicious, local users to read arbitrary cron files.

Full Advisory: http://secunia.com/advisories/20666/

Other:
--
[SA20618] FAST360 Appliance DNS Analysis Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-12

A vulnerability has been reported in FAST360 Appliance, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/20618/

--
[SA20570] FAST360 Appliance HTTP Analysis Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-12

A vulnerability has been reported in FAST360 Appliance, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20570/

--
[SA20644] Cisco WebVPN Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-14

A vulnerability has been reported in Cisco WebVPN, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20644/

--
[SA20647] Symantec Security Information Manager Authentication Bypass
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-14

A vulnerability has been reported in Symantec Security Information Manager, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/20647/

Cross Platform:
--
[SA20656] PictureDis Products "lang" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-15

spykids has discovered some vulnerabilities in PictureDis products, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20656/

--
[SA20633] Microsoft PowerPoint Malformed Record Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13

A vulnerability has been reported in Microsoft PowerPoint, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/20633/

--
[SA20632] Flipper Poll "root_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-15

SpC-x has reported a vulnerability in Flipper Poll, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20632/

--
[SA20588] aePartner "dir[data]" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-12

Kacper has discovered a vulnerability in aePartner, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20588/

--
[SA20573] phpCMS "PHPCMS_INCLUDEPATH" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13

Federico Fazzi has discovered some vulnerabilities in phpCMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20573/

--
[SA20568] webprojectdb "INCDIR" Parameter File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-12

Kacper has discovered two vulnerabilities in webprojectdb, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20568/

--
[SA20558] AWF CMS "spaw_root" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-12

Federico Fazzi has discovered a vulnerability in AWF CMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20558/

--
[SA20557] Content*Builder File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-12

Some vulnerabilities have been reported in Content*Builder, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20557/

--
[SA20536] Minerva "phpbb_root_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13

Kacper has discovered a vulnerability in Minerva, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20536/

--
[SA20522] Enterprise Payroll Systems "absolutepath" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-09

Kacper has discovered two vulnerabilities in Enterprise Payroll Systems, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20522/

--
[SA20687] phpBannerExchange "email" Parameter SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-15

RedTeam has reported a vulnerability in phpBannerExchange, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20687/

--
[SA20648] TikiWiki Unspecified Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-14

securitynews has reported some vulnerabilities in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20648/

--
[SA20646] blur6ex "ID" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-14

rgod has reported a vulnerability in blur6ex, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20646/

--
[SA20642] PhpMyFactures Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2006-06-14

DarkFig has discovered some vulnerabilities in PhpMyFactures, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/20642/

--
[SA20613] Five Star Review Script Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-14

luny has reported some vulnerabilities in Five Star Review Script, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20613/

--
[SA20611] Mobile Space Community Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information
Released: 2006-06-13

luny has reported some vulnerabilities in Mobile Space Community, which can be exploited by malicious people to conduct script insertion and SQL injection attacks, and potentially disclose sensitive information.

Full Advisory: http://secunia.com/advisories/20611/

--
[SA20607] tinyMuw "comment" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13

luny has reported a vulnerability in tinyMuw, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20607/

--
[SA20599] MyScrapbook Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13

luny has reported two vulnerabilities in MyScrapbook, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/20599/

--
[SA20598] ST AdManager Lite Article Submission Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12

luny has reported a vulnerability in ST AdManager Lite, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/20598/

--
[SA20597] Coppermine Photo Gallery "add_hit()" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-13

imei addmimistrator has discovered two vulnerabilities in Coppermine Photo Gallery, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20597/

--
[SA20581] Fast Menu Restaurant Ordering Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-14

luny has reported some vulnerabilities in Fast Menu Restaurant Ordering, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20581/

--
[SA20576] Adobe Reader Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-06-15

Some vulnerabilities with unknown impacts have been reported in Adobe Reader.
Full Advisory: http://secunia.com/advisories/20576/

--
[SA20547] i.List Cross-Site Scripting and Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09

David 'Aesthetico' Vieira-Kurz has discovered some vulnerabilities in i.List, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory: http://secunia.com/advisories/20547/

--
[SA20535] E-Dating System Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released: 2006-06-09

luny has reported some vulnerabilities and a security issue in E-Dating System, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks, and disclose sensitive information.

Full Advisory: http://secunia.com/advisories/20535/

--
[SA20534] CS-Forum Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of system information, Security Bypass
Released: 2006-06-13

DarkFig has reported some vulnerabilities in CS-Forum, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and use it as an open mail relay.

Full Advisory: http://secunia.com/advisories/20534/

--
[SA20529] Mafia Moblog "img" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-09

Simo64 has discovered a vulnerability in Mafia Moblog, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20529/

--
[SA20526] PBL Guestbook Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09

luny has discovered some vulnerabilities in PBL Guestbook, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/20526/

--
[SA20523] NPDS Local File Inclusion and Cross-Site Scripting Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released: 2006-06-09

DarkFig has discovered some vulnerabilities in NPDS, which can be exploited by malicious people to conduct cross-site scripting attacks and to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/20523/

--
[SA20521] KAPhotoservice Cross-Site Scripting and Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09

r0t has reported some vulnerabilities in KAPhotoservice, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory: http://secunia.com/advisories/20521/

--
[SA20623] iaxComm iaxclient Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-06-12

Two vulnerabilities have been reported in iaxComm, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20623/

--
[SA20567] Kiax iaxclient Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access, DoS
Released: 2006-06-12

Two vulnerabilities have been reported in Kiax, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20567/

--
[SA20560] IDE FISK iaxclient Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-06-12

Two vulnerabilities have been reported in IDE FISK (IDEFISK), which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20560/

--
[SA20661] Horde Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-15

Some vulnerabilities have been reported in Horde, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20661/

--
[SA20652] 35mm Slide Gallery Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-15

black-code has reported some vulnerabilities in 35mm Slide Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20652/

--
[SA20640] Event Registration Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-14

luny has reported some vulnerabilities in Event Registration, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20640/

--
[SA20621] OkMall "search.php" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12

luny has reported some vulnerabilities in OkMall, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20621/

--
[SA20619] iFoto "file" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12

luny has discovered a vulnerability in iFoto, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20619/

--
[SA20612] Mole Group Ticket Booking Script Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13

luny has reported a vulnerability in Mole Group Ticket Booking Script, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20612/

--
[SA20594] QuickLinks "q" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12

luny has reported a vulnerability in QuickLinks, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20594/

--
[SA20593] OkArticles "q" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12

luny has reported a vulnerability in OkArticles, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20593/

--
[SA20590] Ringlink "ringid" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12

luny has reported some vulnerabilities in Ringlink, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20590/

--
[SA20586] Realty Room Rent "sel_menu" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-14

luny has reported a vulnerability in Realty Room Rent, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20586/

--
[SA20585] ZMS "raw" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12

David "Aesthetico" Vieira-Kurz has discovered a vulnerability in ZMS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20585/

--
[SA20584] Realty Home Rent "sel_menu" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-14

luny has reported a vulnerability in Realty Home Rent, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20584/

--
[SA20580] SubText MultiBlog Admin Logon Security Issue
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-12

A security issue has been reported in SubText, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20580/

--
[SA20577] Sylpheed URI Check Bypass Security Issue
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-12

A security issue has been reported in Sylpheed, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/20577/

--
[SA20572] myPHP Guestbook "lang" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13

x0r_1 has discovered a vulnerability in myPHP Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20572/

--
[SA20565] Car Classifieds "make_id" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-14

luny has reported a vulnerability in Car Classifieds, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20565/

--
[SA20546] EvGenius Counter "page" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13

r0t has reported two vulnerabilities in EvGenius Counter, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20546/

--
[SA20540] Chemical Directory Search Functionality Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09

luny has reported a vulnerability in Chemical Directory, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20540/

--
[SA20539] Easy Ad-Manager "mbid" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09

luny has reported a vulnerability in Easy Ad-Manager, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20539/

--
[SA20538] ViArt Shop Free Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09

John Cobb has discovered two vulnerabilities in ViArt Shop Free, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20538/

--
[SA20533] vSCAL / vsREAL Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09

luny has reported two vulnerabilities in vSCAL and vsREAL, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20533/

--
[SA20530] Ez Ringtone Manager Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09

luny has reported two vulnerabilities in Ez Ringtone Manager, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20530/

--
[SA20528] IntegraMOD "STYLE_URL" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09

ahwaz has discovered a vulnerability in IntegraMOD, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20528/

--
[SA20524] SHOUTcast Server DJ Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09

UZUZZ has discovered some vulnerabilities in SHOUTcast, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/20524/

--
[SA20579] DB2 Universal Database Multiple Denial of Service Vulnerabilities
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-06-14

Some vulnerabilities have been reported in DB2, which can be exploited by malicious people and users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/20579/

--
[SA20518] Sun Grid Engine CSP Mode Authentication Security Issue
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-08

A security issue has been reported in Sun Grid Engine, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/20518/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe: http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Jun 16 04:30:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 16 Jun 2006 03:30:56 -0500 (CDT)
Subject: [ISN] Study: Sarbanes-Oxley forcing some companies to consider going private
Message-ID:

http://www.networkworld.com/news/2006/061506-sarbanes-oxley.html

By Ann Bednarz
NetworkWorld.com
06/15/06

Faced with the costs to comply with the Sarbanes-Oxley Act, some public companies are looking at going private, even though the costs fell slightly in 2005.

Fed up with the Sarbanes-Oxley burden, 21% of companies that responded to law firm Foley & Lardner's latest study said they are considering going private. Other options respondents are considering include selling the company (10%) and merging with another company (8%).

Meanwhile, costs associated with corporate governance reform dropped 16% for companies with less than $1 billion in annual revenue and 6% for companies with greater than $1 billion in annual revenue, reports Foley & Lardner in its fourth annual Sarbanes-Oxley study, released Thursday. The savings stem from decreased productivity losses, legal fees and initial setup costs. However, audit fees increased, as did the cost of board compensation and liability insurance for directors and officers.

Many industry watchers expected audit fees would drop during public companies' second year of complying with Sarbanes-Oxley Section 404, which requires companies to attest to the effectiveness of controls put in place to protect financial reporting systems and processes. Instead, they increased: Audit fees rose 22% for small companies, 6% for midsize companies and 4% for large companies (as defined by Standard & Poor's indices).
Smaller public companies, in particular, felt the burden of increased audit costs, said Tom Hartman, corporate governance study director and business law partner at Foley & Lardner, in a teleconference. "The increase is disproportionately impacting smaller companies," he said.

The fees companies pay their directors also have climbed considerably as a result of corporate governance and public disclosure reforms implemented since the enactment of Sarbanes-Oxley. Overall annual director fees have increased an average of 71% for small companies, 64% for midsize companies, and 58% for large companies between 2001 and 2005.

When all the expenses are tallied, companies with under $1 billion in revenue spent an average of $2.9 million to comply with Sarbanes-Oxley in 2005, and companies with greater than $1 billion in revenue spent $11.5 million. For companies of all sizes, audit fees represent the biggest portion of those expenses, followed by the cost of lost productivity. While down from 2004 levels, lost productivity nonetheless cost each small company $563,000 and each large company $2.5 million in 2005, on average, Hartman said.

Many companies polled think the Sarbanes-Oxley legislation is overkill. A clear majority (82%) said corporate governance and public disclosure reforms are too strict. For the first time in four years, not a single respondent said the reforms are not strict enough, Hartman said.

Foley & Lardner's study includes data from 114 survey respondents and 850 proxy statements of public companies. Full study results are available on Foley & Lardner's Web site [1].

[1] http://www.foley.com/2006publicstudy

All contents copyright 1995-2006 Network World, Inc.
From isn at c4i.org Mon Jun 19 03:40:54 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:40:54 -0500 (CDT)
Subject: [ISN] Linux Advisory Watch - June 16th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                               Weekly Newsletter  |
|  June 16th, 2006                              Volume 7, Number 25n  |
|                                                                     |
|  Editorial Team:  Dave Wreski              dave at linuxsecurity.com |
|                   Benjamin D. Thomas        ben at linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, advisories were released for freetype, webcalendar, kernel, horde3, horde2, wv2, subversion, ruby, squid, dovecot, gdm, autofs, shadow-utils, rsync, mysql, python, scim, freetype2, squirrelmail, libtiff, spamassassin, sendmail, mailman, kdebase, postgresql, and php. The distributors include Debian, Fedora, Mandriva, Red Hat, and SuSE.

---

Security on your mind?

Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.

The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.
http://www.engardelinux.org/modules/index/register.cgi

---

How To Break Web Software
By: Eric Lubow

With a tool so widely used by so many different types of people like the World Wide Web, it is necessary for everyone to understand as many aspects as possible about its functionality. From web designers to web developers to web users, this is a must read. Security is a job for everyone and How To Break Web Software by Mike Andrews and James A. Whittaker is written for everyone to understand.

Although this book may be geared more towards the developer, it is really a book for everyone. As I mentioned before, security is everyone's responsibility. The ideas, concepts, and procedures outlined in this book are things that even just the average user should be able to pick up on and alert the webmaster of in order to prevent potential disaster.

It is necessary to keep in mind that this book, although seemingly full of information on how to attack web sites and bring down servers, is for informational and educational purposes. It is to inform the developers of common programming and design mistakes. It is also to ensure that common users with no malicious intent can spot problems in design and nip them in the bud before the problems become catastrophic.

The book begins by very basically showing the reader in no uncertain terms the basic concepts that are going to be outlined through the book. The first idea is to get everyone on the same page with client-server relationships and general information about the world wide web.

One of the most important aspects of an attack is knowing your victim. The first informational chapter in this book discusses gathering information on a potential target. Just as with all forthcoming chapters, this one begins with the obvious information and progresses into the more obscure, less thought about topics.
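The information-gathering step the review describes above, applied to a page's own source, as an added example (this is not code from the book or from the newsletter): the script parses a constructed HTML response with Python's standard html.parser and pulls out what an attacker reads first, namely HTML comments, form targets and methods, hidden fields, linked paths and script sources, and then flags hidden fields whose names suggest server-side state (price, identity, role) that the application is trusting the client to carry back. The sample page, the host shop.example and the name heuristic in STATE_HINTS are all assumptions made for the example.

```python
"""Read a page the way an attacker does: comments, forms, hidden state.

Added example. The HTML below is constructed for illustration; the host
shop.example and the field names are invented.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin

# Hidden-field names that usually mean the server is trusting the client to
# carry its state (price, identity, role). Assumed heuristic, not a standard.
STATE_HINTS = ("price", "amount", "total", "discount", "user", "uid",
               "role", "admin", "id")


@dataclass
class PageIntel:
    comments: list = field(default_factory=list)       # developer comments
    forms: list = field(default_factory=list)          # (action_url, METHOD)
    hidden_fields: list = field(default_factory=list)  # (action_url, name, value)
    links: list = field(default_factory=list)          # absolute hrefs
    scripts: list = field(default_factory=list)        # absolute script srcs


class ReconParser(HTMLParser):
    """Collects the parts of a page that leak structure or carry client-side state."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.intel = PageIntel()
        self._form = None  # action of the <form> currently open, if any

    def handle_comment(self, data):
        self.intel.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; valueless attrs are None
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = urljoin(self.base, a.get("action", ""))
            self.intel.forms.append((self._form, a.get("method", "get").upper()))
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            self.intel.hidden_fields.append((self._form, a.get("name", ""), a.get("value", "")))
        elif tag == "a" and "href" in a:
            self.intel.links.append(urljoin(self.base, a["href"]))
        elif tag == "script" and "src" in a:
            self.intel.scripts.append(urljoin(self.base, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def recon(html, base_url):
    """Parse one page and return everything worth noting before an attack."""
    parser = ReconParser(base_url)
    parser.feed(html)
    parser.close()
    return parser.intel


def tamper_candidates(intel):
    """Hidden fields the server should recompute instead of trusting from the client."""
    return [(action, name, value)
            for action, name, value in intel.hidden_fields
            if any(hint in name.lower() for hint in STATE_HINTS)]


# Constructed sample page: the kind of source the recon chapter has in mind.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js?v=2.3.1"></script>
</head><body>
<!-- TODO: remove debug=1 before launch; old admin panel still at /admin_old/ -->
<form action="/checkout" method="post">
  <input type="hidden" name="item_id" value="42">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="csrf_token" value="c0ffee">
  <input type="submit" value="Buy">
</form>
<a href="/admin_old/">legacy</a>
</body></html>
"""


if __name__ == "__main__":
    intel = recon(SAMPLE_HTML, "https://shop.example/cart")
    for c in intel.comments:
        print("comment:", c)
    for action, method in intel.forms:
        print("form:", method, action)
    for action, name, value in tamper_candidates(intel):
        print("client-carried state:", name, "=", value, "->", action)
```

On the sample page the comment gives away a debug flag and an old admin path, and the checkout form carries the price in a hidden field; a server that reads that price back from the POST instead of looking it up by item_id is the state-based attack the book's later chapters cover. The csrf_token field is left alone because it is a nonce, not state, which is the distinction a reviewer of real pages has to make by hand.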
Once the information has been gathered, either via source code, URLs, or any other method that potentially puts information out in the open, the attacks can begin. There are many ways in which these attacks can happen. The authors begin by discussing attacks on the user (client) input and how validation needs to occur or the input needs to be sanitized. They then move on to talk about state based attacks, either through CGI parameters or hidden fields within forms. These ideas were also extended to discuss cookie poisoning, URL jumping, and session hijacking (can also include man in the middle attacks). Without all this information consistently being checked and verified, it is possible for those with malintent to inject information into a session.

http://www.linuxsecurity.com/content/view/122713/49/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New freetype packages fix several vulnerabilities
  10th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123074

* Debian: New webcalendar packages fix arbitrary code execution
  13th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123114

* Debian: New Kernel 2.4.27 packages fix several vulnerabilities
  14th, June, 2006

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/123139

* Debian: New horde3 packages fix cross-site scripting
  14th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123152

* Debian: New horde2 packages fix cross-site scripting
  14th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123153

* Debian: New wv2 packages fix integer overflow
  15th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123160

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 5 Update: subversion-1.3.2-2.1
  9th, June, 2006

This update includes the latest upstream release of Subversion, which fixes a number of minor bugs.
http://www.linuxsecurity.com/content/view/123068

* Fedora Core 4 Update: ruby-1.8.4-2.fc4
  9th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123069

* Fedora Core 5 Update: squid-2.5.STABLE14-2.FC5
  9th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123070

* Fedora Core 5 Update: ruby-1.8.4-5.fc5
  9th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123071

* Fedora Core 5 Update: dovecot-1.0-0.beta8.2.fc5
  9th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123072

* Fedora Core 5 Update: gdm-2.14.8-1
  9th, June, 2006

This update also upgrades GDM to version 2.14.8.
http://www.linuxsecurity.com/content/view/123073

* Fedora Core 5 Update: autofs-4.1.4-25
  11th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123075

* Fedora Core 4 Update: autofs-4.1.4-24
  11th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123076

* Fedora Core 4 Update: kernel-2.6.16-1.2115_FC4
  11th, June, 2006

An update to the upstream 2.6.16.20 release, fixing up a few more security related problems.
http://www.linuxsecurity.com/content/view/123077

* Fedora Core 5 Update: kernel-2.6.16-1.2133_FC5
  11th, June, 2006

An update to the upstream 2.6.16.20 release, fixing up a few more security related problems.
http://www.linuxsecurity.com/content/view/123078

* Fedora Core 5 Update: shadow-utils-4.0.14-9.FC5
  12th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123107

* Fedora Core 5 Update: rsync-2.6.8-1.FC5.1
  12th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123112

* Fedora Core 4 Update: rsync-2.6.8-1.FC4.1
  12th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123113

* Fedora Core 5 Update: mysql-5.0.22-1.FC5.1
  13th, June, 2006

Repairs vulnerability in multibyte string escaping.
http://www.linuxsecurity.com/content/view/123123

* Fedora Core 4 Update: mysql-4.1.20-1.FC4.1
  13th, June, 2006

Repairs multibyte string escaping vulnerability.
http://www.linuxsecurity.com/content/view/123124

* Fedora Core 5 Update: python-2.4.3-4.FC5
  13th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123125

* Fedora Core 5 Update: scim-1.4.4-9.4.fc5
  13th, June, 2006

This update fixes broken libtool linking of libs to be against libstdc++so7.
http://www.linuxsecurity.com/content/view/123126

* Fedora Core 5 Update: python-docs-2.4.3-0.9.FC5
  14th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123158

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated freetype2 packages fix multiple vulnerabilities.
  12th, June, 2006

Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values.
http://www.linuxsecurity.com/content/view/123110

* Mandriva: Updated freetype2 packages fix multiple vulnerabilities.
  14th, June, 2006

The previous update introduced some issues with other applications and libraries linked to libfreetype, that were missed in testing for the vulnerability issues. The new packages correct these issues.
http://www.linuxsecurity.com/content/view/123127

* Mandriva: Updated gdm packages fix vulnerability
  14th, June, 2006

A vulnerability in gdm could allow a user to activate the gdm setup program if the administrator configured a gdm theme that provided a user list. The user could do so by choosing the setup option from the menu, clicking the user list, then entering his own password instead of root's. The updated packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/123128

* Mandriva: Updated squirrelmail packages fix vulnerabilities
  14th, June, 2006

A PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter.
http://www.linuxsecurity.com/content/view/123155

* Mandriva: Updated libtiff packages fix tiff2pdf vulnerability
  14th, June, 2006

A buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in a sprintf call.
http://www.linuxsecurity.com/content/view/123156

* Mandriva: Updated spamassassin packages fix vulnerability
  14th, June, 2006

A flaw was discovered in the way that spamd processes the virtual POP usernames passed to it. If running with the --vpopmail and --paranoid flags, it is possible for a remote user with the ability to connect to the spamd daemon to execute arbitrary commands as the user running spamd.
http://www.linuxsecurity.com/content/view/123157

* Mandriva: Updated sendmail packages fix remotely exploitable vulnerability
  15th, June, 2006

A vulnerability in the way Sendmail handles multi-part MIME messages was discovered that could allow a remote attacker to create a carefully crafted message that could crash the sendmail process during delivery. The updated packages have been patched to correct these issues.
http://www.linuxsecurity.com/content/view/123159

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: mailman security update
  9th, June, 2006

An updated mailman package that fixes a denial of service flaw is now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123064

* RedHat: Important: mysql security update
  9th, June, 2006

Updated mysql packages that fix multiple security flaws are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123065

* RedHat: Important: sendmail security update
  14th, June, 2006

Updated sendmail packages are now available to fix a denial of service security issue. This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123150

* RedHat: Important: kdebase security update
  14th, June, 2006

Updated kdebase packages that correct a security flaw in kdm are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123151

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: PostgreSQL SQL injection attacks
  9th, June, 2006

Two character set encoding related security problems were fixed in the PostgreSQL database server: CVE-2006-2313 and CVE-2006-2314.
http://www.linuxsecurity.com/content/view/123061

* SuSE: php4,php5 problems (SUSE-SA:2006:031)
  14th, June, 2006

This update fixes the following security issues in the PHP scripting language, both version 4 and 5: Invalid characters in session names were not blocked, CVE-2006-2657.
http://www.linuxsecurity.com/content/view/123136

* SuSE: sendmail remote denial of service
  14th, June, 2006

Updated package.
http://www.linuxsecurity.com/content/view/123149

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


From isn at c4i.org Mon Jun 19 03:41:16 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:41:16 -0500 (CDT)
Subject: [ISN] Laptop with City Employees' Info Stolen
Message-ID:

http://www.wjla.com/news/stories/0606/337194.html

June 18, 2006

Washington (AP) - Information on 13,000 D.C. government workers and retirees has been stolen, along with the laptop computer where it was stored.
Officials with ING Financial Services say the Social Security numbers and other information on the employees were stored on a computer that was stolen from an ING employee's Southeast Washington home. ING administers the District's retirement plan.

Company officials say the laptop was stolen on Monday but they didn't notify the city about the theft until late Friday because they had to figure out what information was stored on the computer. The laptop was not protected by a password or encryption.

ING is alerting all affected account holders to the risk of identity theft. The company will set up and pay for a year of credit monitoring and identity fraud protection.

City officials say they're concerned that the information was not protected, and that the company waited so long to report it.

Copyright 2006 by The Associated Press.


From isn at c4i.org Mon Jun 19 03:41:35 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:41:35 -0500 (CDT)
Subject: [ISN] Computer breach exposes WIU students' data
Message-ID:

http://www.pjstar.com/stories/061606/REG_BA4963CQ.033.shtml

BY JODI POSPESCHIL
OF THE JOURNAL STAR
June 16, 2006

MACOMB - A computer system breach at Western Illinois University earlier this month has led to the possible compromise of student information, including Social Security numbers, the school said Thursday.

WIU officials said the school has "closed a breach in computer security and adopted additional security measures" in response to a June 5 incident. The school said the incident involved "data security."

WIU spokesman John Maguire said Thursday the school has multiple computer systems and one of them, which contains student information, was breached. The system houses not only Social Security numbers but also credit card information for people who have made purchases online from the school's bookstore or who have stayed at the University Union hotel.

"Checks (on the system) are made on a regular basis," Maguire said.
"During one of those checks the (problem) was noticed and immediately fixed."

Maguire also said the school's academic records were not part of those accessed. "The grades and transcripts are secure," he said.

In a release issued Thursday, school officials said an investigation doesn't show evidence that any records were copied from the school's files. Even so, the school is still notifying anyone who has records in the system that their files could have been viewed or copied.

WIU officials said they are reviewing all operations of the school's computer systems. Review by a campuswide technical group is being coordinated by Mitch Davidson, executive director of the University Computer Support Services.

"We are working diligently to ensure that the university computer systems are as secure as possible, with the goal that this type of breach doesn't occur again," Davidson said.

A letter to the campus community was put on the school's Web site. The letter was written by W. Garry Johnson, WIU's vice president for student services. The letter reminds those with records in the system to protect against identity theft. Maguire said letters are being sent to anyone who had records in the system.

Because of the criminal implications of the breach, school officials said the WIU Office of Public Safety has been notified. WIU also has set up a Web site to disseminate information about the issue at www.wiu.edu/securityalert.

© 2006 PEORIA JOURNAL STAR, INC.


From isn at c4i.org Mon Jun 19 03:41:59 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:41:59 -0500 (CDT)
Subject: [ISN] Encryption can save data in laptop lapses
Message-ID:

http://seattlepi.nwsource.com/business/1700AP_Laptops_Security.html

By STEPHEN MANNING
ASSOCIATED PRESS WRITER
June 17, 2006

ROCKVILLE, Md. -- Reports of data theft often conjure up images of malicious hackers breaking into remote databases to filch Social Security numbers, credit card records and other personal information.
But a lot of the time, the scenario is much simpler: A careless worker at a company or agency with weak security policies falls prey to a low-tech street thug who runs off with a laptop loaded with private data.

In the biggest case, the Department of Veterans Affairs recently lost data on 26.5 million veterans and military personnel stored on a laptop and external drive stolen from the suburban Washington home of a VA employee.

Security experts and some privacy groups say simple measures could protect data if a laptop falls into nefarious hands. They include encrypting the information so it's nearly impossible to access without the correct credentials.

"It is shocking how many of these are stolen laptops and the fact that the users of the laptops did not use encryption to secure the data," Beth Givens, director of the Privacy Rights Clearinghouse, said of recent data losses. "If thieves read the newspaper, they can readily figure out that they have got more than just a piece of hardware."

Since June 2005, there have been at least 29 known cases of misplaced or stolen laptops with data such as Social Security numbers, health records and addresses of millions of people, according to the Privacy Rights Clearinghouse, a San Diego-based nonprofit that tracks data thefts.

So far, there is no evidence the stolen data were used for identity theft or other nefarious purposes. In most cases, the laptop itself, not the personal information on it, was the likely target of the theft.

Sometimes, there's no good reason for why so much information is being kept on individual machines that are designed to be carried out of the office. In other cases, workers were allowed to have the data on the laptops but didn't follow proper procedures for keeping it safe. In others, they broke the rules by taking personal data out of the office or not protecting it with digital tools.
Laptops have been stolen from cars, gone missing when checked for airline flights, and been taken from offices and employee homes. Hospitals, universities, consulting firms, banks, health insurers and even a YMCA have lost personal data.

The portable computers are usually protected by passwords needed to boot them up, but the data on their drives are still accessible. Encryption, on the other hand, scrambles the information and would render it useless to a thief without a digital key that decrypts the data.

A variety of encryption tools are available, including software as well as specialized chips. But many people are reluctant to use them because losing the key can make it hard to access the data and the programs can slow down data access, said Alan Paller, director of research at the SANS Institute, a computer-security organization in Bethesda.

That could change as computer manufacturers start selling laptops with encryption built in. Microsoft's Windows Vista operating system, due late this year for businesses and early next year for consumers, is expected to make it easier for users to encrypt all their data.

Many states now require companies and organizations that store personal information to inform the public when the data leaks. But those laws generally don't make reporting obligatory if the lost data were encrypted.

Some companies that have lost laptops are responding with better security measures. Ernst & Young, which has 30,000 laptops used by its highly mobile staff of consultants, is encrypting all contents on the computers, according to company spokesman Charlie Perkins.

But in February, as the policy was being implemented, a laptop that hadn't been encrypted was stolen from an employee's car. With it went the names, addresses, and credit card information of about 243,000 customers of Ernst & Young client Hotels.com. Perkins said there is no evidence any of the data was misused.

"We evaluated our policies in this area across the board," he said.
"Encryption is the most significant step."

Of course, security measures can only work if they are actually used. In several cases, laptops were lost or stolen when employees violated company rules by leaving them in parked cars or in their homes. And data that are supposed to be encrypted by an employee sometimes aren't.

On June 2, grocery retailer Royal Ahold NV said contractor Electronic Data Systems Corp. lost a laptop with personal information on an undisclosed number of retirees and former workers of Ahold companies, including grocery chains Stop & Shop and Giant Food.

The EDS worker was asked to check the laptop on a flight because the plane's storage bins were full, according to EDS spokesman Kevin Lightfoot. When the flight arrived, the laptop never reappeared.

The employee was disciplined for violating company policy by checking the computer as luggage, Lightfoot said. Since the incident, EDS has reminded its employees about rules on handling laptops.

"You have to work with your employees to make sure this information is protected," Lightfoot said.

In January, Ameriprise Financial, an investment advisory company, said the internal account identification numbers of 158,000 clients were lost when a laptop was stolen from an employee's car. The employee was supposed to have encrypted the data, which was on two files, but had not, according to Ameriprise spokesman Steven Connolly. The worker was fired.

The VA plans to recall every laptop to make sure the security programs are up to date. The data on the laptop taken from the suburban Washington home were in a form difficult for an outsider to use, and authorities believe thieves may have erased the information before selling the hardware.

But that doesn't satisfy August Woerner, an 80-year-old World War II veteran from Westerly, R.I. He received a letter from the VA saying his data may be on the laptop because of a claim he filed several years ago at a VA medical center.
Woerner takes every precaution he can to shield personal information - he checks his credit rating online regularly, shreds financial documents and monitors the balance of his credit card nearly every day. Despite his diligence, he is convinced someone will steal his identity soon.

"I do the best I can, but I can't very well fight this theft," said Woerner. "That data should not be readily available by someone simply walking it out of a building."

© 1996-2006 Seattle Post-Intelligencer


From isn at c4i.org Mon Jun 19 03:44:09 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:44:09 -0500 (CDT)
Subject: [ISN] UBS Trial: Parts of Attack Code Found At Defendant's Home
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=189500138

By Sharon Gaudin
InformationWeek
June 16, 2006

Newark, N.J. --- Efforts by the defense in the UBS PaineWebber computer sabotage trial to foist blame elsewhere took a hit Friday, after testimony from a U.S. Secret Service agent revealed that parts of the code used to bring down the UBS network four years ago were found on two of the defendant's home computers, as well as in a hardcopy printout lying on top of his bedroom dresser.

The Secret Service testimony ended what had been a week of contentious arguments on a strong note for the prosecution.

Secret Service agents executed a warrant and searched the Bogota, N.J. home of Roger Duronio on March 21, 2002 -- 17 days after the financial giant was hit by what prosecutors are calling a logic bomb. The segment of coding found in his home was part of the 50 to 70 lines of malicious code that was used to take down about 2,000 servers, including UBS' main host server in its Weehawken, N.J. data center, along with branch servers in about 370 offices around the country in the March 4, 2002 incident.

Duronio, 63, is facing four federal criminal charges, including computer sabotage, securities fraud and mail fraud.
The government contends he crippled the company's network in a vengeful plot aimed at making money by buying stock options that would pay off if the company's stock dropped - something he allegedly tried to make happen by shutting down UBS' ability to do business for anywhere between a day and several weeks, depending on the location.

While cross-examining other witnesses in court this past week, Chris Adams, Duronio's defense attorney, hammered away at what he's calling significant weaknesses in UBS' security. He says the network was riddled with holes that could have allowed a hacker or another system administrator to plant the malicious code.

Adams has thrown a slew of possible whodunit theories at the jury, including repeated suggestions that the damage was caused by Cisco Systems, Inc. during a planned penetration test of the UBS network that month, or that there was some impropriety by @Stake, Inc., the first forensic team called in on the case.

However, in his testimony Thursday, Secret Service Special Agent Gregory O'Neil said all trails led to Duronio.

He told the jury that a team of 14 agents conducted the four-hour search that led them to a folded up piece of paper with scribbles on the back of it. The paper, which sat on the dresser in Duronio's master bedroom, had the code for the logic bomb's trigger mechanism printed out on it.

O'Neil said several pieces of the coding on the paper quickly jumped out at him: mon; hour >= 9; min >= 30; mrm.

''I knew UBS' computer system had gone down on a Monday at 9:30 [a.m.] and I knew 'mrm' was identified as part of the malicious code,'' he told the jury. ''It was the source code for the trigger of the logic bomb.''

There was a line at the very top of the printout: wait_tst.c.txt.

Agent O'Neil also said the Secret Service seized four computers from Duronio's home that day. They subsequently found the wait_tst.c.txt file on two of the seven hard drives that were contained in the four machines.
The code on the computer files was the ''identical'' chain of code that had been found printed out in the bedroom, he testified.

Earlier in the week, the defense took two runs at Rafael Mendez, who was UBS' division vice president for network services at the time of the attack.

Adams, who is a partner at Walder, Hayden & Brogan in Roseland, N.J., pointed out repeatedly that in 2001 and 2002, UBS' security configuration allowed more than one person to log onto the system at the exact same time using the exact same user ID and password. He also pounded on the fact that root users all had the same root password.

Adams asked Mendez if a root user had the ability to edit a VPN log, and Mendez said it could be done if the user had a ''specialized tool set.''

Alan Paller, director of research at the SANS Institute, said in an interview that having root users share a password isn't a good security practice, but it's far from being uncommon.

''One company that's a household word in America has thousands and thousands of servers, and one root password,'' said Paller. ''The systems administrator lives in a world where that is common. It's common because, historically, on Unix systems there was only one root account, and if three people wanted to manage a machine, they had to be root to do it.''

As for multiple users being able to log onto the system with the same ID and password at the exact same time, Paller said it's a problem, but again not one that's unique to UBS.

''It's a characteristic of Unix,'' he said. ''It's not a characteristic of UBS. You could have a policy to stop it but it's efficient for multiple people doing a lot of work.''

During re-direct, Assistant U.S. Attorney Mauro Wolfe, the lead prosecutor on the case, pointed out that many of the security problems that the defense was bringing up had been noted in a Year 2000 audit report, two years before the attack on the company's network.
Mendez said the document specified that the password and user account administration issues, for example, would be assessed a few months after the report was released.

However, on re-cross examination, Adams asked Mendez if another audit report had been done to show that the problems had been fixed. Mendez said he did not know of any.

Adams then noted that the Post Mortem report on the attack found that the UBS ''security group lacks power and resources''. He also noted that the report said, ''We know that there were problems with security but the reason we did not get to them was lack of resources and lack of organization...Productivity outweighed security.''

Adams also pointed to UBS' web-based applications, asking Mendez if security was as tight around accessing them, compared to accessing the company's VPN and internal network. Mendez agreed that security wasn't as tight for web apps, but later, on redirect, he noted that the web-based applications don't offer users access to the company's main host server or branch servers, which are protected by UBS perimeter defenses.

The defense also turned its attention on two companies outside of UBS PaineWebber.

Over the course of cross-examining several witnesses, Adams repeatedly brought up the point that former hackers work at @Stake, Inc., the company that UBS initially brought in to do forensic work immediately after the incident. ''Are hackers good people?'' he asked. ''Are hackers reliable?''

The research labs in @Stake, which was bought by Symantec Corp. in 2004, were headed up by Peiter C. Zatko (also known in the industry as Mudge), the former CEO and chief scientist of the L0pht, a high-profile hacker think tank. Mudge, however, worked his way into the legitimate business world, testifying before a Senate Committee on Government Affairs, and counseling President Clinton in the White House on security issues.
Mendez testified that other Wall Street firms had recommended several forensic companies, including @Stake, to UBS after their servers were taken down.

In 2004, Mudge reportedly became a division scientist working at government contractor BBN Technologies.

''In my opinion, it's generally a bad idea to bring in old hackers because they have habits that are hard to break,'' said Paller in a separate interview. ''From that perspective, they would be a bad bet for analysis of a company's security. But for forensics, they are often the best idea. There's the old statement about 'it takes one to know one'. Somebody who has broken into computers is more likely to see the evidence of a break-in. For forensics, when they are tightly managed, it's a great idea.''

The defense also took several stabs at suggesting that Cisco Systems, a networking industry giant, might have been responsible for taking down the UBS network during a penetration test that was ongoing during the March 4, 2002 incident.

Never actually coming out and accusing Cisco directly of the take-down, Adams repeatedly asked witnesses if they knew that Cisco had been hired to do the penetration test between February and March of 2002.

''Would it have been helpful to know Cisco was trying to test and bring down the network and operations?'' Adams asked Rajeev Khanna, manager for UBS's Unix Systems Group at the time of the attack. Khanna replied that he did not know about the test at the time.

In a written statement to InformationWeek.com, a spokesman for Cisco said, ''While Cisco does not disclose details of the work we perform for our customers, we are unaware of any issues related to any service Cisco has performed for UBS.''

Copyright © 2005 CMP Media LLC


From isn at c4i.org Mon Jun 19 03:44:20 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:44:20 -0500 (CDT)
Subject: [ISN] Network analysis, OmniPeek Personal released
Message-ID:

http://www.omnipeek.com

WildPackets, Inc.
has released a free personal edition of their OmniPeek product - a full-featured wired and wireless packet analyzer. In addition, a number of free plug-ins have been made available (with source code): one for distributed network analysis, a Google Maps plugin, and one that saves packet captures to SQL databases.


From isn at c4i.org Mon Jun 19 03:44:43 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:44:43 -0500 (CDT)
Subject: [ISN] Web used to lure terror suspects
Message-ID:

Forwarded from: William Knowles

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1150494610771&call_pageid=968332188492

By SANDRO CONTENTA
EUROPEAN BUREAU
June 17, 2006

LONDON - On a cold night last October, police stormed a West London apartment and found Younis Tsouli at his computer, allegedly building a Web page with the title "You Bomb It."

Initially, the raid seemed relatively routine, one of about 1,000 arrests made under Britain's terrorism act during the last five years. The more eye-popping evidence was allegedly found in the London-area homes of two accused co-conspirators: a DVD manual on making suicide bomb vests, a note with the heading "Welcome to Jihad," material on beheadings, a recipe for rocket fuel, and a note with the formula "hospital = attack."

But as investigators sifted through computer disk information the picture that emerged was dramatic. Police had apparently stumbled on the man suspected of being the most hunted cyber-extremist in the world.

Tsouli, a 22-year-old Moroccan, is being widely named as a central figure in a cyber-terrorist network that has inspired suspected homegrown extremists in Europe and North America, including the 17 people recently arrested in the Toronto area.
The massive, 750 gigabytes of confiscated computer and disk information - an average DVD movie is 4.7 gigabytes - found on Tsouli's computer files is an Internet trail believed to link some of the 39 terror suspects arrested in Canada, Britain, the United States, Sweden, Denmark and Bosnia over the past eight months.

A source with close knowledge of the Tsouli case has told the Toronto Star of evidence that he used the Web address Irhabi007 - the cyber-persona of the most notorious extremist hacker on the World Wide Web.

"Irhabi007 was like the Godfather of cyber-terrorism for Al Qaeda," says Evan Kohlmann, an Internet terrorism consultant and determined Irhabi tracker.

Since coming on the cyber-extremist scene in late 2003, Irhabi's Internet exploits have become the stuff of legend for the scores of militants reading and chatting on Al Qaeda-inspired sites. He almost single-handedly brought the hardcore network into the modern computer age, solving its most pressing propaganda challenge - how to distribute heavy multi-media files, such as videos of beheadings, to the growing ranks of jihadis.

A self-starter believed to have worked mainly from his home, he hacked and linked his way to become the administrator of the password-protected forum, Muntada al-Ansar al-Islami, the main Internet mouthpiece of Abu Musab al-Zarqawi, Al Qaeda's leader in Iraq until he was killed last week by a U.S. aerial attack.

But his downfall has been as dramatic as his rise. Says Aaron Weisburd, another Irhabi tracker: "While he was at large, he was a leader, an opinion-shaper, a solver of problems, and an inspiration to his friends and associates. Now that the authorities have him and his hard disk drive, he has become a major liability."

The London-area raid resulted in terrorism-related charges against Tsouli, Waseem Mughal, 22, and Tariq Al-Daour, 19. Their trial is expected to begin in January.
Among the items allegedly found in Tsouli's computer is a video slide film on how to make a bomb and another showing sites in Washington, D.C. The images of the American capital were reportedly filmed by two Georgia men arrested by the FBI in March and accused in U.S. court documents of having travelled to Toronto to meet "like-minded Islamists."

Tsouli immigrated to London four years ago. At the time of his arrest, his father said Tsouli spoke often of the West waging a war against Islam. Bachir Tsouli, then deputy head of Morocco's tourism office in London, said his son had few friends and spent most of his time at his computer.

"What can you do on the computer?" Bachir, 60, told the Daily Mail newspaper. "He hasn't been to Iraq or to training camps in Afghanistan. Tomorrow they will be saying he is a friend of Osama bin Laden."

No one has accused him of that, but experts who tracked Irhabi007 believe he had links to al-Zarqawi, credited with having turned the Web into a powerful tool for global jihad.

During the past two years, al-Zarqawi's followers produced scores of videos on suicide bombings, attacks against U.S. forces in Iraq, beheadings of hostages, propaganda tracts and terrorist "how to" manuals. The problem was distribution - how to post and move heavy files on the Internet without sites crashing or being shut down. Irhabi007 met the challenge.

In May 2004, he helped distribute the video of al-Zarqawi's beheading of American contractor Nicholas Berg. It was quickly copied on Internet sites and downloaded half a million times within 24 hours.

"He got his name on the map with the Nicholas Berg beheading video," says Ned Moran, intelligence analyst with the Virginia-based Terrorism Research Center.

Irhabi007's distribution technique became clear two months later, when he hacked into an FTP computer site used to transfer big files by the Arkansas Highway and Transportation Department.
He posted 70 jihadi propaganda files on the site, including videos featuring Osama bin Laden. He then posted links to the files on the Muntada site and urged jihadis to download quickly. Arkansas authorities didn't catch on until 24 hours later. By then, the material had replicated exponentially, with those who downloaded it passing it on to others in an almost endless chain.

Irhabi (the word means "terrorist" in Arabic) was using skills largely unknown in the cyber-jihadi world. And he spread them around, posting his own hacking manuals for a new generation of more computer-savvy jihadis increasingly using the Internet as a tool to recruit and plot attacks.

Irhabi wannabes suddenly began appearing on chat forums, tagging 007 at the end of their Web personas.

In October 2004, his status in their eyes reached heroic proportions. He provided almost immediate links to a suicide bombing video posted by Abu Maysara al-Iraqi, widely considered one of al-Zarqawi's closest aides. The initiative led Maysara to break silence for the first time and post praise for Irhabi007's work, Kohlmann says.

"Bless the terrorist, Irhabi007," said the message, translated by Kohlmann, founder of globalterroralert.com. "In the name of Allah, I am pleased with your presence my beloved brother. May Allah protect you."

Says Kohlmann: "It's kind of like Bruce Springsteen picking someone out in a concert and saying, `I love this guy.' That's what the effect was - people went crazy."

In September 2005, a Terrorist Research Center report described Irhabi007 as "heavily involved in maintaining Al Qaeda's on-line presence." It found evidence on al-Zarqawi's Al-Ansar site listing Irhabi as its "administrator." The speed with which Irhabi posted links to videos from al-Zarqawi's Iraqi cell led observers to speculate he was getting a heads up from al-Zarqawi's people.

He's suspected of stealing identities to register his websites.
His http://www.irhabi007.org domain name was registered to the name, telephone number and Pennsylvania home address of a first lieutenant deployed in Iraq, according to the centre's report. He also registered a Canada-based domain name, http://www.irhaby007.ca.

By the end of 2005, Irhabi007 had a whole army of cyber-terrorism trackers on his tail. Few were as persistent as Aaron Weisburd, director of Internet Haganah, dedicated to making on-line life miserable for cyber-jihadis.

In 2004, Weisburd turned in Irhabi to his service provider and got him cut off. An incensed Irhabi posted Weisburd's home address in Illinois on the Internet and took part in chat-room discussions on slicing Weisburd like a salami. "I get to keep a finger or an ear," Irhabi wrote, "a little souvenir."

Weisburd reported the threat to the FBI and stepped up his efforts. "I take all threats seriously," he said in an email exchange with the Toronto Star. "And like any American `good ole boy' I have more than one loaded gun nearby."

In July that year, Irhabi made his first mistake, leaving his IP (Internet Protocol) address - which can be used to track a user's location - on a site he was setting up to post a threat against Italy.

Weisburd examined another Irhabi Web page and found a second IP address. He then posted a message on the Haganah site warning that Irhabi's files were infected. Irhabi responded by posting a graphic to prove they were not. His IP number was blotted out, but not well enough. Weisburd's associate made it out.

The three IP addresses all pointed to London's Ealing area - the place where Tsouli would be arrested 15 months later. Weisburd passed the information on to U.S. and British police but heard nothing back.

In September 2005, a month before Tsouli's arrest, a frustrated Weisburd posted this message on his site: "Irhabi007 is in Ealing. Or at least that's where the bastard was when we located him (18 months ago)."
Since Tsouli's arrest, Weisburd says police have asked him to resubmit the information he passed on months before.

The events that led to the arrest of the presumed Irhabi began with police forcing their way into an apartment in Sarajevo on Oct. 19, arresting 18-year-old Swedish citizen Mirsad Bektasevic and Abdul Kadir Cesur, a 20-year-old Danish-born Turk. Almost 20 kilograms of explosives were in the apartment, according to the indictment filed in a Sarajevo court. A Sony VHS tape also found gives instructions on how to make a bomb.

Says a voice on the tape, believed to be that of Bektasevic: "These brothers are ready to attack and, God willing, they will attack the infidels who are killing our brothers and Muslims in Iraq, Afghanistan. This weapon will be used against Europe, against those whose forces are in Iraq and Afghanistan."

Their arrests sparked back-to-back raids in London and Denmark, where a total of nine men were arrested, including Tsouli. The last number dialled on his cellular phone was Bektasevic's Bosnian number three days earlier, according to the Star's source.

Since then, arrests have also been made in the U.S., Canada, Britain and Sweden. Postings on the Internet by Irhabi007 stopped with Tsouli's arrest.

*==============================================================*
"Communications without intelligence is noise; Intelligence without
communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Jun 19 03:44:54 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:44:54 -0500 (CDT)
Subject: [ISN] Suspected Chinese hacker attacks target AIT, MND
Message-ID:

http://www.taipeitimes.com/News/taiwan/archives/2006/06/19/2003314414

STAFF WRITER
June 19, 2006

The American Institute in Taiwan (AIT) and the Ministry of National Defense (MND) were both recently targeted by computer hackers believed to be based in China, Defense News reported last week.

The report cited anonymous AIT and defense ministry sources, who said the attackers were believed to have been China-based hackers looking to spread misinformation.

On June 5, a hacker sent an e-mail to the media with an attachment containing a fake press release from the military spokesman's office, the report said. The release described a meeting between People First Party members and ministry officials, and was riddled with distortions and lies, Defense News reported last Tuesday.

Shortly after the e-mail was sent out, officials scrambled to warn local media not to download any attachments purportedly sent from the ministry. Some outlets had already reported the story, but others sought confirmation from officials and were told that the e-mails were part of a smear campaign targeting the ministry, the Defense News report said.

"Our computer was [infected] by a virus. That virus sent a news release to the media. Some of the information [in the release] was incorrect," a ministry source reportedly told Defense News.

The report also stated that the account number and password of the ministry's Web mail system, operated by Chunghwa Telecom, were stolen by hackers.
So frequent and serious are cyber attacks against government agencies that the Straits Exchange Foundation, which handles cross-strait communications with China, issued a letter of complaint to China in 2003, the report said, adding that China did not respond to the complaint.

Private companies also routinely come under attack by China-based hackers, making Taiwan the most hacked country in the world, according to a Central News Agency report in April.

The Defense News report cited local media claims that the nation suffered 250,000 cyber attacks between 1996 and 2000.

China's People's Liberation Army is widely believed to have a special unit devoted to information warfare and computer hacking.

Copyright © 1999-2006 The Taipei Times. All rights reserved.

From isn at c4i.org Tue Jun 20 02:16:40 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:16:40 -0500 (CDT)
Subject: [ISN] Phishing scam uses PayPal secure servers
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001247

By Peter Sayer
IDG News Service
June 16, 2006

A cross-site scripting flaw in the PayPal Web site allows a new phishing attack to masquerade as a genuine PayPal log-in page with a valid security certificate, according to security researchers.

Fraudsters are exploiting the flaw to harvest personal details, including PayPal log-ins, Social Security numbers and credit card details, according to staff at Netcraft Ltd., an Internet services company in Bath, England.

The PayPal site, owned by eBay Inc., allows users to make online payments to one another, charged to their credit cards, and log-in credentials for the service are a prized target of fraudsters.

The attack works by tricking PayPal members into following a maliciously crafted link to a secure page on PayPal's site.
Anyone thinking to check the site's security certificate at this point will see that it is a valid 256-bit certificate belonging to the site, Netcraft employee Paul Mutton wrote in the company's blog on Friday.

However, the URL (uniform resource locator) exploits a flaw in PayPal's site that allows the fraudsters to inject some of their own code into the page that is returned, he wrote. In this case, the result is a warning that the user's account may have been compromised, and that they "will now be redirected to Resolution Center."

The page to which they are redirected asks for their PayPal account details -- but thanks to the cross-site scripting flaw in the PayPal site, and the data injected into the URL by the fraudsters, the page is no longer on the PayPal site. Instead, the page steals the log-in details and sends them to the fraudsters' server, then prompts the user for other personal information, Mutton said.

The Web server harvesting the personal details is hosted in Korea, Mutton said.

The cross-site scripting technique makes the phishing attempt difficult to detect, said Mike Prettejohn, also of Netcraft. If the malicious link arrived by e-mail, then "there would be clues in the mail that it's not genuine," he said. "It's a technique chosen by fraudsters because it is hard to spot."

Although there could be benign uses of cross-site scripting to transfer data between sites, the technique has an inherent security risk, Prettejohn said. "I don't think people would intentionally use it," he said. "If somebody knows there's a cross-site scripting opportunity on their site, the right thing to do would be to fix it," he said.

Staff at PayPal could not immediately be reached for comment.
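To make the mechanism concrete, here is an added example (not PayPal's or Netcraft's code) of the reflected cross-site scripting pattern the article describes: a page that copies a URL parameter into its HTML unescaped, beside the hardened version that escapes it. The hostname, the "msg" parameter, the page template and the injected text are all constructed for the demo.

```python
import html
from urllib.parse import parse_qs, quote, urlparse

# Constructed stand-in for a real, TLS-protected login page. The host name,
# the "msg" parameter and the page template are assumptions for this demo.
GENUINE_HOST = "www.payments.example"


def _param(url: str, name: str) -> str:
    """Return one query parameter from a URL, percent-decoded, or '' if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable: the 'msg' parameter is reflected verbatim into the HTML.

    Whatever markup the link carried comes back as live markup, served by the
    genuine host under its genuine certificate.
    """
    msg = _param(url, "msg")
    return f"<html><body><p class='notice'>{msg}</p><form action='/login'></form></body></html>"


def render_safe(url: str) -> str:
    """Hardened: the same parameter is HTML-escaped at the point of output.

    '<' becomes '&lt;' and quotes become entities, so the browser displays the
    text instead of interpreting it as a tag or attribute.
    """
    msg = html.escape(_param(url, "msg"), quote=True)
    return f"<html><body><p class='notice'>{msg}</p><form action='/login'></form></body></html>"


def contains_live_script(page: str) -> bool:
    """Crude response check: does the body carry a raw <script> tag?"""
    return "<script" in page.lower()


def crafted_link(injected: str) -> str:
    """A link of the kind the article describes: genuine host, hostile query string."""
    return f"https://{GENUINE_HOST}/login?msg={quote(injected)}"


# Constructed sample: the text mirrors the fake warning the article mentions;
# the script body is an inert marker, not a working redirect.
SAMPLE_INJECTION = (
    "Your account may have been compromised."
    "<script>/* constructed marker */</script>"
)

if __name__ == "__main__":
    link = crafted_link(SAMPLE_INJECTION)
    print("unsafe page carries script:", contains_live_script(render_unsafe(link)))
    print("safe page carries script:", contains_live_script(render_safe(link)))
```

The certificate check the article mentions only authenticates the host; it says nothing about what the host was tricked into echoing back, which is why the fix has to be in the page's handling of its input.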
From isn at c4i.org Tue Jun 20 02:16:57 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:16:57 -0500 (CDT)
Subject: [ISN] Stratcom leads DOD cyberdefense efforts
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/article94954-06-19-06-Web

By Josh Rogin
June 19, 2006

Information sharing and protection is a crucial front in the war on terrorism. Consequently, the Strategic Command (Stratcom) is leading Defense Department efforts to create a virtual environment, including nonstop virtual meetings and blogging so warfighters can disseminate information across locations, commands and rank securely and in real time.

Lt. Gen. Robert Kehler, deputy commander of Stratcom, explained these efforts in a keynote speech at AFCEA International's TechNet International 2006 conference today in Washington, D.C.

"Unfortunately for us, cyberterrorism is cheap, and it's fast," Kehler said. "Today's terrorist moves at the speed of information."

Cyberterrorism is anonymous and far-reaching. Government, corporate, personal, public works and airline computers are all attractive targets that cyberterrorists could attack remotely.

To that end, Stratcom's top priority is to speed the transformation of DOD into a network-centric force in which all commands are interconnected and secured.

"Information sharing is a strategic advantage," Kehler said.

"Achieving the full potential of net-centricity requires viewing information as an enterprise to be shared and as weapons system to be protected," the 2006 Quadrennial Defense Review states.

Stratcom is also the lead operator of the Global Information Grid, which aggregates all interconnected and secure DOD information systems. The command seeks to implement 24-hour, real-time communications from generals to warfighters while protecting those communications from adversaries.

The latest innovation is Strategic Knowledge Integration, known as SKI-web.
Part of Stratcom's classified network, SKI-web functions as a never-ending virtual operation and intelligence meeting. "It is the key tool that the senior leadership uses to stay abreast of events unfolding throughout the command and the world, in real time," Kehler said.

Blogging is one of the ways SKI-web allows users to contribute to discussions. Every command member, regardless of rank, can blog on issues that affect them, eliminating the vetting process of command bureaucracy.

"We have a command chain at Stratcom, not an information chain," Kehler said. All command levels receive information at the same time, creating an "infosphere" inside which command is exercised, he said.

Changing the culture of information sharing is the most difficult step toward using technology to better distribute and protect information, Kehler said. "The first step in sharing information is the realization that you must, can and will share it," he said.

From isn at c4i.org Tue Jun 20 02:17:22 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:17:22 -0500 (CDT)
Subject: [ISN] SCADA industry debates flaw disclosure
Message-ID:

http://www.theregister.co.uk/2006/06/19/scada_flaw_debate/

By Robert Lemos
SecurityFocus
19th June 2006

The outing of a simple crash bug has caused public soul-searching in an industry that has historically been closed-mouthed about its vulnerabilities.

The flaw, in a particular vendor's implementation of the Inter-Control Centre Communications Protocol (ICCP), could have allowed an attacker the ability to crash a server.
Yet, unlike corporate servers that handle groupware applications or websites, the vulnerable server software - from process-control application maker LiveData - monitors and controls real-time devices in electric power utilities and healthcare settings. The best known types of devices are supervisory control and data acquisition (SCADA) devices and distributed control system (DCS) devices.

A crash becomes a more serious event in those applications, said Dale Peterson, CEO of Digital Bond, the infrastructure security firm that found the flaw.

"These are what you would consider, in the IT world, critical enterprise applications. But the companies don't act like these are critical enterprise applications."

LiveData maintains that the flaw is a software bug, not a security vulnerability, pointing out that it only affects how the LiveData ICCP Server handles a non-secure implementation of the communications protocol - typically used only in environments not connected to a public network.

"In general, SCADA networks are run as very private networks," LiveData CEO Jeff Robbins said. "You cannot harness an army of public zombie servers and attack them, because they are not accessible."

The incident has touched off a heated debate among a small collection of vulnerability researchers, critical infrastructure security experts and the typically staid real-time process control systems industry. The controversy mirrors the long-standing dispute between independent researchers and software vendors over disclosing vulnerabilities in enterprise and consumer applications. In that industry, researchers have taken Apple, Oracle, Cisco and Microsoft to task at various times over the last year for the perception that the companies were not responding adequately to reports of flaws in their software products.
Last week, at the Process Control System Forum (PCSF), a conference on infrastructure management systems funded by the US Department of Homeland Security, a similar debate played itself out. Perhaps three dozen industry representatives and security researchers met during a breakout session to hash out the issues involving disclosure.

The tone became, at times, contentious, said Matt Franz, the moderator of a conference panel on the topic and a SCADA security researcher with Digital Bond.

"The vendors were sticking together saying that (researchers) didn't need to be involved with SCADA flaws," he said. "'It puts people and infrastructure in danger,' they said."

Moreover, many vendors did not appreciate the involvement of the US Computer Emergency Readiness Team (US-CERT), the nation's response group tasked with managing the process of vulnerability remediation for critical infrastructure, Franz said.

The LiveData flaw was the first flaw in SCADA systems handled by US-CERT and the CERT Coordination Centre, the group that manages the national agency. While valuable as a learning experience, the entrance of a third party into the disclosure of a flaw in an infrastructure system brought up more questions than answers. At the PCSF session, many vendors voiced concerns over involving a third party.

"I did not come away with a feeling that any issues were settled," said Art Manion, internet security analyst for the CERT Coordination Centre and a participant in the discussion at the conference.

The debate over how disclosure should be handled underscores both the intense focus on SCADA and DCS systems as potential targets of cyberattacks and the position of many companies in the real-time process control systems industry that vulnerabilities in such systems require special treatment.

"In security circles, it is widely discredited that you can secure something through obscurity - yet SCADA systems are really obscure," LiveData's Robbins said.
"That is not a statement of a principle of security and doesn't rationalise anything, but is a fact."

Even SCADA security specialists agree that obscurity can raise the hurdle enough to keep most online attackers from jumping into SCADA systems.

"There are some legacy systems out there running plants that are more secure than many latest and greatest systems, because they are not connected to the internet or they are using obscure standards," said Ernest Rakaczky, program director for process control systems at infrastructure firm Invensys.

That's true - at least to an extent, said CERT Coordination Centre's Manion.

"The information on these systems can be found by a determined attacker," he said. "Part of our outreach is to show that people can find out about these things and find vulnerabilities."

Consultants who have done penetration testing and security audits of real-time process control systems tell grim stories about the lack of security in the systems. Data is transferred with no encryption using protocols, such as Telnet and FTP, that are being phased out in other industries; many firewalls have ports opened to any traffic; and, many workstations still run Windows NT, said Jonathan Pollet, vice president and founder of PlantData Technologies, a division of infrastructure security company Verano.

"The guys who are setting up these systems are not security professionals," he said. "And many of the systems that are running SCADA applications were not designed to be secure - it's a hacker's playground."

For between five and 10 per cent of the networks audited by PlantData, a single ping attack or a data flood aimed at a SCADA system could shut down most of the managed devices, Pollet said.

Yet, security researchers acknowledge that the software that monitors, manages and runs the variety of manufacturing and infrastructure control systems is indeed different.
While researchers can hold the threat of public disclosure over the heads of an uncooperative software maker in the enterprise application arena, publicly outing a flaw in a SCADA or DCS system has larger ramifications, Pollet said.

"You have to be careful disclosing these issues to the public when the vendors seem uninterested in talking about the problem, because these systems cannot be patched overnight and the information could prove devastating in the wrong hands."

Moreover, software vendors and infrastructure operators legitimately need more time because most of the industry's legacy systems were not created to be easily updated. And, to be fair, LiveData's response to the first SCADA vulnerability handled by a third party - about three to six months for a fix and less than nine months for notification - is in line with the response from many enterprise and commercial software makers.

Not bad for an industry that has not had a history of third-party vulnerability disclosure, said Digital Bond's Franz.

"The idea that someone outside their customer base would have access to their product to find vulnerabilities is strange to them," said Franz, who created an interest group within the Process Control Systems Forum to hash out the issues.

Security researchers are not the only ones applying pressure to software developers in the SCADA and DCS industry. The software maker's customers - infrastructure owners and operators - are starting to demand proof of security audits, especially in the power industry where companies are required by a recent law to adhere to the Critical Infrastructure Protection (CIP) guidelines published by the North American Electric Reliability Council (NERC).

"The difference that a few months has made is absolutely incredible," said Lori Dustin, vice president of marketing and services for infrastructure security company Verano. "The people I'm meeting with now have a copy of the NERC documents in their hands."
While many in the real-time process control industry might not agree, Invensys's Rakaczky stresses that allowing US-CERT to bring other industries' vulnerability reporting practices to bear on infrastructure issues should help reduce communications problems and increase trust.

"People will respond faster than if some random white hat calls them up out of the blue," he said.

But, while vendors work with US-CERT and focus on improving product security, infrastructure owners need to move more quickly to prevent unauthorised access to their systems from the internet and implement more strict auditing, Rakaczky said.

"Right now, we need perimeter protection," he said. "We need to stop the wound from bleeding before we can heal it."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

From isn at c4i.org Tue Jun 20 02:17:42 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:17:42 -0500 (CDT)
Subject: [ISN] Hello, is this Gov. Minner's secret hot line? Have we got a deal for you
Message-ID:

http://www.delawareonline.com/apps/pbcs.dll/article?AID=/20060616/NEWS/606160329/1006

By JENNIFER BROOKS
News Journal Washington Bureau
06/16/2006

WASHINGTON -- For a governor with a secret hot line to the Department of Homeland Security, the only thing worse than hearing that phone ring is answering the call and hearing: "Hello! Are you satisfied with your long-distance service provider?"

"Every time that phone rings, it's telemarketers," grumbled Gov. Ruth Ann Minner, whose secret homeland defense hot line sits in her office, ringing occasionally with offers of time share condominiums and great deals on long distance.

"I wonder about the security of that line," said Minner, noting that other governors have reported similarly unwelcome intrusions on the hot line phones that are supposed to ring only in the event of a national catastrophe.
Minner, who sits on a homeland security advisory panel of the National Governors' Association, mentioned the annoying phone calls Thursday on a visit to Washington.

The problem, Minner said, seems to be the random-number generators that telemarketers use.

So what's a governor to do? According to Minner's office, the Department of Homeland Security placed all the hot line numbers on the federal government's Do Not Call Registry, which is supposed to ward off telemarketers.

The Department of Homeland Security did not return calls for comment.

Copyright © 2006, The News Journal.

From isn at c4i.org Tue Jun 20 02:17:54 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:17:54 -0500 (CDT)
Subject: [ISN] Microsoft Posts Excel 'Zero-Day' Flaw Workarounds
Message-ID:

http://www.eweek.com/article2/0,1895,1978835,00.asp

By Ryan Naraine
June 19, 2006

Microsoft's security response center is recommending that businesses consider blocking Excel spreadsheet attachments at the network perimeter to help thwart targeted attacks that exploit an unpatched software vulnerability.

The Redmond, Wash., software giant published a pre-patch advisory on June 19 with a list of workarounds that include blocking Excel file-types at the e-mail gateway.

File extensions associated with the widely deployed Microsoft Excel program are: xls, xlt, xla, xlm, xlc, xlw, uxdc, csv, iqy, dqy, rqy, oqy, xll, xlb, slk, dif, xlk, xld, xlshtml, xlthtml and xlv.

The company's guidance comes just a few days after public confirmation that a new, undocumented Excel flaw was being used in an attack against an unidentified business target. The attack resembles a similar exploit that targeted Microsoft Word users, prompting suspicion among security researchers that the attacks may be linked.

The Excel attack includes the use of a Trojan horse program called Trojan.Mdropper.J that arrives as an Excel spreadsheet with the file name "okN.xls."
When the Trojan is executed, it exploits the Excel flaw to drop and execute a second piece of malware called Downloader.Booli.A. It then silently closes Microsoft Excel.

Downloader.Booli.A attempts to run Internet Explorer and inject its code into the browser to bypass firewalls. It then connects to a remote Web site hosted in Hong Kong to download another unknown file.

In the latest advisory, Microsoft confirmed that the vulnerability exists in Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac.

Excel 2000 users are at highest risk because the program does not prompt the user to Open, Save, or Cancel before opening a document. Other versions of the software present a warning before a file is opened, Microsoft said.

The company insists that a user must first open a malicious Excel file attached to an e-mail or otherwise provided to them by an attacker to be at risk.

The flaw is described as "improper memory validation" in Excel that occurs only when the program goes into repair mode.

Microsoft also recommends that businesses using Excel 2003 prevent Excel Repair mode by modifying the ACL (Access Control List) in the Excel Resiliency registry key. Detailed instructions can be found in the advisory.

Microsoft said businesses should also consider blocking the ability to open Excel documents from Outlook as attachments, Web sites and the file system directly. This can be done by removing the registry keys that associate the Excel documents with the Excel application.

As best practice, the company said Excel users should remember to be very careful opening unsolicited attachments from both known and unknown sources.
From isn at c4i.org Tue Jun 20 02:18:14 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:18:14 -0500 (CDT)
Subject: [ISN] UK's first computer hacking degree launched
Message-ID:

http://software.silicon.com/security/0,39024655,39159714,00.htm

By Andy McCue
19 June 2006

A degree course in computer hacking has been launched by a Scottish university in response to industry demand for IT security experts.

The University of Abertay in Dundee will run the BSc (Hons) undergraduate course in Ethical Hacking and Countermeasures from the start of the next academic year in October.

Around 30 places are available on the course, which the university says will provide a graduate with knowledge of how illegal computer attacks can be performed and how they can be stopped.

The university prospectus said: "In the same way that police detectives need to know how thieves can steal, computer systems administrators need to know what hackers can do."

The university said it has launched the degree course in response to demand from industry for people with the skills to test the security of corporate IT networks.

A university spokesman said: "There are an increasing number of compliance regulations and insurance policies that insist businesses carry out security checks on their networks."

The university also stressed it will be vetting students "very carefully" in accordance with Home Office guidelines and that they will be monitored closely throughout the course.

The spokesman said: "We are not going to give them the full set of tools on day one."

Although many existing undergraduate computing degrees cover elements of this new course, Abertay claims to be the first UK university to offer a dedicated degree course in hacking.

There are also ethical hacking courses and qualifications offered by private sector IT training organisations such as the Training Camp, which launched a course two years ago.
From isn at c4i.org Tue Jun 20 02:16:28 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 20 Jun 2006 01:16:28 -0500 (CDT) Subject: [ISN] Microsoft France site cracked Message-ID: http://www.theinquirer.net/?article=32509 By INQUIRER newsdesk 19 June 2006 TURKISH CRACKERS wheedled their way onto a Microsoft site in France over the weekend, leaving a cheeky message for vexed voles. The crackers, who operate under the name of TiTHacK, taunted Microsoft: "Your System 0wned By Turkish Hackers!" The naughty fellows threatened that Microsoft.com would be next. The site was out of action for some time and the affected page now directs visitors away from it and back to their own country pages. Zone-h.org posted a mirror of the site and has more details here [1]. [1] http://www.zone-h.org/content/view/4767/31/
From isn at c4i.org Tue Jun 20 02:18:30 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 20 Jun 2006 01:18:30 -0500 (CDT) Subject: [ISN] Spoofing Defense Dissed By Security Experts Message-ID: http://www.informationweek.com/news/showArticle.jhtml?articleID=189500626 By Sharon Gaudin InformationWeek June 19, 2006 A defense lawyer in an ongoing federal computer sabotage trial is pushing the idea that four years ago, a hacker masqueraded as his client to surreptitiously plant the logic bomb that took down thousands of servers at UBS PaineWebber, thus framing an innocent man. Roger Duronio, a former systems administrator at UBS, is currently on trial in a District Court in Newark, N.J., for allegedly building and distributing the logic bomb that crippled the company's ability to do business for a day in some locations, and for as long as two to three weeks in others, costing UBS a reported $3.1 million in cleanup costs alone. If convicted, Duronio faces a maximum sentence of 30 years, fines of up to $1 million and restitution for the money UBS spent on recovery.
Chris Adams, Duronio's attorney and a partner at Walder Hayden & Brogan in Roseland, N.J., has been throwing a slew of who-done-it theories at the jury, including an outside hacker, another systems administrator or even a slip-up by Cisco Systems, Inc., which was doing a penetration test of the UBS network during the March 4, 2002 incident. But one major theme that Adams keeps returning to is the idea of someone - whether inside UBS or outside - using IP spoofing to pretend to log into the company's Unix-based network from Duronio's home, using the defendant's own corporate VPN connection. That's Adams' explanation for why forensics examiners and federal investigators traced remote connections to the network directly back to Duronio's own IP address, during the times when pieces of the malicious code were being planted on the system. The problem with this theory, according to several security professionals and even one long-time hacker, is that, technically, it simply can't be done. ''Spoofing the IP address is not difficult,'' says Johannes Ullrich, chief research officer at the SANS Institute, a Bethesda, Md.-based cyber security training and certification organization. ''The problem is transferring data with a spoofed IP address. It's close to impossible to do.'' Ullrich also is the chief technology officer for the Internet Storm Center, a cooperative cyber threat monitoring and alert system. IP spoofing (short for Internet Protocol address spoofing) is a way to fool a computer into thinking that a packet is coming from machine A when it is really coming from machine B. The header of every IP packet contains its source address - normally the address that the packet was sent from. By putting a different address into the header, a hacker can give the appearance that the packet was sent from a different machine. IP spoofing often is used for denial-of-service attacks because the attacker simply has to overwhelm a network with a flood of pings or useless traffic,
explains Ken van Wyk, a 20-year IT security veteran and principal consultant with KRvW Associates, LLC of Alexandria, Va. A session doesn't have to be established. The attacker, simply put, has to pound on the door - he doesn't actually need to be let inside. But Duronio's defense attorney has been asking various UBS witnesses who have taken the stand so far to talk about IP spoofing and sniffing, which is the act of capturing information - generally packets - as they go over the network. ''You can read the packets and use them to pretend you're coming from another IP address, can't you?'' Adams last week asked Rafael Mendez, who was UBS' division vice president for network services at the time of the attack. Mendez responded that spoofing becomes much more difficult to do if the packets are encrypted. He also said most ISPs set up sniffing roadblocks, blocking that kind of security problem. The idea of hackers using IP spoofing is generally traced back to Kevin Mitnick, one of the world's most famous hackers and a cause celebre at one time in the hacker community. Mitnick was arrested in 1995 and was convicted of wire fraud and breaking into computer systems at major companies like Sun Microsystems, Inc. and Motorola. He used IP spoofing to try to hide his identity during at least one attack. The difference between what Mitnick did, and what the defense in the Duronio trial is suggesting happened in this case, is that in this latest scenario, IP spoofing would have had to have been used to load actual lines of code onto the UBS servers. Mitnick just needed to get a few packets through to the receiving server - a real session wouldn't have had to have been established. That's a whole different story from starting and maintaining a session long enough to load on, or modify code, says George Bakos, a self-proclaimed hacker with 20 years of experience, and a senior security expert with the Institute for Security Technology Studies at Dartmouth College in Hanover, N.H.
''When you connect to a machine, there are dozens of packets that are exchanged just to authenticate and get ready to do things,'' says Bakos, who said he broke into his first mainframe back in 1979. ''If you're modifying code, or changing 70 lines of code, it would be like taking hundreds, if not thousands, of TCP segments.'' Bakos explained that when using TCP (Transmission Control Protocol), every data segment that's sent must be acknowledged by the recipient. That acknowledgement contains a number that must be used when the sending computer ships more data to the server. They are called TCP sequence numbers, and the exchange of these numbers must remain synchronized. The problem, according to both Bakos and Ullrich, is that with IP spoofing, the acknowledgement goes back to the true owner of the IP address - not to the machine that is pretending to be at that address. Since the server would not get a response from the spoofed address, the connection would be broken. Van Wyk said it would be like sending a postcard with someone else's address on it. If the person who receives the card responds, she'll reply to the address written on the card and it will never get to the phony sender. ''You can do it for a few packets, but the synchronization challenge is very, very difficult,'' says Bakos. ''Once you lose synchronization, then everything else you've done is thrown away. Unfortunately, when doing TCP spoofing, you're flying blind. You never see the responses come back to you. And what you're doing is out of synch with what the server is doing. Then everything that you got into the server will be tossed out if you don't maintain that synchronization.'' Ullrich says the TCP sequence numbers are chosen randomly out of 4 billion options. He says guessing it would be ''close to impossible'' or at least a one-in-4-billion chance. Back in the mid-1990s, these numbers were not picked randomly, so Mitnick had a much easier job figuring out which ones to use.
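A small simulation, added here and not part of the InformationWeek article, of the synchronization problem Bakos and Ullrich describe: the server's random 32-bit initial sequence number is delivered to the address in the forged header, so a forger who never sees that reply has to guess it blind, while the real owner of the address answers the unexpected SYN-ACK with a reset. The addresses, sequence numbers and log messages are all constructed; nothing here touches a real socket.

```python
import random

ISN_SPACE = 2 ** 32  # 32-bit TCP sequence numbers: about 4 billion values


class Server:
    """A server stack reduced to the part that matters here: it picks a random
    initial sequence number (ISN) per connection and accepts the final ACK of
    the handshake only if it acknowledges exactly that ISN + 1."""

    def __init__(self, rng):
        self.rng = rng
        self.pending = {}         # client address -> ISN sent in our SYN-ACK
        self.established = set()
        self.events = []          # what an admin would see in the server log

    def on_syn(self, src_addr, client_isn):
        isn = self.rng.randrange(ISN_SPACE)
        self.pending[src_addr] = isn
        # The SYN-ACK is routed to src_addr, whoever actually built the packet.
        return ("SYN-ACK", src_addr, isn, client_isn + 1)

    def on_rst(self, src_addr):
        # The real owner of the address says it never opened this connection.
        if self.pending.pop(src_addr, None) is not None:
            self.events.append(f"half-open connection from {src_addr} reset by peer")

    def on_ack(self, src_addr, ack_num):
        expected = self.pending.pop(src_addr, None)
        if expected is None or ack_num != expected + 1:
            self.events.append(f"bad ACK from {src_addr}: got {ack_num}, wanted {expected}")
            return False
        self.established.add(src_addr)
        return True


class Host:
    """The real owner of an IP address. A genuine TCP stack answers a SYN-ACK
    for a connection it never opened with a RST; that is the stream of
    'acknowledgements they don't understand' the article says gives the
    attempt away on the network."""

    def __init__(self, addr):
        self.addr = addr
        self.unsolicited = 0

    def receive(self, segment):
        kind, dst = segment[0], segment[1]
        if kind == "SYN-ACK" and dst == self.addr:
            self.unsolicited += 1
            return ("RST", dst)
        return None


def legitimate_handshake(server, client_addr):
    """The real client receives the SYN-ACK, so it can echo isn + 1."""
    _, _, server_isn, _ = server.on_syn(client_addr, client_isn=1000)
    return server.on_ack(client_addr, server_isn + 1)


def blind_spoof_attempt(server, victim, rng):
    """A SYN forged with the victim's address: the SYN-ACK goes to the victim,
    never to the forger, who must guess the ISN without seeing any reply."""
    segment = server.on_syn(victim.addr, client_isn=1000)
    server_isn = segment[2]
    reply = victim.receive(segment)
    if reply is not None and reply[0] == "RST":
        server.on_rst(victim.addr)         # the postcard is answered to the real address
    guess = rng.randrange(ISN_SPACE)       # the forger is flying blind
    established = server.on_ack(victim.addr, guess + 1)
    return established, guess == server_isn


def run_simulation(attempts=10_000, seed=7):
    """Run one legitimate handshake and many blind spoofed ones; return the
    figures a defender would care about."""
    rng = random.Random(seed)
    server = Server(rng)
    victim = Host("203.0.113.10")          # constructed address (TEST-NET-3)
    legit_ok = legitimate_handshake(server, "198.51.100.5")
    sessions = guesses_right = 0
    for _ in range(attempts):
        ok, hit = blind_spoof_attempt(server, victim, rng)
        sessions += ok
        guesses_right += hit
    return {
        "legitimate_established": legit_ok,
        "spoofed_sessions_established": sessions,
        "isn_guesses_correct": guesses_right,
        "victim_unsolicited_synacks": victim.unsolicited,
        "server_events_logged": len(server.events),
        "per_attempt_success_probability": 1 / ISN_SPACE,
    }


if __name__ == "__main__":
    for key, value in run_simulation().items():
        print(f"{key}: {value}")
```

Each spoofed attempt leaves two log entries on the server and one unsolicited SYN-ACK at the real host, which is the "lot of traffic" that makes the attempt easy to spot.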
And Ullrich also notes that an IP spoofing attack would be fairly easy to spot on an enterprise system. ''If something is trying to do that on your network, it's pretty obvious. It generates a lot of traffic because these hosts are sending acknowledgements that they don't understand.'' He also said there would be a record of the attempts. As for a hacker using a sniffing technique to get the IP address while it's in transmission, Ullrich explained that a VPN has its own encryption, along with ways to validate the IP address and the user. ''That's what you have a VPN for,'' he said. ''All the traffic is encrypted and authenticated. Unless you're NSA or somebody like that, you're not going to break that encryption.'' Copyright © 2005 CMP Media LLC
From isn at c4i.org Wed Jun 21 02:12:59 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 21 Jun 2006 01:12:59 -0500 (CDT) Subject: [ISN] Attend the Black Hat Briefings & Training USA event! Message-ID: Attend the Black Hat Briefings & Training USA event! July 29 - August 2, 2006 at Caesars Palace in Las Vegas, the world's premier technical event for IT security experts. Black Hat profiles next generation threats, delivers practical security techniques, and an understanding of legal and policy issues. The Briefings are designed to foster peer-to-peer communication and networking opportunities with over 2,500 security professionals from 40+ nations. Includes 36 hands-on training courses July 29 - August 1, and 60 presentations at the Briefings August 2-3, featuring security experts and "underground" security specialists. Register before June 30 for early-bird savings! http://www.blackhat.com
From isn at c4i.org Wed Jun 21 02:13:18 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 21 Jun 2006 01:13:18 -0500 (CDT) Subject: [ISN] UAB Computer Theft Puts Thousands At Risk Of Identity Theft Message-ID: http://www.nbc13.com/news/9398562/detail.html June 20, 2006 BIRMINGHAM, Ala.
-- A computer possibly containing the names, Social Security numbers and medical information for almost 10,000 people has been stolen from the University of Alabama at Birmingham. The computer had lists of donors, recipients and potential recipients of the university's kidney transplant program. UAB officials said there is no indication that the information has been used. This could mean that personal information of 9,800 UAB kidney patients is out on the street and subject to possible identity theft. The computer was stolen from the UAB School of Medicine Research Department in February. The people affected were not notified until June 8. UAB said that was because it took months for the school to reconstruct the missing database. The university said it has apologized to those affected and offered assistance. UAB said a letter was sent to each person alerting them of the crime and giving them the option of subscribing to a credit monitoring company that will alert them of any suspicious activity that might indicate identity theft. Copyright 2006 by NBC13.com From isn at c4i.org Wed Jun 21 02:12:40 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 21 Jun 2006 01:12:40 -0500 (CDT) Subject: [ISN] Ohio U. Suspends Two Over Hackers' Theft Message-ID: http://www.phillyburbs.com/pb-dyn/news/95-06202006-673296.html The Associated Press June 20, 2006 ATHENS, Ohio - Ohio University said Tuesday it has suspended two information technology supervisors over recent breaches by hackers who may have stolen 173,000 Social Security numbers from school computers. The school did not identify the director of communications network services - identified on the school's Web site as Thomas Reid - and manager of Internet and systems. Both were suspended pending the school's investigation of the breaches, five of which have happened since March 2005. A message was left late Tuesday at a home phone listing for Reid. 
Citing results from an independent audit, the school also said University President Roderick McDavis will ask trustees for up to $2 million to improve computer security. McDavis said he deeply regretted the inconvenience and stress the breaches caused university employees. "We hold ourselves fully accountable," McDavis wrote Monday in an e-mail to faculty and staff. The school said in April it had discovered a computer breach at its training center for fledgling businesses. Since then, electronic break-ins also were reported at the school's alumni office, health center and the department that handles records for businesses the university hires. Students, alumni and employees have been told to run credit checks and place fraud watches on their credit card and bank accounts. About two dozen people have told the school they were victimized by identity theft in the past year. -=- On the Net: Ohio University data theft: http://www.ohio.edu/datatheft
From isn at c4i.org Wed Jun 21 02:13:32 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 21 Jun 2006 01:13:32 -0500 (CDT) Subject: [ISN] Worm burrows into Google's Orkut Message-ID: http://www.techworld.com/security/news/index.cfm?newsID=6251 By John E. Dunn Techworld 19 June 2006 An automated information theft worm has been discovered spreading through Google's social networking website, Orkut. Using a URL as the lure, MW.Orc installs itself in an Orkut scrapbook, a public guestbook where visitors can leave comments or links. Infection follows for anyone clicking on this, after which it attempts to steal banking user names and passwords in trusted phishing style, should such services be accessed. The worm also gives criminals the potential to use the infected PC as a bot for the distribution of pirated movie files. Written in Portuguese, the link is believed to be designed to hook Brazilians, the main users of the system.
Google is said to have come up with a temporary patch to stop its activities, although a posting by FaceTime Security Labs' researchers on blog.spywareguide states that the worm has been causing problems for some time. "The idea of problems behind "gated" communities is a pretty interesting one, even more so when the idea regularly rolls around that segregating various parts of the Internet to "keep the bad guys out" would be a great idea. But what happens when those bad-guys are already inside the gates?," the blog entry continues. "Sometimes there is a false sense of security and trust that an end user has in a "gated" community such as Orkut. This is similar to what we see happening in instant messaging," was the official comment from FaceTime's Chris Boyd. A relatively obscure part of the Google empire, the invitation-only Orkut is said to have been named after its creator, Google employee Orkut Buyukkokten. From isn at c4i.org Wed Jun 21 02:13:54 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 21 Jun 2006 01:13:54 -0500 (CDT) Subject: [ISN] Lord battles government over cybercrime laws Message-ID: http://news.zdnet.co.uk/internet/security/0,39020375,39276193,00.htm Tom Espiner ZDNet UK June 20, 2006 Lord Northesk wants to protect IT pros and the police from criminalisation, and nail down the law covering denial of service attacks Sweeping changes to UK computer crime laws have been proposed by a Conservative peer. Lord Northesk is seeking to amend the Computer Misuse Act (CMA) 1990 to give the police and judiciary greater "legal clarity" when dealing with computer crime. The proposed changes would alter the law regarding launching denial of service attacks, the creation of tools that could be used for hacking, and bot attacks. The UK government is currently trying to update the CMA through amendments in the Police and Justice Bill 2006, which will be debated in the House of Lords this week. 
Northesk has proposed amendments to the government's own amendments. As it stands, paragraph 1b of Clause 41 of the Police and Justice Bill would make it an offence to release a computer tool that is "likely to be used" in a computer offense. As reported last month, experts are concerned that the government's proposals would have criminalised IT and security professionals who make network monitoring tools publicly available or who disclose details of unpatched vulnerabilities. Northesk's amendments, if passed, would see this paragraph deleted. He believes that it could even criminalise the police, if they create and distribute tools for forensic investigation. Northesk is pushing for the concept of recklessness to be introduced into the updated CMA. He is seeking to amend Clause 40 of the Police and Justice Bill so that malicious denial of service (DoS) attacks are criminalised by the CMA but legitimate political protests that slow down servers would not be. "The key point in Clause 40 is the inclusion of recklessness and intention [in launching attacks]. With effective civil disobedience, a whole series of people petition online [which may cause servers to crash]. Under the current draft this form of legitimate protest may be denied," said Northesk. "The purpose of the Clause 40 amendment is to address the fundamental issue that a lot of Internet activity - such as electronic civil disobedience - currently comes under CMA." By introducing the issue of recklessness, Lord Northesk also hopes to protect the police themselves from prosecution. "With [establishing] recklessness there is no bar on forensic hacking," he said. Northesk has also proposed modifying Clause 39 of the Police and Justice Bill so that Trojan horse software that inserts itself onto a system, allowing remote access by hackers, will be specifically covered by the law. "The current text of the CMA doesn't deal with bot attacks -
inserting software onto a machine that allows remote attacks," said Northesk. The peer said he hopes the legislation will enable the police and judiciary to better tackle cybercrime, and provide the government with guidance in understanding it. "I'm a great believer in legal clarity. Too often within government it's not properly understood that which is trying to be achieved. In the desire to future-proof legislation, they tend not to address problems that are sitting there because they are seen as difficult to understand," Northesk told ZDNet UK. From isn at c4i.org Thu Jun 22 03:28:46 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 22 Jun 2006 02:28:46 -0500 (CDT) Subject: [ISN] Study: Most Technology Companies Have Data Losses Message-ID: http://www.eweek.com/article2/0,1895,1979924,00.asp By Matt Hines June 21, 2006 Over half of all companies doing business in the technology, media and telecommunications sectors have experienced data breaches that potentially exposed their intellectual property or customer information, a new research report shows. According to the report, published by Deloitte Touche Tohmatsu, not only have many technology providers been hit with the same sorts of data losses that have recently plagued other industries, but a large number of the firms have also failed to make sufficient investments in security technologies aimed at preventing future incidents. Deloitte researchers said that security has long been "neglected" by technology, media and telecommunications companies despite their dependence on digital information to run their businesses. The consulting company surveyed executives at 150 such companies and found that even in the face of public embarrassment, financial losses and potential litigation linked to data breaches, many of the businesses have yet to make necessary investments to more adequately protect their information. 
According to the report, more than 50 percent of the companies surveyed admitted to having a data loss within the last 12 months, with roughly one-third of those incidents directly resulting in financial losses. Half of the companies reporting data breaches said the incidents involved internal attacks or policy violations. Of the firms surveyed, only 4 percent said their employers are doing enough to address the issue, and just 20 percent of respondents said that they feel confident that their companies' intellectual property is being sufficiently safeguarded. Some 24 percent of interviewees said that the security tools they have installed are being used effectively. While phishing schemes continue to pose a major threat to companies' customer information and brand reputations, only 18 percent of those executives surveyed said that their firms have employed technologies aimed at preventing the attacks. Deloitte said that 37 percent of the companies it interviewed have provided additional security training to their employees within the last 12 months. At the heart of the issue, the report said, is companies' reluctance to increase their spending on new security measures. While 74 percent of survey respondents said that they expect to spend more time and money on improving security in 2006, the average budget increase among those companies was only 9 percent. Fewer than 15 percent of those increasing their security budgets planned to do so by over 20 percent, Deloitte said. Despite the sobering statistics, Deloitte researchers said that technology, media and telecommunications companies are beginning to make changes to improve their IT defenses and security policies. Regulations such as the U.S. government's Sarbanes-Oxley Act have helped pave the way for those improvements, said Brian Geffert, principal of security and privacy services at Deloitte.
"Sarbanes got people to understand security a bit more, and now more people are catching up; more CEOs are communicating directly with chief information security officers, and I think we will see a lot more investment from these particular companies," said Geffert. "To a degree people are in the stage where they are still making plans, and not yet fully engaged in moving forward, but there's progress." Only 63 percent of respondents to the survey said they have a senior-level executive in their company dedicated to managing security issues, with 53 percent of information technology companies employing those types of leaders. Deloitte noted that those numbers were lower than the proportion of companies in other industries with C-level security executives already in place. Further, the survey found that 52 percent of technology, media and telecommunications companies consider security a problem for IT departments, rather than viewing the issue as a central business concern. The top five information security concerns identified by the executives polled were those related to instant messaging systems, phishing schemes, viruses that attack mobile devices, hacks into online brokerage accounts and other Web-based crimes. So-called insider attacks, or threats emanating from employees or other people with legitimate access to IT systems, are another major concern. However, only 59 percent of the companies interviewed said that they have any form of employee behavior monitoring technology in place. While 25 percent of respondents listed cited insider fraud as their primary internal security concern, 22 percent pointed to data losses such as the incidents that have recently victimized the U.S. Department of Veterans Affairs and insurance giant American International Group as their greatest fear. 
"These data leaks are starting to make people think differently about the manner in which they handle data, and you also have the emergence of small storage devices capable of carrying off a boatload of data, those things have opened people's eyes," Geffert said. "At the end of the day, it's all about getting people to look at their work habits differently and letting workers know what their responsibilities are for protecting the data; technology companies are a bit behind other industries today, but there's no reason that they cannot catch up." From isn at c4i.org Thu Jun 22 03:29:18 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 22 Jun 2006 02:29:18 -0500 (CDT) Subject: [ISN] A Dozen Security Patches and Several Related Exploits Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. CrossTec http://list.windowsitpro.com/t?ctl=2F22B:4FB69 Faxback http://list.windowsitpro.com/t?ctl=2F235:4FB69 Scalable Software http://list.windowsitpro.com/t?ctl=2F230:4FB69 ==================== 1. In Focus: A Dozen Security Patches and Several Related Exploits 2. Security News and Features - Recent Security Vulnerabilities - Microsoft Takes Security to the Forefront - Will Ethereal Be Devoured by Wireshark? - SmartLine DeviceLock Minireview 3. Security Toolkit - Security Matters Blog - FAQ - Security Forum Featured Thread - Instant Poll - Share Your Security Tips 4. New and Improved - Virtual Security Gateway ==================== ==== Sponsor: CrossTec ==== Just Released - New NetOp Remote Control v9.0 Work at blazing speeds with new NetOp Remote Control v9.0. NetOp, already one of the fastest remote control tools on the market, has gotten even faster. You won't even realize you are working remotely! 
With more than 40 new features, NetOp 9.0 lets you work smarter and offers a higher ROI. Complete central administration with the NetOp Security Server means that v9.0 is the most secure remote control product on the market and new Smart Card support keeps your remote technology cutting edge. Click to download the latest version of NetOp today. http://list.windowsitpro.com/t?ctl=2F22B:4FB69 ==================== ==== 1. In Focus: A Dozen Security Patches and Several Related Exploits ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net As you hopefully know by now, Microsoft released a dozen security patches last week. Microsoft rated eight of the patches as critical, meaning that the related problems could be exploited without user interaction to possibly spread a worm. The remaining four patches are rated important, meaning that the related problem could be exploited to compromise sensitive information, hinder access to data, or affect availability and integrity of processing resources. After Microsoft releases security patches, intruders often quickly release exploits that take advantage of the vulnerabilities or researchers sometimes discover that previously known security problems still exist and that the latest batch of patches left problems unfixed. This past week was no different. Reading the Handler's Diary blog at SANS Internet Storm Center (at the URL below) last week, I learned that the day after Microsoft released its security patches, there were at least six new exploits. Fortunately, two of those exploits, which affect Microsoft Windows Media Player and RRAS, were released by a security vendor to its customers, so those weren't floating around in the wild. Another exploit, which affects TCP/IP networking, was released privately, so it wasn't in the wild either. Yet another exploit, which affects Microsoft Word, was already in the wild before the related patch was released. 
That leaves at least two new exploits that are in the wild, both of which affect Server Message Block (SMB) and could be used to elevate privileges or hide a running process. http://list.windowsitpro.com/t?ctl=2F246:4FB69 These last two exploits caught my attention because installing the patch in the related Microsoft Security Bulletin MS06-030: Vulnerability in Server Message Block Could Allow Elevation of Privilege doesn't completely fix the security problems. Even with the patch installed, vulnerability remains, although to an arguably lesser extent. Ruben Santamarta, who runs the reversemode.com Web site, posted a message to SecurityFocus's BugTraq mailing list (at the URL below) in which he stated in reference to MS06-030, "Microsoft has not fixed the NtClose/ZwClose DeadLock vulnerability.... I think that the Driver Developer community should be informed that using NtClose/ZwClose, the driver will be exposed to a security issue by default." http://list.windowsitpro.com/t?ctl=2F23B:4FB69 Santamarta published a document on his Web site that discusses the problem in considerable technical detail (at the URL below). If I understand correctly, Santamarta has found that a malware writer could use the still existing vulnerability to essentially hide a process. As demonstrated in one of his published exploits, even if you try to terminate the process, it will disappear but not actually stop running. This of course gives the malware writer a great way to avoid malware removal. Santamarta's proof of concept points out that Microsoft needs to fix this problem sooner rather than later. http://list.windowsitpro.com/t?ctl=2F231:4FB69 Finally, another exploit you need to be aware of, which isn't related to Microsoft's June release of patches, is a zero-day exploit released last week that affects Microsoft Excel. At the time of this writing, no patch was available from Microsoft to correct the problem. 
The problem is serious in that it allows the execution of arbitrary code when someone opens an affected Excel document. Security vendors are working to provide detection of this exploit, so hopefully you'll have the protection you need by the time you read this newsletter. ==================== ==== Sponsor: Faxback ==== Maximize your VoIP environment by integrating FoIP technology to increase ROI, and streamline processes. http://list.windowsitpro.com/t?ctl=2F235:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=2F234:4FB69 Microsoft Takes Security to the Forefront At TechEd 2006 last week in Boston, Microsoft announced its Forefront brand and the launch of ISA Server 2006. Forefront will include solutions for clients, servers, and the network boundary. Find out what products will be included and when you can expect to see them. http://list.windowsitpro.com/t?ctl=2F23F:4FB69 Will Ethereal Be Devoured by Wireshark? Ethereal has long been the tool of choice among countless network administrators for robust packet capturing and protocol analysis. Now the hugely popular open source tool has a new name, Wireshark, and a new sponsor to go along with it. http://list.windowsitpro.com/t?ctl=2F23E:4FB69 SmartLine DeviceLock Minireview SmartLine's DeviceLock lets you manage device security for portable devices by assigning users access levels to network devices and interfaces, such as USB and infrared ports, wireless network adapters, and removable storage devices. Read Trisha Pendley's minireview on our Web site.
http://list.windowsitpro.com/t?ctl=2F23C:4FB69

====================

==== Resources and Events ====

Special Offer: Download any white paper from Windows IT Pro before June 30, and you could win a pair of Bose Triport Headphones. View the full selection of papers today at
http://list.windowsitpro.com/t?ctl=2F243:4FB69

Learn to differentiate between alternative solutions to disaster recovery for your Windows-based applications and how to ensure seamless recovery of your key systems whether a disaster strikes just one server or the whole site. On-demand Web seminar.
http://list.windowsitpro.com/t?ctl=2F22E:4FB69

Any unscheduled downtime--especially of your Exchange systems--can quickly affect a company's bottom line. Learn essential skills for reducing downtime to minutes instead of hours.
http://list.windowsitpro.com/t?ctl=2F232:4FB69

Get all you need to know about today's most popular security protocols, including SSL-TLS, for Web-based communications.
http://list.windowsitpro.com/t?ctl=2F22F:4FB69

Learn the key requirements of an effective internal network security solution and whether your approach protects you against worms, BotNets, Trojan horses, and hackers. On-demand Web seminar.
http://list.windowsitpro.com/t?ctl=2F22D:4FB69

====================

==== Featured White Paper ====

Test-drive the Starter PKI program and learn how companies that need to secure multiple domains and host names can benefit.
http://list.windowsitpro.com/t?ctl=2F233:4FB69

Bonus: Whenever you download a white paper from Windows IT Pro before June 30, you'll be entered to win Bose Triport Headphones. See the full selection of papers today at
http://list.windowsitpro.com/t?ctl=2F243:4FB69

====================

==== Hot Spot ====

How much are you spending on IT compliance? Streamline and automate the compliance life cycle with this FREE white paper, and reduce your costs today!
http://list.windowsitpro.com/t?ctl=2F230:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: 100GB in My Pocket!
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2F242:4FB69
I found a super-affordable portable disk that gives me 100GB to store whatever I need, like bunches of security tools and even an alternative OS. Plus I can carry it around in my pocket.
http://list.windowsitpro.com/t?ctl=2F23D:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=2F241:4FB69
Q: Why does the Windows Server 2003 R2 File Server Resource Manager (FSRM) file screen audit report contain three entries for file screen violations?
Find the answer at http://list.windowsitpro.com/t?ctl=2F236:4FB69

Security Forum Featured Thread: Using Administrator Account Is a Security Offense
A forum participant wonders why it's a serious security offense in some organizations for a network administrator to use the Administrator account for routine work. Join the discussion at
http://list.windowsitpro.com/t?ctl=2F22C:4FB69

New Instant Poll
Is your company using Microsoft's antispyware tool, Windows Defender Beta 2, on its systems?
- Yes, it's the only antispyware tool we use
- Yes, we use it along with other antispyware programs
- No, we use another antispyware program
Go to the Security Hot Topic and submit your vote
http://list.windowsitpro.com/t?ctl=2F240:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Monthly Online Pass--only $14.95!
Includes instant online access to every article ever written in the Windows IT Security newsletter.
Order now: http://list.windowsitpro.com/t?ctl=2F237:4FB69

June Special--Save $80 off the Windows Scripting Solutions newsletter
Get endless scripting techniques and expert-reviewed code. Subscribe to Windows Scripting Solutions today and save $80:
http://list.windowsitpro.com/t?ctl=2F239:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Virtual Security Gateway
Astaro announced the general availability of Astaro Security Gateway for VMware, which lets customers run Astaro Security Gateway software on a VMware infrastructure. A new Astaro Command Center will allow for one integrated view and unified control of any number of Astaro Security Gateways for VMware and/or Astaro Security Gateway physical appliances. Suggested pricing for a sample configuration of 250 active users, 512,000 connections, and one year of maintenance is $11,885. For more information or to download a trial copy of the software, go to
http://list.windowsitpro.com/t?ctl=2F245:4FB69

Tell Us About a Hot Product and Get a Best Buy Gift Card!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Best Buy Gift Card if we write about the product in a Windows IT Pro What's Hot column. Send your product suggestion with information about how the product has helped you to whatshot at windowsitpro.com.
====================

==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2F244:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=2F23A:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Jun 22 03:29:35 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:29:35 -0500 (CDT)
Subject: [ISN] Voylent beta released for public download
Message-ID:

Voylent beta released for public download

Voylent is a client for cellphones that encrypts voice conversations (IP support not available in this version). We have just released our first public beta and are looking for testers, feature requests and feedback.

The client has been tested on only a few models, mainly Nokia S60 with Symbian OS. The full list of devices it runs on is included in the release notes & FAQ.

We also decided to publish the information regarding the secure channel and key negotiation protocol. The PDF is available for download without registration on our website.

We understand that installing (and running successfully) a new application on a cellphone is not as straightforward as it should be, but we offer support via email and phone and we are keen to squash as many bugs / make as many UI improvements as possible.
More information at http://www.voylent.com/

From isn at c4i.org Thu Jun 22 03:29:54 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:29:54 -0500 (CDT)
Subject: [ISN] USDA covers its bases with a detailed plan
Message-ID:

http://www.gcn.com/print/25_16/41041-1.html

By Brad Grimes and Jason Miller
GCN Staff
06/19/06 issue

The Agriculture Department's wireless policy, updated in April through a series of departmental notices, comprises everything from architectural requirements to acquisition guidance.

Unlike the Defense Department's most recent wireless memorandum, USDA's policy covers technologies such as Bluetooth and infrared communications, which the department tightly restricts, requiring that Bluetooth and infrared be used only between government-owned devices or within secure government facilities. These technologies also can only be used with strict security measures turned on, including Encryption Mode 3, use of temporary personal identification numbers and more.

It's a very detailed policy.

"We have 3,000 county offices where they use wireless devices, and we have to make sure we have a policy that takes care of all our concerns from a security perspective," said Robert Suda, USDA's associate CIO.

For instance, if an employee teleworks and uses a wireless LAN at home, a department representative must inspect the employee's home to ensure the use of Secure Sockets Layer protocol, virtual private networking or the IEEE 802.11i wireless security standard with AES encryption.

Within USDA, the policy requires the use of 802.11i. Approved two years ago, the standard can be a hurdle for agencies that deployed pre-802.11i networks, because the accompanying encryption algorithms often require hardware upgrades.

USDA offices must also deploy 802.11i wireless equipment certified by the National Institute of Standards and Technology to conform to Federal Information Processing Standards 140-2.
As in the recent DOD wireless policy, FIPS-140-1 cryptographic modules are not acceptable.

Offices that deployed wireless networks before 802.11i came out have a year from April to upgrade, and they're not allowed to connect their noncompliant networks to any other USDA network without a waiver.

Aside from 802.11i requirements, USDA has taken many of the same steps as DOD, requiring wireless intrusion detection devices and firewalls along the wireless network.

But unlike DOD, USDA is particularly concerned with access point configuration. The department requires X.509 certificates in all devices to authenticate actual access points. USDA also requires that all APs be registered with the department and maintain logs of unauthorized access attempts for 30 days.

In addition, the policy said, "APs will be located on interior walls of buildings."

Agriculture is one of only a handful of agencies with a mature wireless policy.

© 1996-2006 Post-Newsweek Media, Inc.

From isn at c4i.org Thu Jun 22 03:30:10 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:30:10 -0500 (CDT)
Subject: [ISN] Hacker enters Agriculture dept. computers
Message-ID:

http://seattlepi.nwsource.com/business/1700AP_Agriculture_Hacker.html

By Libby Quaid
AP FOOD AND FARM WRITER
June 21, 2006

WASHINGTON -- A hacker broke into the Agriculture Department's computer system and may have obtained names, Social Security numbers and photos of 26,000 Washington-area employees and contractors, the department said Wednesday.

Agriculture Secretary Mike Johanns said the department will provide free credit monitoring for one year to anyone who might have been affected.

The break-in happened during the first weekend in June, the department said. Technology staff learned of the breach on June 5 and told Johanns the following day but believed personal information was protected by security software, the department said.
However, on further analysis, staff concluded that data on current or former employees might have been accessed and informed Johanns on Wednesday, according to the department.

The department said it notified law enforcement agencies. Its inspector general is investigating the break-in.

The information was used for staff or contractor badges in Washington and the surrounding area, spokeswoman Terri Teuber said. Those who might have been affected were notified by e-mail and were being sent letters.

People who believe they may be affected by the data breach can go to http://www.firstgov.gov for more information.

The Agriculture Department has a toll-free number to call for information about the incident or about consumer-identity protections. The number, 1-800-FED-INFO (1-800-333-4636), is a call center that operates from 8 a.m. to 9 p.m. EDT Monday through Saturday.

Other federal departments have acknowledged recently that private information had been compromised.

As many as 26.5 million people may have been affected by the theft of a laptop computer containing Veterans Affairs information including Social Security numbers and birth dates. The computer was taken from the home of a VA employee, and officials waited nearly three weeks before notifying veterans on May 22 of the theft.

Earlier this month, the Health and Human Services Department discovered that personal information for nearly 17,000 Medicare beneficiaries may have been compromised when an insurance company employee called up the data through a hotel computer and then failed to delete the file.

Social Security numbers and other information for nearly 1,500 people working for the National Nuclear Security Administration may have been compromised when a hacker gained entry to an Energy Department computer system last fall. Officials said June 12 they had learned only recently of the breach.
-=-

On the Net:
Agriculture Department: http://www.usda.gov

From isn at c4i.org Thu Jun 22 03:30:26 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:30:26 -0500 (CDT)
Subject: [ISN] Wi-Fi drivers open laptops to hackers
Message-ID:

http://www.techworld.com/mobility/news/index.cfm?newsID=6272

By Robert McMillan
IDG News Service
22 June 2006

Hackers can take control of laptops by Wi-Fi, even when the user is not connected to a wireless LAN, according to security researchers.

The hack, which exploits bugs in wireless device drivers, will be demonstrated at the upcoming Black Hat USA 2006 conference during a presentation by David Maynor, a research engineer with Internet Security Systems, and Jon Ellch, a student at the US Naval Postgraduate School in Monterey, California.

Device driver hacking is technically challenging, but the field has become more appealing in recent years, thanks in part to new software tools that make it easier for less technically savvy hackers, known as script kiddies, to attack wireless cards, Maynor said in an interview.

The two researchers used an open-source 802.11 hacking tool called Lorcon (Lots of Radio Connectivity) to throw an extremely large number of wireless packets at different wireless cards. Hackers use this technique, called fuzzing, to see if they can cause programs to fail, or perhaps even run unauthorised software when they are bombarded with unexpected data.

Using tools like Lorcon, Maynor and Ellch were able to discover many examples of wireless device driver flaws, including one that allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver. They also examined other networking technologies including Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).

The two researchers declined to disclose the specific details of their attack before the August 2 presentation, but they described it in dramatic terms.
"This would be the digital equivalent of a drive-by shooting," said Maynor. An attacker could exploit this flaw by simply sitting in a public space and waiting for the right type of machine to come into range.

The victim would not even need to connect to a network for the attack to work.

"You don't have to necessarily be connected for these device driver flaws to come into play," Ellch said. "Just because your wireless card is on and looking for a network could be enough."

More than half of the flaws that the two researchers found could be exploited even before the wireless device connected to a network.

Wireless devices are often configured to be constantly sniffing for new networks, and that can lead to security problems, especially if their driver software is badly written.

Researchers in Italy recently created a hacking lab on wheels, called project BlueBag, to underscore this point by showing just how many vulnerable Bluetooth wireless devices they could connect with by wandering around public spaces like airports and shopping malls. After spending about 23 hours wandering about Milan, they had found more than 1,400 devices that were open to connection.

"Wireless device drivers are like the Wild, Wild West right now," Maynor said. "Lorcon has really brought mass Wi-Fi packet injection to script kiddies. Now it's pretty much to the point where anyone can do it."

Part of the problem is that the engineers who write device drivers often do not have security in mind, he said. A second problem is that vendors also make devices that go beyond the requirements of a particular wireless standard. That piling on of features can open security holes as well, he said.

All contents © IDG 2006

From isn at c4i.org Thu Jun 22 03:31:15 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:31:15 -0500 (CDT)
Subject: [ISN] 'UFO Hacker' Tells What He Found
Message-ID:

http://www.wired.com/news/technology/internet/0,71182-0.html

By Nigel Watson
June 21, 2006

The search for proof of the existence of UFOs landed Gary McKinnon in a world of trouble.

After allegedly hacking into NASA websites -- where he says he found images of what looked like extraterrestrial spaceships -- the 40-year-old Briton faces extradition to the United States from his North London home. If convicted, McKinnon could receive a 70-year prison term and up to $2 million in fines.

Final paperwork in the case is due this week, after which the British home secretary will rule on the extradition request.

McKinnon, whose extensive search through U.S. computer networks was allegedly conducted between February 2001 and March 2002, picked a particularly poor time to expose U.S. national security failings in light of the terror attacks of Sept. 11, 2001.

McKinnon tells what he found and discusses the motivation behind his online adventures in this exclusive phone interview with Wired News.

Wired News: What was your motive or inspiration for carrying out your computer hacking? Was it the War Games movie?

Gary McKinnon: This is a bit of a red herring. I have seen it but I wasn't inspired by it. My main inspiration was The Hacker's Handbook by Hugo Cornwall. The first edition that I read was too full of information.... It had to be banned, and it was reissued without the sensitive stuff in it.

WN: Without this book would you have been able to do it?

McKinnon: I would have done it anyway because I used the internet to get useful information. The book just kick-started me. Hacking for me was just a means to an end.

WN: In what way?

McKinnon: I knew that governments suppressed antigravity, UFO-related technologies, free energy or what they call zero-point energy.
This should not be kept hidden from the public when pensioners can't pay their fuel bills.

WN: Did you find anything in your search for evidence of UFOs?

McKinnon: Certainly did. There is The Disclosure Project. This is a book with 400 testimonials from everyone from air traffic controllers to those responsible for launching nuclear missiles. Very credible witnesses. They talk about reverse-(engineered) technology taken from captured or destroyed alien craft.

WN: Like the Roswell incident of 1947?

McKinnon: I assume that was the first and assume there have been others. These relied-upon people have given solid evidence.

WN: What sort of evidence?

McKinnon: A NASA photographic expert said that there was a Building 8 at Johnson Space Center where they regularly airbrushed out images of UFOs from the high-resolution satellite imaging. I logged on to NASA and was able to access this department. They had huge, high-resolution images stored in their picture files. They had filtered and unfiltered, or processed and unprocessed, files.

My dialup 56K connection was very slow trying to download one of these picture files. As this was happening, I had remote control of their desktop, and by adjusting it to 4-bit color and low screen resolution, I was able to briefly see one of these pictures. It was a silvery, cigar-shaped object with geodesic spheres on either side. There were no visible seams or riveting. There was no reference to the size of the object and the picture was taken presumably by a satellite looking down on it. The object didn't look manmade or anything like what we have created. Because I was using a Java application, I could only get a screenshot of the picture -- it did not go into my temporary internet files. At my crowning moment, someone at NASA discovered what I was doing and I was disconnected.

I also got access to Excel spreadsheets. One was titled "Non-Terrestrial Officers." It contained names and ranks of U.S. Air Force personnel who are not registered anywhere else. It also contained information about ship-to-ship transfers, but I've never seen the names of these ships noted anywhere else.

WN: Could this have been some sort of military strategy game or outline of hypothetical situations?

McKinnon: The military want to have military dominance of space. What I found could be a game -- it's hard to know for certain.

WN: Some say that you have given the UFO motivation for your hacking as a distraction from more nefarious activities.

McKinnon: I was looking before and after 9/11. If I had wanted to distract anyone, I would not have chosen ufology, as this opens me up to ridicule.

WN: Tell me about your experiences with law enforcement and the procedures you have gone through.

McKinnon: I was arrested by the British National Hi Tech Crime Unit in March 2002. They held me in custody for about six or seven hours. My own computer and ones I was fixing for other people were taken away. The other machines were eventually returned, but they kept my hard drive that was sent to the U.S. It was November 2002 when the U.S. Department of Justice started their efforts to extradite me.

WN: The British Crown Prosecution Service dropped charges against you because your activities did not involve British computers.

McKinnon: I was to be officially charged in 2003 but a warrant wasn't given until 2004.... In June or July 2005, I was scooped from the street by Scotland Yard. I was kept at Belgravia Police Station overnight. I just wore what I had on when I was out; I didn't get a chance to wear a suit in court. I was given police bail.

WN: When will they make a decision about extradition?

McKinnon: It's down to the Home Secretary, John Reid. The deadline for representations is 21 June 2006. Even after that date, it could be as much as 11 months for him to decide on my fate.

WN: How have you been coping?

McKinnon: God, it's very worrying and stressful. It's been worse because I'm unemployed.
I worked on and off in IT, contracting and stuff, before this, but no one will touch me with a large barge pole now.

© Copyright 2006, Lycos, Inc.

From isn at c4i.org Thu Jun 22 03:30:48 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:30:48 -0500 (CDT)
Subject: [ISN] UBS Trial: Defense Attacks 'Sloppy' Investigation
Message-ID:

http://www.informationweek.com/management/showArticle.jhtml?articleID=189600069

By Sharon Gaudin
InformationWeek
Jun 21, 2006

Newark, N.J. -- After taking it on the chin last Friday, the defense in a computer sabotage trial here pounded away at the Secret Service agent on the stand, riding him on missteps in the investigation, and once again attacking the fact that hackers worked at one of the computer forensics companies involved in the case.

Special Agent Gregory O'Neil of the U.S. Secret Service was repeatedly questioned by defense attorney Chris Adams about an initial forensic report with a missing page, an unidentified latent fingerprint on a key piece of evidence, and some incorrect dates on a Secret Service report. O'Neil, who was a lead investigator in the matter, took the stand as a witness for the prosecution in the federal computer sabotage case.

Adams, a partner at Walder Hayden & Brogan in Roseland, N.J., is the lead defense lawyer for Roger Duronio, the 63-year-old former systems administrator accused of planting a logic bomb that crippled the network at UBS PaineWebber four years ago. Duronio is facing four charges in connection with allegedly writing and planting malicious code on the Unix-based network at UBS PaineWebber, where he had been working for three years. The attack effectively took down about 2,000 of the company's servers, some of which were brought back up in a day, but others remained down for two to three weeks.
In his cross examination of O'Neil, Adams also focused his sights on one specific forensic investigator who had been a hacker before working at @Stake, Inc., the security company that UBS first called in to check out the March 4, 2002 incident. Karl Kasper, known in the industry as John Tan, identified himself to the federal agent as John Tan, and signed documents with that name. The defense asked O'Neil why he would trust the word, or the work, of someone who gave a false name to the Secret Service. O'Neil replied that he didn't regard it as a false name, simply a name Kasper uses in the trade.

And last Friday, O'Neil said that all roads in the investigation led back to Duronio. First off, he had pointed out that a digital trail led from Duronio's home IP address through the corporate VPN and into the company's servers, on exactly the same dates and times that the malicious code was planted or modified. O'Neil also told the jury that during the execution of a search warrant on the Duronio home, Secret Service agents found parts of the malicious code on two of his home computers, as well as printed out in a hardcopy that was found on his bedroom dresser.

Following the Money

When the trial resumed Tuesday morning, Agent O'Neil took the stand for the second day, and laid out a summary of Duronio's trading activity that he had put together based on the defendant's banking, trading and mortgage information.

He testified that Duronio bought a total of 330 put options in the month before the security attack at UBS. He had bought stocks before, but never puts, which basically are a way to place bets that the company's stock will go down. The investor only gets a payoff if the company stock drops.

Duronio, according to Agent O'Neil, spent $23,025.12 on puts between Feb. 5, 2002 and March 1, 2002. While he bought a handful of puts on other companies, like Merrill Lynch and Citigroup, 96% of them were against UBS.
The agent also pointed out to the jury that Duronio, who allegedly became disgruntled with the company when his annual bonus came in $15,000 under expectations, had recently made two payments of approximately $18,000 each to New York University for his oldest son's tuition.

Hackers and Pseudonyms

During the cross, Adams lost no time in taking another swing at @Stake, the first company on scene to do a forensics investigation. Last week, Adams repeatedly asked witnesses from UBS' IT department if they trusted hackers or would hire a security company that employs hackers.

The research labs in @Stake, which was bought by Symantec Corp. in 2004, were headed up by Peiter C. Zatko (also known in the industry as Mudge), the former CEO and chief scientist of the L0pht, a high-profile hacker think tank. Zatko, however, worked his way into the legitimate business world, testifying before a Senate Committee on Government Affairs, and counseling President Clinton in the White House on security issues.

Mendez testified that other Wall Street firms had recommended several forensic companies, including @Stake, to UBS after their servers were taken down.

In Tuesday's testimony, Agent O'Neil said he had received 10 items of evidence from Kasper (John Tan), who worked at @Stake and was involved in the UBS investigation. Adams projected a Documentation of Evidence sheet onto a screen in front of the jurors that showed that Kasper had signed his name as 'John Tan' on the official list that was handed over to the government. He also had signed another Certified Inventory of Evidence document with that name.

O'Neil said he had not been aware until late in 2004 or early in 2005 that John Tan actually is the screen name for Karl Kasper.

''He lied to you about the most basic information,'' Adams said.
But during repeated questioning about it, O'Neil replied, ''He used John Tan to identify himself in his work at @Stake. A fictitious name doesn't affect what's in the evidence itself.''

But in a separate interview, Johannes Ullrich, chief research officer at the SANS Institute, said he was surprised that Kasper would use a nickname or pseudonym when working with federal agents.

''I've never heard of that before,'' said Ullrich. ''A lot of people go by hack names but to use it during an investigation, I wouldn't do it. If you talk to the Secret Service, or to any client, it's not professional.''

However, Alan Paller, director of research at the SANS Institute, was much less surprised by it. In an interview, he said it's very common for people to use their 'handles' whenever they're in a work-related situation.

''It's like a woman using her maiden name even after she's married, because everyone in the office knows her as Brenda Jones,'' said Paller. ''It's the mindset of the black hat community. It was common to have a second life. You build up your reputation as a security expert with that second name. It's quite natural that he used his second name because that's the name with the security credibility associated with it.''

Kasper, going by the name John Tan, has spoken at SANS and Black Hat conferences. In 2005, he took a job with JP Morgan Chase doing application security assessment/penetration testing.

On the Attack

The defense attorney didn't narrow his field of attack to Kasper. Adams pointed out that the initial report that @Stake produced was missing Page 17, but it was included in a later release of the report. Both O'Neil and the prosecutors took exception to Adams characterizing the page as having been 'withheld.' O'Neil said the information on that page was ''forward looking'' and not pertinent to the criminal investigation.

Page 17, in part, refers to two other UBS employees who had been investigated.
O'Neil said he and other agents interviewed both men for one to two hours each but there was no evidence of criminal activity. Then Adams asked if O'Neil knew that both men had been put on administrative leave after their interviews with law enforcement and then were let go from the company. O'Neil said he had not been aware of that till much later. Adams also asked him if he knew of any severance agreement that precluded the two men from speaking about the investigation with anyone outside of UBS or the government. O'Neil replied that he did not know of any such agreement.

Duronio's defense attorney used the agent's time on the stand as a chance to point out that the government does not have reports from Verizon, which was Duronio's ISP at the time of the attack, for several dates when forensics showed that the malicious code was being planted or modified on the company network. Under subpoena, Verizon had produced records about the dates and times of some connections, along with the IP addresses where the connections originated.

And Adams pounced on the fact that a latent fingerprint was found on the hardcopy printout of the malicious code that was found on Duronio's dresser. The print, O'Neil testified, did not belong to the defendant or to two agents who handled the paper. He said he doesn't know whose fingerprint it is.

Copyright © 2005 CMP Media LLC

From isn at c4i.org Thu Jun 22 03:31:00 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:31:00 -0500 (CDT)
Subject: [ISN] Audit finds state computer security needs improvement
Message-ID:

http://www.billingsgazette.net/articles/2006/06/20/news/state/24-computer-audit.txt

By The Associated Press
June 20, 2006

HELENA -- The state computer system building, and the taxpayer information and other sensitive data it holds, are vulnerable to security breaches, legislative auditors told lawmakers Tuesday.

The audit came one day after the state computer system's second failure in less than a month.
The computer system for much of state government, including servers and key network systems, is housed in the basement of a 60-year-old building that is not completely secure, legislative auditors said.

The computer systems are behind a door that requires an access keycard, but the wall does not extend to the ceiling, the audit said. Legislative Audit Division staff said the computer center relies on "security through obscurity."

State Chief Information Officer Dick Clark said his staff has developed a series of quick deadlines to meet improvements suggested by the auditors. The governor's office also has talked about constructing a new building for the computer system.

Lawmakers said the lack of security is a big problem because state computers warehouse a lot of sensitive data, including complete records on taxpayers and others.

"I think this is some pretty serious stuff," said Rep. Dee Brown, R-Hungry Horse.

Clark said his agency also is reviewing the credentials given to people who have access to the computer system's location.

Auditors made a number of suggestions, including the need for a better inventory of all the systems and data in the computer center, more intense security precautions, and strengthened safeguards to mitigate risks associated with earthquakes or flooding in the building's basement.

The shutdown of the computer system on Monday had nothing to do with security. The system shut itself down after a fire alarm went off in the building and fire extinguishers released a chemical to suck oxygen from the air. The equipment was brought back on line late in the afternoon.

In late May, most of the state computer system went down for a day when a major piece of network equipment failed.

Copyright © The Billings Gazette

From isn at c4i.org Fri Jun 23 15:38:23 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:38:23 -0500 (CDT)
Subject: [ISN] REVIEW: "The CISO Handbook", Mike Gentile/Ron Collette/Tom August
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKCISOHB.RVW 20060520

"The CISO Handbook", Mike Gentile/Ron Collette/Tom August, 2006, 0-8493-1952-8, U$69.95/C$89.95
%A Mike Gentile
%A Ron Collette
%A Tom August
%C 920 Mercer Street, Windsor, ON N9A 7C2
%D 2006
%G 0-8493-1952-8
%I Auerbach Publications
%O U$69.95/C$89.95 800-950-1216 auerbach at wgl.com orders at crcpress.com
%O http://www.amazon.com/exec/obidos/ASIN/0849319528/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0849319528/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0849319528/robsladesin03-20
%O Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 322 p.
%T "The CISO Handbook: A Practical Guide to Securing Your Company"

The introduction states that there are generally two kinds of books on the security shelf--the "hack to secure" tomes and the exam preparation guides. (It may sometimes seem like the literature is restricted to those kinds of texts, although I would add a third that seems to be all too prevalent: poorly executed security management works. However, I fully sympathize with the authors' disdain for the "hacking" books, as well as their reasoning of the limited value of such manuals.) The authors also describe a standard structure for each chapter, as well as an overall design of the publication, following a fairly standard project management framework.

Chapter one covers assessment. While this may not be a big surprise to those with the slightest familiarity with project management fundamentals, the authors provide a very complete description of the information that will be useful in appraising any situation in which you may find yourself.
(The writing is generally clear and easy enough to read, but the point of the examples and illustrations is not always obvious or even intelligible. In some cases it seems the desire to entertain has overwhelmed exegetical utility.) A very complete checklist is given at the end of the chapter. Planning, in chapter two, does not fare as well. Much of the material reiterates the importance of obtaining information, or outlines organizational structures, personnel, and skills. (Rather ironically, the recommendations assume a fairly large corporation, budget, and staff, which was one of the complaints the authors made, in the introduction, about other security books.) Design is a difficult project to nail down, but chapter three doesn't really even try. Various aspects of security management, such as policy components, promotion to the rest of the company, and security reviews, are the major substance dealt with (some of the topics multiple times). Project management is covered in chapter four. Very detailed and complete project management, directed at creating a specific design and implementation, but applicable to any kind of project. (It is somewhat telling that the end-of-chapter checklists, which have been getting shorter, vanish entirely here.) Since the overall thread of the book has been to move through the phases of a large project, one could expect that the title of chapter five, "Reporting," refers to a report back to management on progress or completion. Not so: marketing of security to the enterprise, which has been a thread all the way through the book, now gets a chapter all its own. Chapter six repeats the outline of the book we received in the introduction. A work addressed to the CISO (Chief Information Security Officer) can be expected to be primarily concerned with management issues. However, with the exception of chapter one, very little in the book could not be equally applicable to any C-level executive. 
(It is interesting to note that, of the references, only two deal with security, twenty-seven are business books.) Indeed, even though Charles Sennewald wrote "Effective Security Management" (cf. BKEFSCMN.RVW) for those dealing with physical security, there is more practical advice for senior information security management in it than in "The CISO Handbook." While the authors have outlined definite structures for the chapters, these patterns are not always easy to determine or follow. I frequently found myself lost in the chapters, and while I could eventually realize where I was in the formation, the inconsistency and multiplicity of header formats certainly did not help matters any. Still, the work does have significant value. Those who rise through the ranks of computer security frequently lack management experience and knowledge, and this addresses, in some detail, the necessary skills. Not as directly, perhaps, as Fred Cohen in the "Governance Guidebook" (cf. BKCISOGG.RVW), but usefully nonetheless. copyright Robert M. Slade, 2006 BKCISOHB.RVW 20060520 ====================== (quote inserted randomly by Pegasus Mailer) rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org The brain is a mass of cranial nerve tissue, most of it in mint condition. 
- Robert Half Dictionary Information Security www.syngress.com/catalog/?pid=4150 http://victoria.tc.ca/techrev/rms.htm From isn at c4i.org Fri Jun 23 15:38:37 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 23 Jun 2006 14:38:37 -0500 (CDT) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-25 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2006-06-15 - 2006-06-22 This week: 69 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: Two vulnerabilities have been discovered in Microsoft Windows and Microsoft Excel, which can be exploited to compromise a vulnerable system. 
The first SA20686 has, according to Microsoft, already been used in targeted "Zero-day" attacks against a few companies. Currently, no patches are available from Microsoft. Please refer to the referenced Secunia advisories below for additional details. References: http://secunia.com/SA20686 http://secunia.com/SA20748 -- A vulnerability has been discovered in WinAmp, which potentially can be exploited by malicious people to compromise a user's system. An updated version has been released by the vendor that fixes this vulnerability. Reference: http://secunia.com/SA20722 -- VIRUS ALERTS: During the past week Secunia collected 224 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA20686] Microsoft Excel Repair Mode Code Execution Vulnerability 2. [SA20748] Microsoft Office Long Link Buffer Overflow Vulnerability 3. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability 4. [SA20595] Microsoft Internet Explorer Multiple Vulnerabilities 5. [SA20576] Adobe Reader Unspecified Vulnerabilities 6. [SA20699] Cisco Secure ACS for Unix Cross-Site Scripting Vulnerability 7. [SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability 8. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability 9. [SA15779] Sendmail Multi-Part MIME Message Handling Denial of Service 10. 
[SA20661] Horde Cross-Site Scripting Vulnerabilities ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow [SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability [SA20721] ASP Stats Generator SQL Injection and Code Injection [SA20719] Hitachi Products MDAC RDS.Dataspace ActiveX Vulnerability [SA20756] MAILsweeper for SMTP/Exchange Multiple Vulnerabilities [SA20752] Maximus SchoolMAX "error_msg" Parameter Cross-Site Scripting [SA20743] Hosting Controller Privilege Escalation Vulnerability [SA20698] SSPwiz Plus "message" Cross-Site Scripting Vulnerability UNIX/Linux: [SA20710] SUSE update for awstats [SA20709] Gentoo update for mozilla-thunderbird [SA20708] Gentoo update for typespeed [SA20766] SUSE Updates for Multiple Packages [SA20716] Ubuntu update for kernel [SA20715] Trustix update for libtiff [SA20712] Ubuntu update for mysql-dfsg [SA20703] Linux Kernel "xt_sctp" Denial of Service Vulnerability [SA20694] Mandriva update for sendmail [SA20693] Mandriva update for libtiff [SA20690] Gentoo update for pam_mysql [SA20692] Mandriva update for spamassassin [SA20750] Debian update for horde2 [SA20734] CHM Lib "extract_chmLib" Directory Traversal Vulnerability [SA20699] Cisco Secure ACS for Unix Cross-Site Scripting Vulnerability [SA20754] dhcdbd DHCP Message Handling Denial of Service [SA20702] Mandriva update for kdebase [SA20729] NetPBM pamtofits Off-By-One Buffer Overflow Vulnerability [SA20711] HP-UX Support Tools Manager Denial of Service Vulnerability Other: [SA20726] FortiMail Sendmail Multi-Part MIME Message Handling Vulnerability [SA20720] FortiGate FTP Anti-Virus Scanning Bypass Vulnerability Cross Platform: [SA20771] Ralf Image Gallery File Inclusion Vulnerabilities [SA20769] SmartSiteCMS "root" File Inclusion Vulnerability [SA20768] BandSite CMS "root_path" File Inclusion Vulnerabilities [SA20758] Micro CMS 
"microcms_path" Parameter File Inclusion Vulnerability [SA20744] Ad Manager Pro "ipath" Parameter File Inclusion Vulnerability [SA20733] easy-CMS Multiple File Extensions Vulnerability [SA20731] Eduha Meeting PHP File Upload Vulnerability [SA20713] CMS Faethon "mainpath" File Inclusion and Cross-Site Scripting Vulnerabilities [SA20695] Bitweaver Multiple Vulnerabilities and Weakness [SA20772] Invision Power Board Hexadecimal HTML Entities Script Insertion [SA20763] IMGallery "galerie.php" SQL Injection Vulnerabilities [SA20761] Ultimate Estate Cross-Site Scripting and SQL Injection [SA20753] BtitTracker "torrents.php" SQL Injection Vulnerabilities [SA20747] thinkWMS Multiple SQL Injection Vulnerabilities [SA20746] Joomla! "Name" SQL Injection Vulnerability [SA20745] Mambo "Name" SQL Injection Vulnerability [SA20740] phpTRADER SQL Injection Vulnerabilities [SA20739] xarancms "id" Parameter SQL Injection Vulnerability [SA20738] tplShop "first_row" Parameter SQL Injection Vulnerability [SA20732] IBM WebSphere Application Server Multiple Vulnerabilities [SA20730] VUBB SQL Injection and Cross-Site Scripting Vulnerabilities [SA20727] e107 Cross-Site Scripting and Script Insertion [SA20724] singapore "template" Parameter Local File Inclusion Vulnerability [SA20706] Clubpage Cross-Site Scripting and SQL Injection Vulnerabilities [SA20705] Free Realty "sort" SQL Injection Vulnerability [SA20704] Open-Realty "sorttype" SQL Injection Vulnerability [SA20701] VBZooM "QuranID" SQL Injection Vulnerability [SA20700] Groupmax Address/Mail Server Denial of Service Vulnerability [SA20696] Virtual War "war.php" SQL Injection Vulnerabilities [SA20767] Atlassian JIRA Enterprise Edition Cross-Site Scripting Vulnerability [SA20764] myPHP Guestbook Cross-Site Scripting Vulnerabilities [SA20742] UltimateGoogle "REQ" Cross-Site Scripting Vulnerability [SA20737] Ultimate eShop "subid" Cross-Site Scripting Vulnerability [SA20736] Tradingeye Shop "image" Cross-Site Scripting Vulnerability 
[SA20735] Cisco CallManager Web Interface Cross-Site Scripting Vulnerabilities [SA20728] Confixx Pro Cross-Site Scripting Vulnerabilities [SA20725] AssoCIateD "menu" Cross-Site Scripting Vulnerability [SA20718] phpMyDirectory Cross-Site Scripting Vulnerabilities [SA20697] iPostMX 2005 "RETURNURL" Cross-Site Scripting Vulnerabilities [SA20691] NC LinkList "index.php" Cross-Site Scripting Vulnerabilities ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2006-06-20 kcope has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20748/ -- [SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-06-21 BassReFLeX has discovered a vulnerability in WinAmp, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/20722/ -- [SA20721] ASP Stats Generator SQL Injection and Code Injection Critical: Highly critical Where: From remote Impact: Manipulation of data, System access Released: 2006-06-19 Hamid Ebadi has reported two vulnerabilities in ASP Stats Generator, which can be exploited by malicious people to conduct SQL injection attacks and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20721/ -- [SA20719] Hitachi Products MDAC RDS.Dataspace ActiveX Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-06-20 Hitachi has acknowledged a vulnerability in various products, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/20719/ -- [SA20756] MAILsweeper for SMTP/Exchange Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, DoS Released: 2006-06-21 Some vulnerabilities have been reported in MAILsweeper for SMTP/Exchange, which can be exploited by malicious people to bypass certain security restrictions and potentially cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/20756/ -- [SA20752] Maximus SchoolMAX "error_msg" Parameter Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-20 Charles H. has reported a vulnerability in Maximus SchoolMAX, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20752/ -- [SA20743] Hosting Controller Privilege Escalation Vulnerability Critical: Less critical Where: From remote Impact: Privilege escalation Released: 2006-06-20 A vulnerability has been reported in Hosting Controller, which can be exploited by malicious users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/20743/ -- [SA20698] SSPwiz Plus "message" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-16 r0t has reported a vulnerability in SSPwiz Plus, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20698/ UNIX/Linux:-- [SA20710] SUSE update for awstats Critical: Highly critical Where: From remote Impact: Security Bypass, System access Released: 2006-06-20 SUSE has issued an update for awstats. This fixes a vulnerability and a security issue, which can be exploited by malicious people to bypass certain security restrictions or to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/20710/ -- [SA20709] Gentoo update for mozilla-thunderbird Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, System access Released: 2006-06-20 Gentoo has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and HTTP response smuggling attacks, and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/20709/ -- [SA20708] Gentoo update for typespeed Critical: Highly critical Where: From remote Impact: System access Released: 2006-06-20 Gentoo has issued an update for typespeed. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20708/ -- [SA20766] SUSE Updates for Multiple Packages Critical: Moderately critical Where: From remote Impact: Security Bypass, DoS, System access Released: 2006-06-21 SUSE has issued updates for multiple packages. These fix some vulnerabilities and a weakness, which can be exploited by malicious people to bypass certain security restrictions, to cause a DoS (Denial of Service) or potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/20766/ -- [SA20716] Ubuntu update for kernel Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of sensitive information, DoS Released: 2006-06-19 Ubuntu has released an update for the kernel. This fixes some vulnerabilities and weaknesses, which can be exploited by malicious, local users to cause a DoS (Denial of Service), gain knowledge of potentially sensitive information and bypass certain security restrictions, and by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/20716/ -- [SA20715] Trustix update for libtiff Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-06-19 Trustix has issued updates for multiple packages. These fix some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/20715/ -- [SA20712] Ubuntu update for mysql-dfsg Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-19 Ubuntu has issued an update for mysql-dfsg. This fixes a vulnerability, which potentially can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20712/ -- [SA20703] Linux Kernel "xt_sctp" Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-06-20 A vulnerability has been reported in Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/20703/ -- [SA20694] Mandriva update for sendmail Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-06-16 Mandriva has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/20694/ -- [SA20693] Mandriva update for libtiff Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-06-16 Mandriva has issued an update for libtiff. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/20693/ -- [SA20690] Gentoo update for pam_mysql Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-06-16 Gentoo has issued an update for pam_mysql. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20690/ -- [SA20692] Mandriva update for spamassassin Critical: Moderately critical Where: From local network Impact: System access Released: 2006-06-16 Mandriva has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20692/ -- [SA20750] Debian update for horde2 Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-19 Debian has issued an update for horde2. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20750/ -- [SA20734] CHM Lib "extract_chmLib" Directory Traversal Vulnerability Critical: Less critical Where: From remote Impact: System access Released: 2006-06-19 A vulnerability has been reported in CHM Lib (chmlib), which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/20734/ -- [SA20699] Cisco Secure ACS for Unix Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-16 A vulnerability has been reported in Cisco Secure ACS for Unix, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/20699/ -- [SA20754] dhcdbd DHCP Message Handling Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2006-06-21 Florian Hackenberger has reported a vulnerability in dhcdbd, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/20754/ -- [SA20702] Mandriva update for kdebase Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2006-06-16 Mandriva has issued an update for kdebase. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information. Full Advisory: http://secunia.com/advisories/20702/ -- [SA20729] NetPBM pamtofits Off-By-One Buffer Overflow Vulnerability Critical: Not critical Where: From remote Impact: DoS Released: 2006-06-20 A vulnerability has been reported in NetPBM, which can be exploited by malicious people to cause a DoS (Denial of Service) . Full Advisory: http://secunia.com/advisories/20729/ -- [SA20711] HP-UX Support Tools Manager Denial of Service Vulnerability Critical: Not critical Where: Local system Impact: DoS Released: 2006-06-19 A vulnerability has been reported in HP-UX, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/20711/ Other:-- [SA20726] FortiMail Sendmail Multi-Part MIME Message Handling Vulnerability Critical: Less critical Where: From remote Impact: DoS Released: 2006-06-21 A vulnerability has been reported in FortiMail, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/20726/ -- [SA20720] FortiGate FTP Anti-Virus Scanning Bypass Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-06-21 A vulnerability has been reported in FortiGate, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/20720/ Cross Platform:-- [SA20771] Ralf Image Gallery File Inclusion Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2006-06-21 David "Aesthetico" Vieira-Kurz has discovered a vulnerability in Ralf Image Gallery (RIG), which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20771/ -- [SA20769] SmartSiteCMS "root" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-06-21 Archit3ct and IR4DEX GROUP have discovered a vulnerability in SmartSiteCMS, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20769/ -- [SA20768] BandSite CMS "root_path" File Inclusion Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2006-06-21 Kw3[R]Ln has reported some vulnerabilities in BandSite CMS, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20768/ -- [SA20758] Micro CMS "microcms_path" Parameter File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-06-20 CeNGiZ-HaN has discovered a vulnerability in Micro CMS, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/20758/ -- [SA20744] Ad Manager Pro "ipath" Parameter File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-06-20 Basti has reported a vulnerability in Ad Manager Pro, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20744/ -- [SA20733] easy-CMS Multiple File Extensions Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-06-19 Liz0ziM has discovered a vulnerability in easy-CMS, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20733/ -- [SA20731] Eduha Meeting PHP File Upload Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-06-19 Liz0ziM has reported a vulnerability in Eduha Meeting, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20731/ -- [SA20713] CMS Faethon "mainpath" File Inclusion and Cross-Site Scripting Vulnerabilities Critical: Highly critical Where: From remote Impact: Cross Site Scripting, System access Released: 2006-06-19 Some vulnerabilities have been discovered in CMS Faethon, which can be exploited by malicious people to conduct cross-site scripting attacks or to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20713/ -- [SA20695] Bitweaver Multiple Vulnerabilities and Weakness Critical: Highly critical Where: From remote Impact: Cross Site Scripting, Exposure of system information, System access Released: 2006-06-17 rgod has reported some vulnerabilities and a weakness in Bitweaver, which can be exploited by malicious people to disclose certain system information, conduct cross-site scripting attacks, and potentially compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/20695/ -- [SA20772] Invision Power Board Hexadecimal HTML Entities Script Insertion Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-21 A vulnerability has been reported in Invision Power Board, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/20772/ -- [SA20763] IMGallery "galerie.php" SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-21 r0t has reported some vulnerabilities in IMGallery, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20763/ -- [SA20761] Ultimate Estate Cross-Site Scripting and SQL Injection Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-06-21 r0t has reported some vulnerabilities in Ultimate Estate, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks. Full Advisory: http://secunia.com/advisories/20761/ -- [SA20753] BtitTracker "torrents.php" SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-20 r0t has reported two vulnerabilities in BtitTracker, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20753/ -- [SA20747] thinkWMS Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-21 r0t has reported some vulnerabilities in thinkWMS, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20747/ -- [SA20746] Joomla! 
"Name" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-19 rgod has discovered a vulnerability in Joomla!, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20746/ -- [SA20745] Mambo "Name" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-19 rgod has discovered a vulnerability in Mambo, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20745/ -- [SA20740] phpTRADER SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-21 r0t has reported some vulnerabilities in phpTRADER, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20740/ -- [SA20739] xarancms "id" Parameter SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-19 r0t has reported a vulnerability in xarancms, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20739/ -- [SA20738] tplShop "first_row" Parameter SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-19 r0t has discovered a vulnerability in tplShop, which can exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/20738/ -- [SA20732] IBM WebSphere Application Server Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2006-06-21 Some vulnerabilities have been reported in IBM Websphere Application Server, which can be exploited by malicious, local users and malicious people to gain knowledge of sensitive information. Full Advisory: http://secunia.com/advisories/20732/ -- [SA20730] VUBB SQL Injection and Cross-Site Scripting Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of system information Released: 2006-06-20 DarkFig has discovered some vulnerabilities in VUBB, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/20730/ -- [SA20727] e107 Cross-Site Scripting and Script Insertion Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-20 Ellipsis Security has discovered two vulnerabilities in e107, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks. Full Advisory: http://secunia.com/advisories/20727/ -- [SA20724] singapore "template" Parameter Local File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2006-06-20 Moroccan Security Research Team has discovered a vulnerability in singapore, which can be exploited by malicious people to disclose sensitive information. 
Full Advisory: http://secunia.com/advisories/20724/ -- [SA20706] Clubpage Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-06-20 r0t has reported some vulnerabilities in Clubpage, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks. Full Advisory: http://secunia.com/advisories/20706/ -- [SA20705] Free Realty "sort" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-20 r0t has reported a vulnerability in Free Realty, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20705/ -- [SA20704] Open-Realty "sorttype" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-20 r0t has discovered a vulnerability in Open-Realty, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20704/ -- [SA20701] VBZooM "QuranID" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-06-21 CrAzY CrAcKeR has reported a vulnerability in VBZooM, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20701/ -- [SA20700] Groupmax Address/Mail Server Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-06-20 A vulnerability has been reported in Groupmax Address/Mail Server, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/20700/

--

[SA20696] Virtual War "war.php" SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-16

r0t has discovered some vulnerabilities in Virtual War, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20696/

--

[SA20767] Atlassian JIRA Enterprise Edition Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2006-06-21

r0t has discovered a vulnerability in Atlassian JIRA Enterprise Edition, which can be exploited by malicious people to disclose system information and conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20767/

--

[SA20764] myPHP Guestbook Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-21

Some vulnerabilities have been reported in myPHP Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20764/

--

[SA20742] UltimateGoogle "REQ" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-21

r0t has reported a vulnerability in UltimateGoogle, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20742/

--

[SA20737] Ultimate eShop "subid" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-21

r0t has reported a vulnerability in Ultimate eShop, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20737/

--

[SA20736] Tradingeye Shop "image" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-19

r0t has reported a vulnerability in Tradingeye Shop, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20736/

--

[SA20735] Cisco CallManager Web Interface Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-20

FishNet Security has reported some vulnerabilities in Cisco CallManager, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20735/

--

[SA20728] Confixx Pro Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-19

p0w3r has reported two vulnerabilities in Confixx Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20728/

--

[SA20725] AssoCIateD "menu" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-20

r0t has discovered a vulnerability in AssoCIateD, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20725/

--

[SA20718] phpMyDirectory Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-20

r0t has reported two vulnerabilities in phpMyDirectory, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20718/

--

[SA20697] iPostMX 2005 "RETURNURL" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-16

r0t has reported some vulnerabilities in iPostMX 2005, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20697/

--

[SA20691] NC LinkList "index.php" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-20

r0t has reported some vulnerabilities in NC LinkList, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20691/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Jun 23 15:38:50 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:38:50 -0500 (CDT)
Subject: [ISN] Security breach report comes out, recommends suspensions
Message-ID:

http://thepost.baker.ohiou.edu/articles/2006/06/22/news/14120.html

Sean Gaffney
skatripp at gmail.com
June 22, 2006

Ohio University suspended two administrators and created a new position at the recommendation of a network security report Tuesday.
The university suspended Tom Reid, director of Communication Network Services and Computer Services, and Todd Acheson, manager of Internet and Systems, until a disciplinary investigation is completed, according to a university news release. Both men will still be paid while on suspension.

At a later date, Reid and Acheson will have a chance to respond to the findings prior to the university's final determination, which could include termination, according to the news release.

Two independent consultants have been brought in to temporarily manage the Central Information Technology Management Team, according to the release.

The report follows a three-week comprehensive analysis of the network security breaches conducted by Moran Technology Consulting of Naperville, Ill. The audit analyzed the department and employees, searching for negligence or faults that contributed to the security breaches, according to the release.

A new position, Chief of Staff to the Chief Information Officer, has been created and a national search has been launched to fill the position, according to the release. Bill Sams is presently the chief information officer and associate provost for information technology.

As a result of the report, the Information Technology departments will be restructured to establish "clear roles, responsibilities, and accountabilities," according to the release. Two departments, CNS and Computer Services, were already combined to ease unnecessary competition and friction that contributed to department malfeasance. Unnecessary competition between the departments resulted in negligence, Sams has said in previous interviews.

OU President Roderick McDavis is working with university officials and others to solve the problem.

"I am angry and embarrassed by the computer security system lapses that were undetected before my time as leader of the university," McDavis said in the release.

McDavis decreased the IT budget by $1 million since taking office in 2004.
There was a 3 percent reduction in the IT budget last year, and as a 12 percent reduction was being implemented this year, the security breaches were detected, said university spokesman Jack Jeffery.

That was "part of the standard reductions made across the university," during the 2006 fiscal year, Jeffery said. "We wanted to make sure we weren't cutting from the academic programs," he added.

Sams has previously said that the university has reached a critical point in budget cuts and will need to replace funds in the IT budget.

Next week, McDavis will request that the OU Board of Trustees "authorize up to $2 million to invest in securing information technology systems," according to the release.

The total cost to recover from the security breaches will be millions of dollars, Sams said.

Since April 21, 365,000 personal identities have been compromised in security breaches at Ohio University.

The latest breach was detected on a university computer that housed IRS 1099 tax forms for 2,480 vendors and independent contractors who worked for the university between 2004 and 2005, according to the university's Web site.

The university also discovered that a computer hosting a "variety of Web-based forms" that included class lists containing the social security numbers of about 4,900 current and former students had been accessed. The data is fragmentary and it is not certain if the compromised information can be traced to individuals, according to the university's Web site.

Employees, students, alumni and contractors have been urged to monitor credit reports and request fraud watches be placed on their report.

About 24 people have expressed to the university that they have been victims of identity theft in the past year, according to an Associated Press article.

Copyright ©
2006 The Post

From isn at c4i.org Fri Jun 23 15:39:04 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:39:04 -0500 (CDT)
Subject: [ISN] Wireless piggybacking lands man in trouble
Message-ID:

http://www.katu.com/stories/87037.html

By Dan Tilkin and KATU.com Web Staff
June 21, 2006

VANCOUVER, Wash. - Brewed Awakenings, with its pithy name, artful drinks and wireless Internet service, has found itself unexpectedly percolating on the forefront of high-tech law.

"He doesn't buy anything," Manager Emily Pranger says about the man she ended up calling 911 about. "It's not right for him to come and use it."

Pranger says 20-year-old Alexander Eric Smith of Battle Ground sat in the parking lot in his truck for three months, spending hours at a time piggybacking on the coffee shop's wireless Internet service for free.

When deputies told Smith to knock it off, he came back and is now charged with theft of services.

"It's a repetitive occurrence and it's something that is borderline creepy," says Pranger.

As it turns out, Smith is a Level One Sex Offender, but whether he in fact committed a crime by not buying a single tall latte before accessing the Internet, well that remains to be seen. The sheriff's office and prosecutors are now reviewing the case.

Eric Gardner is a paying customer at Brewed Awakenings and he agreed to demonstrate how easy it is to pick off wireless signals.

"I can stop at a stop light and it (my laptop) may automatically log on to somebody's Internet access and check my e-mail for me," he says.

On a random neighborhood street in Vancouver, a KATU News laptop detected 11 networks, five of which were unsecured, meaning anyone could log on to them for free.

The way to protect yourself is to change your wireless router settings to only allow the computers in your home to access your airwaves.
From isn at c4i.org Fri Jun 23 15:39:14 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:39:14 -0500 (CDT)
Subject: [ISN] FTC attorney's laptops stolen
Message-ID:

http://www.presstelegram.com/business/ci_3969575

By Hope Yen
Associated Press
06/22/2006

WASHINGTON -- The government agency charged with fighting identity theft said Thursday it had lost two government laptops containing sensitive personal data, the latest in a series of breaches encompassing millions of people.

The Federal Trade Commission said it would provide free credit monitoring for 110 people targeted for investigation whose names, addresses, Social Security numbers and in some instances, financial account numbers were taken from an FTC attorney's locked car. The car theft occurred about 10 days ago.

Many of the people whose data were compromised were being investigated for possible fraud and identity theft, said Joel Winston, associate director of the FTC's Division of Privacy and Identity Theft Protection.

The disclosure comes amid a widening data breach that is expected to cost the government hundreds of millions of dollars. In all, five government agencies have reported data theft, including the Veterans Affairs Department, which on May 22 acknowledged losing data on up to 26.5 million veterans.

Among them:

At the Agriculture Department, a hacker who broke into the computer system, obtaining names, Social Security numbers and photos of 26,000 Washington-area employees and contractors.

At Health and Human Services, personal information for nearly 17,000 Medicare beneficiaries may have been compromised in April when an insurance company employee called up the data through a hotel computer and failed to delete the file.

At Energy, Social Security numbers and other data for nearly 1,500 people working for the National Nuclear Security Administration may have been compromised when a hacker gained entry to its computer system last fall.
On Thursday, a House panel was cautioned that credit monitoring alone may not be enough to protect Americans whose names, birth dates and Social Security numbers were compromised at the hands of the government.

During the House hearing Thursday, Mike Cook, a co-founder of a company specializing in data breaches, said identity-theft victims typically don't become aware they've been hurt until six months after their data was stolen, when creditors come calling for money owed.

At that point, it's likely the thieves will have moved on, having made just a few purchases so they don't attract notice, and started using another victim's information. As a result, a credit monitoring service would raise a red flag after it was too late, Cook said.

He said data analysis technology was available to help detect identity theft as it occurs, particularly in the typical cases in which thieves use stolen identities to fraudulently obtain credit cards and then make purchases.

Associated Press writer Libby Quaid contributed to this report.

From isn at c4i.org Fri Jun 23 15:39:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:39:29 -0500 (CDT)
Subject: [ISN] Microsoft swims upstream on security
Message-ID:

http://news.com.com/Microsoft+swims+upstream+on+security/2100-7355_3-6086967.html

By Joris Evers
Staff Writer, CNET News.com
June 22, 2006

Microsoft's security ambitions don't stop with the consumer. The company also has an eye on the multibillion-dollar enterprise security market.

Now that it's launched the Windows Live OneCare security service for consumers, Microsoft is ramping up its efforts to convince businesses that it is the solution to, not the source of, their security woes. The Redmond, Wash., company last week unveiled Forefront, a single brand that encompasses updated and upcoming security products aimed at businesses.

The moves are part of Microsoft's attempt to expand its business and tap new revenue sources, analysts said.
Last year, security software sales hit $12 billion, according to research firm IDC. On the enterprise side, Yankee Group expects the Windows client security software market to grow to $3.6 billion this year.

"They are in it for the money, of course," said Andrew Jaquith, an analyst at Yankee Group. "Microsoft initially was very mysterious about its security plans. But its steady drumbeat of announcements over the last months shows intent to be a very broad enterprise security player."

Under the Forefront plan, the brand-new Microsoft Client Protection product, now in development, will be sold as Forefront Client Security for PCs and servers. In addition, updates of Antigen for Exchange and Antigen for SharePoint will also carry the Forefront tag, Microsoft said. Antigen for Instant Messaging and the ISA Server firewall and Web caching software are also in the Forefront group.

"We're going to provide a comprehensive set of security technologies for businesses that is integrated with their existing infrastructure, with an emphasis on the deployment, management and ongoing usability," said Steve Brown, the director of product management in the security, access and solutions division at Microsoft.

As far as motivation goes, Microsoft sees its entry into the security fray as a "very broad opportunity" for itself and for its customers, Brown said. "The primary reason we're doing this is that there is clearly a customer need for this approach," he said.

Companies such as McAfee, Symantec, Trend Micro and Computer Associates have long demonstrated that there's money to be made in protecting Windows systems. For Microsoft, it's simpler to create security add-ons than to build security into its products, an approach that would also make it harder for the company to make extra money, at least one analyst said.

"This is a rather safe play," said Charles Kolodgy, an analyst at IDC.
"It is easier than building the security into products and not being able to directly capture revenue. And if their security product line doesn't work, they can leave the market."

Microsoft has gradually built up its security muscle in recent years through numerous acquisitions. It bought antivirus specialist GeCAD, anti-spyware maker Giant Company Software and Sybari Software, maker of the Antigen products. Its lineup also includes hosted e-mail security services, picked up through the takeover of FrontBridge Technologies. Most recently, the company gobbled up Whale Communications, a specialist in secure remote access and Web application firewalls.

Last October, it announced it would sell security software for business PCs and servers. The new product, now called Forefront Client Security, is due for release in the second quarter of next year.

In catch-up mode

While it's bound to attract some business for its new products right away, Microsoft has some work to do to become a formidable competitor in the security area. That's especially true when it comes to enterprise client security, analysts said.

"They will get some market share just for being Microsoft," Burton Group analyst Dan Blum said. "To take a majority position, they need to establish a product that is functionally on par with, or pretty close to, the likes of McAfee and Symantec," he said, adding that this likely won't happen until 2008 or 2009.

Symantec, which provides a range of products aimed at protecting corporate networks and systems, said Thursday that it's ready for any competition from Microsoft.

"With a level playing field, all the vendors in the security space will compete for mind share, based on what enterprise customers believe to be the best product to suit their needs," a representative of the security software maker said. "Symantec has been the leading provider of effective protection against viruses and other malicious threats for more than 15 years."
The main obstacle facing Microsoft is customer distrust. "There are certain customers that don't trust them because of their previous track record," Yankee Group's Jaquith said.

The software maker has invested heavily in security over the past years. Despite this, most malicious software targets Microsoft products, and the company still deals with lots of security holes. Last week, for example, it issued 12 security bulletins with fixes for 21 vulnerabilities--the largest number ever for its monthly "Patch Tuesday" updates.

"You're in one camp or another with them," Jaquith said. Either businesses are very loyal customers and are rooting for Microsoft, or they feel they were burned by the company and simply don't trust it, he said.

And there are those who feel the software giant is trying to turn lemons into lemonade with its move into the security fray.

"The idea of Microsoft coming up with antivirus software is a sham," said Frank Seichal of Old Bridge, N.J., who works in IT at a financial institution. "Why should I purchase software from Microsoft to stop the operating system vulnerabilities created by Microsoft? I can not believe Microsoft is getting away with this."

Another factor to overcome is the high-quality products sold by incumbent security vendors. McAfee, for example, has earned high marks from its customers with the ePolicy Orchestrator, a central security management tool, Jaquith said.

"Microsoft needs to prove reliability, stability and predictability. They need some success stories," Jaquith said. "Just saying that they're better integrated and that they make the operating system is not going to cut it."

In its Forefront documentation, Microsoft promises products that work well together and with existing IT systems. Additionally, the software will be simple to install and can be centrally managed, it says. However, they will protect only Microsoft software and not Linux servers or SAP applications, for example.
"That is perhaps their greatest disadvantage," Blum said. "They tend to have this somewhat myopic strategy centered around their own products and ignoring other products, even those that run on Windows."

Rivals and regulators

Antitrust concerns also lurk. Microsoft may promote Forefront products as better integrated, but if it has used hooks into its operating system that are kept secret from rivals, regulators might be all over the software giant, analysts said.

In fact, some small Microsoft competitors are already complaining about the company's security pricing strategy. In a blog posting this week, Alex Eckelberry, president of Clearwater, Fla.-based anti-spyware toolmaker Sunbelt Software, said Microsoft is engaging in predatory pricing with its OneCare and Antigen products. By undercutting its rivals on price, Microsoft is pushing the competition out of business, after which it will increase its prices, Eckelberry wrote.

Jaquith dismissed that complaint. "I think they are being creative and aggressive, but I don't think they are being predatory. There is plenty of room for pricing innovation in this space," he said.

It was about time that Microsoft fleshed out its security strategy and shared it with the public, Jaquith said. "Finally we're hearing what they are doing," he said. "It is a 'damn the torpedoes, full speed ahead' strategy."

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Fri Jun 23 15:39:48 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:39:48 -0500 (CDT)
Subject: [ISN] Forensics Expert Attempts To Link UBS Attack And Defendant
Message-ID:

http://www.informationweek.com/management/showArticle.jhtml?articleID=189600779

By Sharon Gaudin
InformationWeek
June 22, 2006

Newark, N.J.
The government's forensics expert in the ongoing UBS computer sabotage trial testified Thursday that he not only found the malicious code that took down about 2,000 of UBS PaineWebber's servers four years ago, but he also "directly linked" it back to the defendant's home computer.

Keith Jones, director of computer forensics and incident response at Mandiant, an information security company, testified that he found the trigger mechanism for the logic bomb installed on machines across the company's national network, and that he connected defendant Roger Duronio's user name and home computer directly to its creation, modification, distribution and execution.

Duronio, a former systems administrator for UBS, is facing four federal, criminal charges in connection with the March 4, 2002 attack that took the company's brokers offline for a day to three weeks. The attack cost the company $3.1 million in cleanup costs alone.

Jones explained to the jury how he began hunting for the trigger code and how it worked. Answering questions from Assistant U.S. Attorney Mauro Wolfe, Jones said the government brought him in to work on the case a little more than a year after the incident, and he immediately started searching for files and pieces of code associated with the logic bomb.

"I started with a clean slate," said Jones, who has 10 years of computer forensics experience. "A lot of times a company doesn't know what's going on. They're in a 'let's get things back up and running' mode. I came in to find out what was happening in the system."

Early on in his testimony, Jones testified about conclusions that he reached after his three-year investigation into the UBS incident. As the government flashed accompanying slides on a screen for the jury, the witness said he found the 25 lines of the bomb's timer on two of Duronio's home computers, which the U.S. Secret Service had seized from his house.
He also said the hardcopy printout of the code that federal agents found on Duronio's bedroom dresser was an exact match for what was in the computers.

Next, Jones said the code caused the massive file deletion that took down the network. The forensic exam, he added, also revealed that the timer for the logic bomb, which Jones dubbed "the Duronio Trigger," was distributed and intentionally installed on the company's main host server, as well as on servers in approximately 370 branch offices.

Finally, Jones, who has written his own open-source forensics tools, said he concluded that Duronio's user name and home computers were "directly linked" to the building of the logic bomb and to its presence on UBS's nationwide Unix-based network.

Jones had to explain, to a jury of technical laymen, the basics of computer code and forensics, source code, binary code, and compilers.

Jones has 10 years experience as a forensics examiner, and has worked on Unix since he was 16. He holds three college degrees, including a bachelor's in computer engineering and a master's in electrical engineering. A former systems administrator himself, he also has written three books, including Real Digital Forensics and The Anti-Hacker Toolkit.

The defense maintains that the government focused its investigation on the wrong man. Duronio's attorney has said UBS erred when hiring @Stake, the first forensics team on the case, because the firm employed well-known hackers. And Duronio's team also criticized the Secret Service and how agents handled evidence and other interviews.

Recovery Costs

Earlier in the day, the prosecution put Nancy Bagli, an assistant vice president with UBS, on the stand. Bagli, who has been with UBS since 1997, worked in the company's Contract and Sourcing department at the time of the 2002 attack. She testified that she worked with group managers to figure out what they needed for hardware and services to recover from the attack.
She also kept track of what UBS spent on the cleanup. UBS spent $898,780 on hardware, including IBM and Sun Microsystems servers; $260,473 on investigative services; and $1,987,036 on technical consultants, who mainly were from IBM and went out to help bring the branch offices back up. The company bought refurbished equipment if they could get it faster than new, Bagli said.

That adds up to a total of $3,146,289 spent on recovery costs alone. UBS has never reported the price of down business time.

The trial is nearing the end of its third week. Jones is the prosecution's last witness and will take the stand again Friday morning. The defense will present its own slate of witnesses starting next week.

From isn at c4i.org Tue Jun 27 01:26:42 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Jun 2006 00:26:42 -0500 (CDT)
Subject: [ISN] REVIEW: "How to Break Web Software", Mike Andrews/James A. Whittaker
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKHTBWSW.RVW 20060520

"How to Break Web Software", Mike Andrews/James A. Whittaker, 2006, 0-321-36944-0, U$34.99/C$46.99
%A Mike Andrews Mike.Andrews at foundstone.com
%A James A. Whittaker jw at cs.fit.edu
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2006
%G 0-321-36944-0
%I Addison-Wesley Publishing Co.
%O U$34.99/C$46.99 416-447-5101 800-822-6339 bkexpress at aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321369440/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0321369440/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321369440/robsladesin03-20
%O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 219 p. + CD-ROM
%T "How to Break Web Software"

The preface stresses that this book is neither about how to attack a Web site, nor how to develop one, but, rather, how to test.
Chapter one points out that the Web is a different environment, in terms of software security, because we have desktop machines, not centrally administered, talking to everyone (with much of the traffic being commercial in nature). The authors even point out that issues of error-handling, performance, and ease-of-use all contribute to increased levels of vulnerability. Various attacks designed to obtain information about Web applications, structure, and functions are described in chapter two. For client-side scripting, chapter three notes, any validation done on the client should be untrusted and re-validated on the host, since it may be altered on the client, or data manually entered as if it came from the client. Chapter four explains the danger of using client-side data (cookies or code) for state information.

Chapter five examines user supplied data, and delves into cross-site scripting (XSS, the explanation of which is not well done), SQL (Standard Query Language) injection, and directory traversal. Language-based attacks, in chapter six, involve buffer overflows (which are not explained terribly well), canonicalization (HTML and Unicode encoding and parsing), and null string attacks. The server, with utilities and the underlying operating system, can be reached via stored procedures (excessive functionality), fingerprinted for other attempts, or subject to denial of service (in limited ways) as chapter seven notes. "Authentication," in chapter eight, is really more about encryption: the various false forms (encryption via obscurity?), brute force attacks against verification systems, and forcing a system to use weak encryption. Privacy, and related Web technologies (of which cookies are only one), is reviewed in chapter nine. Chapter ten looks at Web services, and the vulnerabilities associated with some of these systems.
The CD-ROM included with the book contains a number of interesting and useful tools for trying out the various attacks and tests mentioned in the text.

This book is a valuable addition to the software security literature. The attacks listed in the work are known, but often by name only. This text collects and explains a wide variety of Web application attacks and weaknesses, providing developers with a better understanding of how their programs may be assailed. Some of the items mentioned are defined or explained weakly, but these are usually items that do have good coverage in other security works.

copyright Robert M. Slade, 2006 BKHTBWSW.RVW 20060520

======================
(quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org
If a man is called to be a streetsweeper, he should sweep streets even as Michelangelo painted, or Beethoven composed music, or Shakespeare wrote poetry. He should sweep streets so well that all the hosts of heaven and earth will pause to say, here lived a great streetsweeper who did his job well. - Martin Luther King Jr.
Dictionary Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

From isn at c4i.org Tue Jun 27 01:27:34 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Jun 2006 00:27:34 -0500 (CDT)
Subject: [ISN] Crypto utopia Sealand ravaged by fire
Message-ID:

http://www.theregister.co.uk/2006/06/26/sealand_blaze/

By Andrew Orlowski
26th June 2006

Fire has damaged a World War II gun emplacement seven miles off the English coast. Better known as "Sealand", the fort was acquired in the 1960s by Roy Bates, who declared it an independent principality.

One man was airlifted from the platform after fire broke out in the generator room on Friday. Eyewitnesses [1] reported heavy damage, and the blaze was left to burn itself out.
A public statement from the Sealand government said [2]: "Due to a fire in the generation facility of the Fortress structure it has been necessary temporarily to evacuate all civilian residents to alternative accommodation as a matter of safety. This situation is expected to continue for the next 96 hours, and an update will be issued within this time." When Bates purchased the fort, UK sovereignty extended to structures only three miles from the shoreline. This has since changed, bringing Sealand within UK jurisdiction, and the principality remains unrecognised by any other state or international treaty organisation. But in recent years the ambiguity of Sealand's status prompted one of the more fascinating experiments in technological utopias. Bates' son Michael - Prince Michael of Sealand - blessed an experiment to create a crypto data haven on the fort, and became head of the operating company HavenCo [3] in June 2000 [4]. To the dismay of investors and cypherpunks, the venture wasn't a success. Ryan Lackey had moved to the fort in 1999, hoping to establish a safe location for privacy services such as anonymous remailers, and experiments such as anonymous digital cash. [July 2000 Slashdot Q&A [5]] In a presentation to the 2003 DefCon convention, a former employee described how internal politics and a lack of investment backing had thwarted the experiment. Contracts were broken, the bandwidth never materialised, and the location was vulnerable to DOS attacks. At the time [6] of his 2003 presentation, HavenCo had no new customers, and had seen several of its existing customers leave. "Sovereignty alone has little value without commercial support from banks, etc," concluded Ryan. Inviting us to draw our own conclusions as to where the real sovereign power lies. Banks don't like cash they can't count or control.
[1] http://www.eadt.co.uk/content/eadt/news/story.aspx?brand=EADOnline&category=News&tBrand=EADOnline&tCategory=zNews&itemid=IPED24%20Jun%202006%2009%3A12%3A24%3A070 [2] http://www.sealandgov.org/notices/pn02706.html [3] http://www.havenco.com/ [4] http://www.theregister.co.uk/2000/06/07/exarmy_major_offers_dotcom_sanctuary/ [5] http://interviews.slashdot.org/article.pl?sid=00/07/02/160253&mode=nested [6] http://www.metacolo.com/papers/dc11-havenco/ From isn at c4i.org Tue Jun 27 01:27:45 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 27 Jun 2006 00:27:45 -0500 (CDT) Subject: [ISN] OMB emphasizes data security guidance Message-ID: http://www.gcn.com/online/vol1_no1/41169-1.html By Mary Mosquera GCN Staff 06/26/06 The Office of Management and Budget today provided a checklist of best practices that agencies must have in place in 45 days to compensate for the absence of physical security controls when employees remove information or access it from outside of agency premises. Most departments should already have the measures recommended by the National Institute of Standards and Technology in place, according to Clay Johnson, OMB deputy director for management. "We intend to work with the inspectors general community to review these items, as well as the checklist, to ensure we are properly safeguarding the information the American taxpayer has entrusted to us," he said in the memo dated June 23 [1]. Besides the checklist, agencies also by early August must encrypt all data on mobile devices that carry sensitive data and allow remote access only with two-factor authentication. One of those factors should be provided by a device separate from the computer gaining access. Agencies will implement a "time-out" function for remote access and mobile devices users, who will need to re-authenticate after 30 minutes of inactivity. Agencies will log all computer-readable data extracts from databases holding sensitive information. 
They must verify that each extract of sensitive data has been erased within 90 days or its use is still required. OMB provided sample privacy documents for system of records notices for personnel security files, identity management systems, identity card proofing and Privacy Act statement and a Privacy Act statement for users of personal identity verification cards. Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, applauded OMB's memo. "Today's action by the Office of Management and Budget to reinforce security standards for sensitive information controlled by the federal government is a sensible step, given the various data breaches we have seen in recent weeks," he said. "[G]iven the spotty record of compliance [with the Federal Information Security Management Reform Act] we have seen among the agencies, I sincerely hope this action leads to both better results and better practices - and if not, perhaps Congress will have to step in and mandate specific security requirements." [1] http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf From isn at c4i.org Tue Jun 27 01:26:19 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 27 Jun 2006 00:26:19 -0500 (CDT) Subject: [ISN] Bookstore sales stolen by hacker Message-ID: http://www.northernadvocate.co.nz/localnews/storydisplay.cfm?storyid=3690082 By Craig Borley 26.06.2006 Internet fraud has hit a Whangarei bookshop owner, leaving his web site suspended and his business' future in the balance. Dennis Scoles, of Oceania Books, said his business earned a third of its income from on-line sales. But a computer hacker has targeted Mr Scoles' site, meaning customers trying to pay for books via his PayPal link were actually paying the hacker. Mr Scoles' PayPal page was replaced by a fake, with a link to a different bank account. All this came as a shock to Mr Scoles, who said the incident was hard to understand. "We didn't have them (computers) at school in my day, so I had nothing to do with them.
I know nothing about IT, I was just a book collector. I just feel sick, like I've been involved in a crime." He has now invested in a firewall program intended to block hackers but Quentin Donald, owner of Mr Scoles' Internet service provider Acute Systems, said no blame lay with Mr Scoles. "It has nothing to do with his computer at all, as I understand." He said Mr Scoles' website used an osCommerce system for online payments - one of the world's most common forms of on-line shopping. He said it appeared someone had figured out a way to "get in the back door" of that system. Mr Donald believed there were some 30,000 websites using osCommerce, most of which were too small to be attractive to hackers. Because hackers tend to go for the big fish, he said, "the general guy in the corner shop doesn't have to worry". But Mr Scoles may have attracted the hacker's attention because of the sheer size of his site. It included information and photographs of some 1000 books. "I'd been staying up nights, loading it all on, and it was only just starting to pick up." But as investigations continue Mr Scoles' website has been suspended, causing him concern that future shoppers will be put off. He had planned moving his business to Internet-only by the time he retired but now he's not so sure. "I have to seriously think about whether I want to continue on-line. It's a lesson that should be passed on to all businesses thinking about doing this." Mr Donald said this lesson was a cruel one, due to its rarity and people's inability to protect themselves against it. © APN News & Media Ltd 2006.
From isn at c4i.org Tue Jun 27 01:27:19 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 27 Jun 2006 00:27:19 -0500 (CDT) Subject: [ISN] Microsoft warns of exploit code for dial-up bug Message-ID: http://www.networkworld.com/news/2006/062606-microsoft-warns-of-exploit-code.html By Robert McMillan IDG News Service 06/26/06 Microsoft is warning users of malicious software that could be used to attack Windows systems that lack the company's latest security updates. The exploit code targets a vulnerability in the Remote Access Connection Manager (RASMAN) service, used by Windows to create network connections over the telephone. The bug, which was patched June 13, is rated critical by Microsoft, the most severe rating available. Hackers published the code on Web sites late last week, and it is now included in Metasploit, a hacking toolkit that is used by security researchers and criminals alike. The malicious software is not as dangerous as it could be. Most firewalls will block it and it also requires that the hacker be authenticated on the computer for it to work. Still, Windows 2000 and Windows XP Service Pack 1 users need to be wary because they could be the victims of particularly nasty attacks that do not require authentication, Microsoft said. "The current exploit code ... requires authentication, but the underlying vulnerability does not," said Stephen Toulouse, a security program manager with Microsoft's security response center. For any attack to work on the latest versions of other Windows systems, like XP or Windows Server 2003, the attacker would need to be able to log on to the victim's machine, Microsoft said. Hackers will likely use the malicious software in criminal attacks since it is now in Metasploit, said Ken Williams, director of vulnerability research with CA. Complicating matters is the fact that some dial-up users have been having problems with the patch. 
Computers that use Windows' dial-up scripting or terminal windows to make connections may find that their dial-up connections no longer work, according to Microsoft's alert. Users who cannot install the patch immediately should disable the RASMAN service, Microsoft said. Over the past two weeks, Microsoft has also been contending with a number of unpatched vulnerabilities in its Office and Excel software. Microsoft has not yet patched the bugs, but it said Saturday that one of them is now expected to be patched in its next round of security updates, due July 11. Microsoft's advisory on the malicious code can be found here. The IDG News Service is a Network World affiliate. All contents copyright 1995-2006 Network World, Inc. From isn at c4i.org Tue Jun 27 01:27:59 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 27 Jun 2006 00:27:59 -0500 (CDT) Subject: [ISN] Sitting Ducks at Sandhurst Message-ID: http://www.people.co.uk/news/tm_objectid=17289093&method=full&siteid=93463&headline=sitting-ducks-at-sandhurst--name_page.html By Daniel Jones 25 June 2006 DISGRACEFUL security lapses at Prince William's military academy are today exposed by The People. Carrying a lifelike fake bomb, one of our reporters casually strolled into Wills's accommodation block - and put his feet up in the 24-year-old prince's common room. For four shocking hours, he was allowed to roam the grounds and buildings of world-famous Sandhurst without EVER being challenged. A real terrorist would have had countless chances to plant a bomb that could have killed and maimed scores of people - including the man who will one day be King. The scandal is revealed less than two weeks before the anniversary of the 7/7 London bombings - and amid fears that Al- Qaida is planning a new wave of attacks in Britain.
We linked up with former counterterrorism intelligence officer Charles Shoebridge to infiltrate Sandhurst - which William's brother Harry has just left - for an open day that attracted more than 3,000 visitors. In a string of appalling security blunders, our investigators: - OPENLY sat in the grounds putting together the fake bomb; STROLLED into William's New College quarters - where a cadet opened a door for them to get in; CHECKED out the VIP podium and a postbox where lethal explosives could easily have been hidden; and TOOK photos in areas which were supposed to be closed off as part of a £2million operation designed to protect William - a prime target - from international terrorists. Mr Shoebridge said: "Sandhurst's worldwide reputation makes it an ideal terrorist target - especially with Prince William there. Yet you would not think this from the security we saw. "If they had wanted to, then terrorists could have caused havoc." The disgraceful lapses began the moment our team arrived at the Berkshire military academy's Heritage Day. Astonishingly, visitors did not have to book their places - which meant they could not be vetted in advance. And guards did not even take their names as they entered. Armed soldiers and police at the main gate searched the bags of people arriving on foot. But like scores of other people, our investigators drove to Sandhurst - and were waved through to a car park. Once there, cadets made only a cursory search of the boot. But they did NOT look inside the car. And they did NOT carry out the widely used swab check - which reveals whether a person has been handling explosives. Mr Shoebridge - himself a Sandhurst graduate - said: "Of the ten cars I watched being checked, no searches at all were made of their occupants or their bags or rucksacks, which could have been packed with explosives."
Our reporter made no attempt at secrecy as he made his "bomb" based on a design used by Al-Qaida - a mobile phone acting as a timer wired to a blob of Semtex. We used lookalike Plasticine instead of the deadly high explosive. Our reporter put the device into a plastic lunch-box which he carried in a shoulder-bag - along with a dossier about Sandhurst and a map of the complex. Amazingly, a passing soldier revealed where the Prince is staying while he is at Sandhurst. Mr Shoebridge - who worked in the police and army for 20 years - pointed out a working postbox made of cast iron next to the parade square at William's college. He said: "Just a small bomb hidden in there would shower deadly shrapnel over any cadets parading here the following morning. The postbox should have been sealed for the Heritage Day." New College, like most of Sandhurst's buildings, was officially closed to the public for the event. But it was a doddle for our investigators to get inside. Two ground-floor windows at the rear were UNLOCKED. But our team did not have to climb in because a cadet showing his family round helpfully held open a door for them. They were able to wander around the building - and even sat in the common room near William's personal quarters. A terrorist could simply have planted a bomb under a chair and detonated it at his leisure. Mr Shoebridge said: "Most of the ground-floor windows were locked on a hot summer's day - which suggests staff were aware that someone might attempt unauthorised access. "Yet cadets did not seem to have been briefed about the need to identify and accompany strangers before allowing them in through the door." Our investigators then checked out a podium used by VIPs for the finale of the open day - a march-past with a Gurkha band in front of the Mayor of Sandhurst Elizabeth North. There was NO guard here in the runup to the parade. 
Mr Shoebridge said: "Had we used a timing device, we would have now escaped and the bomb would kill the VIPs, the bandmaster and several members of the public. "If we were to trigger the bomb remotely as the band passed close to the podium, we would have killed several Gurkhas from the band too." There were also any number of chances to secrete bombs - timed to explode later - under unattended Army trucks and Land Rovers at the complex. William joined the tough military academy in January for a 44-week officer cadet course. Harry, 21, graduated from the college in April, a ceremony attended by the Queen and the rest of the Royal Family. But Sandhurst was considered a terrorist target even before then. During Muslim cleric Abu Hamza's trial in January, it was revealed he had detailed plans of Sandhurst which he said would be "crucial to any terrorist". The 47-year-old extremist was jailed for seven years for incitement to murder. MI5 and the police warn that new Al-Qaida outrages in Britain could come within months. Experts say they have foiled at least three attacks since the 7/7 bombings. A spokesman for the Ministry of Defence said last night: "We do not discuss security matters. We are, however, satisfied that a real bomb would have been quickly identified and appropriate steps taken." - DO YOU know of a scandal? Call our newsdesk on 020 7293 3204. - Voice of The People: Page 6 daniel.jones at people.co.uk From isn at c4i.org Tue Jun 27 01:27:06 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 27 Jun 2006 00:27:06 -0500 (CDT) Subject: [ISN] Report: One hacked OU server should have been offline Message-ID: http://www.athensnews.com/issue/article.php3?story_id=25314 By Jim Phillips Athens NEWS Senior Writer 2006-06-26 Part of the recently released consultant's audit of OU's computer security systems (see related story, page 6) is a review of two major hacking incidents and how OU responded to them.
In one case, the server that was hacked into was apparently vulnerable to such a breach because many personnel at OU were not even aware it was still hooked up to the university's computer system. The two hacking incidents, which have caused OU no end of public relations grief, are what prompted the university to hire Moran Technology Consultants to conduct its audit in the first place. OU has also found three other security breaches. According to the audit report, the two breaches examined in the report involved OU servers named ALUMINFO3 and SHSSRV1. The first contained personal and contact information for 300,000 alumni, including Social Security numbers for about 137,000 people. This server was apparently left vulnerable to hacking because IT personnel thought it had been taken offline, but it hadn't. The second is used by OU's Hudson Health Center, and includes about 60,000 patient records, with Social Security numbers. Hackers apparently broke into this server, then tried to use it to attack another OU server. Moran suggests that OU discovered the Hudson security breach mainly because two other hacking incidents triggered a "heightened awareness," prompting OU to run virus scans on various other computer systems. Donor database breach: The first known problem with this database dates to March 1, 2005, the consultant found. Someone (whose identity is redacted from the audit) reported an apparent breach in April 2006 via e-mail to Bob Watkins, an operating systems programmer at CNS. Moran concludes that the system was vulnerable to hacking (by some particular method that has been redacted from the report) from March 1, 2005, to April 24, 2006, but that there is not enough information available to tell if hackers actually stole any information from the system. From Feb. 1, 2006 to April 11, 2006, the report adds, "the system was apparently used as a music file sharing server," and on April 22, 2006, "the system was used to attack another server." 
Numerous employees interviewed by Moran said they thought this server had been turned off and disconnected from the OU network since a prior application upgrade. Records show, however, that it was in more or less continuous service from May 5, 2004 to April 24, 2006, when the breach was discovered - though it had been taken offline for a total of about 14 days since March 25, 2005. Moran concluded that this system should have been turned off and disconnected from the network after April 14, 2005, when it was decommissioned. "However, apparently due to poor communication, lack of decommissioning procedures, and poorly defined responsibilities, the system was turned off but then turned back on 10 days later." The report adds that the initial break-in to the system apparently happened before it was decommissioned, and that leaving it connected afterwards greatly increased the odds that data was stolen, and led to other abuses of the system. Hudson patient database breach: This server was apparently hacked into first on Dec. 19, 2005, according to Moran. In early January 2006, the administrator of another OU server reported that the SHSSRV1 server was trying to log on to his server. The incident was reported to OU's computer security team, but "it is not clear what action was taken beyond this," the report says. IN EACH INCIDENT, once the breach was detected, the systems were quickly taken offline, the report says, and appropriately reported to OU's CIO, Office of Legal Affairs, and PR personnel. Moran concludes that up to a certain point, the response of OU's security team to the breaches was "relatively well orchestrated and organized." After the point at which the team began trying to find out how widespread the problem was, however, "activities became poorly organized and fragmented," according to Moran.
CNS Director Tom Reid took over the job of managing the response from the lead member of the security team, who, according to Moran, was better qualified to handle the job. Reid said Sunday that it wasn't his decision to take over the response team, but that of CIO Bill Sams. "I was assigned that task by the CIO," he claimed. OU also put three Computer Services employees on administrative leave at this point, an action that Moran believes "greatly contributed to the confusion and disorganization in the wake of the problems. The people who knew the compromised systems best were sent home, instead of being available to assist in the response." The report also notes that the three employees placed on leave (OU has said it is recalling them) had previously "made efforts to get help from CNS" with security problems, but probably should have taken their concerns to higher management. The report concludes that OU's initial containment procedures "were appropriate and effective," but after these initial steps, "the process faltered." UNIVERSITY CHIEF Information Officer Bill Sams told the OU Trustees at a meeting last week that OU has gotten about two dozen reports of identity theft since the breaches were discovered, though these may not all be traceable to the problems with OU computers. OU has said that it will not take financial liability for financial loss due to identity theft unless a person can show that his or her personal data was not stolen from some other source that was holding it. Sams called the number of identity theft reports "surprisingly small," given the volume of personal information potentially exposed in the computer security breaches. He said that based on what OU investigators have discovered about the hacking incidents, they believe they were unrelated to each other. "It was not a continuous series of attacks," he told the Trustees.
Based on the audit findings, Sams said, it appears that CNS was more concerned with performance than with security, and wanted to avoid slow-downs that might result from taking needed security measures. He promised that OU will take steps to change the culture within its IT departments that helped allow the breaches to occur. Trustee C. Robert Kidder noted that the security breaches "cost us greatly" in terms of both money and bad publicity. During the meeting, the Board of Trustees approved a motion to spend up to $4 million on addressing the IT problems. Asked where that money will come from, President Roderick McDavis said he is not sure, but that it definitely will not come from extra money set aside for priorities laid out in OU's Vision Ohio comprehensive plan. From isn at c4i.org Wed Jun 28 01:13:35 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 28 Jun 2006 00:13:35 -0500 (CDT) Subject: [ISN] HSBC customers hit by Bangalore breach Message-ID: http://software.silicon.com/security/0,39024655,39159940,00.htm By Andy McCue 27 June 2006 A security breach at HSBC's offshore data processing unit in Bangalore has led to £233,000 being stolen from the accounts of a small number of UK customers. A 24-year-old worker at the HSBC operation has been suspended after being accused of accessing confidential account information and passing it on to criminal associates in the UK. Fears of the security of offshore business process outsourcing (BPO) operations will be heightened by reports in India claiming the HSBC employee also used false records to obtain the job at the bank. The HSBC worker was caught when the fraud was detected by the bank's security systems. A spokesman for HSBC told silicon.com: "Our internal security team discovered one of HSBC's staff in Bangalore caused customer data to be leaked leading to a small number of accounts from the UK being compromised."
He declined to comment any further on the details of the breach but said all affected customers - reported to be around 20 in number - have been contacted and will be fully reimbursed for any losses. The HSBC spokesman added: "We are taking data protection seriously. These systems are sophisticated and in place to help track these things down." Sunil Mehta, VP of India's IT industry body Nasscom, insisted such security breaches are not unique to offshore operations and can happen in any country. He said: "India, with its strong legal system and its independent judiciary, is a country that takes this responsibility extremely seriously. Nasscom will work with the legal authorities in the UK and India to ensure that those responsible for any criminal breaches are promptly prosecuted and face the maximum penalty." Just last month Nasscom created a new regulatory body to help improve data security among India's offshore IT services and BPO companies. From isn at c4i.org Wed Jun 28 01:13:48 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 28 Jun 2006 00:13:48 -0500 (CDT) Subject: [ISN] VA Asking for More Money After Data Theft Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2006/06/27/AR2006062700134.html By HOPE YEN The Associated Press June 27, 2006 WASHINGTON -- Veterans Affairs Secretary Jim Nicholson promised Congress on Tuesday he could turn his agency into a "model for information security" but said lawmakers will have to be patient. Nicholson also said the Bush administration was asking for at least $160.5 million in emergency funds for credit monitoring and other measures to protect veterans and military troops whose sensitive personal information was stolen from a VA employee's laptop computer. 
Besides covering monitoring for about half of the 17.5 million people whose Social Security numbers were compromised, the money would pay for out-of-pocket expenses ranging from $10,000 to $20,000 for those whose identities are stolen, Nicholson told a House panel. Under questioning, Nicholson acknowledged that much more money may be needed to revamp information security at the VA and other agencies. He also left the door open to providing veterans more than one year of free credit monitoring following the May 3 burglary at a VA data analyst's home. "Unfortunately, a very bad thing happened," Nicholson told a House Appropriations subcommittee that oversees VA spending. "I think we can turn VA into the model for information security," he added. "I will not try to mislead you and delude. This will not be easy and it will not be overnight." Of the $160.5 million requested for monitoring, Nicholson said, about $29 million will be taken from VA funds budgeted in 2006 to cover personnel costs at the Veterans Benefit Administration. That money would not have been used this year due to hiring plans that already had been pushed back to 2007, he added. The other $131.5 million would be reallocated from other areas of the White House budget. "It will take some belt tightening. It will not come out of veterans' benefits," Nicholson said. No reports of identity theft have been reported in connection with the May 3 theft of a computer from the data analyst's home in suburban Maryland. The laptop contained names, birth dates and Social Security numbers for up to 26.5 million people. Last week, the Senate Appropriations Committee approved $160 million in emergency funds to pay for credit monitoring. It is one of many expected payments as the government struggles with fallout from data thefts and other breaches now crossing at least six agencies. Earlier in the hearing, the House panel was urged to spend whatever necessary to avoid undue hardships for data theft victims. 
David McIntyre, president and CEO of TriWest Healthcare Alliance, which administers the Pentagon's health care program in 21 Western states, proposed creating a central government "nerve center" to assist agencies after any such security breach. "Unfortunately, as we have all come to realize, the question is not whether another incident of information theft will occur but when," McIntyre said. "Events such as these are happening with increased regularity - and, surely, spending a few million to prepare is preferable to spending hundreds of millions to react." Rep. James Walsh, R-N.Y., chairman of the House subcommittee, chastised the VA for waiting three weeks to notify veterans about the theft. "This represents a significant lapse of time that could have been vital to protect identity theft," Walsh said. In his testimony, Nicholson called the burglary a "wake-up call" that should not have come at the expense of veterans, some of whom have challenged the free monitoring in court as potentially inadequate. He said about half of the affected veterans were expected to take the government's offer. Separately, the VA asked a federal judge to revise his order barring the VA from publicizing its free credit monitoring offer. The VA said it wished to continue providing information to veterans through its Web site and call center and had no intention of asking veterans to relinquish their rights to a potentially larger payout in court. U.S. District Judge William Bertelsman in Kentucky scheduled a hearing for Friday to determine whether the VA should revise its deal. The class-action lawsuits, which are pending in Covington, Ky., and Washington, seek free monitoring and other credit protection for an indefinite period as well as $1,000 in damages for each person - or up to $26.5 billion total.
Stacy Hinners, an attorney representing veterans, said veterans did not wish to shut down the call center and Web site but simply wanted the VA to be clear what rights veterans would have if they accepted the free offer. Veterans groups and lawmakers from both parties have criticized the VA for the theft and noted years of warnings by auditors that information security was lax. The data analyst - who was in the process of being dismissed - had taken the information home on a personal laptop for three years. -=- On the Net: For veterans suspecting identity theft: http://www.firstgov.gov or 1-800-FED-INFO From isn at c4i.org Wed Jun 28 01:13:59 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 28 Jun 2006 00:13:59 -0500 (CDT) Subject: [ISN] Does Wi-Fi security matter? Message-ID: http://news.zdnet.co.uk/internet/security/0,39020375,39277577,00.htm By Tom Espiner ZDNet UK June 27, 2006 People 'just don't care' about Wi-Fi security according to researchers, but some senior security experts argue there's no need to secure networks at all A large percentage of Wi-Fi networks are "horribly insecure", according to researchers at Indiana University. In a study of almost 2,500 access points in Indianapolis, presented at the Workshop on the Economics of Information Security at the University of Cambridge on Monday, researchers found that 46 percent were not running any form of encryption. "People just really don't care about Wi-Fi security, and open Wi-Fi at home is a nice big target," said Matthew Hottell, lecturer in informatics at Indiana University. "Defaults [settings] are king," added Hottell. Most of the secured networks used routers whose security setting had been pre-installed by the vendor, rather than having been activated by the end user. Some used WEP encryption wizards to encourage people to turn on the security settings. "Education seems to have little effect.
People with a higher economic status are not responsive to the heightened risk of privacy erosion, and people in general don't recognise that higher population density [heightens risk]," said Hottell. However, security expert Bruce Schneier argued that as long as people's devices were secure, having a secured network was unnecessary. "I have a completely open Wi-Fi network," Schneier told ZDNet UK. "Firstly, I don't care if my neighbours are using my network. Secondly, I've protected my computers. Thirdly, it's polite. When people come over they can use it." University of Cambridge security expert Richard Clayton also questioned the assumption that unsecured networks were necessarily insecure. "What is your definition of secure?" Clayton asked the researchers. "Did you try to exploit the systems?" Hottell said the wardriving team had not attempted to hack any systems or read any network traffic. Microsoft's chief privacy advisor for Europe, Caspar Bowden, said there seemed to be a consensus among security experts that having a Wi-Fi network open to sharing has positive uses, but warned that people could not rely on WEP encryption if they wanted to secure networks. "If you do want to secure your network, look at end-to-end solutions rather than some of the dodgy crypto around like WEP," said Bowden. "There's only one thing worse than no security, and that's a false sense of security," he added. From isn at c4i.org Wed Jun 28 01:14:17 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 28 Jun 2006 00:14:17 -0500 (CDT) Subject: [ISN] U.S. vulnerable to 'cyber Katrina' Message-ID: http://www.gcn.com/online/vol1_no1/41172-1.html By Alice Lipowicz Contributing Writer 06/27/06 The United States is poorly prepared for a "cyber Katrina," with no coordinated plan for restoring and recovering the Internet after a major disruption, according to a new Business Roundtable report [1], released yesterday.
Despite efforts to address the problem, the federal government and private sector have not developed a coordinated plan for restoring the Internet and maintaining confidence in financial markets following a major breach in functioning. The gaps identified include no cyberattack early warning system, unclear and overlapping responsibilities for responding to Internet disruptions, and insufficient resources.

"If there's a cyberdisaster, there is no emergency number to call - and no one in place to respond, because our nation simply doesn't have the kind of coordinated plan in place that we need to restart and restore the Internet," Edward Rust Jr., chairman of State Farm Insurance Companies and head of the Roundtable Security Task Force's working group on cybersecurity, said in a news release. "Government and industry must work together to beef up our cybersecurity and recovery efforts."

The roundtable, which comprises chief executives of major corporations representing nearly a third of the total value of the U.S. stock market, said the private sector should take the lead in restoring the communications infrastructure following a disaster. The federal government should establish clearer roles and responsibilities.

For example, while the Homeland Security Department said it has authority to declare a national cyberemergency and intends to consult with business leaders, the report said it is not clear how this consultation will occur or what the factors are for declaring an emergency.

The federal government also should provide funding for long-term programs, and make sure that national response plans treat major Internet disruptions as serious national problems, the report said. The National Cyber Security Division within DHS receives about $70 million a year, but almost none of the funds support cyber-recovery, the report said.
Federal authorities should set a clear policy for Internet recovery, which would define DHS' role and responsibility; define the responsibilities of the U.S. Computer Emergency Response Team; specify how the Homeland Security Operations Center will be used; and clarify the roles of other agencies, such as the Federal Communications Commission and the Federal Emergency Management Agency, the report said.

Private sector executives are urged to designate a point person for cyber-recovery, update their plans to prepare for a widespread Internet outage and the impact on movement of goods and services, and set priorities for restoring Internet service and corporate communications.

The roundtable also urged creation of a federally funded panel of experts to assist in developing plans for recovering the Internet after a cyberdisaster. It also suggests DHS and industry jointly conduct large-scale cyberemergency exercises.

[1] http://www.businessroundtable.org/pdf/20060622002CyberReconFinal6106.pdf

From isn at c4i.org Wed Jun 28 01:14:26 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Jun 2006 00:14:26 -0500 (CDT)
Subject: [ISN] Navy: Exposed personal data was Katrina-related
Message-ID:

http://www.fcw.com/article95068-06-27-06-Web

By Bob Brewin
June 27, 2006

The Navy said the personal information of more than 30,000 sailors that a civilian Web site exposed pertains to sailors and their families located in areas affected by Hurricane Katrina.

Lt. Justin Cole, a spokesman for the chief of naval personnel, said the Navy collected the personal information in relation to hurricane relief operations. Cole said the Navy has no idea how someone published the information on the Web site. The site has removed that information.

Cole declined to identify the site or its purpose, but he said it was not a medical or health information Web site.
The Navy said last week it first became aware of the exposure of the personal information June 22 in a report by the Joint Task Force-Global Network Operations and the Navy Cyber Defense Operations Command, part of the Naval Network Warfare Command (Netwarcom).

The personal information was contained in five spreadsheet files on the Web site and included the names, birth dates and Social Security numbers of sailors and family members, the Navy said. The service mailed letters to all 30,618 service members and their families affected by the incident, the Navy added.

The service said it has no evidence that someone has illegally used the personal information on the Web site. Cole said the Naval Criminal Investigative Service is investigating the incident. But he declined to provide further details.

From isn at c4i.org Wed Jun 28 01:14:37 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Jun 2006 00:14:37 -0500 (CDT)
Subject: [ISN] Apple updates Mac OS to squash bugs
Message-ID:

http://news.com.com/Apple+updates+Mac+OS+to+squash+bugs/2100-1002_3-6088787.html

By Joris Evers
Staff Writer, CNET News.com
June 27, 2006

Apple Computer on Tuesday released an update for its Mac OS X that repairs several security flaws and includes feature updates.

The update, Mac OS X 10.4.7, fixes four security vulnerabilities, Symantec said in an alert sent to customers. "These issues can be exploited to cause denial-of-service conditions, gain access to sensitive information, and execute code," it said. The security flaws lie in various components of Mac OS X, Symantec said.

There is no known attack code for the vulnerabilities, the company said, indicating that there is no imminent threat to Mac users.

An Apple representative did not immediately return calls seeking comment on the security issues. The Cupertino, Calif.-based company also had not published any security fix information on its security Web site as of Tuesday late afternoon.
Apple's last security update was in May, addressing bugs in Mac OS X and QuickTime.

Aside from the security fixes, Mac OS X 10.4.7 delivers some improvements and repairs a few issues related to Mail, Finder and iChat, among other things, according to a posting on Apple's support Web site.

If iChat users encounter a problem while trying to set up a conference, they can now send a message to Apple that automatically outlines what went wrong, much the same way Safari users can choose to send a message when the browser crashes, Apple said. The update also fixes a number of issues with syncing, improving support for Motorola phones and fixing some problems with .Mac syncing, according to Apple.

Users can download Mac OS X 10.4.7 through Software Update or the standalone installer.

Apple plans to showcase Mac OS 10.5, code-named Leopard, at its annual developer meeting in August, the company announced Monday.

From isn at c4i.org Wed Jun 28 01:13:20 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Jun 2006 00:13:20 -0500 (CDT)
Subject: [ISN] Ohio University Sued As Result Of Data Theft
Message-ID:

http://www.channelcincinnati.com/news/9431401/detail.html

June 27, 2006

ATHENS, Ohio -- Two graduate students have filed lawsuits against Ohio University due to recent data thefts from school computers.

Donald Jay Kulpa, 31, of Cincinnati, and Kenneth Neben, 34, formerly of Columbus and now living in New Jersey, sued OU, claiming their privacy had been violated.

Kulpa and Neben are two of possibly 173,000 students, employees, or faculty whose Social Security numbers were stolen in five separate instances since March 2005. Of the 173,000 people, about 367,000 files containing personal information such as Social Security numbers, names, medical records, and home addresses were breached.

The lawsuit was filed Friday in the Ohio Court of Claims in Columbus. On the same day, OU made a decision to spend $4 million to heighten computer security on campus.
The lawsuit asks a judge to order the school to compensate for any financial loss as a result of identity thefts linked to security breaches at OU. They also want the school to pay for credit monitoring services for anybody whose personal information may have been breached.

Kulpa and Neben's lawsuit seeks class-action status to represent anyone affected, including students, faculty, and employees.

John Burns, OU's legal affairs director, said he expected a lawsuit but not one that reached class-action status. "We'll review it and we'll defend it," Burns said.

Mark Mezibov, a Cincinnati lawyer representing Kulpa and Neben, said the university was negligent and indifferent in failing to protect personal information.

A recent consultants' report concluded that OU's Computer and Network Services division considered security as a low priority for the past decade. However, the division had an annual budget of about $11 million and recent annual surpluses averaging $1.4 million.

Last week, OU suspended the director of Computer and Network Services and the Internet and systems manager, pending an investigation regarding the security breaches.

On April 21, the university announced it had discovered a security breach at its training center for fledgling businesses. Since the incident, breaches have been reported at the alumni office, health center, and the department that handles records for businesses the university hires.

Copyright 2006 by ChannelCincinnati.com. The Associated Press contributed to this report.

From isn at c4i.org Wed Jun 28 01:14:52 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Jun 2006 00:14:52 -0500 (CDT)
Subject: [ISN] Navy contractor charged with sabotaging computer system
Message-ID:

http://home.hamptonroads.com/stories/story.cfm?story=106658&ran=64860

By TIM MCGLONE
The Virginian-Pilot
June 27, 2006

NORFOLK - A Navy contractor has been charged with sabotaging a computer system that plots the locations of ships and submarines.
The computer intrusion could have caused collisions between Navy and commercial vessels, but it was uncovered before any serious harm was done, according to a criminal complaint unsealed Monday in U.S. District Court here.

The suspect, Richard F. Sylvestre, 43, of Massachusetts, was charged with unauthorized access to a government national defense computer, a crime that carries a penalty of as much as 10 years in prison.

Sylvestre said little during his first court appearance Monday.

"Do you understand why you're before this court?" Magistrate James E. Bradberry asked Sylvestre.

"Yes, sir," he replied.

Sylvestre, listed in the court record as owner of computer company Ares Systems International, is accused of programming malicious software codes into computers at the Navy's European Planning and Operations Command Center in Naples, Italy, last month, according to the court records.

Sylvestre later confessed to the crime, according to the complaint filed by a Naval Criminal Investigative Service agent in Norfolk. He told the agent he was upset that his company's bid on a project was passed over, the papers say. Ares already held a Navy contract to provide computer maintenance for the Navy's European Command.

On May 21, two Navy computers in Naples were rendered inoperable, the complaint says. A computer administrator determined that someone had programmed what's known as a "cron job" into the system. A cron job enables someone to schedule the start of program commands at some future date.

The investigation determined that the commands were entered on a computer last used by Sylvestre on May 19, the complaint says.

The computer administrator also discovered three additional infected computers that, had the programs been launched, would have shut down the entire network that tracks the locations of ships and submarines. The system helps prevent military and commercial vessels from running into each other.

"Sylvestre denied that he had any intention to cause a collision or crash," the complaint says.

Sylvestre returned to Norfolk on Sunday aboard the Air Mobility Command and was taken into custody by the U.S. Marshals.

After Monday's court appearance, Bradberry allowed Sylvestre to post a $10,000 bond and return home to Massachusetts, but not without a stern warning first.

"This is deadly serious business," Bradberry told him. "Don't take this lightly."

A grand jury will hear the case within the month, a prosecutor said in court.

Reach Tim McGlone at (757) 446-2343 or tim.mcglone at pilotonline.com.

© 2006 HamptonRoads.com/PilotOnline.com

From isn at c4i.org Thu Jun 29 04:52:14 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Jun 2006 03:52:14 -0500 (CDT)
Subject: [ISN] NHS mobile data security is pants
Message-ID:

http://www.theregister.co.uk/2006/06/28/nhs_mobile_security_survey/

By John Leyden
28th June 2006

Sensitive medical and personal details are in danger of exposure because of lax data security among health sector workers, according to a new survey.

The study, sponsored by mobile security firm Pointsec, found that almost two thirds of health sector workers use inadequate security. Half of those in the NHS use their own mobile devices to store data, a basic breach of security practice.

The Mobile device usage in the health care sector survey carried out by Pointsec and the British Journal of Healthcare Computing & Information Management also found that one-fifth of the devices used to store data have no security on them at all. A further 40 per cent have only password-controlled access that would be easy for a skilled hacker to defeat using a dictionary-style attack. Only a quarter of respondents used passwords in conjunction with other security features such as encryption, biometrics, smart card and two-factor authentication.

The 117 participants in the survey included information managers, IT managers and medical professionals in the NHS.
A quarter of those who took part in the study supplied equipment to the health care sector.

USB memory sticks or cards (76 per cent) were often used to download data among health care pros, followed by laptops (69 per cent), PDA/Blackberry (51 per cent), smartphones (nine per cent) and mobile phones (two per cent). Almost half (42 per cent) of respondents owned at least one of the devices they used.

These mobile devices were commonly used to store work contact details (75 per cent), but nearly two thirds stored corporate data, and one in five used mobile devices to store security details, such as passwords and PIN codes. About half of the medical professionals surveyed stored patient records on mobile devices, a potentially serious risk to patient confidentiality given that a quarter of respondents have admitted losing a mobile device.

Pointsec says its survey is evidence that inadequate security procedures are allowing mobile devices to "fall through the security net". It advises wider use of mobile encryption technologies, a business Pointsec itself specialises in.

From isn at c4i.org Thu Jun 29 04:52:43 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Jun 2006 03:52:43 -0500 (CDT)
Subject: [ISN] Security Diligence Is Overdue
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

SPI Dynamics
http://list.windowsitpro.com/t?ctl=2FEE3:4FB69

Diskeeper
http://list.windowsitpro.com/t?ctl=2FEDE:4FB69

CrossTec
http://list.windowsitpro.com/t?ctl=2FEDC:4FB69

====================

1. In Focus: Security Diligence Is Overdue

2. Security News and Features
- Recent Security Vulnerabilities
- Two New Excel Vulnerabilities Surface
- Workarounds for the First of Two Excel Vulnerabilities
- Windows Defender

3. Security Toolkit
- Security Matters Blog
- FAQ
- Share Your Security Tips

4. New and Improved
- Faster Intrusion Protection

====================

==== Sponsor: SPI Dynamics ====

ALERT: "Top Web Application Hacker Tricks"
Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation. Learn step-by-step vulnerability testing methods for your own Web Applications and guidelines for establishing best administration and coding practices.
http://list.windowsitpro.com/t?ctl=2FEE3:4FB69

====================

==== 1. In Focus: Security Diligence Is Overdue ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

I recently came across some very interesting survey information published by Deloitte Touche Tohmatsu (DTT). The company conducted a survey of security executives in 150 companies from 30 countries whose business relates to technology, media, and telecommunications (TMT). The results shed some light on why some companies are open to security breaches.
http://list.windowsitpro.com/t?ctl=2FEF6:4FB69

According to the survey results, the majority of the surveyed companies consider themselves reactive (as opposed to proactive) when it comes to investing in information security. In other words, they spend money in response to breaches but don't typically spend nearly as much money to prevent breaches. Only 4 percent of the companies think they're addressing the problem sufficiently; only 25 percent have already implemented or are in the process of implementing antiphishing protection; only 37 percent provided security training to employees over the past 12 months; only 24 percent believe their current security tools are being used effectively; and only 33 percent perform security risk assessments.
Another interesting pair of findings is that half of the companies who suffered breaches over the past 12 months were victims of insider attacks and only 47 percent of the companies believe they are adequately protected against such internal attacks.

Brian Geffert, principal of Deloitte Security and Privacy Services, said about the survey findings, "When it comes to security, TMT companies are talking the talk but not yet walking the walk. Survey respondents say that security is a top concern, but it is still not being addressed across the organization from a risk-based perspective, despite recent breaches costing million[s] of dollars of damage and inestimable harm to companies' reputations, brands, revenue and productivity. In fact, more than half of security executives surveyed admit that their security investments are falling behind the threats or at best just catching up."

Eye opening, isn't it?

In a parallel study, DTT polled financial institutions as well as life sciences and health care companies. Although DTT didn't say how many companies took part in those studies, it did say that 78 percent of the financial institutions had experienced an external security breach and 49 percent had experienced an internal security breach in the past year. Seventeen percent of life sciences and health care companies had experienced an external security breach and 9 percent had experienced internal breaches.

Wow!

How many news stories have you read over the past several months about some company suffering either an intrusion or equipment loss that exposed people's private information? We can't go more than a week or so without yet another of these stories coming to the surface, which just reinforces DTT's findings.

It seems to me, even more so in light of DTT's survey results, that the problems of intrusion and identity theft must be due to a lack of diligence, or maybe a lack of funding to support proper diligence.
After all, with proper funding, how hard is it to diligently defend your enterprise network, and how hard is it to diligently protect your mobile computing devices and backup media? The former can be tedious, of course, but not overly difficult. The latter requires mostly attentiveness and common sense on the part of users to avoid theft or other forms of loss.

If, in your opinion, your company isn't providing adequate resources for a diligent approach to information security, consider pointing your executives or decision makers to this editorial and DTT's press release. Maybe it'll help open some eyes.

====================

==== Sponsor: Diskeeper ====

FREE UTILITY: SCANS YOUR SITE FOR SYSTEM SLOWDOWNS
Disk Performance Analyzer for Networks is a FREE utility that remotely scans your networked systems looking for severe fragmentation-related disk performance bottlenecks. Disk fragmentation is a major source of slowdowns, freeze-ups and headaches; with Disk Performance Analyzer for Networks you can find and address potential problems before they become help desk calls. Find disk performance problems before they find you: download the FREE Disk Performance Analyzer for Networks now!
http://list.windowsitpro.com/t?ctl=2FEDE:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=2FEE4:4FB69

Two New Excel Vulnerabilities Surface
You know the adage: When it rains it pours. On the heels of a zero-day Excel vulnerability reported two weeks ago come two more Microsoft-related vulnerabilities, one in Excel and one in Windows.
http://list.windowsitpro.com/t?ctl=2FEEE:4FB69

Workarounds for the First of Two Excel Vulnerabilities
Two weeks ago, a zero-day exploit was discovered that affects Microsoft Excel.
The vulnerability could allow the execution of arbitrary code on an affected computer. Microsoft has published a security advisory that includes possible workarounds to help you protect your systems.
http://list.windowsitpro.com/t?ctl=2FEEA:4FB69

Windows Defender
Windows Defender Beta 2 is Microsoft's second antispyware beta release, but it really feels more like a new program. New graphics, tighter integration into the OS, and a streamlined interface all set this release apart from its predecessor, Microsoft AntiSpyware Beta 1. Jeff Fellinge gives you the skinny in this article on our Web site.
http://list.windowsitpro.com/t?ctl=2FEEC:4FB69

====================

==== Resources and Events ====

Attend Black Hat 2006 in Las Vegas July 29 - August 3; 2,500+ international security experts, 10 tracks, no vendor sales pitches.
http://list.windowsitpro.com/t?ctl=2FEF5:4FB69

Event Log (for Windows systems) and Syslog (for UNIX/Linux systems) contain a wealth of information. In this free Web seminar, you'll learn about the processes, challenges, and benefits of consolidating events on a centralized server. Plus--identify the 50 critical events that should be monitored in your enterprise. Live Event: Thursday, June 29
http://list.windowsitpro.com/t?ctl=2FEE9:4FB69

Make full use of your VoIP network--integrate Fax for IP to reduce TCO and increase the ROI for your investment. On-demand Web seminar
http://list.windowsitpro.com/t?ctl=2FEDF:4FB69

Learn the essentials about how consolidating hardware and updating selected technologies can help you build an infrastructure that can handle change effectively.
http://list.windowsitpro.com/t?ctl=2FEE2:4FB69

In this free podcast, Randy Franklin Smith outlines five points to consider when choosing an antispyware solution. Download the podcast today, and you could win an iPod!
http://list.windowsitpro.com/t?ctl=2FEE1:4FB69

Implement real-time processes in your email and data systems--you could also win a Best Buy Gift Card!
Register today; the contest ends June 30.
http://list.windowsitpro.com/t?ctl=2FEE0:4FB69

====================

==== Featured White Paper ====

Strategically managing software licenses saves time and cuts costs by centralizing licensing operations. Use this 5-step program to quickly implement your license management program.
http://list.windowsitpro.com/t?ctl=2FEDD:4FB69

Don't miss your chance to win a pair of Bose Triport Headphones! Download any white paper from Windows IT Pro before June 30 to enter. See the full selection of papers today at
http://list.windowsitpro.com/t?ctl=2FEF2:4FB69

====================

==== Hot Spot ====

Free White Paper - "7 Steps for SIMple Log Monitoring"
Activeworx collects event logs from all your security devices and vendors to provide a single Dashboard view along with correlated alerts; hundreds of compliance reports; and deep forensics tools. Easy to install and use. Personalized support. Click for Free White Paper - 7 Steps for SIMple Log Monitoring
http://list.windowsitpro.com/t?ctl=2FEDC:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: WildPackets' OmniPeek Personal
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2FEF1:4FB69
Need an alternative to Ethereal and Wireshark? The OmniPeek Personal packet capture and analysis tool might be your answer.
http://list.windowsitpro.com/t?ctl=2FEEB:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=2FEEF:4FB69
Q: Where is the remote wipe facility in Microsoft Exchange Server 2003 Service Pack 2 (SP2)?
Find the answer at
http://list.windowsitpro.com/t?ctl=2FEED:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.
====================

==== Announcements ====
(from Windows IT Pro and its partners)

Summer Special--Save 58% off Windows IT Pro
Subscribe to Windows IT Pro today and SAVE 58%! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful articles. This is a limited-time offer, so order now:
http://list.windowsitpro.com/t?ctl=2FEE7:4FB69

Need Access to Helpful SQL Server Articles?
Subscribe to SQL Server Magazine today and SAVE 58%! Along with your 12 issues, you'll get FREE access to the entire SQL Server Magazine online article archive, which houses more than 2,300 helpful articles. This is a limited-time offer, so order now:
http://list.windowsitpro.com/t?ctl=2FEE6:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Faster Intrusion Protection
Third Brigade announced Deep Security 4.5, the newest release of its intrusion prevention system (IPS) that protects mission-critical hosts, applications, and data from malicious attacks. New features are designed to help customers deploy Deep Security more quickly. Customers can purchase Third Brigade Deep Security Manager to place Deep Security Agent software in IPS-ready mode on any number of hosts at no extra cost. Then when they're ready, they can switch the Agent from detection to prevention mode. Deep Security 4.5 also offers preconfigured security profiles for more than 80 software applications that run on Windows, Linux, and Solaris. And Third Brigade says it delivers new filters within hours of the announcement of new software vulnerabilities. For more information, go to
http://list.windowsitpro.com/t?ctl=2FEF4:4FB69

Tell Us About a Hot Product and Get a Best Buy Gift Card!
Have you used a product that changed your IT experience by saving you time or easing your daily burden?
Tell us about the product, and we'll send you a Best Buy Gift Card if we write about the product in a Windows IT Pro What's Hot column. Send your product suggestion with information about how the product has helped you to whatshot at windowsitpro.com.

====================

==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2FEF3:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=2FEE8:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Jun 29 04:52:55 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Jun 2006 03:52:55 -0500 (CDT)
Subject: [ISN] Storage Company's Online Security Breach Exposed
Message-ID:

http://cbs5.com/topstories/local_story_178210503.html

By Sue Kwon
Reporting
Jun 27, 2006

(CBS 5) A CBS 5 investigation has confirmed a security breach at a popular self-storage company that may have exposed customers' private information on its website.

AAAAA Rent-A-Space has taken its online payment system offline and is notifying thousands of customers to check for identity theft after CBS 5 told the company about a flaw on their website.

Howard Fortner describes the security at AAAAA Rent-A-Space in Colma as tighter than Fort Knox.
So he was surprised when the cyber gate was left wide open on the storage facility's website.

While trying to make an online payment, Fortner says he accidentally typed in someone else's storage unit number along with his password, which is his phone number. Up popped another customer's private information, including a name, address, credit card, and Social Security number.

"I thought about mine's as vulnerable as that one," Fortner said. "I tried it with a different number, and several accounts opened up." His password opened at least five other customer profiles.

After CBS 5 alerted AAAAA Rent-A-Space to the problem, the company worked with the Arizona software developer who created the site's account-based program called "Web-Expres." By late Tuesday afternoon, they found the glitch and have taken the payment system offline until it is patched.

AAAAA Rent-A-Space says its online payment system has been up for a year with no other incidents reported. The company says it plans to mail out 13,000 letters about the discovery to customers in California and Hawaii, including those who have items stored at the 10 Bay Area facilities.

(© MMVI, CBS Broadcasting Inc. All Rights Reserved.)

From isn at c4i.org Thu Jun 29 04:53:06 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Jun 2006 03:53:06 -0500 (CDT)
Subject: [ISN] Energy CIO outlines security plans
Message-ID:

http://www.fcw.com/article95092-06-28-06-Web

By Michael Hardy
June 28, 2006

Tom Pyke, chief information officer at the Energy Department, launched a security revitalization program there when he took the position in November 2005. Today that program is making strides in locking intruders out of the department's systems, he told an audience at a luncheon hosted by Input.

DOE has been in the spotlight recently because of a successful attack in which cyberthieves stole personal data on about 1,500 contract and agency employees.
That incident happened in July 2005, Pyke said, but it was not reported to agency leaders until recently. The revitalization project was not connected to that theft, he added.

The thieves used an old-fashioned "social engineering" attack, sending an e-mail message with malicious code in an attachment. An employee clicked on the attachment, executing software that set up a "back door" for the thieves to access the network of the National Nuclear Security Agency, a semi-autonomous organization within DOE.

DOE includes a network of national laboratories, and about 60 percent of the computer systems within the department are connected to national security, which calls for extra protection, he said.

"We have a lot of the right policies and we have very bright people," Pyke said. "It's just a matter of [my] helping refocus priorities."

DOE seems to be a favorite target of would-be hackers, with several hundred thousand attempted attacks a day, he said. Most of those, however, are routine and harmless, and fewer than 100 so far this year have been deemed "incidents" needing a response.

The revitalization effort includes the increased use of encryption software, regular analysis of every aspect of cybersecurity throughout the department and the use of "red teams," employees who try to defeat the defenses to identify weaknesses, he said.

Despite best efforts, however, agency leaders and the public need to understand "there's no such thing as perfect cyberdefense," Pyke said. "We have made systems so complex that there will be vulnerabilities, and sometimes those vulnerabilities will be exploited before we can get protection in place."

From isn at c4i.org Thu Jun 29 04:53:18 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Jun 2006 03:53:18 -0500 (CDT)
Subject: [ISN] U.S. Cybersecurity Chief May Have a Conflict of Interest
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/28/AR2006062801903.html

Associated Press
June 29, 2006

The Bush administration's cybersecurity chief is a contract employee who earns $577,000 under an agreement with a private university that does extensive business with the federal office he manages.

Donald "Andy" Purdy Jr. has been acting director of the Homeland Security Department's National Cyber Security Division for 21 months. His two-year contract with Carnegie Mellon University in Pittsburgh has drawn attention from members of Congress.

By comparison, the Homeland Security secretary, Michael Chertoff, is paid $175,000 annually. Purdy is on loan from the school to the government, which is paying nearly all his salary.

Meanwhile, Purdy's cybersecurity division has paid Carnegie Mellon $19 million in contracts this year, almost one-fifth of the unit's total budget.

Purdy said he has not been involved in discussions of his office's business deals with the school.

"I'm very sensitive to those kinds of requirements," Purdy said. "It's not like Carnegie Mellon has ever said to me, 'We want to do this or that. We want more money.' "

Some lawmakers who oversee the department questioned the decision to hire Purdy as acting cybersecurity director. They noted enduring criticism by industry experts and congressional investigators over the department's performance on cybersecurity matters.

Purdy's contract "raises questions about whether the American people are getting their money's worth," Democratic Reps. Bennie Thompson of Mississippi and Loretta Sanchez and Zoe Lofgren, both of California, wrote in a letter to Republicans.

Purdy, a longtime lawyer, has held a number of state and federal legal and managerial jobs. He has no formal technical background in computer security.

Purdy controls a budget of about $107 million and as many as 44 full-time federal employees.
He said his salary is commensurate with those of some other government contractors. Purdy's former boss and predecessor as cybersecurity chief, Amit Yoran, earned $131,342 before he resigned abruptly in October 2004.

Chertoff agreed one year ago to create a position of assistant secretary over cybersecurity. The job is unfilled, a point of consternation among many security experts.

Carnegie Mellon is highly regarded among experts who study hacker attacks and software flaws. The university declined to comment on Purdy's salary, citing employee confidentiality. It said it has avoided discussing government contracts with Purdy in his role as chief of the cybersecurity office that awards those contracts.

The department said Purdy consulted with ethics lawyers when he signed his employment contract. Purdy is so careful about avoiding potential conflicts that he leaves the room when employees discuss contracts related to Carnegie Mellon's work, said one DHS official, who spoke on the condition of anonymity because this official is not authorized to speak with reporters.

© 2006 The Washington Post Company

From isn at c4i.org Thu Jun 29 04:53:31 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Jun 2006 03:53:31 -0500 (CDT)
Subject: [ISN] Sale of Digital Security Firm Said to Be Near
Message-ID:

http://www.nytimes.com/2006/06/29/technology/29deal.html

By ANDREW ROSS SORKIN and JOHN MARKOFF
June 29, 2006

RSA Security, a pioneering digital security company, quietly put itself up for sale several months ago and is now near a deal with EMC or at least one other bidder, people involved in the auction process said last night.

A deal, possibly worth more than $1.8 billion, could be reached in a few days, these people said. The company has a market value of $1.46 billion.

RSA's board is expected to meet before the weekend to review final bids, these people said. They cautioned, however, that it remained possible that RSA could still decide against a sale.

It could not be learned last night who was competing against EMC, the data storage giant.

RSA, based in Bedford, Mass., makes physical security cards under the SecurID brand that are widely used in authentication systems at corporations around the world. The company is also active in developing antifraud technologies and a variety of encryption systems.

RSA takes its name from the initials of its three founders: Ronald Rivest, Adi Shamir and Leonard Adleman. The three, who are academic researchers, are leading figures in the field of cryptography who developed an important algorithm in a technology known as public key cryptography.

The company became a commercial success largely through the efforts of an early chief executive, Jim Bidzos, who became an outspoken advocate of commercial cryptography in the face of government opposition. He struck an early deal to use RSA technology in the Netscape browser.

Today, the company has $322 million in annual revenue and $40.5 million in net income.

RSA is widely known for sponsoring the RSA Security conference, a trade show and conference that has become the focus of the computer security industry.

Shares of RSA closed yesterday at $19.36, up 15 cents.

From isn at c4i.org Fri Jun 30 12:35:54 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:35:54 -0500 (CDT)
Subject: [ISN] Hacker breaks into Treasurer's Office
Message-ID:

http://www.journalstar.com/articles/2006/06/29/local/doc44a3fa6c4f795799631319.txt

By NATE JENKINS
Lincoln Journal Star
June 30, 2006

Personal and financial information of more than 300,000 people may be in the hands of a hacker following a Wednesday break-in of the state computer system that processes child-support payments.

A preliminary investigation of the incident suggests that the hacker did not download the information, said State Treasurer Ron Ross. But the possibility does exist.
"Based upon the method of attack, it is more likely the hacker's intent was not to steal information, but rather to do something malicious since the hacker inserted a virus onto the server, which we immediately removed," Ross said.

The child-support payment system was centralized in the treasurer's office five years ago and now processes $1 million in transactions daily.

Identity information potentially stolen by the hacker, who investigators believe may be based outside the U.S. and possibly in Asia, includes: names, addresses, bank account numbers, social security numbers and tax identification numbers. Roughly 300,000 individuals and 9,000 employers may be affected.

Ross said it was the first time the computer system, called KidCare, had been hacked. He was not aware of similar security breaches in other states.

The break-in, which Ross said lasted about 40 minutes, was detected by an employee after coming to work Wednesday morning. The system is not monitored 24 hours a day by a person.

The State Patrol has initiated a full investigation that could include help from the FBI and other agencies.

Ross pledged to "get to the bottom of it" and implement new safeguards to prevent future break-ins. But that won't likely include round-the-clock monitoring of the system by a person.

"I don't think we're at a point in government we want somebody standing by a computer screen 24-7, but we do need protocols in place," Ross said. "We thought we had good safeguards...somebody got in a door we didn't think they'd be able to get into."

The hard drive and server affected by the breach were immediately replaced.

Unlike many arms of state government, the child-support system is not part of the state's centrally controlled computer system, said Brenda Decker, chief information officer for the state. The incident will prompt state officials to take a closer look at whether it should be.

"We're working with the State Patrol to see if we can make this as secure and hardened as the rest of the system," Decker said.

Asked during a press conference if the child-support system had the best available security system, Ross said he believed it did.

Those who pay or receive child-support should closely monitor their bank accounts, and are advised to close them if they see suspicious activity.

© 2002-2006, Lincoln Journal Star. All rights reserved.

From isn at c4i.org Fri Jun 30 12:36:20 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:36:20 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-26
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2006-06-22 - 2006-06-29

                       This week: 88 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Plebo Aesdi Nael has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information and potentially compromise a user's system.

Secunia has constructed a test for one of the issues, which is available at:
http://secunia.com/internet_explorer_information_disclosure_vulnerability_test/

Additional details can be found in the referenced Secunia advisory.

Reference:
http://secunia.com/SA20825

--

VigilantMinds has reported a vulnerability in the Opera browser, which potentially can be exploited by malicious people to compromise a user's system.

Additionally, a weakness has also been reported, which can be exploited to display the SSL certificate from a trusted site on an untrusted site.

Further details are available in the referenced Secunia advisories.

References:
http://secunia.com/SA20787
http://secunia.com/SA19480

--

Two vulnerabilities have been reported in various F-Secure Antivirus products, which can be exploited by malware to bypass the scanning functionality.

The vendor has released patches, which correct these vulnerabilities. Please refer to the referenced Secunia advisory for additional details.

Reference:
http://secunia.com/SA20858

--

VIRUS ALERTS:

During the past week Secunia collected 253 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow
2.  [SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability
3.  [SA20686] Microsoft Excel Repair Mode Code Execution Vulnerability
4.  [SA20787] Opera JPEG Processing Integer Overflow Vulnerability
5.  [SA20825] Internet Explorer Information Disclosure and HTA Application Execution
6.  [SA20153] Microsoft Word Malformed Object Pointer Vulnerability
7.  [SA20773] Yahoo! Messenger Denial of Service Weakness
8.  [SA20789] Cisco CallManager RealVNC Password Authentication Bypass
9.  [SA20723] IBM HMC Sendmail and OpenSSH Vulnerabilities
10. [SA20783] GnuPG "parse-packet.c" Denial of Service Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA20862] Nokia PC Suite CDDBControl ActiveX Control Buffer Overflow
[SA20861] Gracenote CDDBControl ActiveX Control Buffer Overflow
[SA20789] Cisco CallManager RealVNC Password Authentication Bypass
[SA20858] F-Secure Antivirus Products Scanning Bypass Vulnerability
[SA20855] Lotus Domino Malformed vCal Processing Denial of Service
[SA20851] Icculus.org Quake3 Engine Two Vulnerabilities
[SA20790] MailEnable SMTP Service HELO Denial of Service
[SA20777] Webmin Directory Traversal Vulnerability
[SA20825] Internet Explorer Information Disclosure and HTA Application Execution
[SA20856] CA Products Scan Job Description Format String Vulnerability
[SA20816] Cisco Secure ACS Session Management Security Issue
[SA20794] Trend Micro Control Manager "Username" Script Insertion
[SA20830] Lanap BotDetect ASP.NET CAPTCHA Bypass Weakness

UNIX/Linux:
[SA20879] Mandriva update for mutt
[SA20866] Mandriva update for tetex
[SA20854] Gentoo update for mutt
[SA20850] Gentoo update for tikiwiki
[SA20846] Gentoo update for hashcash
[SA20844] Gentoo update for wv2
[SA20837] Gentoo update for emech
[SA20836] Ubuntu update for mutt
[SA20831] rPath update for kernel
[SA20829] Mandriva update for gnupg
[SA20828] Mandriva update for xine-lib
[SA20826] Mandriva update for wv2
[SA20824] Mandriva update for libwmf
[SA20811] Slackware update for gnupg
[SA20810] Mutt IMAP Namespace Buffer Overflow Vulnerability
[SA20805] EnergyMech "parse_notice" Denial of Service Vulnerability
[SA20801] Ubuntu update for gnupg
[SA20800] Hashcash "array_push" Buffer Overflow Vulnerability
[SA20792] Debian update for courier
[SA20791] SUSE update for freetype2
[SA20783] GnuPG "parse-packet.c" Denial of Service Vulnerability
[SA20782] SGI Advanced Linux Environment Multiple Updates
[SA20853] Mandriva update for gd
[SA20849] Gentoo update for horde
[SA20848] Ubuntu update for OpenLDAP
[SA20840] cPanel "file" Parameter Cross-Site Scripting Vulnerability
[SA20788] phpQLAdmin "domain" Cross-Site Scripting Vulnerability
[SA20871] Ubuntu update for mysql-server
[SA20832] Mandriva update for MySQL
[SA20869] Slackware update for kdebase
[SA20868] Slackware update for arts
[SA20827] Mandriva update for arts
[SA20786] Gentoo update for aRts
[SA20785] Gentoo update for kdebase / KDM
[SA20834] Debian update for pinball
[SA20818] PHP "error_log()" Safe Mode Bypass Weakness
[SA20809] HP-UX Kernel Denial of Service Vulnerability
[SA20778] Emilia Pinball Compiled Plugins Loading Vulnerability

Other:
[SA20860] Cisco Wireless Access Point Web Management Vulnerability

Cross Platform:
[SA20823] Mambo MOD_CBSMS Module File Inclusion Vulnerability
[SA20819] Mambo Pearl For Mambo Module File Inclusion Vulnerabilities
[SA20815] phpBB THoRCMS Add-On "phpbb_root_path" File Inclusion
[SA20814] Bee-hive Lite Multiple File Inclusion Vulnerabilities
[SA20812] PrivateWire Registration Functionality Buffer Overflow
[SA20787] Opera JPEG Processing Integer Overflow Vulnerability
[SA20784] Helix DNA Server Heap Corruption Vulnerabilities
[SA20779] W-Agora Multiple File Inclusion Vulnerabilities
[SA20857] Scout Portal Toolkit "forumid" Parameter SQL Injection
[SA20847] MF Piadas "page" Parameter File Inclusion Vulnerability
[SA20842] Jaws Cross-Site Scripting and SQL Injection
[SA20839] Custom dating biz dating script Multiple Vulnerabilities
[SA20838] Anthill SQL Injection Vulnerabilities
[SA20813] DeluxeBB Cross-Site Scripting and SQL Injection
[SA20806] ICT "post" Parameter SQL Injection Vulnerability
[SA20802] Softbiz Dating Script SQL Injection Vulnerabilities
[SA20796] Open Guestbook Cross-Site Scripting and SQL Injection
[SA20795] MyBB "showcodebuttons" SQL Injection Vulnerability
[SA20793] IBM WebSphere Application Server Two Vulnerabilities
[SA20780] YaBB SE "user" SQL Injection Vulnerability
[SA20872] Metalhead Usenet Script "group" Cross-Site Scripting
[SA20863] Hostflow Help Desk Script Insertion Vulnerability
[SA20843] Phorum Cross-Site Scripting Vulnerability
[SA20841] SiteBar "command" Cross-Site Scripting Vulnerability
[SA20835] Sun Java System Application Server Cross-Site Scripting
[SA20833] Dating Agent PRO Cross-Site Scripting and Information Exposure
[SA20822] dotProject "login" Parameter Cross-Site Scripting Vulnerability
[SA20821] Namo DeepSearch "p" Parameter Cross-Site Scripting
[SA20820] aeDating Multiple Cross-Site Scripting Vulnerabilities
[SA20817] Claroline Unspecified Cross-Site Scripting Vulnerability
[SA20808] Qdig Cross-Site Scripting Vulnerabilities
[SA20804] UebiMiau Cross-Site Scripting Vulnerabilities
[SA20803] mvnForum "activatemember" Cross-Site Scripting
[SA20798] H-Sphere Multiple Cross-Site Scripting Vulnerabilities
[SA20797] XennoBB "tid" Cross-Site Scripting Vulnerability
[SA20781] GL-SH Deaf Forum show.php Cross-Site Scripting

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA20862] Nokia PC Suite CDDBControl ActiveX Control Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-28

A vulnerability has been reported in Nokia PC Suite, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20862/

--

[SA20861] Gracenote CDDBControl ActiveX Control Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-28

A vulnerability has been reported in GraceNote CDDBControl ActiveX Control, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20861/

--

[SA20789] Cisco CallManager RealVNC Password Authentication Bypass

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-06-23

Cisco has acknowledged a vulnerability in Cisco CallManager, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20789/

--

[SA20858] F-Secure Antivirus Products Scanning Bypass Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-06-28

Two vulnerabilities have been reported in various F-Secure Antivirus products, which can be exploited by malware to bypass the scanning functionality.

Full Advisory:
http://secunia.com/advisories/20858/

--

[SA20855] Lotus Domino Malformed vCal Processing Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-28

Ollie Whitehouse has reported a vulnerability in Lotus Domino, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20855/

--

[SA20851] Icculus.org Quake3 Engine Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS, System access
Released:    2006-06-28

Luigi Auriemma has reported two vulnerabilities in Icculus.org Quake3, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20851/

--

[SA20790] MailEnable SMTP Service HELO Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-26

DivisionByZero has reported a vulnerability in MailEnable, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20790/

--

[SA20777] Webmin Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2006-06-23

Keigo Yamazaki has reported a vulnerability in Webmin, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20777/

--

[SA20825] Internet Explorer Information Disclosure and HTA Application Execution

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2006-06-27

Plebo Aesdi Nael has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20825/

--

[SA20856] CA Products Scan Job Description Format String Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS, System access
Released:    2006-06-28

A vulnerability has been reported in some CA products, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20856/

--

[SA20816] Cisco Secure ACS Session Management Security Issue

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-06-26

Darren Bounds has reported a security issue in Cisco Secure ACS, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20816/

--

[SA20794] Trend Micro Control Manager "Username" Script Insertion

Critical:    Less critical
Where:       From local network
Impact:      Cross Site Scripting
Released:    2006-06-27

Darren Bounds has discovered a vulnerability in Trend Micro Control Manager, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/20794/

--

[SA20830] Lanap BotDetect ASP.NET CAPTCHA Bypass Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-06-26

Michael White and Graham Murphy have reported a weakness in Lanap BotDetect ASP.NET, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20830/

UNIX/Linux:--

[SA20879] Mandriva update for mutt

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-29

Mandriva has issued an update for mutt. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20879/

--

[SA20866] Mandriva update for tetex

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-28

Mandriva has issued an update for tetex. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20866/

--

[SA20854] Gentoo update for mutt

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-29

Gentoo has issued an update for mutt. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20854/

--

[SA20850] Gentoo update for tikiwiki

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-06-29

Gentoo has issued an update for tikiwiki. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20850/

--

[SA20846] Gentoo update for hashcash

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-27

Gentoo has issued an update for hashcash. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20846/

--

[SA20844] Gentoo update for wv2

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-06-26

Gentoo has issued an update for wv2. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/20844/

--

[SA20837] Gentoo update for emech

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-27

Gentoo has issued an update for emech. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20837/

--

[SA20836] Ubuntu update for mutt

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-28

Ubuntu has issued an update for mutt. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20836/

--

[SA20831] rPath update for kernel

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, DoS
Released:    2006-06-26

rPath has released an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to disclose potentially sensitive information and cause a DoS (Denial of Service), and by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/20831/

--

[SA20829] Mandriva update for gnupg

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-26

Mandriva has issued an update for gnupg. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20829/

--

[SA20828] Mandriva update for xine-lib

Critical:    Moderately critical
Where:       From remote
Impact:      System access, DoS
Released:    2006-06-26

Mandriva has issued an update for xine-lib. This fixes a weakness, which can be exploited by malicious people to crash certain applications on a user's system.

Full Advisory:
http://secunia.com/advisories/20828/

--

[SA20826] Mandriva update for wv2

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-06-26

Mandriva has issued an update for wv2. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/20826/

--

[SA20824] Mandriva update for libwmf

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-06-28

Mandriva has issued an update for libwmf. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20824/

--

[SA20811] Slackware update for gnupg

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-28

Slackware has issued an update for gnupg. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20811/

--

[SA20810] Mutt IMAP Namespace Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-26

TAKAHASHI Tamotsu has reported a vulnerability in Mutt, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20810/

--

[SA20805] EnergyMech "parse_notice" Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-27

A vulnerability has been reported in EnergyMech, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20805/

--

[SA20801] Ubuntu update for gnupg

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-27

Ubuntu has issued an update for gnupg. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20801/

--

[SA20800] Hashcash "array_push" Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-27

A vulnerability has been reported in Hashcash, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20800/

--

[SA20792] Debian update for courier

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-23

Debian has issued an update for courier. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20792/

--

[SA20791] SUSE update for freetype2

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-27

SUSE has issued an update for freetype2. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise applications using the library.

Full Advisory:
http://secunia.com/advisories/20791/

--

[SA20783] GnuPG "parse-packet.c" Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-06-23

A vulnerability has been reported in GnuPG, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20783/

--

[SA20782] SGI Advanced Linux Environment Multiple Updates

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of system information, Privilege escalation, DoS
Released:    2006-06-23

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities, a weakness, and two security issues, which can be exploited by malicious, local users to perform certain actions with escalated privileges, to bypass certain security restrictions, and to cause a DoS (Denial of Service), and by malicious people to bypass certain security restrictions, to disclose system information, to cause a DoS (Denial of Service), and to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20782/

--

[SA20853] Mandriva update for gd

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-06-28

Mandriva has issued an update for gd. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) against applications and services using libgd.
Full Advisory: http://secunia.com/advisories/20853/ -- [SA20849] Gentoo update for horde Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-29 Gentoo has issued an update for horde. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20849/ -- [SA20848] Ubuntu update for OpenLDAP Critical: Less critical Where: From remote Impact: DoS, System access Released: 2006-06-27 Ubuntu has issued an update for OpenLDAP. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20848/ -- [SA20840] cPanel "file" Parameter Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-27 Preth00nker has reported a vulnerability in cPanel, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20840/ -- [SA20788] phpQLAdmin "domain" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-06-26 r0t has reported some vulnerabilities in phpQLAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20788/ -- [SA20871] Ubuntu update for mysql-server Critical: Less critical Where: From local network Impact: DoS Released: 2006-06-28 Ubuntu has issued an update for mysql-server. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/20871/ -- [SA20832] Mandriva update for MySQL Critical: Less critical Where: From local network Impact: DoS Released: 2006-06-26 Mandriva has issued an update for MySQL. 
This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/20832/

--
[SA20869] Slackware update for kdebase

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-06-28

Slackware has issued an update for kdebase. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/20869/

--
[SA20868] Slackware update for arts

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-28

Slackware has issued an update for arts. This fixes a vulnerability, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory: http://secunia.com/advisories/20868/

--
[SA20827] Mandriva update for arts

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-26

Mandriva has issued an update for arts. This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory: http://secunia.com/advisories/20827/

--
[SA20786] Gentoo update for aRts

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-23

Gentoo has issued an update for aRts. This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory: http://secunia.com/advisories/20786/

--
[SA20785] Gentoo update for kdebase / KDM

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-06-23

Gentoo has issued an update for kdebase / KDM. This fixes a vulnerability, which can be exploited by malicious, local users to gain knowledge of sensitive information.
Full Advisory: http://secunia.com/advisories/20785/

--
[SA20834] Debian update for pinball

Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-26

Debian has issued an update for pinball. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/20834/

--
[SA20818] PHP "error_log()" Safe Mode Bypass Weakness

Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-26

Maksymilian Arciemowicz has discovered a weakness in PHP, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/20818/

--
[SA20809] HP-UX Kernel Denial of Service Vulnerability

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-06-27

A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/20809/

--
[SA20778] Emilia Pinball Compiled Plugins Loading Vulnerability

Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-26

A vulnerability has been reported in Pinball, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/20778/

Other:

--
[SA20860] Cisco Wireless Access Point Web Management Vulnerability

Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2006-06-29

A vulnerability has been reported in Cisco Wireless Access Point, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20860/

Cross Platform:

--
[SA20823] Mambo MOD_CBSMS Module File Inclusion Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-27

Kw3[R]Ln has discovered a vulnerability in the MOD_CBSMS module for Mambo, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20823/

--
[SA20819] Mambo Pearl For Mambo Module File Inclusion Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-28

Kw3[R]Ln has discovered some vulnerabilities in the Pearl For Mambo module for Mambo, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20819/

--
[SA20815] phpBB THoRCMS Add-On "phpbb_root_path" File Inclusion

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-26

Kw3[R]Ln has reported a vulnerability in the "THoRCMS" add-on for phpBB, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20815/

--
[SA20814] Bee-hive Lite Multiple File Inclusion Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-26

Kw3[R]Ln has discovered some vulnerabilities in Bee-hive Lite, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20814/

--
[SA20812] PrivateWire Registration Functionality Buffer Overflow

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-27

Michael Thumann has reported a vulnerability in PrivateWire, which can be exploited by malicious people to cause a DoS and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20812/

--
[SA20787] Opera JPEG Processing Integer Overflow Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-23

VigilantMinds has reported a vulnerability in Opera browser, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/20787/

--
[SA20784] Helix DNA Server Heap Corruption Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-26

Mu Security research team has reported two vulnerabilities in Helix DNA Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20784/

--
[SA20779] W-Agora Multiple File Inclusion Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-23

Dedi Dwianto has discovered some vulnerabilities in W-Agora, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20779/

--
[SA20857] Scout Portal Toolkit "forumid" Parameter SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-28

Simo64 has discovered a vulnerability in Scout Portal Toolkit, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20857/

--
[SA20847] MF Piadas "page" Parameter File Inclusion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-28

Kurdish Security has discovered a vulnerability in MF Piadas, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20847/

--
[SA20842] Jaws Cross-Site Scripting and SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-27

rgod has discovered some vulnerabilities in Jaws, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20842/

--
[SA20839] Custom dating biz dating script Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26

luny has reported some vulnerabilities in Custom dating biz dating script, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory: http://secunia.com/advisories/20839/

--
[SA20838] Anthill SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-26

r0t has discovered two vulnerabilities in Anthill, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20838/

--
[SA20813] DeluxeBB Cross-Site Scripting and SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2006-06-26

Two vulnerabilities have been discovered in DeluxeBB, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20813/

--
[SA20806] ICT "post" Parameter SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-26

r0t has reported a vulnerability in ICT, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20806/

--
[SA20802] Softbiz Dating Script SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-26

Ellipsis Security has reported some vulnerabilities in Softbiz Dating Script, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20802/

--
[SA20796] Open Guestbook Cross-Site Scripting and SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-27

Moroccan Security Team has discovered two vulnerabilities in Open Guestbook, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20796/

--
[SA20795] MyBB "showcodebuttons" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-06-26

imei addmimistrator has reported a vulnerability in MyBB, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20795/

--
[SA20793] IBM WebSphere Application Server Two Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Unknown, Exposure of sensitive information
Released: 2006-06-27

Two vulnerabilities have been reported in IBM WebSphere Application Server, where one has an unknown impact and the other can be exploited by malicious people to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/20793/

--
[SA20780] YaBB SE "user" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-23

Sam Thomas has discovered a vulnerability in YaBB SE, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20780/

--
[SA20872] Metalhead Usenet Script "group" Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-28

luny has reported a vulnerability in Metalhead Usenet Script, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20872/

--
[SA20863] Hostflow Help Desk Script Insertion Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-28

r0t has reported a vulnerability in Hostflow, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/20863/

--
[SA20843] Phorum Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-27

A vulnerability has been reported in Phorum, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20843/

--
[SA20841] SiteBar "command" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-28

Botan has discovered a vulnerability in SiteBar, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20841/

--
[SA20835] Sun Java System Application Server Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26

A vulnerability has been reported in Sun Java System Application Server, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20835/

--
[SA20833] Dating Agent PRO Cross-Site Scripting and Information Exposure

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2006-06-26

Ellipsis Security has reported some vulnerabilities and a weakness in Dating Agent PRO, which can be exploited by malicious people to disclose system information and conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20833/

--
[SA20822] dotProject "login" Parameter Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26

A vulnerability has been reported in dotProject, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20822/

--
[SA20821] Namo DeepSearch "p" Parameter Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26

Kil13r has reported a vulnerability in Namo DeepSearch, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20821/

--
[SA20820] aeDating Multiple Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26

Ellipsis Security has reported some vulnerabilities in aeDating, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20820/

--
[SA20817] Claroline Unspecified Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-27

securitynews has reported a vulnerability in Claroline, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20817/

--
[SA20808] Qdig Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26

Two vulnerabilities have been discovered in Qdig, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20808/

--
[SA20804] UebiMiau Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26

r0t has reported some vulnerabilities in UebiMiau, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20804/

--
[SA20803] mvnForum "activatemember" Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26

r0t has reported some vulnerabilities in mvnForum, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20803/

--
[SA20798] H-Sphere Multiple Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-27

r0t has reported some vulnerabilities in H-Sphere, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20798/

--
[SA20797] XennoBB "tid" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26

r0t has discovered a vulnerability in XennoBB, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20797/

--
[SA20781] GL-SH Deaf Forum show.php Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26

Some vulnerabilities have been discovered in GL-SH Deaf Forum, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20781/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Jun 30 12:36:31 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:36:31 -0500 (CDT)
Subject: [ISN] EMC to buy RSA for $2.1 billion
Message-ID:

http://news.com.com/EMC+to+buy+RSA+for+2.1+billion/2100-7350_3-6089665.html

By Joris Evers
Staff Writer, CNET News.com
June 29, 2006

update: Data storage specialist EMC has agreed to acquire digital security company RSA Security for slightly less than $2.1 billion.

EMC will pay $28 in cash for each share of RSA and the assumption of outstanding options, the Hopkinton, Mass., company said Thursday in a statement. That brings the aggregate purchase price to just under $2.1 billion, net of RSA's existing cash balance, it said.

With the takeover, EMC said, it will create a company that can help organizations securely manage their information. EMC is a large provider of data storage products, while RSA sells identity and access management technologies, such as its SecurID tokens, as well as encryption and key management software.
"EMC is where information lives and tomorrow EMC will be the company where information lives securely," Joe Tucci, chief executive of the data storage maker, said on a conference call.

During the conference call, Tucci faced heat from financial analysts who questioned the relatively high price paid for RSA and the reasons for acquiring the company.

"This company and this space are incredibly hot," Tucci said in response to the critique. "This was critical technology. I am telling you this was very competitive. Not having it would have put us at a severe disadvantage, and others that might have bought it would not have wanted to share it with us."

To grow its business, EMC needs to integrate data storage and security, Tucci said. "That is mandatory and if you don't do it right, you fall off. The whole name of the game here is how you build continued value for the long shot."

The announcement of the deal came after RSA Security earlier on Thursday issued a statement saying that it was in negotiations with unnamed parties on a potential strategic deal. That statement followed a New York Times report that said EMC was close to buying the digital security company. RSA put itself up for auction several months ago, the newspaper said.

The acquisition is expected to be completed late in the third quarter or early in the fourth quarter of 2006, subject to customary closing conditions and regulatory approvals, EMC said.

Upon completion of the deal, RSA will operate as EMC's Information Security Division, headquartered in Bedford, Mass. Art Coviello, RSA's current president and CEO, will become an executive vice president of EMC and president of the division.
From isn at c4i.org Fri Jun 30 12:36:45 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:36:45 -0500 (CDT)
Subject: [ISN] 'Blue Pill' Prototype Creates 100% Undetectable Malware
Message-ID:

http://www.eweek.com/article2/0,1895,1983037,00.asp

By Ryan Naraine
June 28, 2006

A security researcher with expertise in rootkits has built a working prototype of new technology that is capable of creating malware that remains "100 percent undetectable," even on Windows Vista x64 systems.

Joanna Rutkowska, a stealth malware researcher at Singapore-based IT security firm COSEINC, says the new Blue Pill concept uses AMD's SVM/Pacifica virtualization technology to create an ultra-thin hypervisor that takes complete control of the underlying operating system.

Rutkowska plans to discuss the idea and demonstrate a working prototype for Windows Vista x64 at the SyScan Conference in Singapore on July 21 and at the Black Hat Briefings in Las Vegas on Aug. 3.

The Black Hat presentation will occur on the same day Microsoft is scheduled to show off some of the key security features and functionality being fitted into Vista.

Rutkowska said the presentation will deal with a "generic method" of inserting arbitrary code into the Vista Beta 2 kernel (x64 edition) without relying on any implementation bug.

The technique effectively bypasses a crucial anti-rootkit policy change coming in Windows Vista that requires kernel-mode software to have a digital signature to load on x64-based systems.

The idea of a virtual machine rootkit isn't entirely new. Researchers at Microsoft Research and the University of Michigan have created a VM-based rootkit called "SubVirt" that is nearly impossible to detect because its state cannot be accessed by security software running in the target system.

Now, Rutkowska is pushing the envelope even more, arguing that the only way Blue Pill can be detected is if AMD's Pacifica technology is flawed.
"The strength of the Blue Pill is based on the SVM technology," Rutkowska explained on her Invisible Things blog. She contends that if generic detection could be written for the virtual machine technology, then Blue Pill can be detected, but it also means that Pacifica is "buggy."

"On the other hand, if you would not be able to come up with a general detection technique for SVM based virtual machine, then you should assume, that you would also not be able to detect Blue Pill," she added.

"The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices," she explained.

eWEEK.com Special Report: The Rise of Rootkits

Rutkowska stressed that the Blue Pill technology does not rely on any bug of the underlying operating system.

"I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform," she added.

Blue Pill is being developed exclusively for COSEINC Research and will not be available for download. However, Rutkowska said the company is planning to organize trainings about Blue Pill and other technologies where the source code would be made available.

Rutkowska has previously done work on Red Pill, which can be used to detect whether code is being executed under a VMM (virtual machine monitor) or under a real environment.
From isn at c4i.org Fri Jun 30 12:37:50 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:37:50 -0500 (CDT)
Subject: [ISN] REVIEW: "Configuring SonicWALL Firewalls", Chris Lathem et al
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKCNSWFW.RVW 20060602

"Configuring SonicWALL Firewalls", Chris Lathem et al, 2006, 1-59749-250-7, U$49.95/C$69.95
%A Chris Lathem
%C 800 Hingham Street, Rockland, MA 02370
%D 2006
%G 1-59749-250-7
%I Syngress Media, Inc.
%O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 amy at syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597492507/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1597492507/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1597492507/robsladesin03-20
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 500 p.
%T "Configuring SonicWALL Firewalls"

Chapter one provides an overview of the basics of networking, information security (at a rather simplistic level), and firewalls. The features of SonicWALL devices are described in chapter two. The material is mostly at sales brochure level. While some negative points are raised the text is not particularly careful: at one point we are told that the SonicWALL can terminate any type of VPN (Virtual Private Network), while later it is admitted that it can terminate any IPSec VPN. Management and configuration is covered in chapter three, although the command line interface gets pretty short shrift. Access control and policy management is dealt with in chapter four. Chapter five reviews user accounts and authentication. The two routing protocols possible with SonicWALL, RIP (Routing Information Protocol) and OSPF (Open Shortest Path First), are described in chapter six. Chapter seven explains network address translation (NAT) and lists the SonicWALL dialogue boxes for it. Transparent (layer two) mode screenshots are contained in chapter eight.
Chapter nine throws around terms like "attack detection and defence" and "intrusion prevention" but is really a list of the application proxy setting screens. IPSec adjustments are shown in chapter ten. Availability and redundancy functions are described in eleven. "Troubleshooting," in chapter twelve, enumerates various utilities and diagnostics. Chapter thirteen shows shots of the multi-device management system.

This is a decent enough replacement for vendor documentation, but not much more.

copyright Robert M. Slade, 2006 BKCNSWFW.RVW 20060602

======================
(quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org
It is bad to suppress laughter; it goes back down and spreads to your hips.
Dictionary Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

From isn at c4i.org Fri Jun 30 12:37:26 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:37:26 -0500 (CDT)
Subject: [ISN] Stolen VA Laptop and Hard Drive Recovered
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/29/AR2006062900352.html

By Christopher Lee and Zachary A. Goldfarb
Washington Post Staff Writers
June 30, 2006

Federal officials yesterday announced the recovery of computer equipment stolen from an employee of the Department of Veterans Affairs. They said that sensitive personal information of 26.5 million veterans and military personnel apparently had not been accessed.

The laptop and external hard drive, stolen May 3 from a VA data analyst's home in Aspen Hill, contained the names, birth dates and Social Security numbers of millions of current and former service members. The theft was the largest information security breach in government history and raised fears of potential mass identity theft.

VA Secretary Jim Nicholson announced the recovery yesterday during a hearing of the House Committee on Veterans Affairs.
"Law enforcement has in their possession the laptop and hard drive," Nicholson said. "The serial numbers match. They are diligently conducting forensic analysis on it to see if they can tell whether it's been duplicated or utilized or entered in any way, and that work is not complete. However, they did say to me that there is reason to be optimistic."

FBI officials and local authorities said at a news conference that a person who had the laptop contacted U.S. Park Police on Wednesday after seeing news accounts and notices of a $50,000 reward offered by Montgomery County police. The devices were recovered in the "general vicinity" of Aspen Hill, said Chief Dwight E. Pettiford of the Park Police.

FBI Special Agent in Charge William D. Chase, of the agency's Baltimore office, said it is "way too early" to say whether the person will get the reward or whether criminal charges will be filed soon. FBI spokeswoman Michelle Crnkovich said the tipster is not a suspect.

"A preliminary review of the equipment by computer forensic teams has determined that the data base remains intact and has not been accessed since it was stolen," the FBI said in a statement. "A thorough forensic examination is underway, and the results will be shared as soon as possible."

Lawmakers hailed the investigative work but said VA still has much to do to improve data security.

"[T]he basic deficiencies leading to this data loss must be corrected," Rep. Steve Buyer (R-Ind.), chairman of the Veterans Affairs Committee, said in a statement. "The history of lenient policies and lack of accountability within VA management must be rectified."

Rep. Lane Evans (Ill.), the committee's ranking Democrat, said in a statement: "Today's announcement does not relieve the Department of Veterans Affairs from fixing its broken data security system and failed leadership."

The theft has proved to be an embarrassing and expensive management failure for VA.
In a series of hearings, lawmakers have criticized Nicholson for the department's lax security practices and sluggish response, noting that the secretary was not told of the burglary for 13 days. The incident also has cast light on the department's consistent ranking near the bottom among federal agencies in an annual congressional scorecard of computer security.

Pedro Cadenas Jr., the VA official in charge of information security, resigned yesterday for personal reasons, VA officials said. Earlier, a high-ranking political appointee was dismissed and a longtime career manager was forced to retire.

The Bush administration this week asked Congress for $160.5 million to pay for free credit monitoring for veterans and military personnel. VA already has budgeted $25 million to create a call center to handle veterans' questions and to send letters alerting veterans about the theft. Several veterans groups have filed class-action lawsuits locally and in Kentucky against the government, seeking $1,000 in damages per affected veteran.

Initially, VA thought that all of the 26.5 million people affected were veterans. But a database comparison revealed that the stolen equipment also contained Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel, including 1.1 million active-duty military personnel, 430,000 National Guard members and 645,000 reserve members.

Nicholson said it is too early to tell whether free-credit monitoring for veterans is now unnecessary. VA still plans to hire a data analysis company to monitor whether veterans' identities are being stolen, he said.

Rep. Bob Filner (D-Calif.) said yesterday that three VA documents obtained by the Veterans Affairs Committee indicate that the data analyst was authorized to take a laptop home and use a software package to access the data. That contradicted Nicholson's previous testimony that the employee was not authorized to have the information at home.
"He got all the approvals that he was supposed to have," Filner said. "I don't know of a policy that he violated, if you'll tell me one. And that's the real negligence -- that there were no policies."

Nicholson said he had not seen the documents, and declined to comment because the career analyst is challenging Nicholson's decision to fire him.

Tim S. McClain, VA's general counsel, told the panel that one of the documents did not apply to the laptop that was stolen. He acknowledged that the other documents granted the analyst access to Social Security numbers and permitted him to have software at home.

Jim Mueller, commander-in-chief of the national Veterans of Foreign Wars, applauded the equipment's recovery, but said in a statement that Nicholson still has much to do to repair the agency's reputation.

"The longer Secretary Nicholson waits to hold people accountable, the more confidence he will lose in the eyes of America's veterans, their families, and those who wear the uniform today," he said.

© 2006 The Washington Post Company

From isn at c4i.org Fri Jun 30 12:37:37 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:37:37 -0500 (CDT)
Subject: [ISN] Indy VA office is missing backup tape with vets' records
Message-ID:

http://www.indystar.com/apps/pbcs.dll/article?AID=/20060630/NEWS02/606300440

By Maureen Groppe
Star Washington Bureau
June 30, 2006

WASHINGTON -- The Department of Veterans Affairs is missing a backup tape with more than 16,000 legal case records from an Indianapolis office serving veterans in Indiana and Kentucky.

That disclosure came the same day Veterans Affairs Secretary Jim Nicholson announced the recovery of a stolen laptop computer and hard drive containing personal information on as many as 26.5 million veterans.

The missing tape from the Regional General Counsel's Office in Indianapolis doesn't contain as much data as was on the stolen laptop, said U.S. Rep.
Steve Buyer, R-Ind., who heads the House Veterans' Affairs Committee. But the information is of greater sensitivity, he said, because "much is privileged and confidential." The Indianapolis tape contains personally identifiable information on veterans, their dependents or department employees, such as dates of birth, Social Security numbers, patient records and other documentation related to legal cases handled by the Regional General Counsel's Office. The office, in the Federal Building in Indianapolis, handles VA cases involving such issues as collections on bankruptcies, hospital debt, tort claims, workers' compensation and other employee complaints. The cases also may involve neighboring states. Whether the tape was misplaced or stolen, or something else happened, Buyer said, "is completely open to the realm of imagination and speculation." Nicholson said veterans potentially affected are being notified and will have access to the same free credit-protection monitoring system that has been offered to those whose information was on the stolen laptop. Copyright 2006 IndyStar.com. All rights reserved From isn at c4i.org Fri Jun 30 12:36:57 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 30 Jun 2006 11:36:57 -0500 (CDT) Subject: [ISN] Authorities warn of wireless cyber pirates Message-ID: http://www.9news.com/acm_news.aspx?OSGNAME=KUSA&IKOBJECTID=1db245df-0abe-421a-019d-d112657c4feb&TEMPLATEID=0c76dce6-ac1f-02d8-0047-c589c01ca7bf By Ward Lucas I-Team Reporter 6/28/2006 DOUGLAS COUNTY - The Sheriff's Department says it's going to start warning computer users that their networks may be vulnerable to hackers. It may be one of the first law enforcement agencies in the country to do so. Wireless computer equipment and home computer networks are everywhere these days. Almost all new computers sold are used by consumers to network in one way or another to other computers. However, that wireless capability may be making those computers vulnerable to hackers. 
"If someone is driving by on the street they could easily use your internet access to commit a crime, whether it's fraudulent credit card transactions or surfing child porn or something else," said Brian Radamacher, a member of the Douglas County Sheriff's Special Investigations Unit.

Wireless computer equipment sends out signals that sometimes broadcast for up to a mile. Other computer users can home in on those signals and use them to access the internet.

Radamacher says hackers can use stolen Internet access to make fraudulent credit card purchases or bank transfers. He also says hackers can upload or download such things as child pornography.

That activity would be completely invisible to the legitimate owner of that network. However, it could make innocent computer users vulnerable to having their computers confiscated during police investigations.

"The unfortunate thing is when we go to issue the warrants or something else you may end up getting your computer seized because of it," said Radamacher. "A lot of times it can take months to get your computer back after the processing."

The Sheriff's Department plans to equip several of its community service and patrol cars with devices that detect unprotected computer networks. In cases where investigators can figure out who owns the networks, they'll try to warn of potential security issues. They'll also drop off brochures with instructions to computer users on how to password protect their networks.

Copyright by KUSA-TV, All Rights Reserved

From isn at c4i.org Fri Jun 30 12:37:12 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:37:12 -0500 (CDT)
Subject: [ISN] It's the Economy, Stupid
Message-ID:

http://www.wired.com/news/columns/0,71264-0.html

By Bruce Schneier
June 29, 2006

I'm sitting in a conference room at Cambridge University, trying to simultaneously finish this article for Wired News and pay attention to the presenter onstage.
I'm in this awkward situation because 1) this article is due tomorrow, and 2) I'm attending the fifth Workshop on the Economics of Information Security, or WEIS: to my mind, the most interesting computer security conference of the year.

The idea that economics has anything to do with computer security is relatively new. Ross Anderson and I seem to have stumbled upon the idea independently. He, in his brilliant article from 2001, "Why Information Security Is Hard -- An Economic Perspective" (.pdf), and me in various essays and presentations from that same period. WEIS began a year later at the University of California at Berkeley and has grown ever since. It's the only workshop where technologists get together with economists and lawyers and try to understand the problems of computer security.

And economics has a lot to teach computer security. We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: The people who could protect a system are not the ones who suffer the costs of failure.

When you start looking, economic considerations are everywhere in computer security. Hospitals' medical-records systems provide comprehensive billing-management features for the administrators who specify them, but are not so good at protecting patients' privacy. Automated teller machines suffered from fraud in countries like the United Kingdom and the Netherlands, where poor regulation left banks without sufficient incentive to secure their systems, and allowed them to pass the cost of fraud along to their customers. And one reason the internet is insecure is that liability for attacks is so diffuse. In all of these examples, the economic considerations of security are more important than the technical considerations.

More generally, many of the most basic security questions are at least as much economic as technical. Do we spend enough on keeping hackers out of our computer systems? Or do we spend too much?
For that matter, do we spend appropriate amounts on police and Army services? And are we spending our security budgets on the right things? In the shadow of 9/11, questions like these have a heightened importance.

Economics can actually explain many of the puzzling realities of internet security. Firewalls are common, e-mail encryption is rare: not because of the relative effectiveness of the technologies, but because of the economic pressures that drive companies to install them. Corporations rarely publicize information about intrusions; that's because of economic incentives against doing so. And an insecure operating system is the international standard, in part, because its economic effects are largely borne not by the company that builds the operating system, but by the customers that buy it.

Some of the most controversial cyberpolicy issues also sit squarely between information security and economics. For example, the issue of digital rights management: Is copyright law too restrictive -- or not restrictive enough -- to maximize society's creative output? And if it needs to be more restrictive, will DRM technologies benefit the music industry or the technology vendors? Is Microsoft's Trusted Computing initiative a good idea, or just another way for the company to lock its customers into Windows, Media Player and Office? Any attempt to answer these questions becomes rapidly entangled with both information security and economic arguments.

WEIS encourages papers on these and other issues in economics and computer security. We heard papers presented on the economics of digital forensics of cell phones (.pdf) -- if you have an uncommon phone, the police probably don't have the tools to perform forensic analysis -- and the effect of stock spam on stock prices: It actually works in the short term.
We learned that more-educated wireless network users are not more likely to secure their access points (.pdf), and that the best predictor of wireless security is the default configuration of the router.

Other researchers presented economic models to explain patch management (.pdf), peer-to-peer worms (.pdf), investment in information security technologies (.pdf) and opt-in versus opt-out privacy policies (.pdf). There was a field study that tried to estimate the cost to the U.S. economy for information infrastructure failures (.pdf): less than you might think. And one of the most interesting papers looked at economic barriers to adopting new security protocols (.pdf), specifically DNS Security Extensions.

This is all heady stuff. In the early years, there was a bit of a struggle as the economists and the computer security technologists tried to learn each other's languages. But now it seems that there's a lot more synergy, and more collaborations between the two camps.

I've long said that the fundamental problems in computer security are no longer about technology; they're about applying technology. Workshops like WEIS are helping us understand why good security technologies fail and bad ones succeed, and that kind of insight is critical if we're going to improve security in the information age.

-=-

Bruce Schneier is the CTO of Counterpane Internet Security and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can contact him through his website.