From isn at c4i.org Wed Mar 1 02:46:46 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:46:46 -0600 (CST)
Subject: [ISN] Korea to Fight Web Attacks From China
Message-ID:

http://times.hankooki.com/lpage/tech/200602/kt2006022817142511780.htm

By Kim Tae-gyu
Staff Reporter
02-28-2006

To counter the problem of identity theft, the Korean government will block the backdoor Internet pathways from abroad, which were used to steal personal data by getting bypass links to the country's Internet network.

The Ministry of Information and Communication Tuesday revealed steps aimed at controlling the nation's rampant personal data leakage to overseas countries, especially China.

"Since last week, in collaboration with Internet service providers, we already intercepted 2,600 illegal IPs, which were found to be the main routes for penetrating the Korean network," Lee Sung-ok, director general at the ministry, said.

Identity theft en masse surfaced last month after complaints piled up that hackers stole private data, including resident registration numbers, from Koreans in order to subscribe to "Lineage," the popular online game.

Chinese hackers are suspected of leading the cyber crimes via a bypass link based on unlawful IPs, an alternative path other than the legitimate, primary one.

"In the future, we will continue to keep tabs on such illegal IPs geared toward breaking into the Korean network and stealing personal information," Lee said.

Lee said the ministry will also urge local Internet firms to use an alternative system other than resident registration numbers, the Korean version of social security numbers, for signing up to Web sites.

"Furthermore, we will recommend Web sites use cell phones as a certification method to deter illegal subscribers. They can require people to enter their mobile phone numbers together with resident numbers when signing up," Lee noted.
"The site then will send certification figures via mobile handsets and users will have to enter the multi-digit number on the Web site for user verification," he added.

The Chinese government will be asked to delete the personal data of many Koreans in circulation in China's cyberspace, he said.

To prevent the recurrence of massive personal data leakage, the ministry also unveiled a package of measures including propagation of security patches as well as firewalls.

"Currently, the penetration rates of security patches stand at just 38 percent. We will increase the figure to 80 percent and mandate gaming companies to install Web firewalls," Lee said.

Toward that end, the country's main portal and game sites will have to be equipped with programs that automatically install security patches on subscribers' computers.

The ministry also looks to check the security of the country's 70,000 most-visited Web sites every day to shield them from onslaughts by unscrupulous crackers.

From isn at c4i.org Wed Mar 1 02:47:23 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:47:23 -0600 (CST)
Subject: [ISN] Companies Contemplate Life Without BlackBerrys
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/02/28/AR2006022801480.html

By Yuki Noguchi
Washington Post Staff Writer
March 1, 2006

Eugene Stein is thinking about Plan B for the 1,900 BlackBerry e-mail devices under his charge that could be rendered useless if their maker, Research in Motion Ltd., gets slapped with a court-ordered shutdown.

"It'd be pretty significant," said Stein, chief technology officer for law firm White & Case LLP. His backup plan for keeping the firm's employees connected to wireless e-mail is to use more Palm Treo devices with Good Technology Inc. software, a rival to the BlackBerry system.

"I would have to use all my technical guys" and sink at least $40,000 into buying new devices, he said. "I can't buy and replace them all in one shot," but he has secured assurances from vendors that he will be able to order some Treos overnight, putting them in the hands of attorneys traveling internationally or working on key deals first. After that, he would experiment with the software upgrade RIM says it has developed, or replace the remaining BlackBerrys as soon as possible.

It's hard not to resent RIM for not resolving its legal issues, Stein said. "They shouldn't have put me in this position."

Many BlackBerry users are in limbo, awaiting a federal judge's decision about whether to shut down the company's U.S. operations for infringing on patents. But life is even harder for people like Stein, who manage information technology and have to make educated guesses about the outcome of the case, then make contingency plans.

There are lots of factors to consider. At a hearing last week, U.S. District Judge James R. Spencer indicated that he would honor a 2002 jury decision finding RIM guilty of infringing McLean-based NTP Inc.'s patents. At the same time, on the morning of Friday's hearing, the U.S. Patent and Trademark Office rejected the validity of the second of the five relevant patents it originally granted to NTP -- a move RIM was hoping would sway public and judicial opinion in its favor.

If all other legal measures fail and the judge orders service cut off for most non-government users -- roughly two-thirds of the 3.2 million U.S. subscribers -- RIM has said it has a software solution that will work around its patent problem. But information technology officers like Stein haven't had a chance to test it yet.

Iron Age Corp.'s chief information officer, Drew Farris, is divided about what to do with the 150 BlackBerry e-mail devices that sales executives at his specialty shoe business rely on. On the one hand, Farris thinks RIM will settle its long-running patent dispute before a possible court-ordered shutdown.
That would spare Farris's company from having to replace its devices at an estimated cost of $1,500 per user for equipment, software and training. On the other hand, it may not.

"Based on what I've read and seen, I'm at a loss; I'd say it's 50-50" for either outcome, said Farris, who follows the case closely on Internet news sites and newsletters.

RIM's problems have been good for competitors' business, including Good and Visto Corp., both of which have received hundreds of inquiries from companies looking for alternatives, and both of which have licensing agreements with NTP.

But most businesses are still waiting for the judge's decision, said Todd Kort, an analyst with Gartner Inc. who said he has talked to 75 to 80 technology officers since November about their contingency plans.

"They're under a fair amount of pressure from their users, and they're getting pressure from above" to make sure systems keep running uninterrupted, Kort said. "But of those, only four or five are in the process of switching service," because changing out the service is expensive and time-consuming, he said.

Among other things, longtime BlackBerry users are used to the software and the ergonomics of their palm-size devices, so deploying something new would mean losing productivity while people figure out a new system.

Kort remains optimistic that his clients won't have to do that. He said RIM is far more likely to either settle or deploy its work-around than shut down service.

John Stevenson is placing his bets on the work-around. He retired this week as chief information officer at Sharp Electronics' U.S. division, but not before having to decide what to do about the 300 BlackBerrys used by company executives.

"Do we go back to the old way of doing things -- using cell phones, text messaging, and laptop computers," or should the company think about buying a new set of devices at great expense, Stevenson wondered, and he consulted his peers through a trade group, the Society for Information Management.

For now, he said, "we're counting on a BlackBerry work-around. Is that a dangerous plan without a Plan C? Maybe."

John Jones is among those information technology executives who think the case won't amount to a hill of beans. "I just see this going in RIM's favor the entire way," said Jones, who is vice president for information technology at Pulver.com Inc., an Internet telephony and technology conference company.

But even Jones has a backup plan. "Right now my colleague is taking a look at the new Microsoft push e-mail technology -- just in case."

© 2006 The Washington Post Company

From isn at c4i.org Wed Mar 1 02:47:35 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:47:35 -0600 (CST)
Subject: [ISN] DDoS Attacks Target Prominent Blogs
Message-ID:

http://news.netcraft.com/archives/2006/02/28/ddos_attacks_target_prominent_blogs.html

By Rich Miller
February 28, 2006

Several prominent weblogs have been hit with distributed denial of service (DDoS) attacks in recent weeks, as the target list for digital attackers continues to broaden. While some of the attacks appear to be politically motivated, on Monday a DDoS struck one of the blogosphere's most financially successful bloggers.

Australian Darren Rowse confirmed that an outage Monday on his ProBlogger weblog was caused by a DDoS, but provided no details about the attackers or their motives. Rowse gained international attention last year when he revealed that he would make more than $100,000 as a solo blogger in 2005, primarily through earnings from Google AdSense advertising and commissions from affiliate referral programs.
Has the success of professional bloggers made them viable financial targets for professional DDoS attackers? Sites with large volumes of transactions are the primary targets for a cottage industry of digital extortionists using DDoS attacks, usually launched through large botnets of compromised computers. These attacks have previously targeted online betting sites, payment gateways, domain parking services and even online games.

An earlier series of attacks targeted the blog of Michelle Malkin, who led a movement among bloggers to mirror the controversial cartoons of the Prophet Mohammad that initially appeared in a Danish magazine. The attacks began Feb. 15, and escalated on Feb. 23, when an attack from a botnet in Turkey forced Malkin to post on the Pajamas Media weblog until her main site was available again.

The attacks on Malkin's blog appear to be part of a broader pattern of hacker activism targeting sites that have featured the cartoons, including the defacement of hundreds of sites as well as denial of service attacks.

From isn at c4i.org Wed Mar 1 02:48:17 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:48:17 -0600 (CST)
Subject: [ISN] Wh00ps - Email from CSI last week
Message-ID:

---------- Forwarded message ----------
Date: Tue, 28 Feb 2006 15:54:41 -0600
From: "Chris Keating, Director Of CSI"
Reply-To: chriskeating @ cmp.com
To: wk at ...........
Subject: Email from CSI last week

Dear CSI Member,

I'm writing to apologize for a mistake we made in an e-mail message you received from us last week. In the rest of this note, I will explain the mistake we made and why we believe it merits an apology (and an explanation). But since your time is valuable, let me summarize in my first paragraph that an error occurred, in which your name and address were inadvertently given to one other CSI member or potential event attendee.
This was caused by a mail merge error, not any kind of breach of security, nor was your information generally broadcast or the mailing list as a whole exposed in any way. Though the inadvertent distribution was limited in scope, we still take it very seriously. To try to ensure there are no more such errors, we are taking the steps outlined below. If you have any questions about the error or our reaction, please read the paragraphs that follow and if you still have questions beyond this explanation, please don't hesitate to contact me at the address given below.

The message we sent last week invited you to join us for an Editorial Perspective TechWebCast called Security: The Application Point of View. The invitation still stands--we'd love to have you join us and you can find out more by Clicking Here.

In last week's letter, we made use of a feature we're rather proud of: to help speed the process if you decided to register for the event, the e-mail message included a pre-filled registration form. Obviously, what's supposed to be in the pre-filled form is information about you--information you've shared with us in the past such as your business mailing address and your telephone number. This information did not include traditionally sensitive categories of information such as credit card numbers or social security numbers.

The data for the form is merged with the email message content as each message is sent out. In this particular mailing, the data used for the merge had been corrupted, such that each recipient record included in part certain data relating to another recipient. As a result, each form we emailed was incorrectly pre-filled with the information of a different individual in the database who was not the recipient of the message.

The specific condition that caused the database error to occur on this occasion is being corrected.
Additionally, we are examining the possibility of designing new code for the application that merges the data with e-mail messages to assist in addressing problems of this type. If these efforts and other efforts do not result in making us sufficiently confident in our ability to catch such errors, we plan to remove the pre-filled form feature from future mailings until we can achieve that level of confidence.

Again, your information was released to only one other CSI member or potential event attendee and no credit card or information of similar sensitivity was involved. Even a small slip-up, though, doesn't show as much respect for the trust you've placed in us as we'd like. Please accept my apologies and my assurance that we consider your privacy an integral part of our success as a security organization.

With best regards,

Chris Keating, Director
Computer Security Institute
chriskeating @ cmp.com

If you would prefer not to be contacted again about such events, please opt-out here.

CMP Media LLC
600 Community Drive
Manhasset, NY 11030
CMP Privacy Policy

From isn at c4i.org Wed Mar 1 02:46:30 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:46:30 -0600 (CST)
Subject: [ISN] Three Fidesz workers suspended over hacking of MSZP server
Message-ID:

http://www.budapesttimes.hu/index.php?art=1508

Michael Logan
Budapest
February 27, 2006

Main opposition party Fidesz has suspended the three men believed responsible for hacking into the election campaign website of the ruling Hungarian Socialist Party (MSZP). The unnamed men were blamed for using the Fidesz server to hack into the website and download around 3,000 files, something that Fidesz initially denied before shifting the blame onto the "overzealous" employees. Police have asked Fidesz for the three workers' names.
Counter-claims appear effective

Fidesz leader Viktor Orbán has attempted to play down the incident, despite the fact that police are now investigating, and other party members have claimed that the MSZP has committed similar crimes in the past.

Daily Népszabadság claimed that Prime Minister Ferenc Gyurcsány's campaign schedule has now been thrown into doubt, as have many of the documents related to his speeches and itinerary. The paper said that Gyurcsány would now have to change his route around the country and change his speeches.

However, it would seem that, despite the MSZP's efforts to draw attention to what it believes is a serious incident, polls conducted after the goings-on found that people do not particularly care. Pollsters found that, despite the vast majority of people saying information should not be collected by illegal means, only 10% believed that either party had used underhand methods in the campaign so far.

From isn at c4i.org Wed Mar 1 02:48:32 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:48:32 -0600 (CST)
Subject: [ISN] Symantec ranks Houston high in WiFi security survey
Message-ID:

http://www.chron.com/disp/story.mpl/business/silverman/3689686.html

By DWIGHT SILVERMAN
Copyright 2006 Houston Chronicle
Feb. 27, 2006

Wireless networking has become the dominant way in which home users network their computers. WiFi is fast, fairly easy to set up and relatively inexpensive.

But it's also by nature insecure. With WiFi networking, you're spewing your data into the ether, and most wireless hardware comes with the most basic security features turned off by default.

Understanding human nature - and acknowledging the technical cluelessness of the average home user - you'd think that the majority of wireless home networks would be wide open, allowing anyone with a WiFi-enabled computer to connect to the Internet and possibly access personal data.

But, based on a drive-by survey conducted by software maker Symantec, not in Houston.
For two days in mid-November, Symantec security experts drove through neighborhoods in seven areas of Houston: Galleria/Memorial, the Heights, the Third Ward, Midtown/Montrose, Shadow Creek/Silverlake near Pearland, the Villages off I-10 West, and parts of the Westchase/near-Katy area. The specific Zip codes: 77056, 77008, 77004, 77006, 77002, 77584, 77024, 77082 and 77079.

As they drove, they used WiFi "sniffing" devices to look for signals from wireless routers, a practice known as wardriving. They checked each one to see if it was encrypted - meaning signals between the routers and the devices that connected to them are scrambled - and whether the owners of the routers had changed the default network name, or SSID.

Although the methodology was hardly foolproof, which I'll discuss in a minute, the results are interesting:

* Symantec's researchers found a total of 1,985 WiFi access points.
* More than 61 percent were using encryption.
* More than 80 percent had nondefault SSIDs.
* The more affluent neighborhoods had a higher incidence of nonencrypted access points, although there were far more residential WiFi networks in the richer areas.
* The highest percentage of nonencrypted networks was in the Villages, at almost 47 percent. The lowest percentage was in the Third Ward and West Houston, with about 30 percent.

Jonah Paransky, a senior manager for security products at Symantec, said four other cities had been surveyed in a similar fashion - New York, Los Angeles, Chicago and Washington, D.C. - and Houston had the highest percentage of encrypted residential networks. Symantec would not release the specific numbers for the other cities.

Congratulations, gang! It's good to be No. 1 at something other than obesity and pollution - although you folks in the Villages obviously have some work to do.

Now, while these numbers are interesting, a couple of aspects make the survey's results less than ironclad.
The researchers primarily focused on the central and western parts of the area, and largely ignored the far-flung suburbs. Adding those into the mix might have produced dramatically different results.

In addition, they only looked for encrypted versus open networks. But there are other ways to secure a WiFi network without encryption, including a technique known as MAC filtering. All network cards, whether wired or wireless, have a unique serial number. You can tell a WiFi router to only accept connections from computers with certain MAC numbers, thus locking out unknown users. It's possible that some of the unencrypted networks were using MAC filtering.

Paransky argued that MAC filtering isn't truly secure, because it's possible to capture traffic between a PC and a router if it's not encrypted.

He offered these tips for wireless network security, many of which should be familiar to readers of this column:

* Turn on encryption. D'oh!
* Change the default SSID in your router, and if the router allows it, turn off broadcasting of the SSID. This makes your home network invisible to those casually looking for wireless connections, although it can be spotted with the right software or equipment.
* Place your wireless router as close to the middle of your house as possible, which decreases the chance its signal could be detected from the street. It also helps decrease WiFi dead spots. Newer routers that use range-boosting technologies such as MIMO, and the upcoming 802.11n routers, will blast signals for greater distances, so depending on your house's size, this may not have much effect.
* Use a software firewall even though your router likely has one built in. Paransky said if intruders manage to penetrate your network, firewalls on each machine may keep others protected.

And, of course, because the survey was done by Symantec - which makes the Norton line of security software - Paransky suggested users keep up-to-date antivirus and antispyware on all their computers.
You didn't think the Symantec people went to all this trouble out of the goodness of their hearts, now did you?

From isn at c4i.org Wed Mar 1 02:48:54 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:48:54 -0600 (CST)
Subject: [ISN] Who's Reading Your Cell's Text Messages?
Message-ID:

http://www.eweek.com/article2/0,1895,1931904,00.asp

By Paul F. Roberts
February 27, 2006

Have you ever hit "Send" on a text message on your mobile phone before addressing it? Ever wondered where all those lost SMS text messages go? If so, you might want to speak with Stan Bubrouski, whose cell phone has been channeling wayward text messages from across the country for years.

Bubrouski, a computer science major at Northeastern University in Boston, is the proud owner of 'Null at vtext.com,' an account on the popular Verizon text messaging service that allows Internet users to send e-mail and IM messages directly to his cell phone as SMS text messages.

Bubrouski said he was just being clever when he signed up for a Verizon vText account with the user name 'null,' after his parents bought him his first mobile phone during his freshman year at Northeastern, in 2001. "I've been paying for it ever since," Bubrouski told eWEEK.

Bubrouski's new vText account didn't just hook him up with his friends, it also opened the door to a blizzard of unsolicited messages from individuals and companies that, for the last five years, have unwittingly forwarded reams of data to his phone. That data has become more sensitive in recent months, as companies rush to deliver everything from SAT test scores to medical information and automobile diagnostics to cell phones and PDAs.

Bubrouski's experience, while unusual, could be a sign of growing pains in the wireless industry, as companies rush to provide wireless data services, overlooking steps that could secure the data in transit, according to one security expert.
Bubrouski, who is finishing his senior year at Northeastern, noticed something strange about his vText account almost immediately after activating it in 2001.

"I started getting phantom text messages with no callback number and an empty 'From:' field," Bubrouski wrote.

Initially, the content of the messages was innocuous, he said. "It was things like 'don't forget to drop the car off at baker's' and to 'call mom at 781-XXX-XXXX', stuff like that," Bubrouski wrote.

The problem worsened in mid-2002, when Bubrouski's phone began channeling what he claims were dozens of messages from an e-mail address used by General Motors' then-new "OnStar" system. The messages quickly filled up the memory on his cell phone and contained diagnostic responses to tests on a beta version of OnStar.

"Basically, peoples' cars were sending messages to my phone," Bubrouski wrote.

Bubrouski contacted GM and was able to reach someone familiar with the OnStar tests, and get them to stop the messages after about a week.

"I was happy again - for about two weeks," he wrote.

Next, Bubrouski's phone started receiving SMS sports scores and news from ESPN, the sports cable network, which had struck up a partnership with Verizon. Bubrouski's phone was still getting dozens of messages from the service, but because the service wasn't public yet, he couldn't find anyone at Verizon or ESPN who had heard of it and could help him with his problem.

Bubrouski said he deleted the messages from his phone. He was unable to provide proof of the OnStar or ESPN messages to eWEEK.

In a pattern that would repeat itself in the years to come, Bubrouski simply blocked the ESPN e-mail address using a blocking list at vtext.com and waited for the next stream of messages to hit his phone. Over time, Bubrouski accumulated a block list of around 15 "offenders" - individuals and companies who were sending him large volumes of unsolicited information.
Bubrouski theorizes that his choice of user name is the culprit in the data leaks. In the world of software design, "Null" is commonly used to represent "no value" or "0." Developers of mobile services use the "Null" address during testing routines, assuming that the messages won't be sent to anyone. Verizon may also be substituting "Null" for an invalid or missing "To" address in messages sent over Vtext, he said.

Misplaced "Call Mom" messages aren't likely to harm anyone, but by late 2004, the unsolicited SMS problem exploded, and took on a darker nature, as mobile data services started popping up all over to take advantage of a new generation of feature-rich mobile phones, Bubrouski said.

"I was getting people's grades, order information from unknown retailers, personal messages with people's credit card numbers [and] social security numbers," he wrote.

Most of the messages were sent by individuals, but many arrived in volume from companies like eMbience Inc. of San Diego, Calif., which unwittingly sent reams of MapQuest Traffic data to Bubrouski's phone.

An eMbience spokeswoman said that Bubrouski's vText account was the same as an account used by engineers for internal testing. Once eMbience was informed, in November, that MapQuest test messages were going to Bubrouski's phone, they changed the address used in testing for the company's services.

Another company involved was Vocel Inc., also of San Diego, which develops mobile data services for companies including The Princeton Review and Random House. The company's Princeton Review service helps students study for a variety of standardized tests using their cell phone, including the SAT, GRE and LSAT, according to Tyler Jensen, vice president of operations at Vocel. A new Vocel service that is in testing called "Pill Phone" sends medication reminders to individuals' cell phones, he said.
Messages from both the Princeton Review Service and Pill Phone were accidentally sent to Bubrouski's phone because of a flaw in a sharing feature in the service that allows test results completed on the phone to automatically be forwarded in SMS or e-mail format to a third party such as a parent or tutor, he said.

Messages without a "To" address were not delivered by the service. However, because of a programming flaw in the client server software, messages with an invalid address, such as a blank space, were translated as "Null," and wound up on Bubrouski's phone, Jensen said.

"The fault was entirely ours," he said. Vocel was informed of the problem by Bubrouski on Feb. 8 and had the problem fixed by Feb. 10.

While the Princeton Review messages that Bubrouski received were from a service that is in production, the Pill Phone messages were merely test data generated by Vocel engineers, not actual reminders, he said.

For example, text messages from server at vocel.com told Bubrouski that "A student at 4105704297 has just completed Princeton Review Word Set 1 with a score of 71%." A message from pillphone at vocel.com informed him that "A user at 7325894169 has not responded to his/her 01:45 PM dose of Pronestyl-SR," according to examples of data provided to eWEEK.

Vocel does not channel sensitive data from third-party servers. All the data that is circulated, such as test scores and medication information - is entered by the cell phone user, or generated on his or her phone, Jensen said.

Still, Vocel is taking the incident seriously. "This was a wake-up call for us from the standpoint of ensuring that back-end systems are doing verification and checking," he said.

Jensen was loath to criticize Verizon, which provides SMTP gateways that route data sent from cell phone users and providers like Vocel to its customers.
However, others said that Bubrouski's experience may be a sign of larger problems with the way that providers like Verizon are running their text messaging networks.

SMS users, like e-mail users, rely on the fact that carriers like Verizon won't accidentally deliver improperly formatted messages, such as those with no addressee, to an unrelated address, said John Pescatore, a vice president at Gartner.

"There's no way that this should be happening. No e-mail system would ever do that," he said. Verizon should be rejecting messages with improperly formatted addressee information, not forwarding it to an account, he said.

Bubrouski agrees. "I'd have to say Verizon is at fault. Sure, service providers make mistakes, but Verizon shouldn't be accepting messages from no one to no one," he said.

Verizon declined to comment in detail on Bubrouski's case. However, Verizon wireless spokesman Jeffrey Nelson thanked eWEEK for bringing the 'Null' account issue to the company's attention, and said Verizon is looking into the issue.

The problems that Bubrouski experienced may be particular to Verizon's network. However, security is a larger problem in text messaging and e-mail, where trust is assumed between senders and receivers of message data, said Brian Berger, a vice president of marketing at Wave Systems Inc. and marketing chair at the TCG (Trusted Computer Group).

TCG is developing specifications for hardware building blocks, including the TPM (Trusted Platform Module) chip that can secure transactions from mobile devices. Companies like Nokia, Motorola, ARM, Vodafone, Wave Systems, as well as Intel and IBM are participating in the process, and specifications are expected this summer, Berger said.

As mobile devices become more powerful and are used to log into secure networks, and conduct high value transactions, users will need to have a way to authenticate themselves, manage passwords and prove their identity using mobile phones, he said.
While Verizon works on the problem, Bubrouski said he's grown accustomed to his plight as a shepherd for lost text messages.

"I've received thousands of text messages over the past five years," he wrote. "Probably only about 200 or so were actually meant for or even sent to me directly."

Getting rid of his vText account would stop the stream of unwanted SMS messages, but Bubrouski said he enjoys reading the messages he receives, and blocks companies and individuals when the volume of SMS they're sending him gets too high.

"I've kind of gotten used to it," he wrote.

From isn at c4i.org Fri Mar 3 05:29:30 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:29:30 -0600 (CST)
Subject: [ISN] Fight Spam with Blacklists
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Availl
http://list.windowsitpro.com/t?ctl=22685:4FB69

St.Bernard Software
http://list.windowsitpro.com/t?ctl=22670:4FB69

====================

1. In Focus: Fight Spam with Blacklists

2. Security News and Features
- Recent Security Vulnerabilities
- Over 45,000 New Malware Threats Discovered in 2005
- Phishing Sites Increase Significantly in December 2005
- Combining LogParser and Sed

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- Share Your Security Tips

4. New and Improved
- Block Bots and Other Web Malware

====================

==== Sponsor: Availl ====

Ensure instant access to files at all remote servers and eliminate 95% of your network traffic. Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or Replication technologies? Do you have remote sites with common data or file needs? Get a free software trial, and register for the free seminar.
http://list.windowsitpro.com/t?ctl=22685:4FB69

====================

==== 1. In Focus: Fight Spam with Blacklists ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

I'd guess that the biggest spam headache we all face is false positives--messages that are inadvertently flagged as spam. False positives can be a significant problem, particularly for businesses. After all, you don't want business associates to think you're ignoring them.

I recently wrote in the Security Matters blog about my findings with one particular mail server's various filters (at the URL below). The system uses a dozen filters to help eliminate unwanted email. One thing to keep in mind about filters is that what works for one entity might not work as well for another. You should try several filters and monitor your systems to determine what works best to eliminate the particular types of unwanted mail you receive.
http://list.windowsitpro.com/t?ctl=2267E:4FB69

That said, my findings for the organization in question might be interesting to you. After observing the filters process more than 254,000 messages, I found that the most effective one for this particular organization is a simple language filter. The filter drops messages written in character sets that aren't used by the organization. Language filters might not be appropriate for every business, particularly those that have international relations, but many businesses might find such filtering useful.

The second most effective filter is an IP blacklist filter. IP blacklist filters query blacklist service providers about a given IP address, including the address of the message sender and any addresses that relayed a particular message along its delivery route. If the result of the query shows that the IP address is on the service provider's blacklist, then the probability is high that the message is spam.
Some blacklist service providers also track addresses that are known to send viruses, Trojan horses, worms, back doors, and other sorts of malware. These blacklists can be useful in helping you keep such nuisances off your network.

A reader of the Security Matters blog asked which blacklists are used by the organization that I wrote about, so I thought I'd share those names here. The list of blacklist service providers is ordered based on the success rate of discovering blacklisted IP addresses:

sbl-xml.spamhaus.org
blackholes.five-ten-sg.com
dnsbl.sorbs.net
t1.dnsbl.net.au
bl.spamcop.net
no-more-funn.moensted.dk
sbl.csma.biz
cn-kr.blackholes.us
cbl.abuseat.org
multihop.dsbl.org
list.dsbl.org

Another type of blacklist filtering is simple Uniform Resource Identifier (URI) filtering. Message content is scanned to locate all URIs in the body. Then those URIs can be checked against URI blacklist services to see whether any belong to known spammers. At the time I conducted my tests, I knew of only one URI blacklist provider, Spam URI Realtime Blocklists (SURBL), whose DNS address is multi.surbl.org. Since then, I've learned about another URI blacklist service provider, URIBL.COM, whose DNS server address is multi.uribl.org. I just started using URIBL.COM last week, so I'm not yet sure how well it performs.

Keep in mind that blacklist filters can also produce false positives. However, most people agree that using a blacklist filter is highly effective. Other types of filters you might investigate or write your own scripts for are ones that check for weird spelling patterns (such as "s.A v.e. B 1 g.!!!") and SMTP header validators that check for standards compliance.

For an explanation of how blacklist filters work, see "Dynamic Blacklists Demystified," at the first URL below. For links to other articles about blacklist filters on our Web site, use the second URL below.
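The IP blacklist lookup described in the previous section and the URI blacklist and obfuscated-spelling checks described here, as an added Python example; this is not code from the newsletter or from any of the blacklist services it names. It assumes an injected resolver function so it runs offline: the lookup table, the relay addresses (from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24) and the message are constructed for the example, and only IPv4 relay addresses are handled.

```python
"""DNSBL / URIBL style checks over a message, with an injected resolver.

A DNSBL is queried by reversing the IPv4 octets and appending the zone
(192.0.2.10 checked against bl.spamcop.net becomes 10.2.0.192.bl.spamcop.net).
A listed name answers with an address in 127.0.0.0/8; unlisted names do not
resolve.  URI blacklists are queried by registrable domain instead.
"""
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Optional

# Zones named in the newsletter.  Nothing here contacts them; the resolver
# below is a constructed in-memory table standing in for real DNS.
IP_BLACKLISTS = ["sbl-xml.spamhaus.org", "bl.spamcop.net", "cbl.abuseat.org"]
URI_BLACKLISTS = ["multi.surbl.org", "multi.uribl.org"]

Resolver = Callable[[str], Optional[str]]  # query name -> A record or None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed addresses
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def uribl_query_name(host: str, zone: str) -> str:
    """URI blacklists are keyed by domain; the last two labels approximate it."""
    labels = host.lower().rstrip(".").split(".")
    return f"{'.'.join(labels[-2:])}.{zone}"


_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Four or more alphanumerics each followed by filler, e.g. "s.A v.e. B 1 g."
_OBFUSCATED = re.compile(r"(?:[A-Za-z0-9][\s.\-_*]){4,}")


def relay_ips(headers: Iterable[str]) -> List[str]:
    """Bracketed IPv4 addresses from Received: headers, newest hop first."""
    found: List[str] = []
    for line in headers:
        if line.lower().startswith("received:"):
            found.extend(_RECEIVED_IP.findall(line))
    return found


def uri_hosts(body: str) -> List[str]:
    """Distinct, lower-cased hostnames of every http(s) URI in the body."""
    return sorted({h.lower() for h in _URL_HOST.findall(body)})


def listed(query: str, resolver: Resolver) -> bool:
    """DNSBL convention: a 127.x.x.x answer means the name is listed."""
    answer = resolver(query)
    return answer is not None and answer.startswith("127.")


def score_message(headers: Iterable[str], body: str, resolver: Resolver) -> List[str]:
    """Return the reasons a message looks like spam (empty list if none)."""
    reasons: List[str] = []
    for ip in relay_ips(headers):
        for zone in IP_BLACKLISTS:
            try:
                query = dnsbl_query_name(ip, zone)
            except ipaddress.AddressValueError:
                break  # garbage in the header; skip this address
            if listed(query, resolver):
                reasons.append(f"ip {ip} listed in {zone}")
    for host in uri_hosts(body):
        for zone in URI_BLACKLISTS:
            if listed(uribl_query_name(host, zone), resolver):
                reasons.append(f"uri host {host} listed in {zone}")
    if _OBFUSCATED.search(body):
        reasons.append("obfuscated spelling pattern")
    return reasons


# Constructed sample data: a fake listing table and one suspicious message.
_TABLE: Dict[str, str] = {
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
    "example.net.multi.surbl.org": "127.0.0.8",
}


def sample_resolver(name: str) -> Optional[str]:
    return _TABLE.get(name)


SAMPLE_HEADERS = [
    "Received: from mx.example.org (mx.example.org [198.51.100.7]) by mail.example.org",
    "Received: from unknown (HELO pc) [192.0.2.10] by mx.example.org",
    "Subject: s.A v.e. B 1 g.!!!",
]
SAMPLE_BODY = "Click http://www.example.net/offer now!\ns.A v.e. B 1 g.!!!"

if __name__ == "__main__":
    for reason in score_message(SAMPLE_HEADERS, SAMPLE_BODY, sample_resolver):
        print(reason)
```

The resolver is injected so that the same scoring code can be pointed at a real DNS library in production; a real filter would also cache answers, because every hop of every message generates one query per zone.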
http://list.windowsitpro.com/t?ctl=22680:4FB69
http://list.windowsitpro.com/t?ctl=2266F:4FB69

Jeff Makey publishes a monthly report that shows which IP blacklist services perform best for his environment. Bookmark his report page URL (listed below) and check out the report once in a while--over time, you might learn about new IP blacklist service providers that you didn't know existed.
http://list.windowsitpro.com/t?ctl=22684:4FB69

====================

==== Sponsor: St.Bernard Software ====

Filtering the Spectrum of Internet Threats: Defending Against Inappropriate Content, Spyware, IM, and P2P at the Perimeter

Because of the proliferation of Web-based threats, you can no longer rely on basic firewalls as your sole network protection. Attackers continue to evolve clever methods for reaching victims, such as sending crafty Web links through Instant Messaging (IM) clients or email, or by simply linking to other Web sites that your employees might surf. This free white paper examines the threats of allowing unwanted or offensive content into your network and describes the technologies and methodologies to combat these types of threats. Get your free copy now!
http://list.windowsitpro.com/t?ctl=22670:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=22676:4FB69

Over 45,000 New Malware Threats Discovered in 2005
According to Panda Software, more than 123 new malware threats were discovered every day in 2005. That adds up to more than 45,000 new malware threats being discovered last year. The figures represent a 240 percent increase over 2004, in which some 13,000 new threats were recorded by the company. Panda thinks there's a specific reason for the trend.
Read about it in this news article on our Web site.
http://list.windowsitpro.com/t?ctl=2267F:4FB69

Phishing Sites Increase Significantly in December 2005
The Anti-Phishing Working Group (APWG) published its Phishing Activity Trends Report for December 2005. According to data gathered by the group, more than 7197 new phishing sites were created in December 2005 and attacks are becoming more sophisticated.
http://list.windowsitpro.com/t?ctl=2267C:4FB69

Combining LogParser and Sed
Scrolling through the Windows event logs for specific information can be burdensome, and most administrators probably review the logs only when something bad happens or when something is broken. In this article on our Web site, Jeff Fellinge shows a method for extracting interesting data from event logs by using LogParser and parsing the data by using Sed.
http://list.windowsitpro.com/t?ctl=2267D:4FB69

====================

==== Resources and Events ====

Dev Connections provides world-class education for developers, architects, DBAs, and IT professionals.
*WinConnections (2 conferences for the price of 1): April 9-12, 2006, Orlando, Florida, http://list.windowsitpro.com/t?ctl=22687:4FB69
*DevConnections (4 conferences for the price of 1): April 2-5, 2006, Orlando, Florida, http://list.windowsitpro.com/t?ctl=22688:4FB69
*DevConnections Europe coming to Nice, France, April 24-27, 2006. EARLY BIRD SPECIAL ends 1 March! http://list.windowsitpro.com/t?ctl=2267B:4FB69

Learn why new features in Windows Server 2003 R2, including large clustering, increased RAM, and 64-bit support, make it the ideal platform for your collaboration tools. Live event: March 28; 12:00 pm EST
http://list.windowsitpro.com/t?ctl=22671:4FB69

Find out what policies help or hurt in protecting your company's assets and data. View this on-demand seminar today!
http://list.windowsitpro.com/t?ctl=22672:4FB69

Learn how to leverage new features in SQL Server 2005 to extend your existing backup and restore capabilities.
View the on-demand Web seminar now! http://list.windowsitpro.com/t?ctl=22673:4FB69 Implement real-time processes in your email and data systems--you could also win an iPod Nano! http://list.windowsitpro.com/t?ctl=22675:4FB69 ==================== ==== Featured White Paper ==== Get the tips you need to prepare for and comply with the PCI Data Security Standard, including how to define the 12 major requirements and how those requirements affect IT. http://list.windowsitpro.com/t?ctl=22674:4FB69 ==================== ==== Hot Spot ==== Cyclades AlterPath(TM) KVM/netPlus KVM over IP Switches Cyclades AlterPath(TM) KVM/netPlus is the industry's first KVM solution to offer Cyclades AdaptiveKVM(TM) technology that combines Microsoft(R) Remote Desktop Protocol (RDP) functionality with KVM over IP access. Download Cyclades AdaptiveKVM white paper at www.cyclades.com/wit and visit us at FOSE 2006 Washington, D.C., March 7-9, Booth 2807. http://list.windowsitpro.com/t?ctl=22689:4FB69 ==================== ==== 3. Security Toolkit ==== Security Matters Blog: How to Nip a Little More Spam in the Bud by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=22683:4FB69 Most spam filtering systems do a good job of tagging spam, but many can be tweaked for better detection and better performance. I ran a test on more than 254,000 email messages to see which filters work best. My tests were conducted against live incoming email on a legitimate mail server. Read what I found in this blog article. http://list.windowsitpro.com/t?ctl=2267E:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=22682:4FB69 Q: How can I use a script to delete a computer from a domain? Find the answer at http://list.windowsitpro.com/t?ctl=22681:4FB69 Security Forum Featured Thread: Running WSUS A forum participant would like to establish Windows Server Update Services (WSUS) on his Windows Server 2003 backup server. 
He knows that WSUS requires Microsoft IIS and wonders whether he should use a dedicated server and whether there are any related security concerns. Join the discussion at http://list.windowsitpro.com/t?ctl=2266E:4FB69 Share Your Security Tips and Get $100 Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Announcements ==== (from Windows IT Pro and its partners) VIP Subscribers have it all! Become a VIP subscriber and get continuous, inside access to ALL the online resources published in Windows IT Pro, SQL Server Magazine, and the Exchange & Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get a valuable one-year print subscription to Windows IT Pro and two VIP CD-ROMs per year that contain the entire article database. Don't miss out--sign up now: http://list.windowsitpro.com/t?ctl=22679:4FB69 Save 44% Off the Windows Scripting Solutions Newsletter For a limited time, order Windows Scripting Solutions and SAVE up to $30 off the regular price. You'll get 12 helpful issues loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. You'll also get FREE, unlimited access to the full online scripting article database (more than 500 articles). Subscribe now: http://list.windowsitpro.com/t?ctl=22677:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products at windowsitpro.com Block Bots and Other Web Malware Websense announced enhanced features in Websense Web Security Suite 6.2 and Websense Web Security Suite--Lockdown Edition 6.2, which are scheduled to ship in Q2. 
The new versions of the Web security and Web filtering software will block access to Web sites that host bot command-and-control centers, eliminate non-HTTP bot network traffic, block the launch and spread of bots, and extend protection to mobile employees. Websense also launched Websense Web Protection Services. Comprising three security services--SiteWatcher, BrandWatcher, and ThreatWatcher--Websense Web Protection Services give Websense Security Suite customers a view of their Web servers and external-facing Web sites and protection of customers' online brand. For more information, go to http://list.windowsitpro.com/t?ctl=2268A:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com. ==================== ==== Contact Us ==== About the newsletter -- letters at windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=22686:4FB69 About product news -- products at windowsitpro.com About your subscription -- windowsitproupdate at windowsitpro.com About sponsoring Security UPDATE -- salesopps at windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=2267A:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2006, Penton Media, Inc. All rights reserved. 
From isn at c4i.org Fri Mar 3 05:29:59 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:29:59 -0600 (CST)
Subject: [ISN] Phones stolen in Iraq used for sex chatlines
Message-ID:

http://www.guardian.co.uk/Iraq/Story/0,,1721387,00.html

David Hencke
Westminster correspondent
March 2, 2006
The Guardian

It certainly was not part of Britain's plans to win the hearts and minds of the people of Iraq. But the Foreign Office has been apparently paying for an adult sex chatline in a Baghdad street for 17 months without knowing it.

The Foreign Office has had to tell MPs that an investigation into how a diplomat lost two satellite phones in Iraq has nothing to do with terrorism but more to do with a budding entrepreneur and a telephone porn network.

FO officials had already admitted that the lost phones had cost them £594,000 in unauthorised phone bills but it is now bracing itself for an extremely critical report from the Commons public accounts committee on how it came to pay phone bills, which at one stage hit £212,000 in one month, without asking questions.

Sir Michael Jay, permanent secretary at the FO, told MPs: "All the pattern of usage of these phones ... points to some kind of criminal activity ... It was almost as though they were taken and used as a kind of mobile phone booth at the end of the street where anybody could come along and use them.

"After that, they appear to have been used for a couple of scams based on what are known as personal numbers and premium numbers."

Sir Michael said the premium rate numbers were used for betting agencies or adult phone lines, and that one of the FO phones had been "on virtually full time with the person who is, as it were, making the call getting some benefit from it."

Sir Michael said initial inquiries had revealed a series of blunders. The phones were already activated when they were sent to Baghdad and they were not properly logged in - so no one realised at first that they had been stolen.
None of the bills were initially challenged until people realised the phones had gone missing. The rules at all embassies have now been changed and no phone is sent abroad already activated for use.

Edward Leigh, chairman of the committee, told him: "In terms of this mobile phone being on permanently at the end of a street in Iraq, that gives a whole new meaning to winning hearts and minds in Iraq, but it is quite serious."

Austin Mitchell, Labour MP for Great Grimsby, whose phone had been swiped and used to dial a betting agency, asked if the FO had tried to get its money back.

Since the disclosure, Richard Bacon, Tory MP for Norfolk South, has made further inquiries: "It appears that they haven't been able to find the culprit or trace the phone. You would have thought having spent hundreds of millions of pounds setting up a sophisticated listening centre at GCHQ it would be very easy to trace a satellite phone and who was operating it in Iraq. But it doesn't appear anything was done. It just beggars belief that the FO kept paying the bills."

Sir Michael has promised to try to get the money back. But so far the only thing FO staff appear to have done is to try to ring the premium rate number. Sir Michael told MPs they did not get a reply.
From isn at c4i.org Fri Mar 3 05:30:24 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:30:24 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-9
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-02-23 - 2006-03-02
This week : 66 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Peter Vreugdenhil has reported a vulnerability in Macromedia ShockWave Player, which can be exploited by malicious people to compromise a user's system.

For additional details please refer to the referenced Secunia advisory below.
Reference:
http://secunia.com/SA19009

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA18963] Mac OS X File Association Meta Data Shell Script Execution
2. [SA19009] Macromedia ShockWave Player ActiveX Installer Buffer Overflow
3. [SA16280] IBM Lotus Notes Multiple Vulnerabilities
4. [SA19013] WinACE RAR and TAR Directory Traversal Vulnerability
5. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
6. [SA18989] The Bat! Email Subject Header Buffer Overflow Vulnerability
7. [SA19014] Website Generator PHP Code Injection Vulnerability
8. [SA19010] StuffIt / ZipMagic Directory Traversal Vulnerability
9. [SA18990] ArGoSoft Mail Server Pro Multiple Vulnerabilities
10. [SA19001] iCal "Calendar Text" Script Insertion Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA19009] Macromedia ShockWave Player ActiveX Installer Buffer Overflow
[SA19067] Mail Transport System Professional Mail Relay Vulnerability
[SA19060] StoreBot 2002 Standard Edition "ShipMethod" Script Insertion
[SA19033] SPiD scan_lang_insert.php File Inclusion Vulnerability
[SA19024] Pentacle In-Out Board SQL Injection Vulnerabilities
[SA19019] StoreBot 2005 Professional Edition "Pwd" SQL Injection
[SA19001] iCal "Calendar Text" Script Insertion Vulnerability
[SA19043] bttlxeForum "err_txt" Cross-Site Scripting Vulnerability
[SA19025] Parodia "AG_ID" Cross-Site Scripting Vulnerability
[SA19013] WinACE RAR and TAR Directory Traversal Vulnerability
[SA19010] StuffIt / ZipMagic Directory Traversal Vulnerability
[SA19006] SpeedProject Products ZIP and JAR Directory Traversal
[SA19059] HP System Management Homepage Directory Traversal
[SA19077] M4 Project enigma-suite Default Account Password Weakness
[SA19057] Internet Explorer Iframe Folder Deletion Weakness

UNIX/Linux:
[SA19000] Mandriva update for metamail
[SA19071] Flex Unspecified Scanner Vulnerabilities
[SA19065] Debian update for gpdf
[SA19041] Sun Solaris update for Perl
[SA19036] iGENUS Webmail File Inclusion Vulnerability
[SA19030] Gentoo update for graphicsmagick
[SA19029] Debian update for bmv
[SA19021] Debian update for pdftohtml
[SA19016] Trustix update for sudo / tar
[SA19012] SUSE Updates for Multiple Packages
[SA19002] Zoo "fullpath()" File Name Handling Buffer Overflow
[SA18999] Ubuntu update for tar
[SA19046] NuFW TLS Socket Handling Denial of Service
[SA19038] SUSE update for kernel
[SA19035] Ubuntu update for postgresql
[SA19017] FreeBSD "nfsd" NFS Mount Request Denial of Service
[SA19015] Trustix update for postgresql
[SA19005] SUSE update for heimdal
[SA19042] Sun Solaris HSFS File System Privilege Escalation Vulnerability
[SA19027] Gentoo update for noweb

Other:
[SA19069] Thomson SpeedTouch 500 Series Cross-Site Scripting
[SA19037] Compex NetPassage WPE54G Denial of Service Vulnerability

Cross Platform:
[SA19058] RunCMS phpRPC Library Arbitrary Code Execution Vulnerability
[SA19055] PeHePe Membership Management System Two Vulnerabilities
[SA19047] ShoutLIVE Multiple Vulnerabilities
[SA19028] phpRPC Library Arbitrary Code Execution Vulnerability
[SA19020] freeForum Multiple Vulnerabilities
[SA19068] N8cms Cross-Site Scripting and SQL Injection Vulnerabilities
[SA19062] d3jeeb Pro "catid" SQL Injection Vulnerabilities
[SA19061] MyBB "comma" Parameter SQL Injection Vulnerability
[SA19056] sendcard Unspecified SQL Injection Vulnerabilities
[SA19053] DirectContact Directory Traversal Vulnerability
[SA19048] LanSuite LanParty Intranet System "fid" SQL Injection
[SA19045] EKINboard Multiple Vulnerabilities
[SA19044] CrossFire "oldsocketmode" Denial of Service Vulnerability
[SA19023] PwsPHP "sondage" Module SQL Injection Vulnerability
[SA19008] PEAR Auth DB / LDAP Multiple Injection Vulnerabilities
[SA19007] Calcium "EventText" Script Insertion Vulnerability
[SA19004] Simple Machines Forum "X-Forwarded-For" Script Insertion
[SA19003] iUser Ecommerce Unspecified Vulnerabilities
[SA19070] TOPo "gTopNombre" Parameter Cross-Site Scripting Vulnerability
[SA19066] CGI Calendar Cross-Site Scripting Vulnerabilities
[SA19052] MyPHPNuke Cross-Site Scripting Vulnerabilities
[SA19050] WordPress Cross-Site Scripting Vulnerabilities
[SA19039] PunBB "header.php" Cross-Site Scripting Vulnerability
[SA19031] JFacets "ProfileID" Profile Change Vulnerability
[SA19026] 4images "template" Parameter File Inclusion Vulnerability
[SA19014] Website Generator PHP Code Injection Vulnerability
[SA19011] PEAR Archive_Tar Directory Traversal Vulnerability
[SA19034] MySQL Query Logging Bypass Security Issue
[SA19018] Issue Dealer Unpublished Content Disclosure Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA19009] Macromedia ShockWave Player ActiveX Installer Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-02-24

Peter Vreugdenhil has reported a vulnerability in Macromedia ShockWave Player, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19009/

--

[SA19067] Mail Transport System Professional Mail Relay Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-03-01

A vulnerability has been reported in Mail Transport System (MTS) Professional, which can be exploited by malicious people to use it as an open mail relay.

Full Advisory:
http://secunia.com/advisories/19067/

--

[SA19060] StoreBot 2002 Standard Edition "ShipMethod" Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-01

KeyShore and Yog have reported a vulnerability in StoreBot 2002 Standard Edition, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/19060/

--

[SA19033] SPiD scan_lang_insert.php File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-02-28

Nemesis Security Audit Group has discovered a vulnerability in SPiD, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19033/

--

[SA19024] Pentacle In-Out Board SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-27

Mustafa Can Bjorn has discovered two vulnerabilities in Pentacle In-Out Board, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19024/

--

[SA19019] StoreBot 2005 Professional Edition "Pwd" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-03-01

KeyShore and Yog have reported a vulnerability in StoreBot 2005 Professional Edition, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19019/

--

[SA19001] iCal "Calendar Text" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-24

KeyShore and Yog have discovered a vulnerability in iCal, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19001/

--

[SA19043] bttlxeForum "err_txt" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-01

runvirus has reported a vulnerability in bttlxeForum, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19043/ -- [SA19025] Parodia "AG_ID" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting, Exposure of system information Released: 2006-02-28 KeyShore and Yog have reported a vulnerability in Parodia, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19025/ -- [SA19013] WinACE RAR and TAR Directory Traversal Vulnerability Critical: Less critical Where: From remote Impact: System access Released: 2006-02-24 Hamid Ebadi has discovered a vulnerability in WinACE, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19013/ -- [SA19010] StuffIt / ZipMagic Directory Traversal Vulnerability Critical: Less critical Where: From remote Impact: System access Released: 2006-02-24 Hamid Ebadi has reported a vulnerability in StuffIt and ZipMagic, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19010/ -- [SA19006] SpeedProject Products ZIP and JAR Directory Traversal Critical: Less critical Where: From remote Impact: System access Released: 2006-02-24 Hamid Ebadi has reported a vulnerability in various SpeedProject products, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19006/ -- [SA19059] HP System Management Homepage Directory Traversal Critical: Less critical Where: From local network Impact: Exposure of system information, Exposure of sensitive information Released: 2006-03-01 A vulnerability has been reported in HP System Management Homepage, which can be exploited by malicious people to gain knowledge of potentially sensitive information. 
Full Advisory:
http://secunia.com/advisories/19059/

--

[SA19077] M4 Project enigma-suite Default Account Password Weakness
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-03-01

A weakness has been reported in M4 Project enigma-suite, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19077/

--

[SA19057] Internet Explorer Iframe Folder Deletion Weakness
Critical: Not critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-28

cyber flash has discovered a weakness in Internet Explorer, which can be exploited by malicious people to trick users into deleting local folders.

Full Advisory:
http://secunia.com/advisories/19057/

UNIX/Linux:--

[SA19000] Mandriva update for metamail
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-02-23

Mandriva has issued an update for metamail. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19000/

--

[SA19071] Flex Unspecified Scanner Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-03-01

Some vulnerabilities have been reported in Flex, which have an unknown impact.

Full Advisory:
http://secunia.com/advisories/19071/

--

[SA19065] Debian update for gpdf
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-02-28

Full Advisory:
http://secunia.com/advisories/19065/

--

[SA19041] Sun Solaris update for Perl
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-01

Sun has issued an update for perl. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable Perl application.
Full Advisory: http://secunia.com/advisories/19041/ -- [SA19036] iGENUS Webmail File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2006-02-27 rgod has reported a vulnerability in iGENUS Webmail, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/19036/ -- [SA19030] Gentoo update for graphicsmagick Critical: Moderately critical Where: From remote Impact: System access Released: 2006-02-27 Gentoo has issued an update for graphicsmagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19030/ -- [SA19029] Debian update for bmv Critical: Moderately critical Where: From remote Impact: System access Released: 2006-02-28 Debian has issued an update for bmv. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19029/ -- [SA19021] Debian update for pdftohtml Critical: Moderately critical Where: From remote Impact: Unknown Released: 2006-02-28 Full Advisory: http://secunia.com/advisories/19021/ -- [SA19016] Trustix update for sudo / tar Critical: Moderately critical Where: From remote Impact: Privilege escalation, DoS, System access Released: 2006-02-27 Trustix has issued updates for sudo and tar. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, and malicious people to cause a DoS (Denial of Service) or compromise a user's system. Full Advisory: http://secunia.com/advisories/19016/ -- [SA19012] SUSE Updates for Multiple Packages Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, DoS, System access Released: 2006-02-27 SUSE has issued an update for multiple packages. 
This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and HTTP response splitting attacks, cause a DoS (Denial of Service), and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19012/

--
[SA19002] Zoo "fullpath()" File Name Handling Buffer Overflow

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-02-24

Jean-Sébastien Guay-Leroux has discovered a vulnerability in zoo, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19002/

--
[SA18999] Ubuntu update for tar

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-02-23

Ubuntu has issued an update for tar. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18999/

--
[SA19046] NuFW TLS Socket Handling Denial of Service

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-02-28

A vulnerability has been reported in NuFW, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19046/

--
[SA19038] SUSE update for kernel

Critical: Less critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, DoS
Released: 2006-02-28

SUSE has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information, bypass certain security restrictions and cause a DoS (Denial of Service), and by malicious people to cause a DoS.
Full Advisory: http://secunia.com/advisories/19038/

--
[SA19035] Ubuntu update for postgresql

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-02-27

Ubuntu has issued an update for PostgreSQL. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19035/

--
[SA19017] FreeBSD "nfsd" NFS Mount Request Denial of Service

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-02-27

Evgeny Legerov has reported a vulnerability in FreeBSD, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19017/

--
[SA19015] Trustix update for postgresql

Critical: Less critical
Where: From local network
Impact: Privilege escalation, DoS
Released: 2006-02-27

Trustix has issued an update for postgresql. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory: http://secunia.com/advisories/19015/

--
[SA19005] SUSE update for heimdal

Critical: Less critical
Where: From local network
Impact: Privilege escalation, DoS
Released: 2006-02-27

SUSE has issued an update for heimdal. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19005/

--
[SA19042] Sun Solaris HSFS File System Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2006-02-27

A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.
Full Advisory: http://secunia.com/advisories/19042/

--
[SA19027] Gentoo update for noweb

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-02-27

Gentoo has issued an update for noweb. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/19027/

Other:

--
[SA19069] Thomson SpeedTouch 500 Series Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-28

Preben Nyløkken has reported a vulnerability in Thomson SpeedTouch 500 Series, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19069/

--
[SA19037] Compex NetPassage WPE54G Denial of Service Vulnerability

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-03-01

/dev/0id has reported a vulnerability in Compex NetPassage WPE54G, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19037/

Cross Platform:

--
[SA19058] RunCMS phpRPC Library Arbitrary Code Execution Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-02-27

James Bercegay has reported a vulnerability in RunCMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19058/

--
[SA19055] PeHePe Membership Management System Two Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-03-01

Yunus Emre Yilmaz has reported two vulnerabilities in PeHePe Membership Management System, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19055/

--
[SA19047] ShoutLIVE Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-02-27

Aliaksandr Hartsuyeu has reported some vulnerabilities in ShoutLIVE, which can be exploited by malicious people to conduct script insertion attacks and to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19047/

--
[SA19028] phpRPC Library Arbitrary Code Execution Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-02-27

James Bercegay has reported a vulnerability in phpRPC, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19028/

--
[SA19020] freeForum Multiple Vulnerabilities

Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-02-28

Aliaksandr Hartsuyeu has reported some vulnerabilities in freeForum, which can be exploited by malicious people to conduct script insertion attacks and to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19020/

--
[SA19068] N8cms Cross-Site Scripting and SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-01

Liz0ziM has discovered some vulnerabilities in N8cms, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19068/

--
[SA19062] d3jeeb Pro "catid" SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-28

SAUDI has reported two vulnerabilities in d3jeeb Pro, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19062/

--
[SA19061] MyBB "comma" Parameter SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-01

D3vil-0x1 has discovered a vulnerability in MyBB, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19061/

--
[SA19056] sendcard Unspecified SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-01

Sumit Siddharth has reported some vulnerabilities in sendcard, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19056/

--
[SA19053] DirectContact Directory Traversal Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2006-02-28

Donato Ferrante has discovered a vulnerability in DirectContact, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory: http://secunia.com/advisories/19053/

--
[SA19048] LanSuite LanParty Intranet System "fid" SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-27

x128 has discovered a vulnerability in LanSuite LanParty Intranet System, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19048/

--
[SA19045] EKINboard Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2006-02-28

Aliaksandr Hartsuyeu has reported some vulnerabilities in EKINboard, which can be exploited by malicious people to conduct SQL injection and script insertion attacks.
Full Advisory: http://secunia.com/advisories/19045/

--
[SA19044] CrossFire "oldsocketmode" Denial of Service Vulnerability

Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-02-28

Luigi Auriemma has reported a vulnerability in CrossFire, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19044/

--
[SA19023] PwsPHP "sondage" Module SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2006-02-27

papipsycho has reported a vulnerability in PwsPHP, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19023/

--
[SA19008] PEAR Auth DB / LDAP Multiple Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-02-23

Matt Van Gundy has reported some vulnerabilities in PEAR Auth, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19008/

--
[SA19007] Calcium "EventText" Script Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-24

KeyShore and KeyYog have discovered a vulnerability in Calcium, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/19007/

--
[SA19004] Simple Machines Forum "X-Forwarded-For" Script Insertion

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-24

Aliaksandr Hartsuyeu has reported a vulnerability in Simple Machines Forum, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19004/

--
[SA19003] iUser Ecommerce Unspecified Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-02-23

Some vulnerabilities with unknown impacts have been reported in iUser Ecommerce.

Full Advisory: http://secunia.com/advisories/19003/

--
[SA19070] TOPo "gTopNombre" Parameter Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-01

Yunus Emre Yilmaz has discovered a vulnerability in TOPo, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19070/

--
[SA19066] CGI Calendar Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-28

Revnic Vasile has discovered some vulnerabilities in CGI Calendar, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19066/

--
[SA19052] MyPHPNuke Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-27

Mustafa Can Bjorn has reported some vulnerabilities in MyPHPNuke, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19052/

--
[SA19050] WordPress Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2006-03-01

K4P0 has discovered two vulnerabilities in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19050/

--
[SA19039] PunBB "header.php" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-01

A vulnerability has been reported in PunBB, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19039/

--
[SA19031] JFacets "ProfileID" Profile Change Vulnerability

Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-02-28

A vulnerability has been reported in JFacets, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19031/

--
[SA19026] 4images "template" Parameter File Inclusion Vulnerability

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-02-27

rgod has reported a vulnerability in 4images, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/19026/

--
[SA19014] Website Generator PHP Code Injection Vulnerability

Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-02-24

Nemesis Security Audit Group has discovered a vulnerability in Website Generator, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19014/

--
[SA19011] PEAR Archive_Tar Directory Traversal Vulnerability

Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-02-24

Hamid Ebadi has discovered a vulnerability in PEAR Archive_Tar, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19011/

--
[SA19034] MySQL Query Logging Bypass Security Issue

Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-02-27

1dt.w0lf has discovered a security issue in MySQL, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19034/

--
[SA19018] Issue Dealer Unpublished Content Disclosure Weakness

Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2006-02-28

A weakness has been reported in Issue Dealer, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19018/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Mar 3 05:27:47 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:27:47 -0600 (CST)
Subject: [ISN] Sourcefire Officials Hopeful Over Sale
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/03/02/AR2006030201907.html

By Ellen McCarthy
Washington Post Staff Writer
March 3, 2006

Executives of Sourcefire Inc., the Columbia company whose sale to an Israeli firm has been delayed pending a national security review, said yesterday that they believe the concerns surrounding the deal can be resolved.
In early October the information security firm announced an agreement to be acquired for $225 million by Check Point Software Technologies Ltd., the firm run by Israeli tech pioneer Gil Schwed. Though based in Ramat Gan, Israel, the firm has a U.S. headquarters in Redwood City, Calif., and is publicly traded on the Nasdaq Stock Market.

The Sourcefire deal nevertheless has come under scrutiny, apparently because of the company's contracts with sensitive government clients, and is being investigated by the Committee on Foreign Investments in the United States.

"I'm pretty stunned. Who would've figured 140 people in Columbia, Maryland, would be embroiled in a world controversy?" said Wayne Jackson, Sourcefire's chief executive.

CFIUS is the interagency panel that is reviewing the potential purchase by a company from the United Arab Emirates of a British firm that operates U.S. ports.

Five-year-old Sourcefire sells software that monitors computer networks for potential threats. About 13 percent of its revenue comes from federal clients, including civilian and defense agencies, Jackson said.

Tony Fratto, a spokesman for the Treasury Department, which leads CFIUS, said, "Certain members of the committee have outstanding concerns that there's potential risks to national security were the transaction to proceed."

Sourcefire is something of a darling of the local tech sector, in part because of its roots in the open-source community. The company was founded in 2001 by Martin Roesch, a programmer who started working on the basic product, "Snort," in an open-source forum that allows anyone to see the programming code and contribute to it. Though the product was eventually commercialized and Sourcefire brought in more than $30 million in revenue last year, the basic code remains freely available to anyone with an Internet connection.

"What nobody's talking about is the fact that Snort, which is at the center of all this hubbub, is open source. . . . China could be using it.
Iran could be using it. North Korea could be using it," Jackson said. "Nothing's being transferred except control, and those are issues that could certainly be addressed with the committee."

Because such investigations are often kept secret, even from the parties involved, executives of Sourcefire and CheckPoint may not know which aspects of the deal are raising red flags for regulators. The companies would not comment on the details of the investigation or on their discussions with government officials.

Still, Jackson said he is "confident that measures can be put in place to mitigate whatever risks the federal government believes might exist." He also said the firm will continue to serve its federal customers throughout the investigation, which is expected to conclude this month with a report to the president.

Check Point, the Israeli firm, manufactures a widely used firewall program and has a separate federal sales office to market to the U.S. government. It has acquired U.S. firms in the past, including San Francisco-based Zone Labs Inc. in 2004.

The Sourcefire deal is being closely watched regionally because it has a number of local investors, including Core Capital Partners LP of the District, New Enterprise Associates of Baltimore, and the Maryland Department of Business and Economic Development. Inflection Point Ventures of Newark, Del., and Sierra Ventures and Sequoia Capital, both of Menlo Park, Calif., also have invested in the firm.

None of the venture capitalists would comment publicly on the investigation. Ray Rice, a limited partner in Core Capital, said he is confident that Sourcefire will have a number of other suitors if the Check Point deal is killed.

"Frankly, I can wait six more months," Rice said.

Jackson said the company is committed to seeing the Check Point acquisition through and is cooperating with the committee.

©
2006 The Washington Post Company

From isn at c4i.org Fri Mar 3 05:30:45 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:30:45 -0600 (CST)
Subject: [ISN] US man faces five years for hacking supervisor's PC
Message-ID:

http://www.theregister.co.uk/2006/03/02/us_education_hack/

By John Leyden
2nd March 2006

A former federal computer security expert faces a possible five year jail term after pleading guilty to hacking a US Department of Education computer.

Kenneth Kwak, 34, of Chantilly, Virginia, admitted snooping on his supervisor's email and internet surfing activities while employed as a system auditor for the US Department of Education. Kwak placed unspecified software on his boss's computer that allowed him to access files on the system without permission. He shared snippets gleaned from his repeated spying forays with colleagues around the office.

In a statement [1] the DoJ said: "Kwak carried out his crime and invaded his supervisor's privacy for personal entertainment; there is no indication he profited financially from his actions."

As part of a plea bargaining agreement, Kwak pleaded guilty to one count of unauthorised access to a protected computer during a hearing in the District of Columbia federal court before US District Judge Royce Lamberth on Wednesday. He faces a maximum of five years in jail and a fine of $250,000 over the offence. Sentencing has been set for 12 May.

The case was investigated by the Computer Crime Investigations Division of the Department of Education's Inspector General's Office. Kwak's prosecution was carried as part of the "zero-tolerance policy" recently adopted by the US Attorney's office over computer hacking offences. ®
[1] http://releases.usnewswire.com/GetRelease.asp?id=61702

From isn at c4i.org Fri Mar 3 05:31:12 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:31:12 -0600 (CST)
Subject: [ISN] OMB: Agency compliance with cybersecurity law improving
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=33498

By Daniel Pulliam
dpulliam at govexec.com
March 2, 2006

Agencies improved slightly in fiscal 2005 at meeting computer security standards, according to a report released Wednesday by the Office of Management and Budget.

The percentage of agency information technology systems certified and accredited rose from 77 percent in fiscal 2004 to 85 percent in 2005, just short of an administration goal of 90 percent, OMB stated. Furthermore, the number of systems with tested contingency plans increased from 57 percent to 61 percent over that same period, the report to Congress [1] on the implementation of the 2002 Federal Information Security Management Act found.

The number of agency IT systems also grew in that time, rising 19 percent from 8,623 to 10,289. Contractors or other non-government organizations manage 1,105 of those systems on behalf of the government.

The Defense Department, which houses 3,583 IT systems, went from 58 percent of systems certified and accredited to 82 percent, though the Pentagon inspector general gave the department a "poor" certification and accreditation rating in the OMB report.

The Veterans Affairs Department, which reported 14 percent of its systems as certified and accredited in fiscal 2004, reported that all 585 of its systems were certified and accredited the next year.

None of the inspectors general rated the certification and accreditation process as failing, but eight rated it as "poor." Four agency inspectors general rated it as "good," while the Social Security Administration IG was the only one to rate it as "excellent."
Included in the report were goals needed to maintain a "green" status -- the highest available grade -- in e-government on the Bush administration's quarterly management score card. They involved certifying and accrediting all IT systems by July 1, 2006, installing and maintaining all systems with proper security configurations and including continuity of operations provisions in the agency's infrastructure.

In fiscal 2005, agencies for the first time assigned risk levels to IT systems, with 1,646 categorized as "high impact" and another 2,497 as "moderate impact," the OMB report noted. Eighty-eight percent of those rated as "high impact" were certified and accredited, it said.

Richard Tracy, chief technology and security officer of the Telos Corp., an IT contractor, said he was pleased to see that agencies were not "picking the low hanging fruit" by certifying and accrediting the low-impact systems in order to improve their cybersecurity scores.

He said agencies are spending significant resources on the certification and accreditation process in order to improve the grades, but added that he would be curious to know whether they'll be able to continue monitoring the systems once FISMA compliance is reached.

OMB highlighted the oversight of contractor systems as a reason for "strategic and continued management attention" and asked agency inspectors general to confirm that systems operated by contractors meet FISMA requirements.

Inspectors general for the Pentagon and the Homeland Security and State departments told OMB their agencies "rarely" conduct oversight of contractor-operated IT systems. Inspectors for NASA and the Agriculture and Health and Human Services departments said their agencies "sometimes" oversee IT systems operated by contractors.

Another area for concern according to OMB is the number of systems with tested security controls, which dropped from 76 percent in fiscal 2004 to 72 percent in fiscal 2005.
Agencies' handling of incident reporting drew concern from OMB as well, with DHS finding "sporadic reporting by some agencies and unusually low levels of reporting by others."

"Less than full reporting hampers the government's ability to know whether an incident is isolated at one agency or is part of a larger event," the OMB report stated.

Agencies' process for planning, implementing and evaluating deficient IT security policies -- known as POA&M -- drew concern because of ineffective processes at the Defense, Agriculture, DHS and the Interior, Transportation and Treasury departments.

House Government Reform Committee staffers still are reviewing the report, according to Drew Crockett, spokesman for the panel's chairman, Rep. Tom Davis, R-Va. The committee is scheduled to release its annual cybersecurity grades and discuss the OMB report at a March 16 hearing with Karen Evans, administrator of OMB's Office of Electronic Government and Information Technology, testifying, Crockett said in a statement.

[1] http://www.whitehouse.gov/omb/inforeg/reports/2005_fisma_report_to_congress.pdf

From isn at c4i.org Fri Mar 3 05:31:55 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:31:55 -0600 (CST)
Subject: [ISN] Apple Fixes Critical Safari Bug, 16 Other Flaws
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml;?articleID=181500394

By Gregg Keizer
March 2, 2006

Apple Computer on Wednesday released its first security update of 2006 to patch 17 bugs, including a critical flaw in the Safari browser and a gaffe in iChat that was used by the first Mac OS X worm to infect Macintosh machines.

The update, dubbed Security Update 2006-001, comes just over a week after news broke of a critical flaw in the operating system and the Safari Web browser, leading to intense defense of Mac security by Apple users.
The Safari vulnerability could let attackers hijack a Mac simply by enticing its user to a malicious Web site in a so-called "drive-by download" that's a common menace to Windows users but unheard of in the Mac world. The problem stemmed from Safari's (and Mac OS X's) trust of certain file types, specifically ZIP archives. Attackers could pack a ZIP with malicious scripts that the Mac would automatically run, the German firm Heise Security said last week.

"This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9)," Apple's alert read.

The speed with which Apple patched the vulnerability may impress Windows users -- who are used to waiting weeks if not months for fixes from Microsoft -- but it's not unusual, said Mike Murray, director of research at vulnerability management vendor nCircle.

"There are a couple of reasons why Apple could patch this so quickly," said Murray. "First of all, Safari's based on open-source code, and that code is pretty well understood. Second, the vulnerability didn't seem that complex."

The biggest factor in Apple's quick turnaround, however, has nothing to do with the Safari code or the bug.

"Internet Explorer is tied into the core of the [Windows] operating system," Murray said. "If you change IE, something could break on the OS. The QA cycle has to be much longer, since one little change could break the whole damn thing.

"But Safari is a stand-alone browser, like Firefox. If a patch introduces a bug in Safari, big deal. It's not affecting the [Mac] OS."

That's the reason why Apple could put together a patch within a week, and why, Murray added, Firefox developers can do the same when vulnerabilities are found in that cross-platform browser.

"Microsoft's strategy of tying the browser into the operating system has made it so much more difficult to patch," Murray added.
Apple's e-mail client has also been patched so that it will warn the user when a malicious attachment may be trying to disguise itself as a "safe" file type.

Safari accounted for 4 of the 17 fixes, including one in its RSS implementation. All four were serious -- judged "critical" by Danish vulnerability tracker Secunia -- since they allowed for remote code or script execution.

The update also fixes iChat, Apple's instant messaging client, so IM threats such as the recent OSX/Leap.a worm could be blocked. Leap.a was the first-ever Mac OS X worm.

"With this update, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers," Apple said in the alert.

Other patches in the update fixed a problem with the PHP programming language within the Apache server module, solved two issues in Apple's Directory Services, corrected a potential problem mounting malicious network servers, and quashed bugs in FileVault and IPSec within virtual private network (VPN) sessions.

Although the new Intel-based Macs have been issued an operating system update since they debuted in January -- from 10.4.4 to the current 10.4.5 -- this was the first security fix released for those machines.

Separate downloads are available on Apple's download site for Mac OS X 10.3.9 (Panther) clients and servers, as well as Mac OS X 10.4.5 (Tiger) Intel and PowerPC editions. Mac users who have Software Update enabled will automatically receive the update.

Copyright © 2005 CMP Media LLC

From isn at c4i.org Mon Mar 6 05:30:40 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Mar 2006 04:30:40 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - March 3rd 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  March 3rd 2006                             Volume 7, Number 10a    |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                   Benjamin D. Thomas
                dave at linuxsecurity.com     ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for gpdf, pdftohtml, tutos, bmv, xpdf, module-init-tools, udev, gnupg, gawk, dhcp, system-config-netboot, xterm, GraphicsMagick, noweb, metamail, mplayer, squirrelmail, unzip, gettext, tar, heimdal, and liby2util. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.

----

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

----

ARC: A Synchronous Stream Cipher from Hash Functions

By: Angelo P. E. Rosiello and Roberto Carrozzo

Abstract

We consider a simple and secure way to realize a synchronous stream cipher from iterated hash functions. It is similar to the OFB mode where the underlying block cipher algorithm is replaced with the keyed hash function, adopting the secret suffix method [20]. We analyzed the key, the keystream and the necessary properties to assume from the underlying hash function for the stream cipher to be considered secure.
Motivated by our analysis we conjecture that the most effcient way to break the proposed stream cipher is to break the hash function or through exhaustive search for the keyspace K of k bits, that requires O(2k) operations. Keywords : stream cipher, key, keystream, one-time pad cryptosystem, hash function, keyed hash function. 1.1 Algorithm Requirements The algorithm should have a flat keyspace allowing any random bit string to be a possible key. The algorithm should make easier the key-management for software implementations. The typed password should not become directly the key, else the actual keyspace is limited to keys constructed with the 95 characters of printable ASCII1. The algorithm should be easily modifiable satisfying minimum or maximum requirements. Moreover, according to basic engineering software theories, the algorithm does not have to bind developers with static u se of pre-defined logical block functions, but it is important to let wide alternatives during the implementation of the software[13, 17]. The algorithm should be simple to code, otherwise programmers could make implementation mistakes if the structure is too complicated[13]. 1.2 Areas of Application Nowadays encrypting information has become a 'must', which means that a good crypto algorithm must give to the community the possibility to manage safe data. Practical applications pertain to: * Bulk Encryption: data files or a continuous data stream (e.g. important information saved on hardisks such as databases or any kind of secret document); * Data Transmission: a lot of communication mediums need a secure way to crypt exchanged information (e.g. Internet packets, wireless connections, radio signals, etc.); * Small Encryption: banks and commercial companies need secure encryption methodologies to interact with customers by small encryption technologies. Definitely, a good algorithm should be suitable for lots of disparate situations. 
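As an added illustration (not code from the paper or its authors), the construction the abstract describes, a hash function iterated OFB-style under the secret-suffix keying H(data || K), sketched in Python. SHA-256, the IV handling, the PBKDF2 password-to-key step and all sample values are assumptions made here; the last function shows why the IV must never repeat under one key.

```python
"""Sketch of an ARC-style synchronous stream cipher: an OFB-like feedback
loop whose block cipher is replaced by a secret-suffix keyed hash H(data || K).
Added illustration of the construction the abstract describes, not the paper's
reference implementation; SHA-256, the IV handling and the password step are
assumptions made here."""
import hashlib
import os

BLOCK = hashlib.sha256().digest_size  # 32-byte keystream blocks


def derive_key(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Flat 256-bit key from a typed password (Section 1.1: the password must
    not become the key itself, or the keyspace shrinks to printable ASCII).
    PBKDF2 is a standard substitute used here; the paper's own derivation is
    not given in the excerpt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def keyed_hash(data: bytes, key: bytes) -> bytes:
    """Secret-suffix keyed hash: H(data || K)."""
    return hashlib.sha256(data + key).digest()


def keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """OFB-style feedback: s_0 = IV, s_i = H(s_{i-1} || K), and the keystream
    is s_1 || s_2 || ... truncated to nbytes. Only (K, IV) feed the state,
    never the plaintext or ciphertext, which is what makes it synchronous."""
    out = bytearray()
    state = iv
    while len(out) < nbytes:
        state = keyed_hash(state, key)
        out.extend(state)
    return bytes(out[:nbytes])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Ciphertext = plaintext XOR keystream(K, IV)."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Same operation as encrypt: XOR with the same keystream undoes it."""
    return encrypt(key, iv, ciphertext)


def iv_reuse_leaks(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bool:
    """Why the IV must be fresh per message: under the same (K, IV) the two
    ciphertexts XOR to the XOR of the plaintexts, exactly as with a reused
    one-time pad. Returns True when that leak is observable."""
    c1, c2 = encrypt(key, iv, m1), encrypt(key, iv, m2)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


if __name__ == "__main__":
    # Constructed sample values; salt and message are not from the paper.
    key = derive_key("correct horse battery staple", b"constructed-salt")
    iv = os.urandom(BLOCK)  # fresh random IV for every message
    msg = b"constructed sample plaintext spanning more than one hash block"
    ct = encrypt(key, iv, msg)
    assert decrypt(key, iv, ct) == msg
    print("ciphertext:", ct.hex())
    print("IV reuse leaks plaintext XOR:", iv_reuse_leaks(key, iv, msg, msg[::-1]))
```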
Read Full Paper
http://www.linuxsecurity.com/images/stories/arc-hash.pdf

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

* Debian: New gpdf packages fix several vulnerabilities
  27th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121760

* Debian: New pdftohtml packages fix several vulnerabilities
  28th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121765

* Debian: New tutos package fixes several vulnerabilities
  2nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121790

* Debian: New bmv packages fix arbitrary code execution
  2nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121791

* Debian: New xpdf packages fix several problems
  2nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121792

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: module-init-tools-3.2-0.pre9.0.FC4.4
  23rd, February, 2006
  This module-init-tools adds a stub /etc/modprobe.conf.dist which is included by older /etc/modprobe.conf config files. This avoids the printing of a warning. Matrox framebuffer modules are also not autoloaded with this version.
  http://www.linuxsecurity.com/content/view/121727

* Fedora Core 4 Update: udev-071-0.FC4.3
  23rd, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121728

* Fedora Core 4 Update: gnupg-1.4.2.1-3
  24th, February, 2006
  The previous update, to version 1.4.2.1, could produce errors when gpg attempted to read certain keyrings produced by earlier versions of GnuPG. This update includes a fix for that bug.
  http://www.linuxsecurity.com/content/view/121740

* Fedora Core 4 Update: gawk-3.1.4-5.4
  24th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121741

* Fedora Core 4 Update: util-linux-2.12p-9.14
  27th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121759

* Fedora Core 4 Update: dhcp-3.0.2-34.FC4
  1st, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121787

* Fedora Core 4 Update: system-config-netboot-0.1.38-2_FC4
  1st, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121788

* Fedora Core 4 Update: xterm-208-2.FC4
  1st, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121789

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: GraphicsMagick Format string vulnerability
  26th, February, 2006
  A vulnerability in GraphicsMagick allows attackers to crash the application and potentially execute arbitrary code.
  http://www.linuxsecurity.com/content/view/121750

* Gentoo: noweb Insecure temporary file creation
  26th, February, 2006
  noweb is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.
  http://www.linuxsecurity.com/content/view/121751

+---------------------------------+
| Distribution: Mandriva          | ----------------------------//
+---------------------------------+

* Mandriva: Updated metamail packages fix vulnerability
  23rd, February, 2006
  Ulf Harnhammar discovered a buffer overflow vulnerability in the way that metamail handles certain mail messages. An attacker could create a carefully-crafted message that, when parsed via metamail, could execute arbitrary code with the privileges of the user running metamail.
  http://www.linuxsecurity.com/content/view/121722

* Mandriva: Updated mplayer packages fix integer overflow vulnerabilities
  24th, February, 2006
  Multiple integer overflows in (1) the new_demux_packet function in demuxer.h and (2) the demux_asf_read_packet function in demux_asf.c in MPlayer 1.0pre7try2 and earlier allow remote attackers to execute arbitrary code via an ASF file with a large packet length value. The updated packages have been patched to prevent this problem.
  http://www.linuxsecurity.com/content/view/121749

* Mandriva: Updated squirrelmail packages fix vulnerabilities
  27th, February, 2006
  Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different from what is normally identified as XSS. (CVE-2006-0188)
  http://www.linuxsecurity.com/content/view/121763

* Mandriva: Updated unzip packages fix vulnerabilities
  28th, February, 2006
  A buffer overflow was found in how unzip handles file name arguments. If a user could be tricked into processing a specially crafted, excessively long file name with unzip, an attacker could execute arbitrary code with the user's privileges.
  http://www.linuxsecurity.com/content/view/121764

* Mandriva: Updated gettext packages fix temporary file vulnerabilities
  28th, February, 2006
  The Trustix developers discovered temporary file vulnerabilities in the autopoint and gettextize scripts, part of GNU gettext. These scripts insecurely created temporary files which could allow a malicious user to overwrite another user's files via a symlink attack. The updated packages have been patched to address this issue.
  http://www.linuxsecurity.com/content/view/121776

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Moderate: tar security update
  1st, March, 2006
  An updated tar package that fixes a buffer overflow bug is now available for Red Hat Enterprise Linux 4. This update has been rated as having Moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121781

+---------------------------------+
| Distribution: SuSE              | ----------------------------//
+---------------------------------+

* SuSE: SuSE Security Announcement: heimdal (SUSE-SA:2006:010)
  24th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121738

* SuSE: SuSE Security Announcement: heimdal (SUSE-SA:2006:011)
  24th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121739

* SuSE: kernel various security problems
  27th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121756

* SuSE: gpg,liby2util signature checking
  1st, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121777

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------ From isn at c4i.org Mon Mar 6 05:30:54 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 6 Mar 2006 04:30:54 -0600 (CST) Subject: [ISN] State college in Colorado warns 93,000 after laptop theft Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,109208,00.html By Robert McMillan MARCH 03, 2006 IDG NEWS SERVICE A state college in Denver believes it may have lost sensitive information on more than 93,000 students after one of the school's laptop computers was stolen from an employee's home late last month. The unnamed employee of Metropolitan State College had been using the information, including student names and Social Security numbers, to write a grant proposal, the college said Thursday. The data, which appears to have been unencrypted, was also being used by the employee to write a master's degree thesis, the school said. The laptop was stolen on Feb. 25, but Denver police asked the school to wait until March 1 to go public with news of the theft to help with the ongoing investigation. Students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester are now being notified of the incident via letter, the college said. Although there is no evidence that any of this data has been used for identity theft, there are a number of unanswered questions related to the incident. One question is whether or not the sensitive information was actually stored on the computer at the time of the theft, according to college President Stephen Jordan. "The employee does not recall whether he had deleted those files from the laptop," he said in a statement. A second question is whether the employee should have been storing this type of data outside of school premises for the purposes of a master's thesis. The college is "investigating whether the employee had obtained permission ... to use the data in his thesis," the college said.
The college is now reviewing its policies regarding laptops, particularly related to unencrypted information, Jordan said. The college Web site includes tips on avoiding laptop theft, and on preventing stolen information from being used following such an event. The college did not immediately return calls seeking comment for this story on Friday. From isn at c4i.org Mon Mar 6 05:31:12 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 6 Mar 2006 04:31:12 -0600 (CST) Subject: [ISN] Hey Neighbor, Stop Piggybacking on My Wireless Message-ID: http://www.nytimes.com/2006/03/05/technology/05wireless.html By MICHEL MARRIOTT March 5, 2006 For a while, the wireless Internet connection Christine and Randy Brodeur installed last year seemed perfect. They were able to sit in their sunny Los Angeles backyard working on their laptop computers. But they soon began noticing that their high-speed Internet access had become as slow as rush-hour traffic on the 405 freeway. "I didn't know whether to blame it on the Santa Ana winds or what," recalled Mrs. Brodeur, the chief executive of Socket Media, a marketing and public relations agency. The "what" turned out to be neighbors who had tapped into their system. The additional online traffic nearly choked out the Brodeurs, who pay a $40 monthly fee for their Internet service, slowing their access until it was practically unusable. Piggybacking, the usually unauthorized tapping into someone else's wireless Internet connection, is no longer the exclusive domain of pilfering computer geeks or shady hackers cruising for unguarded networks. Ordinarily upstanding people are tapping in. As they do, new sets of Internet behaviors are creeping into America's popular culture. "I don't think it's stealing," said Edwin Caroso, a 21-year-old student at Miami Dade College, echoing an often-heard sentiment. "I always find people out there who aren't protecting their connection, so I just feel free to go ahead and use it," Mr. Caroso said. 
He added that he tapped into a stranger's network mainly for Web surfing, keeping up with e-mail, text chatting with friends in foreign countries and doing homework. Many who piggyback say the practice does not feel like theft because it does not seem to take anything away from anyone. One occasional piggybacker recently compared it to "reading the newspaper over someone's shoulder." Piggybacking, makers of wireless routers say, is increasingly an issue for people who live in densely populated areas like New York City or Chicago, or for anyone clustered in apartment buildings in which Wi-Fi radio waves, with an average range of about 200 feet, can easily bleed through walls, floors and ceilings. Large hotels that offer the service have become bubbling brooks of free access that spill out into nearby homes and restaurants. "Wi-Fi is in the air, and it is a very low curb, if you will, to step up and use it," said Mike Wolf of ABI Research, a high-technology market research company in Oyster Bay, N.Y. This is especially true, Mr. Wolf said, because so many users do not bother to secure their networks with passwords or encryption programs. The programs are usually shipped with customers' wireless routers, devices that plug into an Internet connection and make access to it wireless. Many home network owners admit that they are oblivious to piggybackers. Some, like Marla Edwards, who think they have locked intruders out of their networks, learn otherwise. Ms. Edwards, a junior at Baruch College in New York, said her husband recently discovered that their home network was not secure after a visiting friend with a laptop easily hopped on. "There's no gauge, no measuring device that says 48 people are using your access," Ms. Edwards said. When Mr. Wolf turns on his computer in his suburban Seattle home, he regularly sees on his screen a list of two or three wireless networks that do not belong to him but are nonetheless available for use. Mr. 
Wolf uses his own wired network at home, but he says he has piggybacked onto someone else's wireless network when traveling. "On a family vacation this summer we needed to get access," Mr. Wolf recalled, explaining that his father, who took along his laptop, needed to send an e-mail message to his boss on the East Coast from Ocean Shores, Wash. "I said, 'O.K., let's drive around the beach with the window open.' We found a signal, and the owner of the network was none the wiser," Mr. Wolf said. "It took about five minutes." Jonathan Bettino, a senior product marketing manager for the Belkin Corporation, a major maker of wireless network routers based in Compton, Calif., said home-based wireless networks were becoming a way of life. Unless locking out unauthorized users becomes commonplace, piggybacking is likely to increase, too. Last year, Mr. Bettino said, there were more than 44 million broadband networks among the more than 100 million households in the United States. Of that number, 16.2 million are expected to be wireless by the end of this year. In 2003, 3.9 million households had wireless access to the Internet, he said. Humphrey Cheung, the editor of a technology Web site, tomshardware.com, measured how plentiful open wireless networks have become. In April 2004, he and some colleagues flew two single-engine airplanes over metropolitan Los Angeles with two wireless laptops. The project logged more than 4,500 wireless networks, with only about 30 percent of them encrypted to lock out outsiders, Mr. Cheung said. "Most people just plug the thing in," he said of those who buy wireless routers. "Ninety percent of the time it works. You stop at that point and don't bother to turn on its security." Martha Liliana Ramirez, who lives in Miami, said she had not thought much about securing her $100-a-month Internet connection until recently. Last August, Ms.
Ramirez, 31, a real estate agent, discovered a man camped outside her condominium with a laptop pointed at her building. When Ms. Ramirez asked the man what he was doing, he said he was stealing a wireless Internet connection because he did not have one at home. She was amused but later had an unsettling thought: "Oh my God. He could be stealing my signal." Yet some six months later, Ms. Ramirez still has not secured her network. Beth Freeman, who lives in Chicago, has her own Internet access, but it is not wireless. Mostly for the convenience of using the Internet anywhere in her apartment, Ms. Freeman, 58, said that for the last six months she has been using a wireless network a friend showed her how to tap into. "I feel sort of bad about it, but I do it anyway," Ms. Freeman said of her Internet indiscretions. "It just seems harmless." And if she ever gets caught? "I'm a grandmother," Ms. Freeman said. "They're not going to yell at an old lady. I'll just play the dumb card." David Cole, director of product management for Symantec Security Response, a unit of Symantec, a maker of computer security software, said consumers should understand that an open wireless network invites greater vulnerabilities than just a stampede of "freeloading neighbors." He said savvy users could piggyback into unprotected computers to peer into files containing sensitive financial and personal information, release malicious viruses and worms that could do irreparable damage, or use the computer as a launching pad for identity theft or the uploading and downloading of child pornography. "The best case is that you end up giving a neighbor a free ride," Mr. Cole said. "The worst case is that someone can destroy your computer, take your files and do some really nefarious things with your network that gets you dragged into court." Mr.
Cole said Symantec and other companies had created software that could not only lock out most network intruders but also protect computers and their content if an intruder managed to gain access. Some users say they have protected their computers but have decided to keep their networks open as a passive protest of what they consider the exorbitant cost of Internet access. "I'm sticking it to the man," said Elaine Ball, an Internet subscriber who lives in Chicago. She complained that she paid $65 a month for Internet access until she recently switched to a $20-a-month promotion plan that would go up to $45 a month after the first three months. "I open up my network, leave it wide open for anyone to jump on," Ms. Ball said. For the Brodeurs in Los Angeles, a close reading of their network's manual helped them to finally encrypt their network. The Brodeurs told their neighbors that the network belonged to them and not to the neighborhood. While apologetic, some neighbors still wanted access to it. "Some of them asked me, 'Could we pay?' But we didn't want to go into the Internet service provider business," Mrs. Brodeur said. "We gave some weird story about the network imposing some sort of lockdown protocol." Andrea Zarate contributed reporting from Miami for this article, and Gretchen Ruethling from Chicago. From isn at c4i.org Mon Mar 6 05:31:30 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 6 Mar 2006 04:31:30 -0600 (CST) Subject: [ISN] Symantec Takes Heat For Changing Adware Advice Message-ID: http://www.informationweek.com/news/showArticle.jhtml?articleID=181500850 By Gregg Keizer Mar 3, 2006 Symantec's out-of-court settlement with an adware maker is a loss for users, an anti-spyware researcher said this week. Friday, Feb. 24, the Cupertino, Calif. security company announced that it had dismissed its lawsuit against browser and e-mail toolbar maker Hotbar.com, Inc. 
Last June, Symantec filed a zero-dollar suit against the New York company, saying then that it was seeking a legal ruling that would affirm the position that Hotbar's programs "are indeed adware and can be treated as computer security risks." Under the new arrangement struck with Hotbar, Symantec has agreed to dismiss the lawsuit but will still classify the company's software as "adware." Symantec called it a victory. "What we got out of this was peace from these guys," said Joy Cartun, Symantec's senior director of legal affairs. "We didn't change our detection, so in that way we won." Hotbar, which had hounded Symantec with at least five litigation threats in the first half of 2005, is now blocked from any further action, said Cartun. "We get them to go away, but without having to make a change in our detection of them [as adware]." Hotbar's chief executive, however, was convinced that he had won. "Both sides now recognize that our application is disclosing its behavior," said Oren Dobronsky. "We've gained that recognition, so that when users scan for spyware, they don't get some kind of alert and by default, then remove it." Symantec acknowledged that although its security software will continue to detect Hotbar's products as adware, it has changed the recommendation it gives to customers. Previously, Symantec recommended that users delete Hotbar; now, says Symantec, it's reclassified Hotbar's toolbars as "low-risk" and recommends that users ignore the software and let it be. "We're telling users what it is, and assisting them to make a choice [whether to keep or remove Hotbar]," argued Symantec's Cartun. She also claimed that Symantec had been thinking of making the change long before Hotbar started complaining. "The change was driven not by Hotbar, but from what we learned what our customers wanted. They wanted guidance," she said. "The change was on a totally independent track [from the lawsuit]." Noted anti-spyware researcher Ben Edelman isn't buying that. 
By backing down on its recommendation from delete to ignore, said Edelman, Symantec's not serving its customers. "If I was an IT guy paying Symantec to defend my computers, I'd ask 'what are we paying them for, I still see Hotbar on a user's computer,'" said Edelman. "Something's gone wrong at Symantec." This isn't the first time that an anti-spyware maker has backed off from a vendor. A year ago, Microsoft quietly changed the advice it gave users on programs supplied by Claria, one of the largest adware purveyors. The resulting storm in the press and by bloggers forced Microsoft to issue an open letter to customers explaining why it made the changes. Symantec's move is more of the same, said Edelman. "They just don't get it. Whether software gets consent from users to install isn't the only thing they should be looking at." He questioned whether users of Hotbar understood they would get pop-up, pop-under, and auto-opening ads when they consented to the installation, and criticized the company for targeting kids with come-ons to download and install their toolbars. "Children may be less able to assess the merits of a Hotbar offer," Edelman wrote on his Web site in an analysis of Hotbar done last May. "[They're] less able to determine whether Hotbar software is a good value, less likely to realize the privacy and other consequences of installing such software, less inclined to examine a lengthy license agreement." Symantec and other security vendors claiming to sniff out adware and spyware should take factors like those into account, Edelman told TechWeb. "Unfortunately, this isn't the kind of analysis that comes naturally to security experts," he said. "They're used to thinking of worms as all bad, and they're not in a position to shift gears to more subjective decisions." Still, Edelman's hopeful, if not because of the Symantec dismissal, then because of the general trend he sees shaping up. "What's interesting is how much things have changed since last spring.
Then, there were new letters going out to anti-spyware companies every week. That's stopped as far as we know. "Why? I think the legal merits have sunk in, and that adware makers know they don't have a leg to stand on." From isn at c4i.org Mon Mar 6 05:30:12 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 6 Mar 2006 04:30:12 -0600 (CST) Subject: [ISN] Trojan horse couple indicted Message-ID: http://www.globes.co.il/serveen/globes/DocView.asp?did=1000067928&fid=1725 Yitzhak Danon Globes 5 Mar 06 The Office of the State Attorney today filed charges with the Tel Aviv District Court against the couple Ruth and Michael Haephrati. The office has also asked that the couple be remanded until the end of proceedings. The Haephrati couple are charged with numerous offences related to industrial espionage. Ruth Haephrati is to be charged with aggravated fraud, inserting material and viruses into a computer (the Trojan horse), unlawful wire tapping, invasion of privacy and unlicensed management of a database. Michael Haephrati is to be charged with aiding and abetting his wife in the committing of the offences listed above. According to the indictment, Michael Haephrati conceived and developed the Trojan horse software back in 2000 and subsequently attempted to offer it lawfully to various security bodies. In mid-2004, he used Ruth Haephrati, who handled the marketing activities, to contact the private investigators involved in the affair, with a view to using the software for criminal purposes. The investigators in question used the software to access information regarding competitors or other private entities, on behalf of their corporate or private clients. The State Attorney's office stressed that the investigation into the companies and individuals who commissioned the industrial espionage was ongoing. It also listed the types of data that had been accessed by the Trojan horse software used to hack into victims' computers.
These include documents created using word processing software, electronic spreadsheets, slide presentations, scanned documents and others. The material accessed by the hackers contained expensive and sensitive intellectual property. The Trojan horse also provided real-time sensitive images of material being viewed on hacked computers as well as recordings of voice communications conducted between infected machines. Also accessed were email correspondence, passwords typed on the keyboards of hacked computers, a list of all texts typed on them, as well as lists of archived files and websites visited. From isn at c4i.org Tue Mar 7 01:12:23 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Mar 2006 00:12:23 -0600 (CST) Subject: [ISN] Oracle on track of secure search Message-ID: http://australianit.news.com.au/articles/0,7204,18341811%5E15841%5E%5Enbv%5E,00.html Bloomberg MARCH 07, 2006 ORACLE, the world's third-biggest software maker, has begun selling software that allows users to search only personal data on their work computers such as email, word documents and calendar appointments. Chief executive Larry Ellison says the California company's new search program "is one of the biggest products in years," and may help draw users away from Google, which also offers software for searching content on computers and operates the world's most-used internet search site. "Google has always had a good search, but it was the security side that it's not good at," Ellison told reporters at the annual Oracle OpenWorld Tokyo 2006 conference in Japan. "We have the security problem solved. That's what we're good at, and that's the hard part of the problem." The business-oriented Oracle Secure Enterprise Search 10g, which the company began offering worldwide today, uses a crawler that categorises what files a user can or cannot access depending on its security policies.
To run the search, the user needs a password, and the results are tailored to the specific user's security settings. The software is downloadable for a free trial, Oracle Japan public relations director Takeo Tamagawa says. He declines to comment on how much the software will cost. "No one yet has done a good job of securely searching private data, even though private data is the most valuable. "Most people want to search private data much more often than they need to search public data," Ellison says. Ellison says he is also striving to make Oracle the top software maker for business systems through its "global strategy of innovation and acquisition." "In software, the more customers you have for a product, the more you can invest in research and development to make that product better," he says. "The top position is critical in allowing you to invest in engineering and continue to improve and innovate." After the $US10.6 billion takeover of PeopleSoft in January 2005, Oracle is now the world's biggest maker of software for handling payrolls and other human resource tasks, he says. The January 31 acquisition of California-based Siebel Systems also makes Oracle "a world leader" in customer relationship management, Ellison says. In enterprise resource planning software, which provides applications to help business manage product planning, parts purchasing and inventory management, Oracle is second, behind Germany's SAP, he says. From isn at c4i.org Tue Mar 7 01:12:35 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Mar 2006 00:12:35 -0600 (CST) Subject: [ISN] Server hack at Georgetown Univ. probed Message-ID: http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,109245,00.html By Jaikumar Vijayan MARCH 06, 2006 COMPUTERWORLD Georgetown University in Washington has called in the U.S. 
Secret Service to investigate a server breach that may have exposed confidential information including the names, dates of birth and Social Security numbers belonging to more than 41,000 people. The breach appears to have been caused by an external hacker and involved a server that was being managed by a Georgetown University researcher as part of a grant to manage information on the various services provided through the District of Columbia's Office of Aging, according to a university statement released Friday. The breach was first discovered during routine internal monitoring of university networks by Georgetown's information security office on Feb. 12, according to Erik Smulson, a university spokesman. The server that was compromised was immediately disconnected from the network. But because "it took some time to recognize the scope and nature of the exposure, the computer intrusion was not disclosed to the Office on Aging until Feb. 24," he said. Law enforcement officials were notified on Feb. 27, and the Secret Service took custody of the compromised server for forensic testing the next day. Only data that was on the Office of Aging server was compromised, Smulson said. He added that the breach did not affect any of the university's core computer systems containing financial and admission records. There is no evidence that the compromised information has been misused so far, he said. Georgetown University is now notifying the people whose information may have been exposed in the incident, Smulson said. But that task is complicated by the fact that the breached server contained records dating to 1983 on people who may be now deceased, he said. "We are making every reasonable effort to notify affected individuals," he said. Georgetown has established a toll-free phone number, 1-866-740-2458, and a Web site http://identity.georgetown.edu where people can get more information.
According to a university source close to the incident who requested anonymity, the server in question was under the control of an individual who was not technically qualified to be a systems administrator. "Because we're a university and fairly open, there are many computing fiefdoms all over the place," often run by individuals with grant money, the source said in an e-mail. Because the university information system office has not figured out a way to manage these independently run computing environments, there can be gaps in security, he said. In an e-mail informing the university community about the incident, Georgetown's CIO, David Lambert, said the broad base of research and service programs conducted across campus "creates an additional responsibility for every research principal investigator, department chair and program director in the university to focus attention on information security. "As part of our increased focus on the security of all systems in the Georgetown network, the security office will launch a program throughout the spring and summer focused on enhancing the security of confidential information contained on campus and departmental servers," Lambert said without elaborating. From isn at c4i.org Tue Mar 7 01:13:24 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Mar 2006 00:13:24 -0600 (CST) Subject: [ISN] REVIEW: "Practical Internet Law for Business", Kurt M. Saunders Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" BKPRILFB.RVW 20051117 "Practical Internet Law for Business", Kurt M. Saunders, 2001, 1-58053-003-6, U$73.00 %A Kurt M. 
Saunders %C 685 Canton St., Norwood, MA 02062 %D 2001 %G 1-58053-003-6 %I Artech House/Horizon %O U$73.00 800-225-9977 fax: 617-769-6334 artech at artech-house.com %O http://www.amazon.com/exec/obidos/ASIN/1580530036/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1580530036/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1580530036/robsladesin03-20 %O Audience s- Tech 1 Writing 2 (see revfaq.htm for explanation) %P 162 p. %T "Practical Internet Law for Business" The preface states that this book is intended to allow business and system managers to understand the legal issues surrounding electronic commerce. Chapter one provides a brief and basic historical overview of the Internet, stressing the decentralized nature, and the fact that nobody is in charge. Jurisdiction, and the rulings in regard to it, are discussed in chapter two. (Somewhat ironically, in view of the topic, while international decisions are mentioned, the material is definitely oriented to the legal system of the United States.) Encryption is the topic of chapter three, which deals with export controls on cryptographic software (even though the regulations have been extensively liberalized) and electronic signature laws (even though many of these laws allow for completely unencrypted "signatures"). Chapter four very briefly examines the issue of trade secrets, seemingly without much relation to the Internet. Trademarks, on the other hand, do have a great deal of relevance to the net in cybersquatting cases and the like, and are addressed in chapter five. Some of the material on copyright, in chapter six, repeats content dealt with in chapter five. Chapter seven provides an interesting and detailed examination of email privacy in the workplace. Chapter eight is rather vague, since its definition of "online crime" is not very specific. 
(Some of the case law presented is also reported simplistically: the account of United States vs Thomas, for example, does not deal with the issue of community standards that made the material legal in California but not in Tennessee.) The book closes with patent law, in chapter nine (oddly separated from the other intellectual property topics in chapters four to six), most of which deals with the non-patentability of software. This work is a lot about law, and not very much about the Internet. How practical it may be is a question that individual readers will have to answer. copyright Robert M. Slade, 2005 BKPRILFB.RVW 20051117 ====================== (quote inserted randomly by Pegasus Mailer) rslade at vcn.bc.ca slade at victoria.tc.ca rslade at sun.soci.niu.edu We are currently being told to follow our bliss. However, tradition tells us that ignorance is bliss. Taking these two statements together would explain a lot about modern society. http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade From isn at c4i.org Wed Mar 8 02:10:08 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Mar 2006 01:10:08 -0600 (CST) Subject: [ISN] Korea Goes From Computer Security Threat to Victim Message-ID: http://english.chosun.com/w21data/html/news/200603/200603070011.html Mar. 7, 2006 Korea is increasingly becoming a target of hackers who seek to steal Internet users' personal information while shedding its dubious status as a leading threat to online security. The "Internet Security Threat Report" released by the online security firm Symantec on Monday ranks Korea 10th as a source of security attacks in the second half of 2005, down from ninth in the first half and a shaming second in 2002. The report is produced by analyzing logging records in firewalls and attack detection systems of Symantec's 20,000 corporate customers in 180 countries. South Korea was the world's no. 2 after the U.S. 
as a source of spam in the first half of last year, accounting for 14 percent of spam messages in the world, but the nation improved to third place with the figure declining to 9 percent from July to December. However, Korea moved up to fifth place from sixth in terms of infection with bots, malicious programs which provide hackers with unauthorized control of a computer to steal confidential information or attack specific websites. By using bots, hackers are able to stop individual computers or corporate computer systems from working when they want and to steal financial data and other confidential information to cause large-scale security failures. Symantec claims this means nations around the world need to strengthen computer system security. China has joined countries on the security black list after it moved up to second place following the U.S. as a source of security attacks. The number of attacks from China increased by 153 percent in the second half of 2005, 72 percentage points more than the global average of 81 percent. China also rose to second place as a source of spam, responsible for 12 percent, up from fourth place in the first half. From isn at c4i.org Wed Mar 8 02:10:21 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Mar 2006 01:10:21 -0600 (CST) Subject: [ISN] OMB: Modest Gains in Federal Cyber Security Message-ID: http://blog.washingtonpost.com/securityfix/2006/03/omb_modest_improvement_in_fede.html By Brian Krebs March 7, 2006 Federal government agencies have improved their overall computer and network security over the past year, but many agencies are still not doing enough to secure their systems against viruses and other cyber attacks, according to an annual report released by The White House last week. 
The White House's Office of Management and Budget issued the findings as part of its yearly review of how well agencies are meeting the standards set forth in the Federal Information Security Management Act (FISMA), which establishes specific requirements for information security programs at federal agencies. Lawmakers in the U.S. House have used OMB's findings for the past several years to issue "computer security report cards" to federal agencies. Last year, the House Government Reform Committee awarded federal agencies a combined grade of "D-plus" for security in 2004, up from a "D" in 2003. Another round of report cards is likely to be issued later this month. Among the improvements in 2005, the OMB cited a 32 percent increase in the number of federal systems that were certified and accredited as secure, a 28 percent increase in the number of systems tested with cyber attack contingency plans, and "modest" increases in the development of agencywide plans to address persistent computer security problems. However, the OMB also pointed to continued weaknesses in several key areas, including the oversight of work done by outside contractors. According to the report, at least six of the 24 agencies reviewed said they only "rarely" or "sometimes" reviewed whether work done by contractors met the government's minimum security requirements. The report also cited a 4 percent drop in the number of systems tested annually for computer security weaknesses. The OMB found that federal agencies spent $5 billion securing government systems -- or 8 percent of the total federal information-technology budget of $62 billion. During this period, the total number of reported computer systems increased by 19 percent to 10,289. The Department of Homeland Security, which is trying to keep track of digital attacks against federal civilian systems, tracked 3,569 reported security "incidents" in 2005. 
These ranged from infections by computer viruses and worms to distributed denial-of-service attacks, which use thousands of hacked PCs to overwhelm a Web site with so much traffic that legitimate users are shut out. Of those incidents, 1,806 involved some type of malware and 31 were distinct DDOS attacks. Another 304 were related to some form of unauthorized access. But according to OMB, those numbers almost surely mask a much larger number of attacks: "DHS continues to find sporadic reporting by some agencies and unusually low levels of reporting by others. Less than full reporting hampers the government's ability to know whether an incident is isolated at one agency or is part of a larger event, e.g., the widespread propagation of an Internet worm." OMB said that in an effort to address this problem, DHS has installed at three agencies (and has funding to install at six others) an automated tool that "monitors network flow information and ... transmits data to DHS." The White House didn't elaborate on what kind of monitoring that "tool" does exactly, but it probably warrants closer scrutiny. From isn at c4i.org Wed Mar 8 02:10:34 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Mar 2006 01:10:34 -0600 (CST) Subject: [ISN] Soldiers use tech skills in Camp Parks cyber-attack simulation Message-ID: http://www.insidebayarea.com/trivalleyherald/localnews/ci_3578646 By Ben Semmes STAFF WRITER 03/07/2006 CAMP PARKS - Capt. Joe Salazar may never have guessed that the skills he learned tinkering with computers when he was younger would prove useful in the Army. But Salazar, 34, who works as a systems administrator for Lockheed Martin in Sunnyvale, and a number of other high-tech workers are utilizing their computer skills in a special unit of the Army Reserve based at Camp Parks in Dublin. 
A member of the Army Reserve Information Operations Command's western operations center, Salazar, along with about 60 other soldiers, was busy last week fighting off viruses and other mock cyber-threats as part of the unit's second annual drill. Comprised of 300 full- and part-time soldiers nationwide, the unit was created in 2001 to provide defensive tech-support to the U.S. Army to protect vital computer systems from enemy hackers. The soldiers working in the unit have brought their tech skills developed in Silicon Valley to literally the front lines of digital warfare. Although Salazar earned a degree in legal studies from the University of California, Berkeley, he said it was his computer hobby that led to a job at Lockheed and ultimately to his position in the Army Reserve, which he joined in 1991. "(Currently) I'm rebuilding a laptop that was hit by a vulnerability," Salazar said, describing one of his many responsibilities during last week's four-day drill. The exercise was also a nationwide competition between all five Information Operations Commands - located at Camp Parks, Massachusetts, Maryland, Texas and Pennsylvania - to see which team acted most effectively in keeping critical network services up and running. During the exercise, Army personnel located in Maryland acted as hackers, attempting to infiltrate the network and cause havoc across the system. It was Salazar's job to fix the problem once other soldiers identified it. "What scan are we being hit by here?" Salazar yelled to Chief Warrant Officer Tom Millar, another reservist in the unit who works as an information technology specialist at Santa Clara University. "The stuff I can do at work is more restricted than what I can do as a reservist," Salazar said. As a reservist, Salazar must work at least one weekend a month in addition to the required two weeks a year, and he said this is not a problem with his employer. 
Fred Conley, Salazar's boss and head of the management information systems department at Lockheed, said the company holds the vast majority of its contracts with the U.S. Department of Defense and understands the responsibilities of men and women in uniform. "We as a company are supportive of all our (military people)," he said. "We will keep their job open as long as they are actively deployed. As for the more normal use of reservists, as policy we allow them to take three weeks with pay." Salazar's fellow soldiers in the Information Operations Command are employed by Microsoft, Dell, Cisco Systems, Symantec and Mitre among other companies, said unit commander Lt. Col. Darryl Hensley. The soldiers in the Camp Parks unit are clearly a source of pride for Hensley and he said he's hoping for a repeat of last year's performance when they won the first national competition. "The laptop is our rucksack," Hensley said. "I don't want to say that the laptop is our weapon because (our operations are) all defensive." From isn at c4i.org Wed Mar 8 02:11:01 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Mar 2006 01:11:01 -0600 (CST) Subject: [ISN] Citibank cards pulled after network breach Message-ID: http://www.networkworld.com/news/2006/030706-citibank-network-breach.html By Robert McMillan IDG News Service 03/07/06 Citigroup is reissuing MasterCard credit and debit cards used in the U.K., Russia and Canada, saying they may have become compromised following an unspecified breach of its network. "Last year, Citibank and our customers were the victims of a third-party business' information breach," the company said Wednesday in a statement. "In mid-February, we detected several hundred fraudulent cash withdrawals in three countries. We are currently reissuing cards, as appropriate, to affected customers." 
In an earlier statement, published in media outlets, Citigroup said that the accounts may have been compromised in "previous retailer breaches in the U.S.," and that the company was aware of fraudulent ATM cash withdrawals being made in the U.K., Russia, and Canada. The company did not say how many cards were affected by these breaches. Citigroup, which does retail banking under the name Citibank, did not provide any details on the retailer breaches that prompted this action, but it said it has blocked PIN-based transactions on some cards in those three countries. Last week Wal-Mart Stores' Sam's Club members-only retail chain confirmed that it was looking into a possible compromise of its fuel station point of sale system. But no PINs were used in any of the fraudulent transactions reported in this case, which involved about 600 cards, according to Wal-Mart. News of the Citigroup breach first surfaced over the weekend, when Boing Boing Web site contributor Jake Appelbaum reported that he had been unable to use a Citibank ATM card in Toronto. After calling Citibank customer service on Saturday night, Appelbaum was told that he would have to return to the U.S. to change his PIN before the ATM component of his card would be usable again. "They told me by using my ATM card on the Canadian network it automatically locked the ATM portion of my card," he said in an interview Tuesday. The MasterCard portion of the card continued to work normally, but Appelbaum was left frustrated by the fact that he was unable to access the cash in his bank account as he waits for a reissued card, and that Citibank could not say whether the new card will work in Canada. "I was dumbfounded by that," he said. "It was the worst customer service I've ever heard of from a bank." He had some advice for Citibank customers travelling abroad. "Cancel your account and get a new bank," he said. 
"I'm going to close my Citibank account, not just because of the security problems, but because of the way they deal with their customers when they're stranded." From isn at c4i.org Wed Mar 8 02:11:17 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Mar 2006 01:11:17 -0600 (CST) Subject: [ISN] Mac OS X hacker tale rebuked Message-ID: http://www.macworld.co.uk/news/index.cfm?NewsID=14029 By Macworld staff March 07, 2006 A new Mac OS X hacker competition has been launched at the University of Wisconsin. The competition ends on Friday March 10. Hackers are being asked to change the front page of a website that's stored on a Mac mini: "Running Mac OS X 10.4.5 with Security Update 2006-001, two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open." The competition is a response to a report on ZDNet news this week, which claimed a hacker had managed to break into Mac OS X in under half an hour. What that report didn't explain was that anyone who wanted to try to hack that test Mac was given a local account on the machine which could be accessed using SSH. This effectively put the hacker in front of the machine and made the exercise much easier to accomplish. The organisers of the new Mac hack competition said: "Yes, there are local privilege escalation vulnerabilities for OS X; likely some that are 'unpublished'. But this machine was not hacked from the outside just by being on the internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction." Most consumer Macs won't hold user accounts for unknown people, won't have any ports open and will most likely be behind a firewall, making the earlier Mac OS X hacking exercise unrepeatable. Macs cannot be hacked "just by being on the internet", the competition organisers stressed. 
From isn at c4i.org Thu Mar 9 01:33:10 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:33:10 -0600 (CST) Subject: [ISN] Blacklists Aren't for Everyone Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. St.Bernard Software http://list.windowsitpro.com/t?ctl=230B5:4FB69 8e6 Technologies http://list.windowsitpro.com/t?ctl=230C1:4FB69 ==================== 1. In Focus: Blacklists Aren't for Everyone 2. Security News and Features - Recent Security Vulnerabilities - Oracle Secures Search with Authorized Results - RedBrowser Trojan Targets J2ME-based Phones - Viruses Jump from PCs to Mobile Devices 3. Security Toolkit - Security Matters Blog - FAQ - Share Your Security Tips 4. New and Improved - Limit User Privileges and Block Unwanted Apps ==================== ==== Sponsor: St.Bernard Software ==== The Next Generation in Patch Management At last, a unique solution that speeds the tedious tasks of system vulnerability management with automated patching and settings configuration features found in no other solution: - Manage an entire distributed network, including remote and disconnected machines, from a central console - Assign Roles and Rights for optimum IT staffing and security - Provide dual system security with integrated security settings management - Wake on LAN lets you successfully patch machines that are turned off - Low acquisition and renewal pricing and flexible licensing model Download your free trial today and find out how easy and cost- effective securing your systems can be. Download Now! http://list.windowsitpro.com/t?ctl=230B5:4FB69 ==================== ==== 1. 
In Focus: Blacklists Aren't for Everyone ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Last week, I wrote about blacklist services (the article is at the URL below), and I received some responses that I'll share with you this week. http://list.windowsitpro.com/t?ctl=230BA:4FB69 One reader wrote to say that, lately, Spam and Open Relay Blocking System (SORBS) "is blocking almost all email from Yahoo, Hotmail, and some other large ISPs." He has quit using SORBS because it caused problems for a few clients. Another reader also wrote about his problem with SORBS. He said that "one of our main mail servers received a piece of spam with a forged From address that went to one of [SORBS's] honeypots. We received an email to a nonexistent [email address] and sent a nondelivery response to the forged address at the honeypot. The result of a single email sent last November was that any [host on the Internet] using SORBS regarded our email server as a spam sender. The email had originated in Brazil and our email server was just the last link in the chain." He then described his ordeal in trying to get his server removed from SORBS's database. At the SORBS site (URL below), you'll read that "affected IPs [of the mail server which sent spam] will only be delisted when US$50 is donated to a SORBS nominated charity or good cause. The charities and good causes SORBS approves will not have any connection with any member of the SORBS administrators, either past or present." I have no problem with donating to charity, but trying to force that on people is unprofessional and unreasonable. The reader found an alternative way to have his IP address removed from the SORBS database, but SORBS doesn't make the alternative clear on its Web site. 
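The second reader's listing came from backscatter: the server accepted mail for a nonexistent mailbox and then bounced it to the forged From address, which happened to be a SORBS honeypot. The following Python model, added here as an illustration and not code from the newsletter, SORBS or any mail product, shows the two pieces of an inbound policy that address this: building the reversed-octet name a DNSBL client looks up (the zone dnsbl.example, the listed address 192.0.2.10 and its 127.0.0.2 answer are constructed stand-ins for a real service) and rejecting unknown recipients at RCPT TO instead of accepting and bouncing. It compares both policies on the same forged message and shows which one generates a bounce to the forged sender.

```python
"""Model of an inbound SMTP policy: DNSBL check at connect time and
recipient validation at RCPT TO, contrasted with accept-then-bounce.

Everything here is constructed for illustration: the DNSBL zone,
the listed address, the local mailbox table and the fake resolver.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed local mailbox table (stands in for a directory lookup).
LOCAL_MAILBOXES = {"alice@example.com", "bob@example.com"}

# Hypothetical DNSBL zone and a fake resolver table: query name -> A answer.
DNSBL_ZONE = "dnsbl.example"
FAKE_DNS: Dict[str, str] = {"10.2.0.192.dnsbl.example": "127.0.0.2"}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the name a DNSBL client queries: octets reversed, zone appended.
    192.0.2.10 against dnsbl.example becomes 10.2.0.192.dnsbl.example."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Stand-in for a DNS A lookup; a real client would use the resolver."""
    return FAKE_DNS.get(name)


def is_listed(ip: str) -> bool:
    """A DNSBL lists an address by answering the query (usually 127.0.0.x)."""
    return resolve_a(dnsbl_query_name(ip)) is not None


def handle_session(client_ip: str, mail_from: str, rcpt_to: str,
                   policy: str) -> Tuple[List[str], List[Dict[str, str]]]:
    """Simulate one SMTP delivery attempt.

    policy is "reject_at_rcpt" (recipient validated during the SMTP
    dialogue) or "accept_then_bounce" (accept everything, bounce later).
    Returns the server's responses and any bounces it would send."""
    responses: List[str] = []
    bounces: List[Dict[str, str]] = []

    # Connect time: a listed client is refused before any message data.
    if is_listed(client_ip):
        responses.append("554 5.7.1 Service unavailable; client host listed")
        return responses, bounces

    responses.append("250 2.1.0 Sender OK")  # MAIL FROM accepted

    if rcpt_to not in LOCAL_MAILBOXES:
        if policy == "reject_at_rcpt":
            # The sending MTA learns of the failure in-session; nothing is
            # queued, so no bounce can be sent to a forged address.
            responses.append("550 5.1.1 User unknown")
            return responses, bounces
        # accept_then_bounce: the message is queued and only then found
        # undeliverable, so an NDR goes to whatever MAIL FROM claimed.
        responses.append("250 2.1.5 Recipient OK")
        responses.append("250 2.0.0 Queued")
        if mail_from:  # the null sender (<>) never receives bounces
            bounces.append({"to": mail_from, "reason": "User unknown"})
        return responses, bounces

    responses.append("250 2.1.5 Recipient OK")
    responses.append("250 2.0.0 Queued")
    return responses, bounces


if __name__ == "__main__":
    forged = "honeypot@forged.example"  # constructed forged From address
    for pol in ("accept_then_bounce", "reject_at_rcpt"):
        resp, ndr = handle_session("198.51.100.7", forged,
                                   "nobody@example.com", pol)
        print(pol, resp[-1], "bounces:", ndr)
```

Run stand-alone, the script shows that accept-then-bounce produces one NDR addressed to the forged sender while reject-at-RCPT produces none; the 5xx code reaches the connecting host, which is the only party that can act on it.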
http://list.windowsitpro.com/t?ctl=230C2:4FB69 In my tests, the SORBS blacklist service was only marginally better than the service provided by dnsbl.net.au (DNS server: t1.dnsbl.net.au), so I might not continue using SORBS in light of what the two readers have revealed. A third reader wrote to "strongly disagree with your recommendation to use blacklists, even though they are effective. My opinion is based on the fact that it is very easy to get blacklisted even without reason and very difficult to get out of the blacklist. This can cause long delays with email delivery and sometimes businesses depend on it--even though they shouldn't. I also don't like the attitude of some of the service providers for blacklisting, it is very frustrating to contact them." What I recommend is that you do what works for your particular networks. If you find that blacklists work and aren't much of a management problem, then use them--they can be very effective. On the other hand, if you experience trouble with an entity such as SORBS, it might be best to drop that service in favor of another. Some readers also offered comments about filtering particular languages. I think that some readers took offense to such filtering. I truly meant no offense. My point is simply that if no one in your organization reads a particular language, then any inbound mail in that language can be dropped. For example, approximately 48 percent of the email received by the mail servers I tested appears to be written in Asian languages--in particular, Japanese, Korean, and Taiwanese. None of the people that those mail servers support read any Asian languages, so we set the filters to drop all Asian language mail. As a result, processing overhead is reduced. ==================== ==== Sponsor: 8e6 Technologies ==== Stop Spyware Now - Free White Paper! Spyware remains a problem for most companies, disrupting productivity, wasting time and money. 
Now 8e6 Technologies' free White Paper proposes breakthrough solutions to counteract the Spyware problem: recognize potential infections, stop unauthorized programs at the source. Get the Free White Paper: http://list.windowsitpro.com/t?ctl=230C1:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=230B0:4FB69 Oracle Secures Search with Authorized Results Oracle announced its new enterprise search engine, Secure Enterprise Search 10g. One difference between Oracle's solution and other search engines is that Oracle's will return only the results that a person is authorized to access. http://list.windowsitpro.com/t?ctl=230BB:4FB69 RedBrowser Trojan Targets J2ME-based Phones The first malware was discovered that intentionally targets mobile phones that use Sun Microsystems' Java 2 Platform, Micro Edition (J2ME). Dubbed RedBrowser, the Trojan horse program tries to send text messages to a high-cost toll number in Russia. According to Kaspersky Lab, the mobile phone owner is charged between $5 and $6 for accessing the toll number. http://list.windowsitpro.com/t?ctl=230B8:4FB69 Viruses Jump from PCs to Mobile Devices Docking your mobile device to your PC is no longer without considerable risk. The Mobile Antivirus Researchers Association (MARA) reported the first virus that can jump from a PC to a Windows CE or Windows Mobile device. The virus was sent to MARA anonymously. http://list.windowsitpro.com/t?ctl=230BD:4FB69 ==================== ==== Resources and Events ==== DevConnections Europe Early Bird Special extended through 15 March Four conferences for the price of one! Don't miss DevConnections Europe--coming to Nice, France, April 24-27, 2006. 
http://list.windowsitpro.com/t?ctl=230B6:4FB69 Use virtualization technology to leverage your IT assets, address critical business needs, and get the most out of your existing hardware with Windows Server 2003 R2. Live Event: April 4, 12:00 pm EST http://list.windowsitpro.com/t?ctl=230AB:4FB69 Learn the best ways to manage your email security (and fight spam) using a variety of solutions and tips. http://list.windowsitpro.com/t?ctl=230AE:4FB69 Efficiently replicate file changes across WANS without worrying about your remote server backups using the improved Distributed File System in WSS R2. Live Event: March 14, 12:00 pm EST http://list.windowsitpro.com/t?ctl=230AC:4FB69 SPECIAL PODCAST OFFER: Expert Ben Smith describes the benefits of using server virtualization to make computers more efficient. http://list.windowsitpro.com/t?ctl=230AF:4FB69 ==================== ==== Featured White Paper ==== Manage your data growth, improve reliability, and speed data recovery using continuous data protection. http://list.windowsitpro.com/t?ctl=230AD:4FB69 ==================== ==== Hot Spot ==== Automate IT security compliance now! FREE White Paper demonstrates how you can reduce time spent on IT policy compliance by as much as 90%, while improving your security posture. Cambia's agentless software continuously discovers all changes to network assets, intelligently determines which changes pose a risk to security and compliance and works with administrators to fix breaches quickly. http://list.windowsitpro.com/t?ctl=230C0:4FB69 ==================== ==== 3. Security Toolkit ==== Security Matters Blog: Network Security Toolkit 1.4.0 by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=230BF:4FB69 This excellent bootable toolkit has been updated with several useful enhancements, including an updated OS, new Web interfaces, and updates to included applications. Learn more in the blog article. 
http://list.windowsitpro.com/t?ctl=230BC:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=230BE:4FB69 Q: How can I delegate permission for a user or group to control certain services? Find the answer at http://list.windowsitpro.com/t?ctl=230B9:4FB69 Share Your Security Tips and Get $100 Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Windows IT Pro Magazine Article Library--access available Sign up for a Monthly Online Pass and get INSTANT access to all articles, tools, and helpful resources published on WindowsITPro.com, including exclusive subscriber-only content. You'll get 24/7 access to the full Windows IT article library (includes more than 9,000 articles) and get the latest digital issue of Windows IT Pro delivered right to your inbox. Sign up now: http://list.windowsitpro.com/t?ctl=230B2:4FB69 Windows IT Pro Magazine--SAVE 58% Windows IT Pro is a must-have in 2006! Subscribe now and plug into the largest independent Windows IT community in the world. Along with loads of how-to articles, time-saving advice, and expert tips and solutions, you'll gain exclusive access to the entire online Windows IT Pro article library FREE. This is a limited-time offer, so order now: http://list.windowsitpro.com/t?ctl=230B1:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products at windowsitpro.com Limit User Privileges and Block Unwanted Apps Winternals Software announced the release of Protection Manager, which enables granular control of user and application privilege levels and blocks all unauthorized executables. 
You install Protection Manager on a central console and deploy it to clients throughout the network. Then for each user role, you can specify one of four execution attributes for each application: denied from executing under any circumstances, allowed to execute with administrator privileges when required, allowed to execute in the user's context with limited user privileges, or allowed to execute normally. Protection Manager is licensed by server and workstation and works with Windows Server 2003, Windows XP, and Windows 2000 computers; for more information, go to http://list.windowsitpro.com/t?ctl=230B7:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com. ==================== ==== Contact Us ==== About the newsletter -- letters at windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=230C3:4FB69 About product news -- products at windowsitpro.com About your subscription -- windowsitproupdate at windowsitpro.com About sponsoring Security UPDATE -- salesopps at windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=230B4:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2006, Penton Media, Inc. All rights reserved. 
From isn at c4i.org Thu Mar 9 01:33:24 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:33:24 -0600 (CST) Subject: [ISN] Debit Card Fraud Tied to OfficeMax Breach Message-ID: http://www.eweek.com/article2/0,1895,1935677,00.asp By Paul F. Roberts March 8, 2006 Debit card fraud that has affected customers at a number of credit unions in central Massachusetts is linked to transactions at office supply retailer OfficeMax, according to investigators. Dozens of credit union members in the towns of Leominster and Fitchburg, Mass., have been defrauded of more than $45,000 in the last few weeks by criminals in the United States and abroad, according to law enforcement officials in those towns. The fraudulent transactions involve cloned Visa debit cards and may be linked to the theft of blocks of PINs from OfficeMax or an intermediary processor, sources familiar with the case said. In Leominster, police know of about 40 victims of incidents at a number of credit unions in the area, dating back to Feb. 28, said Detective Scott Wolfeasazder of the Leominster Police Department. New victims are turning up every day, he said. "Just today I found out that City Employees Federal Credit Union had seven accounts accessed, with funds withdrawn from five of them," he said, adding that Leominster Credit Union has had to close 500 debit accounts because of the fraud. Most of the withdrawals are small, up to $500, and many were conducted in Barcelona, Spain, though ATMs in the United States and Canada have also been used. In total, the damages are upwards of $30,000, he said. All the victims the police have reached at this point shopped at OfficeMax and used a Visa debit card, Wolfeasazder said. "That's the common denominator on this end," he said. In neighboring Fitchburg, police know of dozens of residents who have had debit cards used fraudulently, with totals of around $17,000 in damages, said Sgt. Glen Fossa of the Fitchburg Police Department. 
The transactions date back to mid-February and were linked to ATMs in Illinois, Turkey, Great Britain and Switzerland, he said. The random nature of the fraud and its geographic distribution indicate that the stolen information is being fenced on the Internet, investigators say. According to multiple sources, thieves may have made off with PIN blocks, or groups of encrypted debit card PIN information, as well as a key to decrypt the information. That information is being used to format "white cards," or blank magnetic stripe credit cards, according to Fossa and Wolfeasazder. For the card accounts stolen from Leominster and Fitchburg credit union customers, the stolen information appears to be tested in California first, then used for fraudulent transactions all over the world, Detective Wolfeasazder said. Law enforcement does not know if the PIN information was stolen from OfficeMax or a partner company, or whether it was taken in an electronic hack or leaked by an insider. At least one source familiar with the investigation, who asked to remain anonymous because of the ongoing investigation, named OfficeMax as the source of the PIN block information. However, OfficeMax, based in Itasca, Ill., maintains that its network has not been compromised, according to Bill Bonner, the company's spokesperson. "We have no knowledge of a security breach at OfficeMax," he said. Criminals have turned to debit card accounts because they are less well-protected by anti-fraud technology than traditional credit card accounts, said Mike Urban, director of fraud technology operations at FairIsaac, a Minneapolis, Minn., company that monitors ATM and banking fraud. FairIsaac is monitoring a number of ATM fraud incidents around the country and notifies card issuers when it identifies fraudulent activity on an account, Urban said. "We are seeing a significant increase in stolen PIN cards," he said.
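What a "PIN block" is, and why a stolen decryption key is enough to turn one back into a PIN, is easier to see in code. The following is an added example, not anything from the article or from the investigators quoted in it: it builds and reverses an ISO 9564-1 format 0 PIN block, the format commonly carried between ATMs, acquirers and processors. The PAN and PIN are constructed test values, and the encryption step (in deployments, 3DES under a PIN encryption key, which is the kind of key the article says may have been stolen along with the blocks) is left out, so the functions work on the clear PIN block that a holder of that key would obtain after decrypting.

```python
"""ISO 9564-1 format 0 PIN block: build, recover and verify a PIN.

Added example. The PAN and PIN values used in __main__ are constructed test
values, and the 3DES encryption of the block under a PIN encryption key is
deliberately left out: every function here works on the *clear* block that
someone holding the decryption key would get from an encrypted one.
"""


def _pan_field(pan: str) -> int:
    # Format 0 binds the block to the card: 4 zero nibbles followed by the
    # rightmost 12 PAN digits, excluding the final check digit.
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return int("0000" + pan[-13:-1], 16)


def encode_pin_block(pin: str, pan: str) -> str:
    """Return the 16-hex-digit clear PIN block for this PIN on this PAN."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4-12 digits")
    # PIN field: format nibble 0, PIN length nibble, PIN digits, F padding.
    pin_field = int(f"0{len(pin):X}{pin}".ljust(16, "F"), 16)
    return f"{pin_field ^ _pan_field(pan):016X}"


def decode_pin_block(block: str, pan: str) -> str:
    """Recover the PIN from a clear block; needs the PAN it was formed with.

    Raises ValueError when the block does not decode to a well-formed format 0
    PIN field under the supplied PAN (wrong PAN, or a corrupted block).
    """
    pin_field = f"{int(block, 16) ^ _pan_field(pan):016X}"
    if pin_field[0] != "0":
        raise ValueError("not a format 0 block (or wrong PAN)")
    length = int(pin_field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("implausible PIN length; PIN block / PAN mismatch")
    pin, pad = pin_field[2:2 + length], pin_field[2 + length:]
    if not pin.isdigit() or pad != "F" * (14 - length):
        raise ValueError("PIN block / PAN mismatch")
    return pin


def verify_pin(block: str, pan: str, pin: str) -> bool:
    """Host-side check: does this clear block carry this PIN for this PAN?"""
    try:
        return decode_pin_block(block, pan) == pin
    except ValueError:
        return False


if __name__ == "__main__":
    pan, pin = "4000123456789010", "1234"  # constructed test values
    block = encode_pin_block(pin, pan)
    print("clear PIN block:", block)
    print("recovered PIN:  ", decode_pin_block(block, pan))
    # Same PIN, different card: a different block, and the first block does
    # not verify against the second card even though the PIN is identical.
    print("other card:     ", encode_pin_block(pin, "5100987654321099"))
    print("cross-check:    ", verify_pin(block, "5100987654321099", pin))
```

The format XORs the PIN field with the PAN, so a clear block by itself does not display the PIN; but the PAN sits on the card's magnetic stripe track data, which the same fraud already captures, so key plus PAN plus block yields the PIN directly, which is what makes a leaked key so damaging. The decoder refuses any block whose padding does not come out as all F under the supplied PAN; that check is how a processor notices a block presented against the wrong card.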
From isn at c4i.org Thu Mar 9 01:33:43 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:33:43 -0600 (CST) Subject: [ISN] Porn Billing Leak Exposes Buyers Message-ID: http://www.wired.com/news/technology/0,70356-0.html By Quinn Norton Mar. 08, 2006 Seventeen million customers of the online payment service iBill have had their personal information released onto the internet, where it's been bought and sold in a black market made up of fraud artists and spammers, security experts say. The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included. The breach has broad privacy implications for the victims. Until it was brought low by legal and financial difficulties, iBill was a top credit-card processor for adult entertainment websites -- providing billing services for such outlets as DominaBDSM and Top-Nude.com. The transactions documented in the database are dated between 1998 and 2003, spanning a period at the height of iBill's success. The company didn't respond to repeated e-mail and telephone inquiries by Wired News. Two caches of stolen iBill customer data were discovered separately by two security companies while conducting routine research into malicious software online. Southern California-based Secure Science Corporation found the first data file containing records on 17 million individuals on a private website set up by scammers. The site was part of a so-called "phishing" scheme, in which a spamming fraudster poses as a bank or online retailer in an attempt to con consumers out of identification and financial information. Secure Science found that data in February 2005, and reported it to the FBI's Miami field office, the company says. The FBI declined comment.
Last month, Sunbelt Software found an additional list of slightly over 1 million individual entries labeled Ibill_1m.txt on a spamming website. That list appeared to date from 2003. iBill has a troubled history. Founded in 1997 by executives of a Florida-based BBS software developer, by 2002 iBill was a big player in internet billing, processing approximately $400 million in credit card transactions per year, according to SEC filings. The company took 15 percent off the top in fees. Todd Dugas, a former inside sales representative for iBill, estimates that pornography made up 85 percent of the business. But when Atlanta-based InterCept acquired iBill for $120 million in 2002, it immediately encountered problems. New rules from Visa made it more complicated and costly to process adult website transactions, and "accounts dropped like flies," says Dugas. Meanwhile MasterCard levied $5.85 million in fines against iBill for an unusually high volume of "charge backs" -- consumer-disputed charges -- though InterCept managed to recoup most of the fine from iBill's previous owners. In September 2004, iBill lost the contract with its upstream credit-card processor, First Data, which had grown wary of being associated with adult content. Website operators relying on iBill for payments had to wait months for their checks while First Data held the money in escrow. Roger Jacobs, who followed the story of iBill for adult industry publications AVN and XBiz, described low morale and a hemorrhaging of employees during this period. Lance James of Secure Science and Adam Thomas of Sunbelt Software speculate that the company's troubles may have left it vulnerable to information embezzlement: The breach, they say, has all the markings of an inside job. The files appear to have been generated by exporting an SQL database into a CSV format -- a procedure that would be unusually extravagant for a quick, furtive hack attack.
Moreover, at 4.5 gigabytes in size, the larger file would have been tough to download unnoticed over iBill's internet connection. Thomas speculates that an employee or other insider may have simply walked out of iBill with the transaction records to sell on the data black market. What happened with the records from there is anyone's guess. The 1 million addresses found by Sunbelt Software were being used for spamming. Sunbelt found the database by tracing malware-infected computers as they connected to the internet to refresh their list of spam targets. The target list turned out to be the iBill database, hosted on a rogue website. Secure Science's James says the 17 million database entries he found is prime data for spamming, phishing attacks, pretext phone calls and even possible hacking of vulnerable computers at the IP addresses listed. Independently, Wired News found that entries from the smaller cache are listed as mortgage leads on a spammer community site, specialham.com. (The website's homepage offered no contact information and Wired News was unable to reach the registered owner of the domain, one "Juice Wobble.") This suggests that the database was marketed as a lead list for outside businesses. "I can attest to the fact that this goes on with phishing groups," says James. "They break in and steal leads and then sell those leads to (black market) leads companies, who resell them to legitimate companies, and sometimes the same companies they stole them from." "The fact that a total of 17,781,462 iBill records have been found in the hands of criminal hackers is quite disturbing, be it an inside job or the successful work of criminal hackers," says Thomas. Contacted by Wired News, one of the victims of the breach expressed dismay that his information was in the hands of criminals. 
The 41-year-old San Diego man says he allowed a "business partner" to use his credit card on an adult website dedicated to finding resources in Tijuana's red light district, with discussion groups and locations of prostitutes. "Life is difficult enough," says the victim. "It makes the net that much less secure in my eyes.... I plan to not use any credit card information on any site." The man says that neither iBill nor the FBI notified him of the breach. Because the information didn't include Social Security, credit-card or driver's-license numbers, no U.S. laws require iBill or the companies for which they provided billing to warn victims. A year after the FBI first learned of the larger leak, it has also failed to issue any public warnings. In January of last year, iBill was purchased by Interactive Brand Development for $23.5 million. On Monday, IBD's stock closed at 8 cents a share in over-the-counter trading.

From isn at c4i.org Thu Mar 9 01:34:01 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:34:01 -0600 (CST) Subject: [ISN] Security Researchers Terminate Sites Selling Trojans Message-ID: http://www.informationweek.com/news/showArticle.jhtml?articleID=181502074 By Gregg Keizer Mar 8, 2006 Several Web sites selling made-to-order Trojan horses to hackers have been shut down, the two cooperating security companies who led the investigation said Wednesday. U.S.-based RSA Security and Spain's Panda Software collaborated in the effort to identify, locate, and shutter five sites. Three were marketing à la carte Trojans for launching targeted identity theft attacks against users of specific financial institutions, while two were sites where the buyers could monitor the infections the malware caused. Once installed on users' PCs, the Trojans would return data to the hackers, including systems' IP addresses and bank or brokerage passwords.
"The collaboration between RSA Security and Panda Software has been key to rapidly dismantling these dangerous Web sites for creating and selling targeted malware," said Luis Corrons, director of PandaLabs, in a statement. Panda kicked off the investigation after it discovered a new Trojan, dubbed "Briz.a." Clues in Briz.a's code led Corrons' team to the scam; Panda then brought in RSA, which runs an around-the-clock anti-fraud center acquired during its December 2005 purchase of New York City-based Cyota. RSA contacted the ISPs hosting the sites to tell them that they were harboring illegal services. "It is critical to have industry collaboration and knowledge sharing such as Panda and RSA demonstrated in this complex case," said Chris Young, senior vice president of RSA Cyota, in an accompanying statement.

From isn at c4i.org Thu Mar 9 01:34:22 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:34:22 -0600 (CST) Subject: [ISN] Internet "cloaking" emerges as new Web security threat Message-ID: http://www.gcn.com/online/vol1_no1/40075-1.html By Wilson P. Dizard III GCN Staff 03/08/06 Terrorist organizations and other national enemies have launched bogus Web sites that mask their covert information or provide misleading information to users they identify as federal employees or agents, according to Lance Cottrell, founder and chief scientist at Anonymizer of San Diego. The criminal and terrorist organizations also increasingly are blocking all traffic from North America or from Internet Protocol addresses that point back to users who rely on the English language, Cottrell told an educational seminar in Washington at the FOSE 2006 trade show's Homeland Security Center yesterday. FOSE is sponsored by PostNewsweek Tech Media, the parent company of Government Computer News. Among the risks of the terrorist cloaking practice are that the organizations can provide bogus passwords to covert meetings.
By doing so they can pinpoint federal intelligence agents who attend the meetings, making them vulnerable to being kidnapped or becoming the unwitting carriers of false information, Cottrell said. Cloaking is just one means by which hostile intelligence organizations can exploit the ability of IP addresses to reveal the physical location - and frequently the organizational identity - of a user visiting a Web site. Another method Cottrell described was a case in which hackers set a number of criteria that they all shared, such as using the Linux operating system and the Netscape browser, among other factors. When federal investigators using PCs running Windows and using Internet Explorer visited the hackers' shared site, the hackers' system immediately mounted a distributed denial-of-service attack against the federal system. Cottrell said his company had helped humanitarian activists in the former Yugoslav republic of Kosovo shield themselves from attacks by paramilitary goons employed by Serbian strongman Slobodan Milosevic. The Milosevic paramilitaries were using the activists' IP addresses to pinpoint their physical locations and follow up with attacks aimed at preventing the activists' campaigns against specific human rights abuses. "Imagine the kind of damage a mole at Google could do," Cottrell said, noting that Google keeps logs of the Web searches it provides, which provide a comprehensive picture of users' Web traffic patterns. In a similar fashion, Web-savvy intelligence specialists can use IP address data to analyze what types of information a particular federal user is seeking and, by inference, what types of intelligence or counterintelligence operations federal agencies are carrying out. Cottrell described a situation in which Anonymizer employees had worked on a Navy aircraft carrier that allowed sailors to access the Web.
He noted that by analyzing Web traffic that could be traced back to that ship via the IP addresses of its public browsers, hostile intelligence services could determine the name of the ship, the port it was visiting and other information. Cottrell said his company, which sells technology to prevent the use of IP address information for such purposes, had shielded the identities of the providers of 25,000 tips to the FBI in one recent three-month period. Even as the use of IP address security technology is critical to maintaining Web security, Cottrell noted that the use of firewalls, antivirus software, measures to defeat social engineering and reduce human error are also essential. Anonymizer has received a contract from the Broadcasting Board of Governors, the foreign-policy agency that runs the Voice of America international radio service, to provide technology that the people of Iran can use to circumvent their government's Web censorship program. Anonymizer also soon will launch, at its own expense, a service that will allow the people of China to overcome Beijing's massive program to censor the Web, Cottrell said.

From isn at c4i.org Thu Mar 9 01:34:40 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:34:40 -0600 (CST) Subject: [ISN] Hackers get inside province's system Message-ID: http://www.canada.com/vancouversun/news/story.html?id=20b74870-ceb9-4723-a6ee-cf55548e2001&k=21513 Miro Cernetig Vancouver Sun March 08, 2006 VICTORIA -- The RCMP is investigating how hackers cracked the B.C. government's computer network to place unauthorized software and movies on government hard drives, the provincial government disclosed Tuesday. The revelation, the latest in a spate of embarrassing security breaches, came from the New Democratic Party, which raised the issue in the legislature.
"The opposition has been advised that at least one breach of security that involved a minimum of 78 government computers and access through [the] highest level of passwords and involving several ministries occurred," said NDP house leader Mike Farnworth. He did not name his source. "Apparently, the government found out on the sixth of February of this year that outsiders had been accessing the system for at least two months." Government officials, who are still investigating revelations by The Vancouver Sun that the province auctioned computer data tapes containing confidential records on thousands of British Columbians, initially suggested the NDP was exaggerating a minor breach in which no personal information was stolen. Less than an hour later, however, Labour Minister Michael de Jong released a Feb. 3 "security incident report" that warned government employees that 78 computers across various ministries were "heavily compromised . . . by an intrusion that has loaded 'hacker' programs and movie files onto them." The attack came from a service provider in the Netherlands. The NDP said it allowed round-the-clock use of government computers on weekends, and from 5 p.m. to 6 a.m. on weekdays. De Jong said "this wasn't a privacy issue in the sense that somebody was trying to access personal information. "They [the hackers] were trying to make use of the network." The mystery is what for? De Jong did not say what type of material was being deposited onto the government network and skirted answering a question about whether it involved pornography. But experts have found hackers often try to infiltrate networks with large Internet bandwidth and storage capacity such as governments', then set up illegal mirror sites that allow them to distribute and store first-run movies and pornography for free. Hackers then sell passwords to enable people to access the network and the illegal material stored on it.
It does appear that some government computers have been targeted by computer hackers, NDP researchers said. Their search of Internet sites commonly used by hackers dealing in pirated software, which hackers call Warez, found what appears to be at least two government computers listed. It wasn't clear if they are still actively being targeted by hackers. Farnworth said he does not know the extent of the hackers' penetration and has no evidence that people's privacy was compromised. But he is asking Privacy Commissioner David Loukidelis to carry out his own investigation to eliminate any concerns. "If [the allegations are] proven accurate, I further request that you report out on the causes of the breach, the magnitude of the breach and what files were at risk," Farnworth asks the commissioner in a letter.

From isn at c4i.org Thu Mar 9 01:32:32 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:32:32 -0600 (CST) Subject: [ISN] University nixes Mac hacker contest Message-ID: http://news.com.com/University+nixes+Mac+hacker+contest/2100-7349_3-6047735.html By Joris Evers Staff Writer, CNET News.com March 8, 2006 A Mac OS X hacker challenge apparently got a systems engineer at the University of Wisconsin-Madison into trouble with university administrators. Dave Schroeder on Monday invited hackers to break into a Mac Mini he attached to the university network. The challenge would last until Friday, he announced. The contest was in response to an earlier challenge, which Schroeder criticized as too easy. But the event ended early--Tuesday night. On Wednesday, information emerged that the contest had drawn the scrutiny of the university's chief information officer, Annie Stunden. "The Mac OS X 'challenge' was not an activity authorized by the UW-Madison," Brian Rust, a university spokesman, said in an e-mailed statement. "Once the test came to the attention of our CIO, she ended it...Our primary concern is for security and network access for UW services."
The same statement also appeared on Schroeder's challenge Web site Wednesday afternoon. "Dave was well-meaning, but he did the test pretty much on his own," Rust said in a phone interview. Universities are often the target of cyberattacks. The academic institutions face the challenge of balancing the need to share information on large networks with the need to secure data. The Mac OS X contest ended without a negative impact on the University of Wisconsin-Madison's network, Rust said. "We were able to handle the traffic, and there were no compromises to university systems," he said. The university apologized for any inconvenience its action caused to the Mac community. The university is distancing itself from the challenge. "If Dave wants to continue this test, he has to do that privately, not using university systems," Rust said. Schroeder had said he wants to publish some details on the attempts that were made to hack his Mac. The computer was connected to the Net for more than 30 hours, apparently without being compromised. In the earlier challenge, an anonymous hacker claimed he was able to compromise OS X within 30 minutes using an undisclosed vulnerability. However, attackers in that case had been given user-level access to the system rather than being shut out completely. These hacker challenges came after weeks of scrutiny of the safety of OS X, prompted by the discovery of two worms, and the disclosure of a serious vulnerability. Security experts are also questioning the effectiveness of Apple's latest patch.

From isn at c4i.org Fri Mar 10 01:17:39 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 10 Mar 2006 00:17:39 -0600 (CST) Subject: [ISN] Apple: Finding the Root of the Problem Message-ID: http://www.businessweek.com/print/technology/content/mar2006/tc20060308_032391.htm By Arik Hesseldahl Byte of the Apple MARCH 8, 2006 To maintain public confidence in its operating system, Jobs & Co. should consider hiring a security czar.
The second potentially major Mac security incident in as many weeks has thankfully been debunked. Earlier this week I wrote a blog entry about a Mac Mini owner in Sweden who configured his machine as a server and challenged hackers to gain access to it. The Mini was -- as hackers like to say -- "owned" only 30 minutes after the challenge started. By "owned," I mean rooted. An outside attacker, through a remote Internet connection, was able to get "root" access -- the highest and most powerful level of administrative access on a Unix-based computer (which Macs running OS X happen to be). Root access gives the bearer free rein on a machine, no questions asked. Files can be altered or deleted. Accounts assigned to other users can be changed or deleted altogether. The potential for misuse of the privilege has caused Apple to ship its machines with root access disabled by default. Root can be re-enabled only through a series of technical contortions understood by advanced users. Even so, the Swedish attacker said he succeeded with an "unpublished" exploit -- a method that hasn't been publicly documented. If your Mac is connected to the Internet all day, as mine is, you can see the fright such news might generate. It's like knowing a criminal gang has a master key to your home and thousands of others, and that the only defense you really have so far is that they haven't found you yet. BIASED STUDY. That is, if it were true. It turns out the original reports weren't forthcoming with all the facts. The person who "rooted" the Mac already had a user name and password, as if he were a regular day-to-day user. In fact, having an account on this Mac was a prerequisite to taking part in the challenge. From there, the person used some method -- most likely having to do with weaknesses in the Unix underpinnings of the Mac operating system -- to gain escalated access.
These kinds of "privilege escalation" vulnerabilities have cropped up on the Mac over the years and date back decades to FreeBSD, the variant of Unix on which Mac OS X is based. But remember, you can't take advantage of this type of vulnerability unless you already have access to the machine -- which implies having been given permission for that access in the first place. The pseudo break-in and misleading reports didn't sit well with Dave Schroeder, a network systems engineer and Mac enthusiast at the University of Wisconsin in Madison. He's been outspoken on the issue of Mac security, portraying recent reports as overblown. So he set up his own challenge, inviting the world to hack a Web page -- the very page he used to tell the world about the challenge -- running on a Mac Mini he set up as a Web server. His challenge mirrored the one in Sweden, with one critical difference: No one would have an account on the machine. They'd be locked out and therefore would have to break in. His aim was to demonstrate the flaws in the Swedish test, and provide a more realistic test of Mac security. The tech news site Slashdot picked up news of the challenge and quickly spread the word. A NEW CHALLENGE. Attacks on the machine surged. It recorded more than 4,000 login attempts, and Web traffic to it spiked to 30 megabits per second. Half a million people visited the Web site (http://test.doit.wisc.edu/). That little Mac Mini was one busy server, but it remained online. Most of the network traffic conveyed attempts to break in: Web exploits seeking a wedge into the machine via the public page; dictionary attacks, which make repeated guesses at passwords at high speed; and a scanning tool known as Nessus, software that scans for known vulnerabilities. The machine even came under what's known as a denial of service attack, in which an attacker hammers a machine with thousands of requests for information in an attempt to overwhelm the server and thus create an exploitable weakness. 
For 38 hours, nothing worked. The Mac Mini held its ground against the worst that the multitudes could throw against it. The contest ended earlier than originally planned and even appears to have gotten Schroeder in trouble with his employer, since it wasn't sanctioned by the university. I'm hearing he may face some kind of disciplinary action. The University of Wisconsin apparently isn't interested in such a real-world ad-hoc test, no matter how successful and harmless it proved to be. Schroeder wasn't available for comment. This illustrates changing perceptions about Mac security. The Mac is increasingly on the radar screen of people who have long ignored it and who, for whatever reason, want to find the chinks in as-yet virtually impregnable armor. And while it may indeed be a more secure system than anything put out by Microsoft (MSFT ) and its many hardware partners including Dell (DELL ), Hewlett-Packard (HPQ ), Gateway (GTW ) and others, the level of attention can only increase. Hackers love nothing more than a difficult challenge -- which Windows ceased to be a long time ago. SOWING FEAR. And as Apple Computer (AAPL) gains attention for its innovation, superior software and so far relatively airtight security, people in the media -- including myself -- will be watching with interest and not a small amount of anxiety for the moment when the first really nasty and widespread Mac security vulnerability shows up. Until that happens, even little hiccups are going to trigger an avalanche of negative publicity. Uninformed media sources will do what they do best -- sow fear, uncertainty, and doubt. And the first time a really big Mac security incident occurs it will cause some people who are considering a Mac over a cheaper Windows-based system to change their minds. Vulnerabilities in Windows are so common they don't really make the news anymore. But a large-scale, widespread incident on the Mac could badly wound Apple's reputation. LOCK DOWN.
It's for this reason that I think the time has come for Apple to consider doing what many other companies like IBM (IBM ) and Oracle (ORCL) have: create a position of chief security officer. This person would be a well-known computer security expert, ideally from outside Apple, who would wave the flag for all things related to Mac security, debunking myths, correcting the record, and providing a public face when issues crop up. And when something does go wrong -- and I think eventually something will -- he or she would be Apple's ombuds officer evaluating what failed, where, when and how, and then take responsibility for seeing that it's fixed, reporting on the matter to CEO Steve Jobs, Apple's board of directors, and (where appropriate) its shareholders and customers. I talked briefly with Apple's Bud Tribble, vice-president of software technology. He called my idea a "good suggestion" but said the company would be reticent to assign security issues to any single individual, and that the responsibility of a CSO instead tends to rest with everyone. "For pretty much all the senior people at Apple, security is one of the top jobs on their list," he says. "When we think about security and how we design software, the basic approach is to make it as secure as possible, because most people really aren't security experts. We try to make sure things are pretty well locked down out of the box." CONFIDENCE BUILDER. While the Mac's Unix underpinnings suffer from the occasional vulnerability, they still present a security advantage, Tribble says. "Unix is sort of a kid that grew up in a tough neighborhood," he says. That neighborhood was a networked environment where people were constantly trying to figure out tricks to log into the system. So over the decades, lots of holes have been plugged. You can't say that about Windows. And I admit, creating a CSO position may be viewed by some as an admission of weakness. 
Still, I say it would be a good way for Apple to inoculate itself against the perception -- warranted or not -- that Mac security may be eroding, and get ahead of the curve for any troubles that may be inevitable. That may not be the case, but in matters related to product marketing, it's the public perception, not the reality that really matters. And once you've lost a user's confidence, it's hard to get it back. Just ask Microsoft.

From isn at c4i.org Fri Mar 10 01:18:13 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 10 Mar 2006 00:18:13 -0600 (CST) Subject: [ISN] Former White House staffer named to head DHS policy committee Message-ID: http://www.govexec.com/dailyfed/0306/030706nj1.htm By Shane Harris National Journal March 7, 2006 The Bush administration has been excoriated for appointing politically well-connected but professionally inexperienced people to important positions at the Homeland Security Department. A recent appointment may do little to quiet those complaints: The department announced that a 28-year-old former White House staffer is heading a policy committee that gathers expert advice -- on behalf of the president and the Homeland Security secretary -- on key areas of homeland security, including threats to infrastructure and preventing terrorist attacks that use weapons of mass destruction. Douglas L. Hoelscher is the new executive director of the Homeland Security Advisory Committees and the "primary representative" of department Secretary Michael Chertoff in dealing with more than 20 advisory boards. Among them is the Homeland Security Advisory Council, which includes such high-powered figures as Gov. Mitt Romney of Massachusetts, former Lockheed Chairman Norman Augustine, and former Defense and Energy Secretary James Schlesinger. Hoelscher has no management experience, a review of his professional credentials shows. He came to government in 2001 as a low-level White House staffer, arranging presidential travel, according to news reports.
He earned $30,000 a year, salary documents show. A department statement said that Hoelscher will provide "strategic counsel" to Chertoff and represent him before the committees. In so doing, Hoelscher will be contending with formidable voices in U.S. policy-making from the private sector, state and local government, and academia. Members of the boards are "titans in their fields," said Daniel Ostergaard, Hoelscher's predecessor. At 34, Ostergaard is young, too, but he is a former Coast Guard officer with two master's degrees, one of them from Harvard University's Kennedy School of Government. One group that Hoelscher will be coordinating with is the National Security Telecommunications Advisory Committee, which includes top executives from BellSouth, Boeing, and Microsoft. "The administration has named a qualified and talented professional to cultivate these partnerships," Stewart A. Baker, Homeland Security's assistant secretary for policy, said in a statement. "Doug will ... increase overall coordination between department leadership and our homeland-security partners." Homeland Security is reeling from a congressional report on its botched Hurricane Katrina response, which found poor coordination between the White House, the department, and the private sector. Hoelscher declined to be interviewed for this article; a Homeland Security spokeswoman said that he was on jury duty. But in a personal profile that Hoelscher created for the Web site Friendster.com, he offered some personal insights. He listed William Bennett's The Death of Outrage: Bill Clinton and the Assault on American Ideals among his favorite books and wrote, "I'm usually fairly quiet in a group setting -- I am not a talker but a pretty good listener." Hoelscher launched his political career after graduating from the University of Iowa in 1999. During the 2000 campaign, he worked for Wisconsin's Republican Party, campaign finance records show. 
In 2001, he was a political coordinator in the White House Office of Political Affairs, which was run by Ken Mehlman, who was Bush's Midwest regional political director in the 2000 campaign and is now the Republican National Committee chairman. (Mehlman didn't respond to an interview request.) In 2004, Hoelscher worked for the RNC. The following year he became Homeland Security's White House liaison, "obtaining information from the department," said Joanna Gonzalez, a department spokeswoman. During Katrina, he helped deploy volunteers from the department to the Gulf Coast, she said. The congressional report on Katrina noted that some of those employees had trouble making it to the region because of departmental miscommunications. Hoelscher also "made sure [that department political appointees] were all placed in the office where they were happiest and ... fit best," Gonzalez said. Controversial political appointments at the department include Michael Brown, the former FEMA director, who was a longtime friend of Bush's 2000 campaign director, Joe Allbaugh; Julie Myers, who's married to Chertoff's chief of staff and heads the Immigration and Customs Enforcement Bureau despite lacking law enforcement credentials; and Eduardo Aguirre Jr., a career Texas banker with Bush family ties, who was director of U.S. Citizenship and Immigration Services. One congressional staffer defended the appointment, noting that high turnover plagues the department and that Hoelscher has performed well. "He has been very proactive" in notifying Hill staffers of political appointments, the staffer said. Acknowledging Hoelscher's youth and limited experience, the staffer said that he wouldn't be left on his own: "There's plenty of adult supervision" at the department. 
From isn at c4i.org Fri Mar 10 01:18:56 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 10 Mar 2006 00:18:56 -0600 (CST) Subject: [ISN] Shadowboxing With a Bot Herder Message-ID: http://blog.washingtonpost.com/securityfix/2006/03/post.html By Brian Krebs March 9, 2006 Security Fix had an interesting online conversation Tuesday night with a hacker who controls a vast, distributed network of hacked Microsoft Windows computers, also known as a "botnet." I went into the interview knowing very little about this individual, other than his online alter ego, "Witlog," and that he has infected close to 30,000 Windows PCs with his computer worm, which he claims is powered by code that he downloaded from a Web site, modified slightly, and set loose on the 'Net. I came away from the interview no more knowledgeable about his background, age, location or motivation, but perhaps with a stark reminder of how just a little bit of knowledge can be such a dangerous thing. Witlog claims he doesn't use his botnet for illegal purposes, only "for fun." I found that claim pretty hard to believe given a) the income he could make installing ad-serving software on each computer under his control, combined with b) the risk he is taking of getting caught breaking into so many computers. The kid I wrote about in the Post magazine story on the connection between botnets and spyware was making $6,000 to $10,000 per month installing adware on a botnet half the size of the one Witlog claims to have. I was introduced to Witlog through several security experts who are part of the Shadowserver.org crew, a group of talented volunteers who dedicate a great deal of their free time and energy toward making life more difficult for bot herders like Witlog. 
Shadowserver has been cataloging Witlog's every move for the past two months or so, and shared with me records showing Witlog seeding his botnet with adware from DollarRevenue.net, which pays distributors $0.30 for each install of their pop-up ad-serving software on a computer in the United States; distributors can earn $0.20 per install for Canadian PCs, and ten cents per install for computers based in the United Kingdom. Installs on PCs in other countries net the distributor two cents or less. Witlog admitted to me that he made at least $400 by installing adware on his bots and conducting a petty distributed-denial-of-service attack against a couple of Web sites that knocked them offline for a while. For all I know, that could be the extent of it. He also admitted that he lets his buddies use his botnet for their own purposes, which he claims not to know much about. But what blew me away was how he created the botnet, which is powered by a worm that spreads only through known network security holes in Microsoft Windows and which requires no action on the part of the victim other than the failure to apply security patches and (maybe) use a simple firewall. Had he decided to spread his worm through more conventional means -- via Web links sent in instant messages or as attachments in e-mail -- his botnet could probably have grown to twice its current size. In this snippet of our conversation, I asked Witlog how and why he got his botnet started:
Witlog: why i did it? i've read an article on yahoo or smth like this
Witlog: so when i've read that article, i thought "why not to make my own"?
SecurityFix: so did you just download the source from some site and set it loose?
Witlog: yes
Witlog: changed settings, and started it
Witlog: thats all
Witlog: anyone could do that
Witlog: you don't have to know many things to do a botnet like this
Over the past month and a half, Witlog used freely available source code for SDBot and built his botnet to 45,000 PCs.
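The bots reach their controller through a domain name, and, as the article goes on to recount, taking down Witlog.com only made the herder re-register at Witlog.net. The detector below is an added example, not code from Security Fix or Shadowserver: it runs over a constructed DNS query log, matches lookups on the registrable label rather than the full domain so that a hop from .com to .net is still caught, and flags clients that resolve the controller at clock-like intervals, which is how a bot checking in looks from the resolver's side. The log format, the client addresses, the thresholds and the naive second-level-label rule are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DNS query log (not from the article): "timestamp client qtype qname".
LOG = """\
2006-03-08T21:00:00 10.1.4.22 A witlog.com
2006-03-08T21:00:01 10.1.4.22 A www.google.com
2006-03-08T21:05:00 10.1.4.22 A witlog.com
2006-03-08T21:10:01 10.1.4.22 A witlog.com
2006-03-08T21:15:00 10.1.4.22 A witlog.com
2006-03-08T21:03:17 10.1.9.8 A irc.witlog.net
2006-03-08T21:04:02 10.1.9.8 A irc.witlog.net
2006-03-08T21:41:01 10.1.9.8 A irc.witlog.net
2006-03-08T21:02:10 10.1.7.5 A witlogger.org
2006-03-08T21:09:00 10.1.7.5 A update.microsoft.com
"""

# Controller domains named in the article. They are matched on the registrable
# label so that the move from .com to .net does not blind the detector.
C2_DOMAINS = ["witlog.com", "witlog.net"]


def registrable_label(name):
    # Simplification (assumption): the label before the last dot. Production code
    # should consult a public-suffix list so that "example.co.uk" is handled.
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


C2_LABELS = {registrable_label(d) for d in C2_DOMAINS}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qtype, qname) for each well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        rows.append((datetime.fromisoformat(ts), client, qtype, qname.lower()))
    return rows


def is_c2_lookup(qname):
    return registrable_label(qname) in C2_LABELS


def beacon_score(timestamps):
    """Return (count, mean gap in seconds, coefficient of variation).

    A coefficient of variation near zero means the gaps are nearly equal,
    i.e. the host is checking in on a timer rather than on user activity."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return len(ts), None, None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    return len(ts), mu, (pstdev(gaps) / mu if mu else None)


def find_bots(text, min_hits=3, max_cv=0.2):
    """Group controller lookups by client and flag periodic check-ins."""
    by_client = defaultdict(list)
    for ts, client, _qtype, qname in parse_log(text):
        if is_c2_lookup(qname):
            by_client[client].append((ts, qname))
    findings = []
    for client, hits in by_client.items():
        n, mu, cv = beacon_score([t for t, _ in hits])
        findings.append({
            "client": client,
            "domains": sorted({q for _, q in hits}),
            "hits": n,
            "mean_interval_s": mu,
            "beaconing": n >= min_hits and cv is not None and cv <= max_cv,
        })
    return sorted(findings, key=lambda f: f["client"])


if __name__ == "__main__":
    for f in find_bots(LOG):
        print(f)
```

Any lookup of the controller label is a finding on its own; the beaconing flag separates the host polling every five minutes from one that resolved the name a few times around a user session. Thresholds like `max_cv` need tuning per network, and the label match will also hit unrelated domains that happen to share the label, so treat a hit as a lead, not a verdict.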
That is, until botnet hunters like Shadowserver and others put enough pressure on Witlog's Internet service provider to shutter Witlog.com, the domain name he was using to control his bot herd. That was only a temporary setback for Witlog, however, who simply registered a new bot control channel at Witlog.net. So far his network is back up to about 65 percent of its original size and growing by several thousand newly infected machines per day. But again, Witlog says it's not about size, it's all about the fun of it. For guys like Witlog, building botnets can be akin to a kind of digital hide and seek. On Monday, he began using a new version of the code that runs his botnet (this is the sixth iteration). Less than 24 hours after he released it, the bot code was only detected as malicious by two out of more than a dozen or so of the major anti-virus scanners employed by the free virus-testing service over at VirusTotal.com; two other anti-virus engines flagged it as "suspicious," but could not tell whether the file was overtly hostile. Witlog may in fact be the product of a new generation of "script kiddiez"; the chief distinguishing feature of this generation being that instead of using Web site flaws to deface as many Web sites as possible, these guys are breaking into thousands of home and work PCs and taking them for a virtual joyride, oftentimes all the way to the bank. And it's not just hacked home PCs we're talking about either. According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S.
defense contractor. From isn at c4i.org Fri Mar 10 01:19:09 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 10 Mar 2006 00:19:09 -0600 (CST) Subject: [ISN] Porn Biller Says It Was Framed Message-ID: http://www.wired.com/news/technology/0,70380-0.html By Quinn Norton Mar. 09, 2006 Online payment company iBill on Thursday said a massive cache of stolen consumer data uncovered by security experts did not come from its database. "I'm the first person that would have taken this to the FBI and the first person to have gone on 60 Minutes to say 'we screwed up,' if that were the case," said iBill President Gary Spaniak Jr. Two caches of stolen data were discovered separately by two security companies while conducting routine research into malicious software online. Both had file names that purportedly linked them to iBill. Southern California-based Secure Science Corporation found the first data file containing records on 17 million individuals on a private website set up by scammers. The site was part of a so-called "phishing" scheme, in which a spamming fraudster poses as a bank or online retailer in an attempt to con consumers out of identification and financial information. Secure Science found that data in February 2005, and reported it to the FBI's Miami field office, the company says. An additional list of slightly over 1 million individual entries was uncovered on a spamming website by Sunbelt Software last month, where it was labeled Ibill_1m.txt. That list appeared to date from 2003. The databases, examined by Wired News, include names, phone numbers, addresses, e-mail addresses and internet IP addresses of customers making online purchases. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included.
But Spaniak says iBill cross-referenced the 17 million transaction database against its own on Wednesday, and that only three e-mail addresses matched between the two. Additionally, some entries in the stolen databases were identified as purchases on Diners Club cards, which iBill says it has never accepted in its nine-year history. Spaniak says iBill recently passed a security audit that found its databases well secured. Sunbelt Software couldn't immediately be reached for comment Thursday. But Secure Science's Lance James backed away from his conclusion that iBill, which processes most of its transactions on behalf of adult services, was the source of the leak. He says pornography transaction databases may be considered especially desirable to spammers, and that a criminal may have deliberately mislabeled a database taken from another source. "This might be part of a new hacker establishing their reputation," says James. "They could say, 'I hacked iBill.'" Wired News found that entries from the smaller cache of one million consumers are listed as mortgage leads on a spammer community site, specialham.com. A Google search turns up scores of offers on specialham.com for purported iBill databases, one of them advertising "20mill ibill list w/Full data from 2003" for $300. But in one message, a spammer slams an underground vendor for selling him a fake iBill list. Other offers on the site purport to sell data from competing internet billing firm CCBill, which says that it isn't aware of having been breached either. Spaniak has his own theory on why a data thief might falsely link a database to iBill. He believes it's an outgrowth of animosity in the adult website community dating from the time when the trouble-plagued company was forced to suspend payments to its webmaster customers. He says as long as iBill stays in business, it will try to repay those webmasters. "Over $20 million has been paid back, we have plans for paying back another $18 million."
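The two checks iBill describes, overlap of e-mail addresses with its own customer table and the presence of a card brand it never accepted, are the standard first pass when a dump is labelled with your name. The routine below is an added example (not iBill's, Secure Science's or Sunbelt's code) that generalizes them: it compares keyed hashes of normalized e-mail addresses, so the party holding the dump and the suspected source can compare without either handing over a plaintext list, and it counts records carrying attributes the suspected source could never have produced. All records, the customer list, the accepted card brands and the shared key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample rows in the shape of the fields Wired describes
# (e-mail, card type, amount); none of this is real customer data.
LEAK = [
    {"email": "Alice@Example.com", "card_type": "Visa", "amount": "29.95"},
    {"email": "bob@example.org", "card_type": "MasterCard", "amount": "9.95"},
    {"email": "carol@example.net ", "card_type": "Diners Club", "amount": "49.00"},
    {"email": "dave@example.com", "card_type": "Diners Club", "amount": "19.95"},
    {"email": "erin@example.com", "card_type": "Visa", "amount": "29.95"},
    {"email": "frank@example.org", "card_type": "Amex", "amount": "12.50"},
]
# The suspected source's own customer e-mails (constructed) and the card
# brands it has ever accepted (assumed for the example).
OWN_CUSTOMER_EMAILS = ["alice@example.com", "zoe@example.com", "yuri@example.net"]
ACCEPTED_CARD_TYPES = {"Visa", "MasterCard", "Amex"}


def norm_email(email):
    # Case and surrounding whitespace vary between dumps; compare canonical form.
    return email.strip().lower()


def email_token(email, key):
    """Keyed hash of a normalized e-mail address.

    With a key shared for the engagement, both sides publish tokens instead of
    addresses; a plain unkeyed hash would let anyone with a dictionary of
    addresses reverse the list."""
    return hmac.new(key, norm_email(email).encode(), hashlib.sha256).hexdigest()


def attribute_leak(leak_rows, own_emails, accepted_cards, key=b"per-engagement-secret"):
    """Score how plausibly `leak_rows` came from the holder of `own_emails`."""
    own_tokens = {email_token(e, key) for e in own_emails}
    matched = [r for r in leak_rows if email_token(r["email"], key) in own_tokens]
    # Records with attributes the suspected source never produced are strong
    # evidence that at least part of the dump came from somewhere else.
    impossible = [r for r in leak_rows if r["card_type"] not in accepted_cards]
    total = len(leak_rows)
    rate = len(matched) / total if total else 0.0
    if impossible:
        verdict = "not ours: contains records we could never have produced"
    elif rate >= 0.9:
        verdict = "consistent with our data"
    else:
        verdict = "low overlap: probably mislabelled or from another source"
    return {
        "total": total,
        "matched": len(matched),
        "match_rate": rate,
        "impossible_rows": len(impossible),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(attribute_leak(LEAK, OWN_CUSTOMER_EMAILS, ACCEPTED_CARD_TYPES))
```

A small number of matches is expected even for a dump that is not yours, since people reuse addresses across services, which is why the impossible-attribute check carries more weight than a handful of hits. A dump assembled from several sources can still contain some of your records, so a "not ours" verdict on the whole file is not the same as "none of these are our customers".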
James says the actual source of the stolen data remains a mystery. An FBI spokeswoman says the bureau wouldn't investigate the breach unless the source of the leak comes forward to make a complaint. From isn at c4i.org Fri Mar 10 01:17:57 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 10 Mar 2006 00:17:57 -0600 (CST) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-10 Message-ID:
========================================================================
The Secunia Weekly Advisory Summary
2006-03-02 - 2006-03-09
This week : 82 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:
The Secunia staff is spending hours every day to assure you of the best and most reliable source for vulnerability information. Every single vulnerability report is validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database: http://secunia.com/
========================================================================
2) This Week in Brief:
Apple has released the first security update for 2006, which fixes multiple vulnerabilities. Among the fixes is also a partial patch for the "Extremely Critical" vulnerability, which was released on the 21st of February 2006. You can test whether or not your system is affected by this vulnerability here: http://secunia.com/mac_os_x_command_execution_vulnerability_test/
For additional details about the other vulnerabilities fixed, please refer to the referenced Secunia advisories below.
References:
http://secunia.com/SA19064
http://secunia.com/SA18963
VIRUS ALERTS: Secunia has not issued any virus alerts during the week.
========================================================================
3) This Week's Top Ten Most Read Advisories:
1. [SA18963] Mac OS X File Association Meta Data Shell Script Execution
2. [SA19064] Mac OS X Security Update Fixes Multiple Vulnerabilities
3. [SA19083] Linux Kernel Local Denial of Service Vulnerabilities
4. [SA19105] Joomla! Multiple Vulnerabilities
5. [SA19107] PHP Upload Center File Extensions Script Upload Vulnerability
6. [SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
7. [SA19108] Fedora update for kernel
8. [SA19087] Avaya CMS / IR Multiple Vulnerabilities
9. [SA19073] Sun Solaris Multiple Apache Vulnerabilities
10.
[SA19040] SecureCRT / SecureFX Potential Buffer Overflow Vulnerability
========================================================================
4) Vulnerabilities Summary Listing
Windows:
[SA19119] RevilloC MailServer USER Command Buffer Overflow
[SA19111] Sauerbraten Engine Multiple Vulnerabilities
[SA19110] Cube Engine Buffer Overflow and Denial of Service
[SA19079] Liero Xtreme Format String and Denial of Service Vulnerabilities
[SA19157] Cilem Haber "haber_id" SQL Injection Vulnerability
[SA19156] manas tungare Site Membership Script Cross-Site Scripting and SQL Injection
[SA19112] Akarru Social BookMarking Engine SQL Injection Vulnerability
[SA19103] Total Ecommerce "id" Parameter SQL Injection Vulnerability
[SA19081] Microsoft Visual Studio ".dbp" File Handling Buffer Overflow
[SA19163] Novell BorderManager Proxy Potential Denial of Service
[SA19097] EMC Retrospect Client Denial of Service Vulnerability
[SA19171] Symantec Ghost Multiple Vulnerabilities
[SA19140] IM Lock 2006 Insecure Registry Permissions
[SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
[SA19082] NCP Secure Entry Client Two Vulnerabilities
UNIX/Linux:
[SA19130] SUSE Updates for Multiple Packages
[SA19174] HP Tru64 UNIX IPSEC/ISAKMP Processing Denial of Service
[SA19167] Red Hat update for mailman
[SA19161] Red Hat update for squid
[SA19152] Debian update for tar
[SA19148] Gentoo update for zoo
[SA19136] Lurker Multiple Vulnerabilities
[SA19134] Tenes Empanadas Graciela Denial of Service Vulnerability
[SA19133] Monopd String Parsing Denial of Service Vulnerability
[SA19126] Ubuntu update for flex / gpc
[SA19125] Gentoo update for teTeX / pTeX / CSTeX
[SA19123] Gentoo update for wordpress
[SA19114] Gentoo update for mplayer
[SA19113] Gentoo update for up-imapproxy
[SA19093] Red Hat update for tar
[SA19092] Debian update for libtasn1-2
[SA19091] Debian update for xpdf
[SA19086] Avaya PDS HP-UX TCP/IP "Rose Attack" Denial of Service
[SA19080] Debian update for gnutls11
[SA19158] Red Hat update for spamassassin
[SA19131] Fedora update for squirrelmail
[SA19094] GNOME Evolution Email Handling Denial of Service
[SA19090] Ubuntu irssi DCC ACCEPT Parameter Handling Denial of Service
[SA19162] Red Hat update for initscripts
[SA19160] Red Hat update for kernel
[SA19087] Avaya CMS / IR Multiple Vulnerabilities
[SA19159] Red Hat update for openssh
[SA19128] Sun Solaris "/proc" Denial of Service Vulnerability
[SA19108] Fedora update for kernel
[SA19083] Linux Kernel Local Denial of Service Vulnerabilities
[SA19078] Linux Kernel "die_if_kernel()" Potential Denial of Service
Other:
[SA19146] Xerox CopyCentre / WorkCentre Pro Multiple Denial of Service Vulnerabilities
[SA19137] nCipher Products Multiple Vulnerabilities
Cross Platform:
[SA19154] Link Bank PHP Code Injection and Cross-Site Scripting
[SA19142] Owl Intranet Engine "xrms_file_root" File Inclusion Vulnerability
[SA19121] m-phorum "go" File Inclusion Vulnerability
[SA19116] Php-Stats Multiple Vulnerabilities and Security Issue
[SA19107] PHP Upload Center File Extensions Script Upload Vulnerability
[SA19106] LISTSERV WA CGI Script Buffer Overflow Vulnerabilities
[SA19172] Loudblog Multiple Vulnerabilities
[SA19151] sBlog Multiple Vulnerabilities
[SA19147] bMail GBK Charsets SQL Injection Vulnerability
[SA19144] Alien Arena 2006 Gold Edition Multiple Vulnerabilities
[SA19141] Invision Power Board Cross-Site Scripting and SQL Injection Vulnerabilities
[SA19135] Cyboards PHP Lite "parent" SQL Injection Vulnerability
[SA19132] IPB D2-Shoutbox Module "load" SQL Injection
[SA19127] phpBannerExchange "email" Directory Traversal
[SA19120] Freeciv Packet Parsing Denial of Service Vulnerability
[SA19117] NMDeluxe Script Insertion and SQL Injection
[SA19115] Daverave Simplog File Inclusion Vulnerability
[SA19109] Wordpress "User-Agent" Header SQL Injection Vulnerability
[SA19104] Gallery Script Insertion and Session Handling Vulnerabilities
[SA19102] Gregarius SQL Injection and Cross-Site Scripting Vulnerabilities
[SA19101] bitweaver "title" Script Insertion Vulnerability
[SA19100] vBulletin User Email Address Script Insertion Vulnerability
[SA19096] Aztek Forum Message Body Script Insertion Vulnerability
[SA19089] PluggedOut Nexus forgotten_password.php SQL Injection
[SA19088] NZ Ecommerce Cross-Site Scripting and SQL Injection
[SA19084] VUBB "pass" SQL Injection Vulnerability
[SA19155] HitHost Cross-Site Scripting and Directory Deletion
[SA19143] Game-Panel "message" Cross-Site Scripting Vulnerability
[SA19124] phpArcadeScript Cross-Site Scripting Vulnerabilities
[SA19105] Joomla! Multiple Vulnerabilities
[SA19099] DVGuestbookV2.0 "page" Cross-Site Scripting Vulnerability
[SA19098] DVguestbook "dv_gbook.php" Cross-Site Scripting Vulnerability
[SA19085] SAP Web Application Server URL Handling Vulnerability
[SA19095] Oreka RTP Handling Denial of Service Vulnerability
========================================================================
5) Vulnerabilities Content Listing
Windows:
--
[SA19119] RevilloC MailServer USER Command Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-03-08
securma massine has discovered a vulnerability in RevilloC MailServer, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19119/
--
[SA19111] Sauerbraten Engine Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-07
Luigi Auriemma has reported some vulnerabilities in Sauerbraten Engine, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19111/ -- [SA19110] Cube Engine Buffer Overflow and Denial of Service Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-03-07 Luigi Auriemma has reported some vulnerabilities in Cube Engine, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19110/ -- [SA19079] Liero Xtreme Format String and Denial of Service Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-03-08 Luigi Auriemma has reported two vulnerabilities in Liero Xtreme, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/19079/ -- [SA19157] Cilem Haber "haber_id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-08 Mustafa Can Bjorn has discovered a vulnerability in Cilem Haber, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19157/ -- [SA19156] manas tungare Site Membership Script Cross-Site Scripting and SQL Injection Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-03-08 Syst3m_f4ult has discovered two vulnerabilities in manas tungare Site Membership Script, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/19156/ -- [SA19112] Akarru Social BookMarking Engine SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-06 A vulnerability has been reported in Akarru Social BookMarking Engine, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/19112/ -- [SA19103] Total Ecommerce "id" Parameter SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-06 Mustafa Can Bjorn has reported a vulnerability in Total Ecommerce, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19103/ -- [SA19081] Microsoft Visual Studio ".dbp" File Handling Buffer Overflow Critical: Moderately critical Where: From remote Impact: System access Released: 2006-03-07 ATmaCA has reported a vulnerability in Microsoft Visual Studio, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19081/ -- [SA19163] Novell BorderManager Proxy Potential Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2006-03-08 A vulnerability has been reported in BorderManager, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19163/ -- [SA19097] EMC Retrospect Client Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2006-03-03 A vulnerability has been reported in EMC Retrospect Client for Windows, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19097/ -- [SA19171] Symantec Ghost Multiple Vulnerabilities Critical: Less critical Where: Local system Impact: Manipulation of data, Exposure of sensitive information, Privilege escalation Released: 2006-03-08 Three vulnerabilities have been reported in Symantec Ghost, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information, modify certain data, and potentially gain escalated privileges. 
Full Advisory: http://secunia.com/advisories/19171/ -- [SA19140] IM Lock 2006 Insecure Registry Permissions Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2006-03-07 fRoGGz has discovered a vulnerability in IM Lock 2006, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information. Full Advisory: http://secunia.com/advisories/19140/ -- [SA19118] AVG Anti-Virus Updated Files Insecure File Permissions Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-03-06 RedXII1234 has discovered a security issue in AVG Anti-Virus, which potentially can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/19118/ -- [SA19082] NCP Secure Entry Client Two Vulnerabilities Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-03-02 Ramon 'ports' Kukla has reported two vulnerabilities in NCP Secure Entry Cilent, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/19082/ UNIX/Linux:-- [SA19130] SUSE Updates for Multiple Packages Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data, DoS, System access Released: 2006-03-06 SUSE has issued an update for multiple packages. This fixes some vulnerabilities, which can be exploited by malicious users to manipulate certain information and by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), bypass certain security restrictions, to cause files to be extracted to arbitrary locations on a user's system, to trick users into visiting a malicious website by obfuscating URLs displayed in the status bar, and to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/19130/ -- [SA19174] HP Tru64 UNIX IPSEC/ISAKMP Processing Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-08 HP has acknowledged a vulnerability in HP Tru64 UNIX, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19174/ -- [SA19167] Red Hat update for mailman Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-08 Red Hat has issued an update for mailman. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19167/ -- [SA19161] Red Hat update for squid Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-08 Red Hat has issued an update for squid. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19161/ -- [SA19152] Debian update for tar Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-08 Debian has issued an update for tar. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's system. Full Advisory: http://secunia.com/advisories/19152/ -- [SA19148] Gentoo update for zoo Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-07 Gentoo has issued an update for zoo. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/19148/ -- [SA19136] Lurker Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information, Cross Site Scripting Released: 2006-03-06 Some vulnerabilities have been reported in Lurker, which can be exploited by malicious people to conduct cross-site scripting attacks, and disclose and manipulate sensitive information. Full Advisory: http://secunia.com/advisories/19136/ -- [SA19134] Tenes Empanadas Graciela Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-06 Luigi Auriemma has reported a vulnerability in Tenes Empanadas Graciela (TEG), which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19134/ -- [SA19133] Monopd String Parsing Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-06 Luigi Auriemma has reported a vulnerability in Monopd, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19133/ -- [SA19126] Ubuntu update for flex / gpc Critical: Moderately critical Where: From remote Impact: System access Released: 2006-03-07 Ubuntu has issued an update for flex / gpc. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19126/ -- [SA19125] Gentoo update for teTeX / pTeX / CSTeX Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-06 Gentoo has issued updates for teTeX, pTeX, and CSTeX. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/19125/ -- [SA19123] Gentoo update for wordpress Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-06 Gentoo has issued an update for wordpress. This fixes a vulnerability, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19123/ -- [SA19114] Gentoo update for mplayer Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-06 Gentoo has issued an update for mplayer. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/19114/ -- [SA19113] Gentoo update for up-imapproxy Critical: Moderately critical Where: From remote Impact: System access Released: 2006-03-06 Gentoo has issued an update for up-imapproxy. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19113/ -- [SA19093] Red Hat update for tar Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-02 Red Hat has issued an update for tar. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system. Full Advisory: http://secunia.com/advisories/19093/ -- [SA19092] Debian update for libtasn1-2 Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-06 Debian has issued an update for libtasn1-2. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/19092/ -- [SA19091] Debian update for xpdf Critical: Moderately critical Where: From remote Impact: Unknown Released: 2006-03-02 Full Advisory: http://secunia.com/advisories/19091/ -- [SA19086] Avaya PDS HP-UX TCP/IP "Rose Attack" Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-08 Avaya has acknowledged a vulnerability in Avaya Predictive Dialing System (PDS), which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19086/ -- [SA19080] Debian update for gnutls11 Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-06 Debian has issued an update for gnutls11. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19080/ -- [SA19158] Red Hat update for spamassassin Critical: Less critical Where: From remote Impact: DoS Released: 2006-03-08 Red Hat has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19158/ -- [SA19131] Fedora update for squirrelmail Critical: Less critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-03-06 Fedora has issued an update for squirrelmail. This fixes multiple vulnerabilities, which can be exploited by malicious users to manipulate certain information and by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19131/ -- [SA19094] GNOME Evolution Email Handling Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2006-03-02 Alan Cox has discovered a vulnerability in Evolution, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/19094/

--
[SA19090] Ubuntu irssi DCC ACCEPT Parameter Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-03-02
Scott Sinclair has reported a vulnerability in irssi, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19090/

--
[SA19162] Red Hat update for initscripts
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-03-08
Red Hat has issued an update for initscripts. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/19162/

--
[SA19160] Red Hat update for kernel
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-03-08
Red Hat has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/19160/

--
[SA19087] Avaya CMS / IR Multiple Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Security Bypass, Privilege escalation
Released: 2006-03-04
Avaya has acknowledged some vulnerabilities in CMS and IR, which can be exploited by malicious, local users to gain escalated privileges and to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19087/

--
[SA19159] Red Hat update for openssh
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2006-03-08
Red Hat has issued an update for openssh. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/19159/

--
[SA19128] Sun Solaris "/proc" Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-03-06
A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19128/

--
[SA19108] Fedora update for kernel
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-03-03
Fedora has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19108/

--
[SA19083] Linux Kernel Local Denial of Service Vulnerabilities
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-03-02
Some vulnerabilities have been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19083/

--
[SA19078] Linux Kernel "die_if_kernel()" Potential Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-03-07
A vulnerability has been reported in the Linux kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19078/

Other:

--
[SA19146] Xerox CopyCentre / WorkCentre Pro Multiple Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, DoS
Released: 2006-03-08
Some vulnerabilities have been reported in Xerox CopyCentre and Xerox WorkCentre Pro, where one has an unknown impact, and others can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19146/

--
[SA19137] nCipher Products Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-03-07
Some vulnerabilities have been reported in nCipher products, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19137/

Cross Platform:

--
[SA19154] Link Bank PHP Code Injection and Cross-Site Scripting
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-03-08
retard has discovered two vulnerabilities in Link Bank, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19154/

--
[SA19142] Owl Intranet Engine "xrms_file_root" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-03-08
rgod has discovered a vulnerability in Owl Intranet Engine, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19142/

--
[SA19121] m-phorum "go" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-03-08
uid0 has discovered a vulnerability in m-phorum, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19121/

--
[SA19116] Php-Stats Multiple Vulnerabilities and Security Issue
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information, System access
Released: 2006-03-06
rgod has reported some vulnerabilities and a security issue in Php-Stats, which can be exploited by malicious people to conduct SQL injection attacks, disclose system and sensitive information, and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19116/

--
[SA19107] PHP Upload Center File Extensions Script Upload Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-03-03
Liz0ziM has reported a vulnerability in PHP Upload Center, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19107/

--
[SA19106] LISTSERV WA CGI Script Buffer Overflow Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-03-06
Peter Winter-Smith of NGSSoftware has reported some vulnerabilities in LISTSERV, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19106/

--
[SA19172] Loudblog Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2006-03-08
kuze has reported some vulnerabilities in Loudblog, which can be exploited by malicious people to disclose sensitive information and conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19172/

--
[SA19151] sBlog Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-08
Kiki has discovered multiple vulnerabilities in sBlog, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/19151/

--
[SA19147] bMail GBK Charsets SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-07
A vulnerability has been reported in bMail, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19147/

--
[SA19144] Alien Arena 2006 Gold Edition Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-08
Luigi Auriemma has reported some vulnerabilities in Alien Arena 2006 Gold Edition, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19144/

--
[SA19141] Invision Power Board Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-07
Two vulnerabilities have been reported in Invision Power Board, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19141/

--
[SA19135] Cyboards PHP Lite "parent" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-06
Aliaksandr Hartsuyeu has discovered a vulnerability in Cyboards PHP Lite, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19135/

--
[SA19132] IPB D2-Shoutbox Module "load" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-07
SkOd has reported a vulnerability in the D2-Shoutbox module for IPB, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19132/

--
[SA19127] phpBannerExchange "email" Directory Traversal
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2006-03-08
Tix has discovered a vulnerability in phpBannerExchange, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/19127/

--
[SA19120] Freeciv Packet Parsing Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-06
Luigi Auriemma has reported a vulnerability in Freeciv, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19120/

--
[SA19117] NMDeluxe Script Insertion and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-07
Aliaksandr Hartsuyeu has reported two vulnerabilities in NMDeluxe, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19117/

--
[SA19115] Daverave Simplog File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-03-06
retard and jim have discovered a vulnerability in Daverave Simplog, which can be exploited by malicious people to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/19115/

--
[SA19109] Wordpress "User-Agent" Header SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-06
Patrik Karlsson has reported a vulnerability in Wordpress, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19109/

--
[SA19104] Gallery Script Insertion and Session Handling Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2006-03-03
James Bercegay has reported some vulnerabilities in Gallery, which can be exploited by malicious people to conduct script insertion attacks and to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19104/

--
[SA19102] Gregarius SQL Injection and Cross-Site Scripting Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-06
tzitaroth has reported a vulnerability in Gregarius, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19102/

--
[SA19101] bitweaver "title" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-06
Kiki has discovered a vulnerability in bitweaver, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19101/

--
[SA19100] vBulletin User Email Address Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-03
imei addmimistrator has reported a vulnerability in vBulletin, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19100/

--
[SA19096] Aztek Forum Message Body Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-03
lorenzo has discovered a vulnerability in Aztek Forum, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19096/

--
[SA19089] PluggedOut Nexus forgotten_password.php SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-03
Hamid Ebadi has discovered a vulnerability in PluggedOut Nexus, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19089/

--
[SA19088] NZ Ecommerce Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-02
r0t has reported some vulnerabilities in NZ Ecommerce, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19088/

--
[SA19084] VUBB "pass" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-02
KingOfSKa has discovered a vulnerability in VUBB, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19084/

--
[SA19155] HitHost Cross-Site Scripting and Directory Deletion
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-08
retard has discovered two vulnerabilities in HitHost, which can be exploited by malicious people to delete empty directories and conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19155/

--
[SA19143] Game-Panel "message" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-07
A vulnerability has been reported in Game-Panel, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19143/

--
[SA19124] phpArcadeScript Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-06
retard and jim have reported some vulnerabilities in phpArcadeScript, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19124/

--
[SA19105] Joomla! Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Unknown, Security Bypass, Manipulation of data, Exposure of system information
Released: 2006-03-03
Multiple vulnerabilities have been reported in Joomla!, which can be exploited by malicious users to conduct SQL injection attacks, and by malicious people to disclose system information and potentially bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19105/

--
[SA19099] DVGuestbookV2.0 "page" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-06
Liz0ziM has discovered a vulnerability in DVGuestbookV2.0, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19099/

--
[SA19098] DVguestbook "dv_gbook.php" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-06
Liz0ziM has discovered a vulnerability in DVguestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19098/

--
[SA19085] SAP Web Application Server URL Handling Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-03
Arnold Grossmann has reported a vulnerability in SAP Web Application Server, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19085/

--
[SA19095] Oreka RTP Handling Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-03-03
A vulnerability has been reported in Oreka, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19095/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Mar 10 01:18:27 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Mar 2006 00:18:27 -0600 (CST)
Subject: [ISN] Microsoft Plans Two Patches Next Week
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=181502557

By Gregg Keizer
Mar 9, 2006

Microsoft on Thursday said it would release just two security patches next week, five fewer than last month.

A fix for Microsoft Office, the Redmond, Wash.-based company's business productivity suite, is on the calendar, as is a separate patch for Windows. The former will be labeled "critical," Microsoft's most serious warning, while the latter will be tagged as "important."

Microsoft assigns "critical" to security bulletins when it believes an exploit of the vulnerability could be used to create a worm able to spread without any user interaction [1].

As is its practice, Microsoft gave no additional details. Its advance notifications [2] are meant only to "help customers plan for the deployment of these security updates more effectively," the company said in the alert.

Although the warning didn't offer clues on the problems to be patched, eEye Digital Security [3] knows about one unfixed critical vulnerability in Windows, while Danish vulnerability tracker Secunia lists several unpatched Office problems.
Because the latter, however, hark back to 2003 and 2004, it's likely the Office issue has either not yet been disclosed or has been kept quiet by its discoverer(s).

A single non-security, high-priority update will also be released via Microsoft Update, said the alert, and the Windows Malicious Software Removal Tool will, as usual, be refreshed.

Last month, Microsoft unveiled seven bulletins [4] for Windows, Internet Explorer, Media Player, and PowerPoint. Two of the seven were deemed critical.

March's security bulletins, patches, and updates will be issued Tuesday, March 14.

[1] http://www.microsoft.com/technet/security/bulletin/rating.mspx
[2] http://www.microsoft.com/technet/security/bulletin/advance.mspx
[3] http://www.eeye.com/html/research/upcoming/20051011.html
[4] http://www.techweb.com/wire/security/180201607

From isn at c4i.org Fri Mar 10 01:18:42 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Mar 2006 00:18:42 -0600 (CST)
Subject: [ISN] Corporate IT needs to make bird-flu plans now
Message-ID:

http://www.networkworld.com/news/2006/031306-avian-flu-it-plans.html

By Denise Dubie and Tim Greene
NetworkWorld.com
03/09/06

If the avian flu hits the United States big time, the IS department for the Bloomberg School of Public Health at Johns Hopkins University in Baltimore could have a big-time problem. It sits across the street from the Johns Hopkins Hospital where a high number of infected patients could be treated and where a large percentage of the staff travel widely as part of their jobs, increasing the likelihood they could come back infected.

"Our biggest fear is that we won't be able to get back to our data center for an extended amount of time, so we set up systems that would make it accessible remotely," says Ross McKenzie, the IS director for the school of public health.
The school could have the problem covered, though, considering it has addressed remote control capabilities for PCs and servers by buying 550 GoToMyPC licenses that let network administrators log in via Web-based clients. "Every IT function, except maybe for the physical help desk, can be performed remotely at this point."

Preparing corporate data center operations for an outbreak of the avian flu requires long-term planning, but not enough IT executives are planning far enough ahead, according to surveys.

For instance, of 167 government workers across eight federal departments, 44% don't know how they should react to a flu emergency, according to a poll by Telework Exchange, an online forum trying to quantify how much teleworking goes on in the federal government.

A survey last month of 300 Minnesota business officials found most thought a flu pandemic would significantly affect their business, but only 18% had preparedness plans in place. The poll, sponsored by the University of Minnesota Center for Infectious Disease Research and Policy, found that close to two-thirds said they were already prepared or somewhat prepared to move employees to remote locations or let them work at home, while 29% said they were not prepared.

The H5N1 influenza virus, which originated in Asia, could hit the U.S. this fall, potentially causing an epidemic, the nation's chief avian flu coordinator warned. It can be transmitted from birds to humans via close contact, but not from human to human - yet. Flu experts say mutations are almost certain to create a strain that supports human-to-human transmission. The resultant pandemic will make between 75 million and 90 million people sick in the U.S., with up to 2 million deaths, according to the U.S. Congressional Budget Office.

Some businesses have the basics of plans in place, such as White Electronic Designs in Phoenix.
"We've given consideration to the avian flu situation as part of our enterprise risk management program," says Jim Kritcher, vice president of corporate information technology for the firm. He says plans call for asking workers returning from areas where flu has struck to work from home for a period afterward to avoid infecting others at corporate sites. And the company would conduct as much work in general remotely. "We would certainly be susceptible, especially since we have employees traveling to Asia on a regular basis. We do a significant amount of manufacturing in China," he says. For many companies, VPNs are the mainstay for their disaster plans. "It's the lynchpin of our remote access," says Paul Beaudry, director of technical services for JRI, the largest agribusiness company in Canada based in Winnipeg, Manitoba. The company has dual Aventail SSL VPN gateways installed at its headquarters site that support 800 employees for accessing e-mail and about 25 work-at-home employees. But in the event of flu, that number would rise drastically, and the company would buy more VPN licenses and turn up more applications. The entire IT staff of 15 has been trained to increase the number of applications available through the gateway and to increase the resources employees are authorized to reach over the VPN, he says. So even if some of the IT staff is out of commission, someone will be able to set up the VPN for those able to work from home, Beaudry says. Similarly, Kritcher says White Electronic Designs will use its Cisco VPN concentrators to support remote access as well as thin clients to access applications remotely. The concentrators can scale to handle extra concurrent users, he says, but during an emergency, the number of people trying to connect via the VPN could strain WAN connections and result in slow response time or failure to connect altogether. 
"So we are testing procedures to reconfigure the WAN links such as wireless IP currently used for failover and redeploy them to support additional VPN traffic," Kritcher says. In the case of the Johns Hopkins health school, VPNs were too expensive for the needs, says McKenzie. "We didn't want something that could be open to everyone when we weren't entirely sure, considering the situation, who or how many would need to use it," he says. Such planning is essential, according to Gartner, which has published a report called Prepare Now for a Coming Avian Influenza Pandemic. "Enterprises should take the widespread agreement on the strong likelihood of a pandemic as a signal to take immediate action," says Ken McGee, the Gartner analyst who wrote the report. "By mid-2006, have in place completed pandemic/IT response plans." He recommends preparing lists of the most important knowledge workers on staff and figuring out how they can work from home for extended period. In addition to network access, they'll need the ability to conference with co-workers, customers and business partners, McGee says. Still, with all the planning in the world, there is only so much IT executives can do, Beaudry notes. "You've got a human fear factor, and you may have people reacting in a way you couldn't predict," he says. "You've may have a quarantine situation and business can be impacted - there's no question. But you have to keep the business running." All contents copyright 1995-2005 Network World, Inc. From isn at c4i.org Mon Mar 13 02:28:45 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 13 Mar 2006 01:28:45 -0600 (CST) Subject: [ISN] Chinese Bank's Server Used in Phishing Attacks on US Banks Message-ID: http://news.netcraft.com/archives/2006/03/12/chinese_banks_server_used_in_phishing_attacks_on_us_banks.html By Rich Miller March 12, 2006 A web server belonging to a state-operated Chinese bank is hosting phishing sites targeting U.S. banks and financial institutions. 
Phishing e-mails sent on Saturday (March 11) targeting customers of Chase Bank and eBay were directed to sites hosted on IP addresses assigned to The China Construction Bank (CCB) Shanghai Branch. The phishing pages are located in hidden directories, with the server's main page displaying a configuration error. This is the first instance we have seen of one bank's infrastructure being used to attack another institution.

The attack on Chase offers recipients the chance to earn $20 by filling out a user survey which presents a series of questions about the usability of the Chase online banking site, followed by a request for user ID and password, so the $20 "reward" can be deposited to the proper account. The form also requests the victim's bankcard number, PIN number, card verification number, mother's maiden name and Social Security number. Any data submitted is then sent to a free form-processing service on a server in India.

The URL in the phishing email uses an IP address rather than a domain, typically a strong indicator of a phishing site. As a result, the Netcraft Toolbar assigns the site a high risk rating.

The spoof site, a template of which has been in use since September, pulls images and style sheets from the chaseonline.chase.com web site. Many bank sites are configured to prevent logos and other images on their server from being displayed on other web sites - a practice known as "hot-linking" or "bandwidth leeching" - to prevent phishing sites from using the institution's own images and bandwidth to scam customers. Any third-party sites appropriating logos can be detected through web site referrer statistics.

The same IP address at CCB Shanghai was used Saturday to host a page spoofing the eBay login screen.

The China Construction Bank is a state-owned commercial bank with more than 14,000 branches across China. Last October CCB became the first of China's "Big Four" state-owned banks to be listed on the Hong Kong Stock Exchange.
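The two indicators the article names, an IP-literal host in the lure URL and foreign Referer headers on requests for the bank's own images and style sheets, as an added example that is not Netcraft's or any bank's code: it parses constructed Apache combined-format log lines (the hosts, addresses and paths are made up) and counts hot-linking sites, flagging those whose pages sit on a bare IP address.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Host names that may legitimately embed the bank's images and style sheets.
# Constructed for this example; not the bank's real configuration.
OWN_HOSTS = {"chaseonline.chase.com", "www.chase.com"}

# Static assets a spoof page is likely to pull from the genuine server.
ASSET_RE = re.compile(r"\.(?:gif|jpe?g|png|css)$", re.IGNORECASE)

# Apache "combined" log format:
# client ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: one legitimate load, three hits from a page on a bare
# IP address, one direct load with no Referer, one hit from a news site, and
# one malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Mar/2006:09:12:01 -0500] "GET /images/logo.gif HTTP/1.1" 200 4411 "https://chaseonline.chase.com/" "Mozilla/4.0"',
    '203.0.113.8 - - [11/Mar/2006:09:12:05 -0500] "GET /images/logo.gif HTTP/1.1" 200 4411 "http://192.0.2.10/chase/survey.htm" "Mozilla/4.0"',
    '203.0.113.9 - - [11/Mar/2006:09:13:40 -0500] "GET /css/main.css?v=3 HTTP/1.1" 200 910 "http://192.0.2.10/chase/survey.htm" "Mozilla/4.0"',
    '203.0.113.9 - - [11/Mar/2006:09:14:02 -0500] "GET /logon.aspx HTTP/1.1" 200 12000 "http://192.0.2.10/chase/survey.htm" "Mozilla/4.0"',
    '203.0.113.3 - - [11/Mar/2006:09:15:00 -0500] "GET /images/logo.gif HTTP/1.1" 200 4411 "-" "Mozilla/4.0"',
    '203.0.113.4 - - [11/Mar/2006:09:16:30 -0500] "GET /images/logo.gif HTTP/1.1" 200 4411 "http://news.example.net/banks" "Mozilla/4.0"',
    "this line is not in combined format",
]


def url_uses_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address rather than a domain name."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def hotlink_referers(log_lines, own_hosts=OWN_HOSTS):
    """Count asset requests whose Referer is a site outside own_hosts.

    Returns {referer_host: (hits, ip_literal)}. Empty or "-" referers are
    skipped: direct loads and privacy settings produce them too, so they
    carry no signal on their own. Only image/CSS requests are considered;
    a foreign Referer on a page request is ordinary inbound linking.
    """
    found = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed line: skip it rather than guess
        # strip any query string before checking the extension
        if not ASSET_RE.search(m["path"].split("?", 1)[0]):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            continue
        host = urlsplit(referer).hostname
        if host is None or host.lower() in own_hosts:
            continue
        hits, _ = found.get(host, (0, False))
        found[host] = (hits + 1, url_uses_ip_literal(referer))
    return found


if __name__ == "__main__":
    for host, (hits, ip_literal) in sorted(hotlink_referers(SAMPLE_LOG).items()):
        flag = "  <- bare IP address, strong phishing indicator" if ip_literal else ""
        print(f"{host}: {hits} asset request(s){flag}")
```

On a real server the same pass runs over the access log of the hosts in OWN_HOSTS; a referer host that is an IP literal and appears for the first time is worth a look before the first customer reports the lure.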
Both attacks have been blocked by the Netcraft Toolbar, a free phishing protection tool for Internet Explorer and Firefox users. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL.

From isn at c4i.org Mon Mar 13 02:29:00 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Mar 2006 01:29:00 -0600 (CST)
Subject: [ISN] Program Teaches Students About Cyber Security
Message-ID:

http://www.forbes.com/home/feeds/ap/2006/03/10/ap2587230.html

By WILLIAM KATES
03.10.2006

A group of students at Rome Catholic School are learning how to become the future defenders of cyberspace through a pilot program that officials say is the first of its kind in the country.

The program teaches students about data protection, computer network protocols and vulnerabilities, security, firewalls and forensics, data hiding, and infrastructure and wireless security. Most importantly, officials said, teachers discuss ethical and legal considerations in cyber security.

"It's a great course. It's a little harder than I expected," said Catherine Gudaitis, a junior interested in theater. "But I know in the world I'm going to live in, this will be necessary information, even common knowledge."

President Bush made cyber security a focal point in February 2003 in his National Strategy to Secure Cyberspace, citing the importance of safeguarding America from crippling Internet-based attacks by terrorists against U.S. power grids, airports and other targets.

The pilot program was developed with help from computer experts at the U.S. Air Force's Research Lab in Rome, who four years ago created a 10-week long Advanced Course in Engineering Cyber Security Boot Camp for the military's Reserve Officers Training Corps, said Kamal Jabbour, the lab's principal computer engineer.
"Besides teaching teenagers to protect their digital assets, the course opens their imagination to the challenges in cyberspace, and seeks to excite them into a college education in computer engineering and a professional career in cyber security," Jabbour said. While computer courses are commonplace in American schools, the Rome program "is not just a little different. This is a step change," said Eric Spina, dean of Syracuse University's engineering and computer science programs, which also helped with the pilot's development. Spina said the material covered in the course is subject matter that college students - even engineering and computer science majors - typically don't receive until their junior year. "A high school student with this kind of background would be an asset anywhere they went," Spina said. Although young people are more technologically savvy than ever, they too frequently dabble in high-tech mischief. Rome's program is an effort to rechannel that native interest, said Principal Christopher Mominey. Thirteen students are enrolled in the 20-week elective course, which began with the start of the current semester Jan. 31. The class meets for 45 minutes after school four days a week, with two of the sessions devoted to lab time, said Ed Nickerson, one of three teachers who designed the curriculum. With financial support from Rome Lab and Syracuse University, the school transformed a one-time home economics classroom into a 12-station wireless computer lab. Nickerson said the students - sophomores, juniors and seniors - represent a wide spectrum of both academic ability and computer know-how. The school has approximately 400 students grades kindergarten through 12th, and a senior class this year of 18. The curriculum will be offered statewide beginning next year. On Friday, several dozen administrators and educators attended a workshop at the Rome school as an introduction. 
A weeklong course will be offered in August to prepare high school teachers to teach cyber security. If successful, the program could be offered nationwide in 2008, Jabbour said.

The program was developed through a congressional grant obtained by U.S. Rep. Sherwood Boehlert, chairman of the House Science Committee. Boehlert said U.S. Air Force Secretary Michael Wynne offered assurances during his recent visit to Rome Lab that if the program is successful, it will be included in the budget as a permanent item.

Copyright 2005 Associated Press. All rights reserved.

From isn at c4i.org Mon Mar 13 02:29:11 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Mar 2006 01:29:11 -0600 (CST)
Subject: [ISN] Meet on creating computer security response team
Message-ID:

http://www.gulf-times.com/site/topics/article.asp?cu_no=2&item_no=76519&version=1&template_id=36&parent_id=16

Staff Reporter
12 March, 2006

THE Qatar Computer Emergency Response Team (Q-CERT) will host a workshop on Creating a Computer Security Incident Response Team (CSIRT) on March 26.

The CSIRT is a team of information security personnel within an organisation. Establishing a CSIRT is essential to developing an awareness of the importance of information security to the normal stream of business and to developing the capability to respond to and resolve information security incidents in a timely manner.

This workshop is designed for managers and project leaders who are considering implementing a CSIRT in their own organisations. It will provide a high-level overview of the key issues and decisions that must be addressed to establish a CSIRT.

As part of the workshop, attendees will develop an action plan as a starting point in planning and implementing their CSIRT. The creation of a CSIRT is often the preliminary step to evolving an information security strategy that considers the business needs of the organisation.

The capacity of this first Q-CERT offering will be limited.
Those interested should contact the Q-CERT at register at qcert.org for additional information and registration.

From isn at c4i.org Tue Mar 14 03:12:29 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Mar 2006 02:12:29 -0600 (CST)
Subject: [ISN] Cryzip Trojan Encrypts Files, Demands Ransom
Message-ID:

http://www.eweek.com/article2/0,1895,1937408,00.asp

By Ryan Naraine
March 13, 2006

Virus hunters have discovered a new Trojan that encrypts files on an infected computer and then demands $300 in ransom for a decryption password.

The Trojan, identified as Cryzip, uses a commercial zip library to store the victim's documents inside a password-protected zip file and leaves step-by-step instructions on how to pay the ransom to retrieve the files.

It is not yet clear how the Trojan is being distributed, but security researchers say it was part of a small e-mail spam run that successfully evaded anti-virus scanners by staying below the radar.

While this type of attack, known as "ransomware," is not entirely new, it points to an increasing level of sophistication among online thieves who use social engineering tactics to trick victims into installing malware, said Shane Coursen, senior technical consultant at Moscow-based anti-virus vendor Kaspersky Lab.

The LURHQ Threat Intelligence Group, based in Chicago, was able to crack the encryption code used in the Cryzip Trojan and determine how the files are encrypted and the payment mechanism that has been set up to collect the $300 ransom.

According to a LURHQ advisory, Cryzip searches an infected hard drive for a wide range of widely used file types, including Word, Excel, PDF and JPG images. Once commandeered, the files are zipped and overwritten with the text: "Erased by Zippo! GO OUT!!!"

The Trojan then deletes all the files, leaving only the encrypted file with the original file name, followed by the "_CRYPT.ZIP" extension.
A new directory named "AUTO_ZIP_REPORT.TXT" is created with specific instructions on how to use the E-Gold online currency and payment system to send ransom payments.

The instructions, which are marked by misspellings and poor grammar, contain the following text: "Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password. You can not guess the password for your archived files - password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations)."

The owner of the infected machine is warned not to search for the program that encrypted the data, claiming that it simply doesn't exist on the hard drive.

"If you really care about documents and information in encrypted files you can pay using electonic currency $300," the note says. "Reporting to police about a case will not help you, they do not know password. Reporting somewhere about our E-Gold account will not help you to restore files. This is your only way to get yours files back."

The Trojan author uses scores of E-Gold accounts simultaneously to get around potential shutdowns, according to LURHQ, which published the complete list of E-Gold accounts in the advisory.

Officials from E-Gold, which operates out of the Caribbean island of Nevis, were not available for comment.

"Infection reports are not widespread, so it is not believed this is a mass threat by any means," LURHQ said. However, the company said social engineering malware is typically more successful when it is delivered in low volume to get around anti-virus detections.

"[M]ore attention means the likely closing of the accounts used for the anonymous money transfer," LURHQ said.
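The artifacts the article attributes to the LURHQ advisory (the "_CRYPT.ZIP" suffix appended to the original name, the "AUTO_ZIP_REPORT.TXT" note, and originals overwritten with "Erased by Zippo! GO OUT!!!") are enough for a responder to triage a disk. The script below is an added example for this list, not code from LURHQ or eWeek; it walks a directory tree, flags those three indicators, recovers the original file name from each archive, and checks whether the zip actually carries the encrypted flag (a plain zip that merely has the suffix is a different situation). The sample directory in the test is constructed.

```python
"""Triage scan for the Cryzip artifacts described in the article (added example)."""
import json
import sys
import zipfile
from pathlib import Path

CRYPT_SUFFIX = "_CRYPT.ZIP"                   # suffix appended to the original file name
RANSOM_NOTE = "AUTO_ZIP_REPORT.TXT"           # ransom instructions, reported as a directory
WIPE_MARKER = b"Erased by Zippo! GO OUT!!!"   # text written over originals before deletion


def original_name(archive_name: str) -> str:
    """'report.doc_CRYPT.ZIP' -> 'report.doc'.

    The suffix is appended to the full original name, so stripping it recovers
    the name (and real extension) of the document that was taken.
    """
    if not archive_name.upper().endswith(CRYPT_SUFFIX):
        raise ValueError(f"not a Cryzip archive name: {archive_name}")
    return archive_name[: -len(CRYPT_SUFFIX)]


def is_encrypted_zip(path: Path) -> bool:
    """True if every member carries the zip 'encrypted' general-purpose flag (bit 0).

    Only the central directory is read; no member is extracted, so no password is
    needed. A malformed or empty zip is reported as not encrypted.
    """
    try:
        with zipfile.ZipFile(path) as zf:
            members = zf.infolist()
    except (zipfile.BadZipFile, OSError):
        return False
    return bool(members) and all(info.flag_bits & 0x1 for info in members)


def scan_tree(root) -> dict:
    """Walk root and return findings grouped by indicator.

    archives: *_CRYPT.ZIP files with the recovered original name and encryption flag
    notes:    anything (file or directory) named AUTO_ZIP_REPORT.TXT
    wiped:    originals overwritten with the marker but not yet deleted
    """
    root = Path(root)
    findings = {"archives": [], "notes": [], "wiped": []}
    for path in root.rglob("*"):
        rel = str(path.relative_to(root))
        if path.name.upper() == RANSOM_NOTE:
            findings["notes"].append(rel)
            continue
        if not path.is_file():
            continue
        if path.name.upper().endswith(CRYPT_SUFFIX):
            findings["archives"].append({
                "path": rel,
                "original": original_name(path.name),
                "encrypted": is_encrypted_zip(path),
            })
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(len(WIPE_MARKER))   # prefix only; files may be large
        except OSError:
            continue
        if head == WIPE_MARKER:
            findings["wiped"].append(rel)
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(scan_tree(target), indent=2))
```

Run it against a mounted image or a user's profile directory; the `original` field tells you which documents were taken even when the archives themselves cannot be opened.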
From isn at c4i.org Tue Mar 14 03:12:40 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Mar 2006 02:12:40 -0600 (CST)
Subject: [ISN] ISO rejects China's WAPI wireless security protocol
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,109519,00.html

By Stephen Lawson
MARCH 13, 2006
IDG NEWS SERVICE

The International Standards Organization (ISO) last week rejected a security protocol that was backed by some Chinese representatives as an amendment to the group's wireless LAN standard.

The ISO turned down the Chinese technology, called the WLAN Authentication and Privacy Infrastructure (WAPI), in voting to adopt the IEEE 802.11i security specification that was developed by the Institute of Electrical and Electronics Engineers Inc., according to a member of the IEEE 802.11 Working Group who asked not to be named because of working group rules.

The ISO, a network of standards institutes that oversees specifications in a wide variety of fields, routinely adopts IEEE 802.11 standards and incorporates them into its body of specifications, the IEEE working group member said.

The Chinese government said that it would continue to support WAPI and that the rejection by the ISO would not affect use of WAPI in China, according to an online article by China's official Xinhua news service.

Votes at the ISO on adopting amendments to IEEE 802.11 standards normally aren't controversial, the working group member said. "At least in 802.11, there's never been anyone who's brought in a proposal that wasn't developed in 802.11," he said. The IEEE approved 802.11i in 2004.

China's government at one time proposed forcing foreign companies to license WAPI but later dropped those plans. A document from the IEEE 802.11 Working Group indicates that resistance to incorporating WAPI into an international wireless LAN standard has grown amid concerns about secrecy, namely the use of an undisclosed algorithm in the protocol.
Last week, 22 Chinese companies announced the formation of a group called the WAPI Industrial Union to promote adoption of WAPI. The group claimed its protocol offers better security than 802.11i.

From isn at c4i.org Tue Mar 14 03:12:15 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Mar 2006 02:12:15 -0600 (CST)
Subject: [ISN] How to legislate against hackers
Message-ID:

http://news.bbc.co.uk/1/hi/technology/4799338.stm

13 March 2006

Everyone is in favour of sending hackers to prison for longer, but technology commentator Bill Thompson wonders if our MPs are competent to make good cyber-laws.

If all goes to plan and the fuss over ID cards and school governance does not derail the parliamentary timetable, then we will soon have a new Police and Justice Act.

It makes many changes to the criminal law, but anyone considering writing a virus, hacking a bank system, launching a phishing or denial of service attack or installing some of the dodgier tools that can be used to 'test' network security should pay particular attention to clauses 33 to 36.

These amend the 1990 Computer Misuse Act in line with recommendations made last year by the All Party Internet Group of MPs, and take on board Tom Harris MP's proposals from his recent private member's bill.

If they go through then the maximum penalty for hacking will become 10 years for the most serious offences. The new act will also make it an offence to supply the software used to break into systems, and make it clear that denial of service attacks, where large numbers of requests are sent to a server, count as hacking.

MPs from all parties have welcomed the changes, even though they do not much like the rest of the bill, and overall they seem an acceptable update of the original act.

The All Party Internet Group has a reputation for being sensible when it comes to negotiating the interface between law and technology.
In this case they refused to be bounced into proposing the sort of illiberal measures that often emerge when computer security and critical information infrastructure are being discussed.

Lack of clarity

I have been around long enough to remember the original Computer Misuse Bill back in 1990. It was proposed by a conservative backbench MP, Michael Colvin, and supported by the government at a time when viruses were spread by floppy disk and hackers used university systems to break into government and military installations.

Mr Colvin knew little about computers or computing, and had proposed the bill as a result of lobbying after he came near the top in the ballot for private member's bills.

Although it concerned computers and hacking, using a computer system without the owner's consent, it famously failed to define what a computer was.

I pointed out to him that this would mean I was committing a criminal offence if I reprogrammed a video recorder at a friend's house without asking first, and he was happy to accept this. His argument was that the courts would not allow anything so foolish to proceed.

He was right in his belief that the courts would be cautious about allowing prosecutions. However the lack of clarity in the act was almost certainly the reason why it was used so rarely in the last 15 years, since the chances of a defendant being able to wriggle out of a conviction are too high for it to be worth prosecuting.

On the occasions when it has been applied rigidly it has sometimes produced results as bad as we feared it would.

Law and knowledge

Last October, Londoner Daniel Cuthbert was fined for probing a website set up to raise funds for victims of the Asian tsunami with a range of security tools after he failed to get a confirmation that his donation had been registered.
The proposals in the new bill that deal with the possession of security software could easily be abused to make life difficult for researchers or those, like me, who want to understand what these tools do.

Understanding the difference between a security tool, used to probe networks looking for holes that can be patched, and a hacker toolkit, used to probe networks looking for holes that can be exploited, is as much one of intention as implementation.

We should be wary of laws which require judges to look into the mind of the accused, and not only because every philosopher of mind tells us that such access is impossible.

Too few MPs really understand the issues at stake here. None on the front benches, apart perhaps from former computer consultant Stephen Timms, could describe why a port scan might be a legitimate activity or even, I suspect, what a network port is in the first place.

And with the departure of Richard Allan from the House of Commons at the last election, Parliament lost its only serious programmer.

This is a matter of growing concern. It is clear that the debate about the implementation of ID cards hinged on an assessment by MPs and peers of the technical arguments put forward on both sides, but few of those arguing were really competent to judge the issue.

Complex issues

This week I will be speaking at a seminar in London, organised by the Westminster eForum. We are talking about copyright and digital rights management and other issues which may well take up some serious parliamentary time in the next few years, especially when Andrew Gowers finishes his review of intellectual property law for the Treasury.

Although it is reassuring that Derek Wyatt, one of the few MPs who does embrace the internet, is chairing, I suspect we will see few of his fellow members there even though this is another issue where technology and law are inextricably linked.
MPs will argue that they are perfectly capable of being briefed on the most complex issues, but this assumes that they can get unbiased and comprehensible briefings. Some of the technical issues underlying ID cards, and DRM and computer crime may well not be amenable to this approach.

So what are we to do? Do we let generalist MPs with no real comprehension of what they are doing make law based on the last piece of lobbying they received?

We could call this the e-Lothian question, after the long-standing concern over letting MPs for Scottish constituencies vote on purely English matters even after the Scottish Parliament was set up.

Perhaps we should limit voting on clauses 33 to 36 of the Police and Justice Bill to those MPs who can demonstrate that they have at least two e-mail addresses, know how to use an RSS reader and can download and install their own web browser.

Somehow, I do not think they will go for it. Unless we recognise that MPs need a better understanding of technology we will continue to get bad law, just like we did in 1990.

-----------------------------------------------------------------
Bill Thompson is a regular commentator on the BBC World Service programme Go Digital

From isn at c4i.org Tue Mar 14 03:12:51 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Mar 2006 02:12:51 -0600 (CST)
Subject: [ISN] Citibank ATM fraud 'just tip of iceberg' - analyst
Message-ID:

http://www.theregister.co.uk/2006/03/13/citibank_fraud_follow-up/

By John Leyden
13th March 2006

An ongoing ATM fraud problem that forced Citibank into reissuing an unspecified number of US credit and debit cards is only part of a larger ongoing threat, a leading analyst warns.

Avivah Litan, a research director at Gartner, said that Citibank is only one of a number of victims and that the banking industry is "less than halfway through this latest scam, which will continue to affect large numbers of cardholders".
Citibank said it blocked PIN-based transactions of Citi-branded MasterCard cards in the UK, Russia and Canada to protect US customer accounts. It blamed the problem on a security breach involving an unspecified US retailer.

Litan, by contrast, suggests the theft of PIN data is the more likely cause of the security flap. She adds that other US banks have been forced to reissue ATM cards after customers' details were compromised.

"Gartner believes that these combined bank actions reflect the largest PIN theft to date - and point to a new wave of 'PIN block' card fraud," Litan writes.

If hackers break into retailer servers and steal PIN blocks that represent encrypted PIN data as well as terminal encryption keys (typically stored on retailers' terminal controllers), they might be able to determine a cardholder's PIN and create counterfeit cards that enable them to withdraw cash at ATM machines. Litan reckons that this - rather than a simple retailer breach - accounts for a recent rise in ATM fraud affecting US banks.

"In this particular scam, the thieves probably also stole (likely from a retailer) magnetic-stripe data found on the back of ATM cards, which large banks typically validate," she adds.

The Payment Card Industry (PCI) Data Security standard prohibits the storage of PIN blocks and covers terminal operations. Gartner advises card issuers to follow this guidance. The analyst firm also has advice for enterprises, payment vendors and regulators which can be reviewed here [1].
[1] http://www.gartner.com/DisplayDocument?doc_cd=138479

From isn at c4i.org Tue Mar 14 03:13:04 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Mar 2006 02:13:04 -0600 (CST)
Subject: [ISN] The enemy within the firewall
Message-ID:

http://www.theage.com.au/news/breaking/the-enemy-within-the-firewall/2006/03/13/1142098393208.html

By Louisa Hearn
March 14, 2006

Employees are now regarded as a greater danger to workplace cyber security than the gangs of hackers and virus writers launching targeted attacks from outside the firewall.

That is the perception of 75 per cent of Australian information technology managers who took part in an international IBM security survey.

With email and instant messaging proving increasingly popular and devices such as laptop computers, mobile phones and USB storage devices more commonplace in the office, the opportunities for workplace crime are growing.

"People are becoming the weakest link. A fluid work force with diminished loyalty to organisations is being exacerbated by the fact that people do not always realise the value of information that they deal with," said Claudia Warwar, managing consultant at IBM BCS Security and Privacy Practice.

Ms Warwar believes that the rise in internal security attacks has come about because outside criminal gangs realise that recruiting or tricking employees to hand over insider knowledge is less expensive and traceable than other forms of cybercrime.

And it seems the perception of this phenomenon is even worse in Australia than elsewhere in the world, with 11 per cent more respondents here identifying internal staff as their greatest threat.

Ms Warwar explained that one reason for this could be that in a larger country, where you might normally have ten staff working in a team, here you might only have one, granting closer access to important information.

"Employees here get to see more of the big picture and are closer to the whole business loop," she said.
But in spite of the threat, companies still allocate more of their security budgets to external threats. While 32 per cent of survey respondents were intent on upgrading firewalls, only 15 per cent planned to invest in awareness and education training for employees and only 10 per cent restricted the use of mobile devices such as wireless handheld computers not specifically sanctioned by the IT staff.

"Organisations need to understand what are the key pieces of information that need to be protected and be able to track who has had access to them," she said.

Looking more broadly at the issue of cyber crime, the survey also found that regardless of who had caused it, 49 per cent of local businesses believed it represented a larger threat than physical crime.

The three most common types of cyber crimes are hacking, denial of service attacks, and viruses and malware, which target different types of organisations.

"One of our clients had a virus bouncing around the network for quite a few days which did quite a bit of damage, whereas a denial of service attack is more likely to target those transacting and doing a lot of business online. If a hacker really knows where they are going within say a large financial company then they can also really hit the jackpot," said Ms Warwar.

A recent security report from antivirus company Symantec said cybercrime represented today's greatest threat to consumers' digital lifestyle and to online businesses in general.

"While past attacks were designed to destroy data, today's attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence," the company said.
From isn at c4i.org Tue Mar 14 03:13:16 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Mar 2006 02:13:16 -0600 (CST)
Subject: [ISN] CFP - 22nd Annual Computer Security Applications Conference
Message-ID:

Forwarded from: ACSAC Distribution Manager

PDF versions at
http://www.acsac.org/2006/cfp_2006.pdf
http://www.acsac.org/2006/cfp_2006-a4.pdf

---------------------------
Call For Participation
---------------------------

22nd Annual Computer Security Applications Conference
December 11-15, 2006
Miami Beach, Florida
http://www.acsac.org

                     Submission Deadline   Acceptance Notification
  Technical Track    June 4, 2006          Aug. 13, 2006
  Panels             June 4, 2006          Aug. 13, 2006
  Tutorials          June 4, 2006          Jul. 20, 2006
  Workshop           June 4, 2006          Jul. 20, 2006
  Case Studies       June 4, 2006          Aug. 15, 2006
  Works in Progress  Sep. 8, 2006          Oct. 1, 2006

See http://www.acsac.org/cfp for detailed submission information!

-------------------------------------------o------------------------------------------------

ACSAC is presented by a group of professionals who are working to facilitate information sharing among colleagues. We're an all-volunteer not-for-profit organization. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.

You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at http://www.acsac.org/list.

We have moved to a new web host and are trying to remove duplicates from our mailing lists. If you receive duplicate messages, or simply want to be removed from our list, please reply with the word REMOVE in the subject.
From isn at c4i.org Tue Mar 14 03:13:28 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 14 Mar 2006 02:13:28 -0600 (CST)
Subject: [ISN] Free CDs highlight security weaknesses
Message-ID:

http://www.networkworld.com/news/2006/031306-free-cds-security-weakness.html

By Jeremy Kirk
IDG News Service
03/13/06

To office workers trudging to their cubicles, the promotion looked like a chance at sweet relief from the five-day-a-week grind. By simply running a free CD on their computers, they would have a chance to win a vacation.

But the beguiling morning giveaway in London's financial district last month was more nefarious than it appeared. Like flies to garbage, dozens of victims took the CD, unable to control the irresistible attraction of "free."

Secret agents behind enemy lines, the CDs piggybacked through companies' physical security systems tucked in the bags and pockets of their couriers. The office workers dutifully took the CDs to their desks and plopped them in their employers' computers. The mission was complete.

In the process, the CDs likely skirted an array of IT security systems in place to prevent malicious code from being installed.

Although the CDs did not contain malicious code, the exercise accomplished the point Robert Chapman wanted to make: People are misinformed about what actions could damage their computers or expose them to malware, adware and viruses.

"All these things are bypassed by human nature and curiosity and a level of ignorance and naiveté," says Chapman, director of The Training Camp Ltd., a computer training and consulting firm based in London, who came up with the idea. "The lure of a free holiday entices them more than the potential damage that they may make to their corporate network."

When a user ran the CD, the code on it prompted a browser window that opened a Web site, Chapman says. The site then tried to load an image from another Web site, Chapman says.
The number of people who opened the CD could be tracked by the number of times the image was accessed, he says. Users saw only an error message saying the page could not be loaded, he says.

"There is nothing clever about it or illegal," Chapman said of the CD's code.

Although the front of the CD contained a written warning to users to check their company's internal security guidelines before running it, as many as 75 of the 100 CDs were played.

Chapman says he was able to trace the IP addresses of those computers that tried to access the image and found that employees at two well-known insurance companies and a retail bank were among the duped. Chapman declines, however, to identify the names of those companies.

The experiment underscores what experts say is the weakest point for IT security: people.

Many companies have policies and make their employees sign legally binding documents containing the rules for using company computers, but it's doubtful users get specific training on why those rules are in place, Chapman says.

Firewalls can block incoming hacking attempts, but most default firewall settings allow outbound traffic, Chapman says. If malicious code was already in the system, it might not be blocked by the firewall, allowing for the transmission of data from inside the computer, he says.

Chapman says he surprisingly didn't get any angry calls from rankled systems administrators.

"I was half-expecting something like that to happen, but I hope people realize that this is being done with a good heart," he says.
From isn at c4i.org Wed Mar 15 03:21:22 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Mar 2006 02:21:22 -0600 (CST)
Subject: [ISN] Man charged with hacking into GM database
Message-ID:

http://seattlepi.nwsource.com/business/1700AP_GM_Security_Breach.html

By TOM KRISHER
ASSOCIATED PRESS WRITER
March 14, 2006

DETROIT -- A former security guard at General Motors Corp.'s Warren technical center is accused of taking employee Social Security numbers and using them to hack into the company's employee vehicle database.

James S. Green II, 35, of Washington Township, found out what company cars the employees drove and sent them bogus e-mails asking them their thoughts on the vehicles, Macomb County sheriff's Capt. Anthony Wickersham said Tuesday.

Green was arraigned Monday on eight counts of obtaining, possessing or transferring personal identity information, one count of using a computer to commit a crime and one count of stalking that was unrelated to the GM cases. He was released after posting 10 percent of a $50,000 bond.

Wickersham said Green obtained the Social Security numbers of about 100 GM employees from the Detroit area and sent them e-mails posing as a representative of GM's company vehicle evaluation program.

"It's frightening to know that this individual had all this personal information on a lot of people," Wickersham said.

There was no telephone listing for Green.

Employees became suspicious because the e-mails came from a Yahoo address. They notified a GM security firm, which in turn told Macomb County deputies, GM spokeswoman Geri Lama said.

The security firm identified Green as a suspect, but deputies couldn't find him at his home, Wickersham said. They determined that the e-mails were sent from a library in Washington Township and found Green there, at a computer with the employee information, Wickersham said.
Green apparently got the Social Security numbers while working for a private security firm at the tech center, although officials weren't sure exactly how. All affected workers have been notified.

Although there's no evidence Green did anything else with the information, Wickersham said employees should check their credit reports and notify credit card companies to monitor for fraud.

He said officials don't know why Green sent the e-mails.

From isn at c4i.org Wed Mar 15 03:21:55 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Mar 2006 02:21:55 -0600 (CST)
Subject: [ISN] Interview: Elonka Dunin
Message-ID:

http://www.whitedust.net/article/51/Interview:_Elonka_Dunin/

By Mark Hinge & Peter Prickett
14 Mar 2006

WD> So, tell us, how did you first get into the world of computing?

Oh, I got involved with computers at a very young age, in the 1960s. My father was an early computer programmer, teaching mathematics and engineering at UCLA, and then later worked on a NASA project, on the team that launched the very first geosynchronous communications satellite, Syncom. Sometimes when he worked weekends, he'd take me in to his office with him, and as a kid I'd literally play with the big mainframe computers, like an IBM 360. It started off with him programming it to play simple number games with me, and then as I got older, I started doing some programming myself. My first language was Fortran.

In my junior high school, one of my math teachers also gave an extra credit programming class, but it was kind of difficult since we didn't have any computers! What the school did was to give us paper punchcards, and we'd use #2 pencils to fill in the dots where the holes were supposed to be punched, then the cards would be shipped downtown to where the holes would be punched and the cards were processed, and our programs would be run. The output would be printed out, and they'd ship that back to us at the school so we could debug.
It took days for a single roundtrip, so talk about lagged compile time!

In high school (early 1970s), things were a tiny bit better, since the school had a teletype with real-time (ooh!) communication, even though it was all on hardcopy, and the thing was incredibly loud. If you've ever seen the movie 'Andromeda Strain' and remember the teletype machine in that one, that's what our system looked like.

Then as I got older, I ran into the other early systems: A co-worker of mine in the USAF got a TRS-80, and then I had my own Osborne 1, and then I got a Mac Classic, and steadily upgraded to faster systems as computers became more and more powerful. I played pretty much every computer game that I could get my hands on, and in the 1980s I started getting involved with BBSes, logging on to systems in Colorado and California where I was working. In 1989, I started getting involved with online multiplayer games, like on the GEnie service, and a new career followed shortly thereafter.

WD> Simutronics was founded in 1987. Where does the name come from?

The company was founded by David Whatley, a teenager working out of his bedroom in his parents' home (he continues to be President and CEO today), and Tom & Susan Zelinski, a husband & wife team. David had earlier written some BBS software under a different company name, and when it came time to form a company with the Zelinskis, he just chose the name 'Simutronics' because he liked it.

WD> How has the company evolved since 1987?

I started getting involved with the company as a customer in 1989, and then moved to St. Louis in 1990 which is when I started working for Simutronics. We moved the base of operations out of David's bedroom into an apartment loft in another part of town, and managed the games from there. We had the top products on the GEnie online service, like our text games GemStone III and DragonRealms.
Then in 1993 our 3D graphical game CyberStrike won the very first 'Online Game of the Year' award from 'Computer Gaming World' magazine (they created the category so they could give us the award, the game was so ahead of its time), and the award started getting us more attention and more contracts. We moved into our own office, and opened up portals to our games from Prodigy, America Online, and CompuServe. In 1997, we launched our own website, play.net.

Games that we've created over the years have included Orb Wars, GemStone II-IV, DragonRealms, Modus Operandi, and Alliance of Heroes (originally Hercules & Xena: Alliance of Heroes). Our next big game is going to be Hero's Journey, a graphical MMORPG. We showed a preliminary version at E-3 in 2005 and got a lot of attention -- for example, mmorpg.com listed us as 'Best of Show'. Our office right now is a 10,000 sq. foot location in St. Charles (a suburb of St. Louis), and we have another office in Maryland.

WD> Like many of the people we have interviewed you worked in the military before computing. Why do you think that is?

I can't speak for other people, but for me, being in the military definitely changed my work habits and made me much more disciplined in terms of complex projects. It also gave me a lot more confidence in my own abilities. Those factors may be an edge which helps entrepreneurs to marshal the focus and drive that's necessary to become personally successful, whereas some other people may have ideas that are just as good, but not be able to pull together the discipline, confidence, and persistence to make their ideas happen.

WD> How long did you work for the US Air Force? Why did you leave?

I first enlisted for 4 years in 1977, but without making a clear choice on which career I wanted. So they kind of put me where they needed me, and I ended up doing avionics repair, troubleshooting aircraft instrumentation on cargo and reconnaissance aircraft.
I did okay at it, but I wasn't really stellar -- what I really wanted to do was something with computers. But every time I applied to cross-train, I was told that my job, 'Instrumentation,' was a 'shortage' career field, meaning that they didn't have enough people to fill it, and so I wasn't allowed to cross-train out unless it was into something that had even more of a shortage, like air traffic controller. I extended my enlistment for two years to try and push the paperwork through, but kept getting rejected, so when my final enlistment was up, I 'got out'. Oh well, their loss!

WD> In what capacity were you involved with the SR-71 and U-2 reconnaissance aircraft?

Instrumentation repair. Testing, troubleshooting, and replacing the sensors that detected the altitude, engine pressure, fuel status, and other this'es and thats'es that the pilot needs to know about. Basically, picture all the dials that a pilot looks at when he (or she) is sitting in the cockpit. I maintained those instruments, the transmitters that sent signals to them, and the wiring in between.

WD> What drew you into cryptography?

I'd been interested in puzzles for as long as I could remember. My mother used to talk about when I was a toddler, she'd just put me down on the doorstep with a puzzle, and I'd be happy for hours. Then when I was a little older, a neighborhood boy was studying codes for some project (I think a Boy Scout merit badge or something), and I was constantly over at his house asking questions. He finally just gave me all of his books and notes on the subject. Most of my early involvement with cryptography was just as a hobbyist though. I didn't start getting involved with the public scene until I ran into the PhreakNIC v3.0 Code, while I was giving a talk on gaming at Dragon*Con in 2000.

WD> You were the first person to crack the infamous PhreakNIC Code. Could you explain what said code is, and how you cracked it (without giving away the ending)?
What was the prize you won for beating the code?

It was a challenge created by JonnyX, the organizer of the PhreakNIC hacker convention in Nashville in 1999. He'd also done an easier code for PhreakNIC v2.0 in 1998, but he made something a lot harder for the next version. It was intended to be solved by the attendees at the conference, but no one could figure it out! He kept handing out flyers about it though, and used it to promote the upcoming 2001 convention. He said that the first person to figure it out would get an all expenses paid trip to the con.

I picked the code up with a bunch of other flyers at Dragon*Con 2000. Then, one weekend a bit after the convention, I was stuck at home, sick with the flu or something, and bummed out that I couldn't go to Def Con because I had a scheduling conflict (I'm friends with the lead singer of Blue Oyster Cult, who was playing in St. Louis that same weekend). So I channeled my energies into the Code, playing around with it to see what I could learn, and reading everything in the year's worth of discussion archives about it. I got pretty obsessed with it, and completely anti-social for awhile. Any of my friends who tried to talk to me, all I wanted to talk about was that Code.

And, well, it paid off, because I cracked it! I had to completely come up to speed from scratch on several cryptographic techniques, but I learned them all and got to the center, and made the cryptic announcement that it requested (I had to post a certain kind of haiku message to a hacker mailing list), and I won the prize. Then I wrote a tutorial to the mailing list about how I'd cracked it, and included a bunch of cyberpunk humor and in-jokes. That tutorial is now on my website, if anyone wants to read it. It's a fun read, and teaches a lot about cryptography, from simple binary all the way up to some state-of-the-art stuff.

WD> What other public recognition have you received for cryptography?

Aside from the PhreakNIC Code, the next biggest event was probably the cracking of the Cyrillic Projector cipher. It was a 10-year-old challenge that was on a sculpture in the middle of the University of North Carolina at Charlotte, and it turned out to be extracts from classified KGB documents! I definitely didn't do that one alone -- it was a team effort that involved several different people, some of whom knew each other, and others who didn't.

I've also gotten some recognition for a new method I came up with for solving Part 3 of Kryptos, as well as just the websites that I have, on both Kryptos and other of the world's most famous unsolved codes. It's a topic that people are fascinated with, and the webcounter just keeps climbing. This month it rolled over to more than 1.5 million page views, with several hundred thousand unique visitors. I've been invited to speak at several major universities on the subject of cryptography, and in mid-2005, a British book publisher, Constable & Robinson, contacted me and asked if I would write a book about codes.

WD> What is your involvement with the CIA's Kryptos sculpture? How is it that you were able to see it in person?

I first heard about Kryptos while I was working on the PhreakNIC v3.0 Code, since JonnyX had built some dead-ends into it, and one of them led to Kryptos. But I didn't really give Kryptos much thought at the time other than reading a few articles about it. Then in 2001 I was visiting my cousin in Washington DC (he'd had a really close call on September 11th), and after we visited the memorial at the Pentagon, he asked me if there was anything else that I wanted to see in town. I decided on Kryptos, but we couldn't figure out a way in to CIA (we were turned away by large men with guns, who kept saying, 'Official Business Only'). But then a few months later I was giving talks on steganography, and one of those talks got me an invitation to speak at CIA, so I was able to examine the sculpture up close.
I also made some rubbings, and when I got back to St. Louis, I made a single webpage to post scans of the rubbings online -- little did I know that that webpage was going to change my life!

WD> The Kryptos Group is working on the sculpture in the CIA headquarters courtyard in Langley, Virginia, attempting to decode the remaining characters. However, according to Time Magazine in May 1991, former CIA Director William Webster knows what the phrase is. Is the goal to actually crack the code or to develop further code breaking methodologies?

The goal is to decrypt those last 97 or 98 characters at the bottom of the sculpture. We know what the top three sections say, but not that last fourth part yet. As for Webster, he was given a sealed envelope by sculptor Sanborn at the sculpture's dedication in 1990, which supposedly contained the answers. But in a Wired interview in January 2005, Sanborn said that he didn't give Webster the full story.

WD> You have also been working in conjunction with the FBI on Al Qaeda codes, and they requested you give a talk on steganography. What did you advise within that talk and to whom?

The original request was that I put together a talk on steganography for the local St. Louis task force. We knew that there were agents in the main DC office who understood about steganography, but in the St. Louis field offices, they had a different mission and weren't crypto experts. So they were agreeing to let people from the private sector come in and help them get up to speed. I put together a 70-slide PowerPoint presentation that explained what steganography was, how it was used, and what the current rumors were about whether or not Al Qaeda had been using steganography to plan the September 11th attack. I don't believe that they were, and I went into the detailed reasons why not.
There was no proof anywhere that they were using steganography -- instead, they tended to use very simplistic codes, like if they were talking on a cellphone and needed to say 'FBI', they might instead say 'Food & Beverage Industry'. Or if they were referring to gas cutters, they were supposed to instead say 'gas stations.' And there was an extensive scan of images done by a team from the University of Michigan, looking through millions of internet locations, and then clustering computers together and running password dictionary attacks on anything that looked suspicious, but they never found a single thing.

WD> Did the CIA pay you for this? You say that you will give your talk for free if we see you 'passing by with laptop in hand'?

Yes, I made a bit of money from the CIA (even though I insisted I didn't want to be paid!). My main goal was just to get onsite so that I could see Kryptos. As for other locations, if they're nearby, I'll give the talk for free, but if they want me to fly to a different location, I normally ask for something nominal to cover expenses.

WD> What do you consider your greatest code-cracking achievement?

That's hard to answer. For emotional satisfaction, it has been helping out with the war on terrorism, and educating government agents about steganography and what types of codes that Al Qaeda might (or might not) be using. It gave me a deep sense of contributing my skills to a greater good, and helping to squash some of the rumors out there. Other things I'm particularly proud of would be my Kryptos website -- all the research I've done, people I've tracked down to interview, and the networking I've engaged in, in order to pull together so many disparate bits of information into one place.
In terms of sheer personal code-cracking, the whole Cyrillic Projector project was a lot of fun, plus of course there's the PhreakNIC v3.0 Code that started the whole thing - I also enjoyed writing the tutorial for that one, as well as cracking some of the other hacker-con codes, like the Atlantacon ones. Plus it was quite an honor when a British publishing house asked me to write a book!

WD> Which is more important to you, cryptography or Simutronics?

Simutronics, definitely. It's my day job, and what pays the bills. I've poured my heart and soul into the company over the years, and I am very dedicated to our customers. But cryptography is definitely a hobby of mine that's taken on a life of its own!

WD> What other projects are you working on right now?

At Simutronics, we're working on a new 3D graphical MMORPG, Hero's Journey, which we'll be demoing at E-3 in May. We also have a related product called HeroEngine: It's a new way that we've come up with which would allow other people to license our technology and utilities and engine to have everything they need to create their own MMORPG, and we'll be demoing that one at the Game Developers Conference in March.

Parallel with all of that, I've been spending some time on various MediaWiki databases, such as Wikipedia, and a new wiki we set up this year for the IGDA. I'm also still doing a lot of public speaking, with my next crypto talk being at NOTACON in Cleveland in April. And of course I have a book coming out soon! It's 'The Mammoth Book of Codes and Cryptograms' (in the U.S.), and 'The Mammoth Book of Secret Code Puzzles' in the UK. I've never written a book before, so it's been an interesting learning experience, navigating the world of publishers and bookstores and 'mainstream' marketing.
The book has a very impressive list of contributors, as puzzles were submitted from cryptographers all over the world -- of most interest to your own audience, there's even a section by Scott Kim which presents a pencil and paper method of doing asymmetric key encryption.

WD> Finally, which of your games do you play the most?

Now *that* is a closely-guarded secret. When I'm playing a multiplayer game, I just want to play, and not let anyone know who I am -- I try to stay as incognito as possible!

All Rights Reserved, Copyright 2005 Whitedust.net

From isn at c4i.org Wed Mar 15 03:22:12 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Mar 2006 02:22:12 -0600 (CST)
Subject: [ISN] OfficeMax: No evidence of security breach
Message-ID:

http://news.com.com/OfficeMax+No+evidence+of+security+breach/2100-1029_3-6049758.html

By Greg Sandoval
Staff Writer, CNET News.com
March 14, 2006

Following an extensive review of its security systems, OfficeMax says it has no reason to believe it was the company that suffered the data breach that resulted in thousands of cases of debit card fraud.

On Tuesday, the office-supply chain said that an independent study by a security expert found no indication that the company's customer information was lost. An internal investigation came to the same conclusion.

"OfficeMax takes the security of our customers' information with the utmost seriousness and is committed to protecting private customer information," the company said in a statement. "As we have stated consistently, we have no knowledge of a security breach at OfficeMax."

But the company wouldn't explain why it was still involved in the investigation into the debit card thefts.

"OfficeMax continues to work with the United States Secret Service and other federal law enforcement agencies in their investigation of ATM fraud," the company said.

Debit card holders from San Francisco to Pittsburgh to Boston have reported cash was seized from their accounts via fraudulent withdrawals.

Visa and MasterCard have said a merchant had suffered a data theft but wouldn't identify the company.

During the past two weeks, law enforcement officials have noted that their investigations revealed that many of the fraud victims were OfficeMax shoppers.

On Monday, Hudson County Prosecutor Edward DeFazio said his office had arrested 14 people in connection with the nationwide crime wave involving debit cards. In an interview with CNET News.com, DeFazio identified OfficeMax as among the victims of data theft. He said other companies were also ripped off.

OfficeMax has said it has "not received information from any third party concluding" that it suffered a breach.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Wed Mar 15 03:22:36 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Mar 2006 02:22:36 -0600 (CST)
Subject: [ISN] US Government Studies Open Source Quality
Message-ID:

http://www.osvdb.org/blog/?p=104

US Government Studies Open Source Quality

"US Government Studies Open Source Quality" reads the SlashDot thread, and it certainly sounds interesting. Reading deeper, it links to an article by the Reg titled "Homeland Security report tracks down rogue open source code". The author of the article, Gavin Clarke, doesn't link to the company who performed the study (Coverity) or the report itself.

A quick Google search finds the Coverity home page. On the right hand side, under Library, there is a link titled "NEW >> Open Source Quality Report". Clicking that, you are faced with "request information", checking the Open Source Quality Report box (one of seven boxes including Request Sales Call as the first option, and Linux Security Report is the default checked box), and then filling out 14 fields of personal information, 10 of which are required.

So, let me get this straight. My tax dollars fund the Department of Homeland Security.
The DHS opts to spend $1.24 million dollars on security research, by funding a university and two commercial companies. One of the commercial companies does research into open source software, and creates a report detailing their findings. To get a copy of this report, you must give the private/commercial company your first name, last name, company name, city, state, telephone, how you heard about them, email address, and a password for their site (you can optionally give them your title, and describe your project).

Excuse me, but it should be a CRIME for them to require that kind of personal information for a study that I helped fund via my tax dollars. Given this is a study of open source software, requiring registration and giving up that kind of personal information is doubly insulting. Coverity, you should be ashamed at using extortion to share information/research that should be free.

Even worse, your form does not accept RFC compliant e-mail addresses (RFC 822, RFC 2142 (section 4) and RFC 2821). Now I have to add your company to my "no plus" web page for not even understanding and following 24 year old RFC standards. HOW CAN WE TRUST ANYTHING YOU PUBLISH?!

Oh, if you don't want to go through all of that hassle, you can grab a copy of the PDF report anyway.

http://osvdb.org/ref/blog/open_source_quality_report.pdf

From isn at c4i.org Wed Mar 15 03:22:50 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Mar 2006 02:22:50 -0600 (CST)
Subject: [ISN] Computer hacker pleads guilty
Message-ID:

http://www.nctimes.com/articles/2006/03/14/news/sandiego/19_49_343_13_06.txt

By: North County Times News Service
March 13, 2006

SAN DIEGO - A young man who was 17 when he hacked into the computer network at San Diego State University and compromised operations pleaded guilty Monday to federal charges.

The defendant, who was not identified because he was a juvenile at the time of the offense, was immediately sentenced by U.S. District Judge Napoleon Jones Jr.
to three years probation and ordered to pay $20,735 in restitution.

"This young man has now learned the hard way that the Internet does not give anyone immunity from criminal prosecution and conviction," said U.S. Attorney Carol Lam.

The defendant admitted knowingly and intentionally accessing various legally protected computers in the SDSU network and recklessly causing damage to those computers.

Assistant U.S. Attorney Mitch Dembin said the defendant admitted that on Dec. 24, 2003, he scanned the university network looking for vulnerable computers and happened upon one in the Drama Department. He uploaded a variety of software tools and utilities to that computer for use in ferreting out other vulnerable computers within the SDSU network, cracking passwords and obtaining administrative privileges, Dembin said.

Over the next several hours, the defendant located and compromised at least seven additional computers, including the Financial Services and Housing Department systems, according to Dembin.

In mid-January 2004, the defendant uploaded a program to the Financial Services and Housing Department computers that would allow him to store, share and distribute music and software, including pirated video games, Dembin said.

He said the computer breach was discovered on Feb. 24, 2004, when complaints were received from individuals who were getting unsolicited electronic mail originating from the Financial Services computer. That led to a full investigation by SDSU that revealed the larger scope of the hacker's work, according to Dembin.

He said SDSU spent more than $20,000 investigating the extent of the compromise and repairing and restoring the damaged computers. The university also had to notify individuals whose personal information was located on the Financial Services computer that their data may have been accessed.

The prosecutor said there is no evidence, however, that any data stored on the Financial Services computer was downloaded or used for identity theft.

Steve Harshaw, an SDSU police detective, was involved in the case.

"Without the assistance from San Diego State's Information Security Office, it would have been extremely difficult to track down this criminal," he said. "We're very happy that an arrest was made, especially in light of how difficult investigations into this type of crime can be."

From isn at c4i.org Wed Mar 15 03:23:02 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Mar 2006 02:23:02 -0600 (CST)
Subject: [ISN] Hacker gains access to Bisons fans' Web data
Message-ID:

http://www.buffalonews.com/editorial/20060314/1033934.asp

By STEPHEN T. WATSON
News Staff Reporter
3/14/2006

A computer hacker recently gained access to sensitive financial information - including credit card numbers - on the Buffalo Bisons' Web site, the team is warning its customers.

The Secret Service, with the assistance of the FBI, is investigating the security breach, which occurred last month. So far, the Bisons say they have no indication that the intruder has misused any of the ill-gotten data.

The team has set up a toll-free number for people to call for more information and has notified the four credit card companies that are involved.

"We apologize for any inconvenience this situation has caused any of our fans," the team said in a statement.

Choice One Online, which hosted the Bisons' Web site at the time of the breach, said that it has hired the VeriSign global Internet security firm to conduct its own investigation into the security breach.

"VeriSign did confirm that we caught it early enough that damage, if any, will be next to nothing," said Keith Radford Jr., director of Choice One Online.

Employees of the Bisons and Choice One noticed the breach about Feb. 13, according to the team and Radford.

An intruder got into the Choice One system and uploaded a program that gave this person access to names, passwords, financial data and other information collected from customers who ordered items through Bisons.com, the Bisons said in a letter to customers.

The intruder accessed the information on the Bisons' Web site, the Bisons said, but so far, there is no evidence that this information was misused in any way.

The Bisons are cooperating in the investigation by the federal agencies and by VeriSign, according to the team's statement.

The Bisons mailed out the letters to any potentially affected Web customers shortly after learning of the breach, said Mike Buczkowski, the team's general manager. He would not say how many customers might have been affected.

The Bisons and Choice One changed their passwords and shut down the computer servers that were infiltrated, and the team notified American Express, Discover, MasterCard and Visa about the breach.

The Bisons are warning their Internet customers to monitor statements from their financial institutions and notify their credit card or debit card companies that their accounts might have been compromised. The toll-free number the team set up for customers is (800) 380-1447.

Choice One, a Buffalo Internet services company, said the VeriSign investigation will show the full extent of the damage caused by the breach, which Radford described as "minimal." The company is beefing up its security measures in response to the incident, he said.

Choice One and the Bisons no longer are working together, a move that Buczkowski said is not related to the security breach. The team last July began talking with Major League Baseball Advanced Media about hosting the Bisons' Web site, he said, and the switch went into effect last month.

From isn at c4i.org Wed Mar 15 03:23:41 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Mar 2006 02:23:41 -0600 (CST)
Subject: [ISN] REVIEW: "The CISM Prep Guide", Ronald L.
 Krutz/Russell Dean Vines
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKCISMPG.RVW   20051204

"The CISM Prep Guide", Ronald L. Krutz/Russell Dean Vines, 2003,
0-471-45598-9, U$60.00/C$92.95/UK#41,95
%A   Ronald L. Krutz
%A   Russell Dean Vines
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-45598-9
%I   John Wiley & Sons, Inc.
%O   U$60.00/C$92.95/UK#41,95 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0471455989/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0471455989/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471455989/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   433 p. + CD-ROM
%T   "The CISM Prep Guide"

The CISM (Certified Information Systems Manager) is ISACA's (Information Systems Audit and Control Association) extension to its more widely known CISA (Certified Information Systems Auditor) (cf. BKCISAPG.RVW) designation. It basically covers the material addressed in the CISSP (Certified Information Systems Security Professional) security management domain, with additional material on incident response.

The chapters in this book follow the five domains of the CISM. Chapter one deals with information security governance, also passing quickly over some of the areas of technical security controls. Risk management is addressed in chapter two, with a concentration on the NIST (US National Institute of Standards and Technology) risk assessment framework: an indication of the concentration on US standards in this work and certification. Information security program management, in chapter three, includes topics such as formal models, project management, and the system development life cycle. (There is a lack of clarity in some of the explanations of specific models that may lead readers into error.)
Information security management, in chapter four, is even more of a grab bag, looking at US regulations, contracts, auditing, and security reviews. Chapter five covers incident response, disaster recovery, and forensics.

The book also contains a set of questions. They are quite vague, and, if representative of the CISM itself, that certification is only looking for familiarity with topics.

copyright Robert M. Slade, 2005   BKCISMPG.RVW   20051204

======================  (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca      slade at victoria.tc.ca      rslade at sun.soci.niu.edu
In a real dark night of the soul it is always three o'clock in the
morning, day after day.                     - F. Scott Fitzgerald
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

From isn at c4i.org Thu Mar 16 05:03:04 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Mar 2006 04:03:04 -0600 (CST)
Subject: [ISN] NIST sets FISMA standards for federal IT systems
Message-ID:

http://www.gcn.com/online/vol1_no1/40127-1.html

By William Jackson
GCN Staff
03/15/06

The National Institute of Standards and Technology has released the final standard for securing agency computer systems under the Federal Information Security Management Act.

Federal Information Processing Standard 200 [1] sets minimum security requirements for federal systems in 17 security areas. It is the third of three publications required from NIST under FISMA, which requires executive branch agencies to establish consistent, manageable IT security programs for non-national security systems.

The intent of FISMA is to implement risk-based processes for selecting and implementing security controls. FIPS 199 [2], released two years ago, establishes standards for categorizing IT systems as low, moderate or high-impact, depending on the effect of a breach of confidentiality, integrity or availability of the system.

Special Publication 800-53 [3] - "Recommended Security Controls for Federal Information Systems" - lays out the tools to be used under FIPS 200 to secure IT systems.

Agencies must be in compliance with FIPS 200 by March 2007. Requirements are spelled out for:

* Access control
* Awareness and training
* Audit and accountability
* Certification, accreditation and security assessments
* Configuration management
* Contingency planning
* Identification and authentication
* Incident response
* Maintenance
* Media protection
* Physical and environmental protection
* Planning
* Personnel security
* Risk assessment
* System and services acquisition
* System and communications protection
* System and information integrity.

Agencies must employ on each system the proper security controls in each of these areas depending on whether it is a low, moderate or high-impact system.

NIST also is updating its standards for digital signatures. A draft of FIPS 186-3 [4], which would replace the current FIPS 186-2, has been released for comment.

The original digital signature standard was released in 1994 and has been updated twice, in 1998 and 1999. The current version authorizes the use of key sizes of 512 and 1024 bits with approved algorithms. Key sizes of 1024 now are considered the minimum acceptable level for security of digital signatures.

"With advances in technology, it is prudent to consider larger key sizes," NIST said. "Draft FIPS 186-3 allows the use of 1024, 2048 and 3072-bit keys."

Comments on the proposed standard should be made by June 12 to elaine.barker at nist.gov, or mailed to the Chief, Computer Security Division, Information Technology Laboratory, Attention: Comments on Draft FIPS 186-3, 100 Bureau Drive, Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930.

[1] http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
[2] http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
[3] http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
[4] http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-186-3%20_March2006.pdf

From isn at c4i.org Thu Mar 16 05:03:20 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Mar 2006 04:03:20 -0600 (CST)
Subject: [ISN] FrSIRT Puts Exploits up for Sale
Message-ID:

http://www.eweek.com/article2/0,1895,1938511,00.asp

By Ryan Naraine
March 15, 2006

Independent security research outfit FrSIRT.com is putting its database of security exploits behind the paid curtain.

FrSIRT, previously known as K-Otik, has shut down the public exploits section of its Web site and announced that all exploits and proof-of-concept code will be sold through its subscription-based VNS (Vulnerability Notification Service).

The 3-year-old company, which operates out of Montpellier, France, is considered the go-to place for finding exploit code for known software vulnerabilities and has been a thorn in the side of many vendors, including Microsoft.

FrSIRT describes itself as the trusted center for the collection and dissemination of information related to network threats, vulnerabilities, exploits and incidents, but critics say the company's open approach to releasing harmful exploit code borders on "irresponsible disclosure."

The new FrSIRT VNS offers round-the-clock monitoring of new vulnerabilities and threats, and promises real-time access to a Web-based security alerting service. The alerts are delivered through a Web portal, XML feeds and e-mail subscriptions.

Subscribers will also get an online vulnerability scanner and scheduler with which to run security scans on a regular basis to check for security vulnerabilities.

FrSIRT said pricing for the service will vary based on the number of users that will be licensed to receive the alerts and access the exploit code samples.

The new service is part of a growing trend among third-party researchers to profit from code auditing work. Companies like iDefense and Tipping Point have found a lucrative business in purchasing the rights to information on vulnerabilities.

Dutch security firm Frame4 Security Systems is also getting into the malware-for-sale market, launching a project called MD:Pro that offers access to thousands of downloadable malware samples.

From isn at c4i.org Thu Mar 16 05:03:53 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Mar 2006 04:03:53 -0600 (CST)
Subject: [ISN] Trojan spy couple are expected to be jailed
Message-ID:

http://www.computerweekly.com/Articles/2006/03/15/214829/Trojanspycoupleareexpectedtobejailed.htm

By Antony Savvas
15 March 2006

A British-based Israeli couple are expected to be jailed in Israel for their part in an industrial espionage scandal involving the use of a Trojan data-tracking bug.

Ruth Brier-Haephrati, 28, and her 44-year-old husband Michael Haephrati, have entered a plea bargain to be sentenced to four and two years in jail respectively, after confessing their involvement in the Trojan horse case.

The plea, entered in a Tel Aviv court, also proposes that they should each have to pay one million New Israeli Shekels (£121,400) in compensation.

The couple were extradited to Israel from Britain earlier this year.

According to the court, the couple were managers of the firm Target-Eya. Michael Haephrati is said to have developed the spyware Trojan horse, while his wife, Ruth, marketed it to several private investigators who bought the code and installed it onto the computers of their clients' rivals.

Graham Cluley, senior technology consultant at internet security software firm Sophos, said, "The Israeli authorities should be congratulated for bringing these cyber-criminals to justice - it sends a strong message that this kind of activity will not be tolerated."

He added, "It remains to be seen however if the private investigators who deployed the Trojan horses on the computers of innocent businesses, and potentially made more money than this couple in the process, will also be officially held to account."

The Haephratis' Trojan horse is said to have been used by private investigators to spy on both a PR agency, whose clients include Israel's second biggest mobile phone operator, Partner Communication, and a cable television station. Another alleged victim was Champion Motors, which imports Audi and Volkswagen motor vehicles.

The Tel Aviv court will announce whether it accepts the Haephratis' plea bargain on 27 March.

© 2006 Reed Business Information Limited. All Rights Reserved.

From isn at c4i.org Thu Mar 16 05:02:49 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Mar 2006 04:02:49 -0600 (CST)
Subject: [ISN] Stop blaming Winny, fix the real problem
Message-ID:

http://www.yomiuri.co.jp/dy/editorial/20060315TDY04006.htm

The Yomiuri Shimbun
Mar. 15, 2006

Should all the blame fall on the Winny file-sharing software? Not quite. Anyone dealing with sensitive information has an extremely heavy obligation in this regard.

A number of cases of large amounts of government secrets and personal information being accidentally disclosed on the Internet have come to light in recent weeks, and Winny has been singled out for criticism in all these incidents.

Winny was created to enable computer users to exchange music and video files over the Internet. However, the development of the software has been followed by the emergence of computer viruses that infect computers running Winny, making the software act in ways not intended.
If infected, Winny can upload data from computers on which it is installed onto the Internet without the knowledge of users. In all the information disclosures reported, the victims had stored important data on personal computers that were running copies of Winny that had been infected with viruses. This has prompted many people to point a finger at the file-sharing software. The recent spate of Winny-related incidents includes the disclosure of information about investigations by the Okayama and Ehime prefectural police. The tendency to single Winny out for criticism can be seen in remarks made by senior officials at the National Police Agency, an organ charged with supervising prefectural police authorities. "Police personnel who use Winny on their personal computers have no awareness of their professional duties," NPA Commissioner General Iwao Uruma said. === Lax security true culprit But blaming Winny alone means blinkering oneself to the true culprit, and one needs to look further. It is disturbing to see that the organizations affected by the incidents were extremely lackadaisical in protecting information and secrets. Questions should be raised about why those responsible for the disclosures were able to copy sensitive information from their office computers onto their own computers, and take it home without permission from their superiors. The ease with which this was done means no measures had been taken to protect the confidentiality of information held by these offices. What if such massive amounts of information had been stored on paper, not computers, and disclosed? The spate of disclosures would be considered highly abnormal. We all have good reason to raise questions about how the organizations affected by the disclosures protect their secrets and data. Are personnel at their offices allowed to duplicate important documents and take them outside? Are they permitted to take such documents home? 
Are the central and local governments properly equipped to manage the many secrets and personal information entrusted to them? The government and other pertinent organizations must thoroughly reexamine their information-control systems.

=== Govt must accept responsibility

The Defense Agency intends to buy all its personnel new computers to help them carry out their duties. The decision came after the agency had second thoughts about its standing practice of allowing employees to use their own computers for work.

But this purchase must be complemented by efforts to ensure information stored on these computers is properly controlled. If agency officials are allowed to copy data from their office computers onto their personal computers and take them out, the agency will remain susceptible to the disclosure of secrets and data. Winny is not the only software that can be perverted to disclose data stored on computers; there are others.

The Defense Agency must ban personnel from using the newly supplied computers for personal use. No government employee should be allowed to take data outside the workplace. Government information and data must be encrypted if taken out of the office. Doing so would prevent the data from being understood if disclosed to an outsider.

Thorough measures should be implemented to educate government employees about how to properly control data they handle. Furthermore, periodic inspections are needed to ensure these safeguards are being followed. Any organization that has had the bitter experience of having secrets and data disclosed has already taken such measures.

Government organizations must learn what it means to protect the confidentiality of their information and data.
(From The Yomiuri Shimbun, March 15) From isn at c4i.org Thu Mar 16 05:04:11 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 16 Mar 2006 04:04:11 -0600 (CST) Subject: [ISN] DHS Gets Another F in Computer Security Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2006/03/15/AR2006031501589.html By Brian Krebs washingtonpost.com Staff Writer March 15, 2006 Most federal agencies that play key roles in the war on terror are doing a dismal job of protecting their computers and information networks from hackers and viruses, according to portions of a report to be released by a key congressional oversight committee Thursday. The Department of Homeland Security, which is charged with setting the government's cyber security agenda, earned a grade of F for the third straight year from the House Government Reform Committee. Other agencies whose failing marks went unchanged from 2004 include the departments of Agriculture, Defense, Energy, State, Health and Human Services, Transportation, and Veterans Affairs. The House Government Reform Committee is expected to award the federal government an overall grade of D-plus for computer security in 2005, a score that remains virtually unchanged from 2004. Several agencies saw a considerable drop in their scores. The Department of Justice went from a B-minus in 2004 to a "D" in 2005, while Interior earned failing marks after getting a C-plus in 2004. The scores are "unacceptably low," committee Chairman Tom Davis (R-Va.) said in a statement. "DHS must have its house in order and should become a security leader among agencies. What's holding them up?" The annual report bases the grades on the agencies' internal assessments and information they are required to submit annually to the White House Office of Management and Budget. The letter grades depended on how well agencies met the requirements set out in the Federal Information Security Management Act (FISMA). 
FISMA requires agencies to meet a wide variety of computer security standards, ranging from operational details -- such as ensuring proper password management by workers and restricting employee access to sensitive networks and documents -- to creating procedures for reporting security problems. As online attacks against consumers and businesses have skyrocketed, so have assaults against government information systems. Alan Paller, director of research for the SANS Institute, a group in Bethesda, Md., that trains and certifies computer security professionals, said a number of federal computer systems have been badly penetrated by hackers and viruses over the past several years, in part because many agencies do not adequately monitor their systems or apply software security updates in a timely manner. But Paller argues that the yearly FISMA grades force agencies to apply scarce funding and employee time toward the wrong priorities. "It turns out that the vast bulk of the federal information security money is spent on documenting these systems, not on securing or testing them against attacks," Paller said. "Most [agencies] are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified." Davis said he is interested in examining ways to ensure that FISMA compliance does not become a paperwork exercise where agencies comply with the letter, but not the spirit, of the law. "We don't want them filling out forms to simply fill out forms, but in my experience, when it comes to information security, it is still difficult to get people -- even members of Congress -- engaged in the issue," Davis said. "An attack could originate anywhere at any time, and FISMA is the best tool we have to ensure that agencies are proactively securing themselves." While a number of agencies performed worse last year than in 2004, many showed marked improvement in meeting federal computer security requirements. 
The National Science Foundation and the General Services Administration each saw their scores rise from a C-plus in 2004 to an A last year. The Environmental Protection Agency and the Department of Labor earned A-plus grades in 2005, up from B and B-minus respectively.

© 2006 Washingtonpost.Newsweek Interactive

From isn at c4i.org Thu Mar 16 05:04:34 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Mar 2006 04:04:34 -0600 (CST)
Subject: [ISN] Study Says Chips in ID Tags Are Vulnerable to Viruses
Message-ID:

http://www.nytimes.com/2006/03/15/technology/15tag.html

By JOHN MARKOFF
March 15, 2006

A group of European computer researchers has demonstrated that it is possible to insert a software virus into radio frequency identification tags, part of a microchip-based tracking technology in growing use in commercial and security applications.

In a paper to be presented today at an academic computing conference in Pisa, Italy, the researchers plan to demonstrate how it is possible to infect a tiny portion of memory in the chip, which can hold as little as 128 characters of information.

Until now, most computer security experts have discounted the possibility of using such tags, known as RFID chips, to spread a computer virus because of the tiny amount of memory on the chips.

The tracking systems are intended to improve the accuracy and lower the cost of tracking goods in supply chains, warehouses and stores. Radio tags store far more data about a product than bar codes and can be read more quickly. They have even been injected into pets and livestock for identification.

The chips have already prompted debate over privacy and surveillance, given their tracking ability. Now the researchers have added a series of worrisome prospects, including the ability of terrorists and smugglers to evade airport luggage scanning systems that will use RFID tags in the future.
In the researchers' paper, "Is Your Cat Infected With a Computer Virus?," the group, affiliated with the computer science department at Vrije Universiteit in Amsterdam, also describes how the vulnerability could be used to undermine a variety of tracking systems.

The researchers said they realized that there are risks associated with publishing security vulnerabilities in computerized systems. To head off some of the possible attacks they described, they have also published a set of steps to help protect RFID chips from such attacks.

The group, led by Andrew S. Tanenbaum, an American computer scientist, will make the presentation at the annual Pervasive Computing and Communications Conference sponsored by the Institute of Electrical and Electronics Engineers.

The researchers asserted that the RFID demonstration had not used the commercial software that collects and organizes information from RFID readers. Rather, it used software that they designed to replicate those systems. "We have not found specific flaws" in the commercial RFID software, Mr. Tanenbaum said, but "experience shows that software written by large companies has errors in it."

The researchers have posted their paper and related materials on security issues related to RFID systems at www.rfidvirus.org.

The researchers acknowledged that inside information would be required in many cases to plant a hostile program. But they asserted that the commercial software developed for RFID applications had the same potential vulnerabilities that have been exploited by viruses and other malicious software, or malware, in the rest of the computer industry.

One such standard industry problem is a software coding error referred to as a buffer overflow. Such errors occur when a program sets aside a fixed-size block of memory to receive data but fails to check, before copying, that the incoming value actually fits in that space.
A larger-than-expected value then overwrites whatever lies next to that block in memory; an attacker who controls the value can crash the program or steer it into executing code of the attacker's choosing. "You should check all of your input all of the time, but experience shows this isn't the case," Mr. Tanenbaum said.

Independent computer security specialists also said RFID systems were potential problem areas.

"It shouldn't surprise you that a system that is designed to be manufactured as cheaply as possible is designed with no security constraints whatsoever," said Peter Neumann, a computer scientist at SRI International, a research firm in Menlo Park, Calif.

Mr. Neumann is the co-author of an article to be published in the May issue of the Communications of the Association for Computing Machinery on the risks of RFID systems. He said existing RFID systems were a computer security disaster waiting to happen. He cited inadequate identification for users, the potential for counterfeiting or disabling tags, and the problem of weak encryption in a passport-tracking system being developed in the United States. But he said he had not previously considered the possibility of viruses and other malicious software programs.

An industry executive acknowledged that the companies that make computerized tracking systems faced potential security problems.

"We are very actively looking at the different ways the technology is used," said the executive, Daniel P. Mullen, president of the Association for Automatic Identification and Mobility, an industry trade group. "It's an ongoing dialogue about protecting information on the tag and in the database."

The association has a working group of experts assessing both security and privacy challenges, he said.

There are many types of RFID tag, and some of the sophisticated versions include security features like encryption of the identifying number carried by the chip.
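The buffer overflow Tanenbaum describes above, shown in working C as an added example that is not code from the researchers' paper or from any RFID product: a reader's tag-record parser in the form that trusts the tag's own length byte, beside a form that checks every value the tag supplies before using it. The one-byte length-prefixed tag layout, the `pet_record` structure and the three sample tags are constructed for the illustration and are not a real EPC encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The middleware reserves a fixed field for the name read off a pet's tag. */
#define NAME_MAX 32

struct pet_record {
    char name[NAME_MAX];
    uint32_t owner_id;   /* lives right after name in memory, so it is the
                            first thing an overrun of name clobbers */
};

/* Tag layout assumed by this example (not a real standard): byte 0 holds the
 * length of the name, bytes 1..len hold the name. Both are written by whoever
 * programmed the tag, so both are attacker-controlled input. */

/* VULNERABLE form: trusts the length byte and copies blindly. */
int parse_tag_unchecked(const uint8_t *tag, size_t tag_len, struct pet_record *out)
{
    size_t len = tag[0];
    (void)tag_len;                    /* how many bytes the tag really holds is never consulted */
    memcpy(out->name, tag + 1, len);  /* len may be up to 255 on a 32-byte field */
    out->name[len] = '\0';            /* the terminator lands wherever len points */
    return 0;
}

/* How many bytes the unchecked parser would write past the end of name
 * (memcpy of len bytes plus the terminator). Computed rather than executed,
 * so the demonstration does not itself corrupt memory. */
size_t unchecked_overrun(const uint8_t *tag)
{
    size_t written = (size_t)tag[0] + 1;
    return written > NAME_MAX ? written - NAME_MAX : 0;
}

/* Hardened form: every value derived from the tag is validated before use. */
int parse_tag_checked(const uint8_t *tag, size_t tag_len, struct pet_record *out)
{
    if (tag == NULL || out == NULL || tag_len < 1)
        return -1;
    size_t len = tag[0];
    if (len > tag_len - 1)            /* claims more bytes than the tag carries: a read overrun */
        return -1;
    if (len > NAME_MAX - 1)           /* would not fit with its terminator: a write overrun */
        return -1;
    for (size_t i = 0; i < len; i++)  /* downstream treats name as text: reject control bytes */
        if (tag[1 + i] < 0x20 || tag[1 + i] > 0x7e)
            return -1;
    memcpy(out->name, tag + 1, len);
    out->name[len] = '\0';
    return 0;
}

/* Constructed sample tags (not captured from real hardware). */
static const uint8_t good_tag[] = { 6, 'F', 'l', 'u', 'f', 'f', 'y' };
/* Length byte says 200 but only 4 bytes follow: the unchecked parser reads past the tag. */
static const uint8_t lying_tag[] = { 200, 'A', 'B', 'C', 'D' };
/* Length byte is honest (40 bytes follow) but larger than the 32-byte field. */
static const uint8_t long_tag[] = {
    40,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A'
};

int main(void)
{
    struct pet_record rec;
    int rc = parse_tag_checked(good_tag, sizeof good_tag, &rec);
    printf("good tag:  rc=%d name=%s\n", rc, rc == 0 ? rec.name : "(rejected)");
    rc = parse_tag_checked(lying_tag, sizeof lying_tag, &rec);
    printf("lying tag: rc=%d (length byte exceeds tag contents)\n", rc);
    rc = parse_tag_checked(long_tag, sizeof long_tag, &rec);
    printf("long tag:  rc=%d; unchecked parser would write %zu bytes past name\n",
           rc, unchecked_overrun(long_tag));
    return 0;
}
```

The checked parser rejects a tag on three independent grounds (length exceeds what was actually read, length exceeds the destination field, non-text bytes in a field the rest of the system treats as text); the unchecked one accepts all three sample tags and, for the 40-byte name, writes nine bytes over `owner_id`. The same pattern applies to any fixed field the reader fills from tag memory.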
But the Dutch research group warned that in a variety of situations it is possible for attackers to alter the information in an RFID tag to subvert its purpose.

"RFID malware is a Pandora's box that has been gathering dust in the corners of our 'smart' warehouses and homes," they write in their paper.

In one example they offered, a virus from an infected tag on luggage passing through an airport could be picked up when it is scanned by the luggage-handling control systems and then spread to tags attached to other pieces of luggage. Such an attack, they suggest, might spread luggage contamination to other airports. It might also be used by a smuggler to cause a piece of luggage to avoid security systems.

They also described situations in which counterfeit RFID tags could be used to subvert pricing and other aspects of commercial sales systems, or a virus could be inserted into RFID tags used to identify pets.

Copyright 2006 The New York Times Company

From isn at c4i.org Thu Mar 16 05:05:06 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Mar 2006 04:05:06 -0600 (CST)
Subject: [ISN] Handheld Security Admin
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

GuardianEdge Technologies
http://list.windowsitpro.com/t?ctl=23D89:4FB69

Scalable Software
http://list.windowsitpro.com/t?ctl=23D87:4FB69

====================

1. In Focus: Handheld Security Admin

2. Security News and Features
- Recent Security Vulnerabilities
- Cisco Moving into Physical Security Arena
- Firefox 2.0 to Gain Security Improvements
- Crank Up Security with MBSA 2.0

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- Share Your Security Tips

4.
New and Improved - Better Security Event Reporting ==================== ==== Sponsor: GuardianEdge Technologies ==== Encrypt and Manage Data on Any Platform Sensitive data is everywhere: in email and on hard drives, removable storage devices, and PDAs. Encryption is the only way to protect that data from criminals and competitors while complying with regulators. But encrypting data on all those devices and managing them efficiently is a major challenge. Encryption Anywhere solves the problem with a single management tool that plugs directly into Microsoft Active Directory letting you distribute and manage encrypted Microsoft clients without changing your current processes. Click here to find out how you can protect corporate data and prevent identity theft. http://list.windowsitpro.com/t?ctl=23D89:4FB69 ==================== ==== 1. In Focus: Handheld Security Admin ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Laptops are great tools. They've allowed security administrators to take their tools on the road and freed them from relying on access to a storage server. For some security consultants, it might be nearly impossible to get any work done without a laptop. One downside of laptops is that sometimes they can be bulky to carry around. Plus when you need to use a laptop, you must take it out of the bag, find a place to set it (on your lap if necessary), and start it up. Then when you're done, you must reverse the whole process. A task that will take you 5 minutes on the computer winds up taking 10 minutes overall. Now, new mobile devices are poised to improve our situation once again. New handheld devices are powerful, flexible, and relatively easy to use. They can run a full-blown OS (as opposed to a scaled down, limited version), provide plenty of storage, are lightweight, and are ready to use almost instantly nearly any time and any place. New devices are coming to market. 
One that you might have already heard about is Microsoft's Ultra-Mobile PC (UMPC), code-named The Origami Project. UMPC runs Windows XP Tablet PC Edition, has a 7-inch display with a minimum resolution of 800 x 480 pixels, includes network connectivity, has a 40GB hard drive, and weighs about 2 pounds. UMPC won't fit in your pocket, but it would fit in some purses, and you'll be able to hold it in your hand to get work done when necessary. Microsoft's UMPC will cost under $1000.
http://list.windowsitpro.com/t?ctl=23D99:4FB69

Some might think that UMPC is just another tablet PC. While that might be true in the most basic sense, tablet PCs have significant advantages over laptops, most notably the ease of use. One thing missing from UMPC is a keyboard. I must have a keyboard, even though I like handhelds' touch screens. A demo at Intel's site (first URL below) shows an ultra-mobile device that does have a keyboard (second URL below). I want this one!
http://list.windowsitpro.com/t?ctl=23D8C:4FB69
http://list.windowsitpro.com/t?ctl=23D91:4FB69

Another new device is the DualCor cPC. This device weighs only 1.1 pounds and features two processors and two OSs: Windows XP Tablet PC Edition and Windows Mobile. The device also has a 40GB hard drive and a 5-inch display with a resolution of 800 x 480 pixels. The price is $1500 retail, with discounts for volume purchases.
http://list.windowsitpro.com/t?ctl=23D9E:4FB69

Another handheld computer comes from OQO. The OQO model 01+ has a 30GB drive, weighs only 14 ounces, and is small enough to put in your pocket. The screen size is 5 inches. The model 01+ has a mini-keyboard that slides out from under the display. Hold on to your hats for the price: the Windows Tablet PC Edition sells for $2099 retail!
http://list.windowsitpro.com/t?ctl=23D9C:4FB69 For a decent comparison of several handheld computers, including some that I didn't have room to mention here and some that don't run Windows Tablet PC Edition, visit the handtops.com Web site at the URL below. http://list.windowsitpro.com/t?ctl=23D9A:4FB69 ==================== ==== Sponsor: Scalable Software ==== How much are you spending on IT compliance? Streamline and automate the compliance life cycle with this FREE white paper, and reduce your costs today! http://list.windowsitpro.com/t?ctl=23D87:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=23D8B:4FB69 Cisco Moving into Physical Security Arena With its latest acquisition, Cisco aims to bring its customers IP- enabled physical security. The company announced an agreement to acquire privately held SyPixx Networks, a company founded in 2002 to deliver video surveillance systems. http://list.windowsitpro.com/t?ctl=23D92:4FB69 Firefox 2.0 to Gain Security Improvements An alpha release of Firefox 2.0 is due out in the next few days, according to meeting minutes posted at Mozilla Foundation. A few important new security features will be included in the 2.0 version. Read about them in this news story. http://list.windowsitpro.com/t?ctl=23D93:4FB69 Crank Up Security with MBSA 2.0 The latest version of Microsoft's popular no-cost MBSA tool is more than a simple update; it includes new features and has been designed to integrate seamlessly with other update tools such as Windows Server Update Services (WSUS) and the Systems Management Server (SMS) Inventory Tool for Microsoft Updates (ITMU). 
Get the details at http://list.windowsitpro.com/t?ctl=23D94:4FB69 ==================== ==== Resources and Events ==== Windows Connections Conference, April 9-12, 2006 Don't miss the essential Windows technology conference. http://list.windowsitpro.com/t?ctl=23D9D:4FB69 When disaster strikes your servers, whether they are dedicated to Windows, SQL, or Exchange, you need answers. Make sure that if an emergency occurs, you're prepared. Get the full eBook and get started on your recovery plan today! http://list.windowsitpro.com/t?ctl=23D86:4FB69 Learn to gather evidence of compliance across multiple systems and link the data to regulatory and framework control objectives. On-demand Web seminar. http://list.windowsitpro.com/t?ctl=23D83:4FB69 Make sure your email server is secure. Learn everything from basic techniques to defense-in-depth strategies, including network-level access control lists, Web authentication, firewall protocol inspection, and perimeter filtering. Live Web seminar Thursday, March 23. http://list.windowsitpro.com/t?ctl=23D84:4FB69 Use Windows Server 2003 R2 as a platform for SQL Server 2005 to support large-database requirements, including clustering and multiple processors. Register for this free Web seminar today! http://list.windowsitpro.com/t?ctl=23D85:4FB69 ==================== ==== Featured White Paper ==== Use scripted deployments to ensure that all your Exchange servers are configured and deployed with exactly the same options and to maintain a record of your installation configurations. Learn how today! http://list.windowsitpro.com/t?ctl=23D8A:4FB69 ==================== ==== Hot Spot ==== Symantec Corporation A multi-tier approach to email security prevents unauthorized access and can stop spam, viruses, and phishing attacks. Learn to implement one today, and protect your network security and business systems! http://list.windowsitpro.com/t?ctl=23D88:4FB69 ==================== ==== 3. 
Security Toolkit ==== Security Matters Blog: L0phtcrack Retired by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=23D98:4FB69 After years as a password-cracking staple, L0phtcrack is apparently being put out to pasture--discontinued. However, there are alternatives, including Cain & Abel, LCP, Ophcrack 2, and the Openwall Project's John the Ripper. Find links to these alternatives in this blog article. http://list.windowsitpro.com/t?ctl=23D95:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=23D97:4FB69 Q: Can you use the Microsoft File Server Migration Toolkit (FSMT) to migrate shares between servers in different forests? Find the answer at http://list.windowsitpro.com/t?ctl=23D96:4FB69 Security Forum Featured Thread: Audit Tools Know of any good tools to audit a Windows Server 2003 domain environment, including password reports? If so, join the discussion at http://list.windowsitpro.com/t?ctl=23D82:4FB69 Share Your Security Tips and Get $100 Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Windows IT Pro Magazine Article Library--access available Sign up for a Monthly Online Pass and get INSTANT access to all articles, tools, and helpful resources published on WindowsITPro.com, including exclusive subscriber-only content. You'll get 24/7 access to the full Windows IT article library (which includes more than 9,000 articles) as well as the latest digital issue of Windows IT Pro delivered right to your inbox. Sign up now: http://list.windowsitpro.com/t?ctl=23D8E:4FB69 Windows IT Pro Magazine--SAVE 58% Windows IT Pro is a must-have in 2006! 
Subscribe now and plug into the largest independent Windows IT community in the world. Along with loads of how-to articles, time-saving advice, and expert tips and solutions, you'll gain exclusive access to the entire online Windows IT Pro article library FREE. This is a limited-time offer, so order now: http://list.windowsitpro.com/t?ctl=23D8D:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products at windowsitpro.com Better Security Event Reporting Astaro released Astaro Report Manager 4.2, which lets you collect and report on data from Astaro Security Gateway appliances and security gateways from other vendors such as Check Point and Cisco. New features include a Java-based console that provides information about critical security events in real time, a new forensics analysis tool that helps you search log data on multiple devices, and new reports designed to meet federal regulatory requirements. Pricing starts at $295 for systems running Astaro Security Gateway Software and at $395 for Astaro Security Gateway appliances. For more information, go to http://list.windowsitpro.com/t?ctl=23D9F:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com. 
==================== ==== Contact Us ==== About the newsletter -- letters at windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=23D9B:4FB69 About product news -- products at windowsitpro.com About your subscription -- windowsitproupdate at windowsitpro.com About sponsoring Security UPDATE -- salesopps at windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=23D90:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2006, Penton Media, Inc. All rights reserved. From isn at c4i.org Fri Mar 17 03:34:10 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 17 Mar 2006 02:34:10 -0600 (CST) Subject: [ISN] State seizes newspaper's hard drives in leak probe Message-ID: http://www.yorkdispatch.com/pennsylvania/ci_3608667 MARYCLAIRE DALE The Associated Press 03/16/2006 PHILADELPHIA -- The Pennsylvania Attorney General's Office has seized four newsroom hard drives as part of a probe into alleged leaks by a county coroner, after the state Supreme Court denied the newspaper's challenge to the search. The attorney general's office, which is conducting a grand jury probe, rebuffed offers from the Intelligencer Journal of Lancaster to provide the information sought through less intrusive means or to search the computers in the newsroom, newspaper officials said. Harold E. Miller Jr., the president and chief executive of parent Lancaster Newspapers Inc., said the ruling dismayed his reporters and could have a chilling effect on newsgathering. 
"You get to the point where sources have confidence that we'll do the right thing and that our industry's protected. They'll talk to us," Miller said yesterday. "Without that confidence, we lose our ability to do our job."

Kevin Harley, a spokesman for state Attorney General Tom Corbett, declined to comment, citing grand jury rules.

The state Supreme Court, upholding a lower court ruling, last week rejected the paper's effort to quash the subpoena for the hard drives.

The newspaper has not filed an appeal to the U.S. Supreme Court, in part because they were told the search would start the next morning, lawyer George C. Werner Jr. said.

Under terms of the lower court's ruling, the newspaper had given the hard drives conditionally to the attorney general's office before the Supreme Court ruling.

The attorney general's office is investigating whether Lancaster Coroner G. Gary Kirchner gave reporters his password to a secure law-enforcement Web site, according to a brief filed in the case. Kirchner has denied doing so.

The attorney general's office has pledged to limit its search to usage related to the Web site in question, which is run by the Lancaster County-Wide Communications' Computer Assisted Dispatch Web site.

"Once you turn your hard drives over to a government entity and they have your computers, they essentially have access to the newsroom," said Lucy Dalglish, executive director of the Reporters Committee for Freedom of the Press in Washington.

"It's not like it was in the days when we were all typing out on manual typewriters. It's like going into the brain of the newsroom and dissecting it. I find that horrifying," she said.

© 2005 Copyright The York Dispatch

From isn at c4i.org Fri Mar 17 03:34:30 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Mar 2006 02:34:30 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-11
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-03-09 - 2006-03-16

This week : 56 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Again this week Apple has released a security update, which fixes multiple vulnerabilities.

However, the "Extremely Critical" vulnerability released on the 21st of February 2006 remains only partially fixed, due to the fact that it is still possible to trick users into opening malicious shell scripts (masqueraded as a safe file type) in ZIP archives.

You can test whether or not your system is affected by this vulnerability here:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

For additional details about the other vulnerabilities fixed, please refer to SA19129, the first of the referenced Secunia advisories below. Details about the partially fixed vulnerability may be found in SA18963.

References:
http://secunia.com/SA19129
http://secunia.com/SA18963

--

Microsoft has released 2 security bulletins as part of their monthly patch release cycle. All users are advised to visit Windows Update and apply available patches.

For additional details about the issues corrected, please refer to the referenced Secunia advisories below.

References:
http://secunia.com/SA19138
http://secunia.com/SA18756

--

Some vulnerabilities have been reported in Flash Player, which can be exploited by malicious people to compromise a user's system.

See the referenced Secunia advisory for a list of affected products as well as links to updated versions.

Reference:
http://secunia.com/SA19218

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA19218] Flash Player Unspecified Code Execution Vulnerabilities
2.  [SA19129] Mac OS X Security Update Fixes Multiple Vulnerabilities
3.  [SA19138] Microsoft Office Multiple Code Execution Vulnerabilities
4.  [SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
5.  [SA18963] Mac OS X File Association Meta Data Shell Script Execution
6.  [SA19173] GnuPG Unsigned Data Injection Detection Vulnerability
7.  [SA19175] Gallery "stepOrder[]" Local File Inclusion Vulnerability
8.  [SA19189] Red Hat update for python
9.  [SA19064] Mac OS X Security Update Fixes Multiple Vulnerabilities
10. [SA19150] Kerio MailServer IMAP LOGIN Denial of Service Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA19247] ASP Portal Cross-Site Scripting and SQL Injection Vulnerabilities
[SA19191] Hosting Controller "search" Forum SQL Injection
[SA19229] Adobe Document/Graphics Server File URI Resource Access
[SA19238] Avaya Modular Messaging Windows Privilege Escalation Security Issues
[SA19217] AntiVir PersonalEdition Update Report Privilege Escalation

UNIX/Linux:
[SA19237] CrossFire "SetUp()" Buffer Overflow Vulnerability
[SA19230] SGI Advanced Linux Environment Multiple Updates
[SA19226] Debian update for metamail
[SA19210] Debian update for bomberclone
[SA19199] Gentoo cube Buffer Overflow and Denial of Service
[SA19244] Fedora update for gnupg
[SA19241] Apache Log4net Denial of Service Vulnerability
[SA19236] Gentoo update for tar
[SA19234] Debian update for gnupg
[SA19232] Gentoo update for gnupg
[SA19228] Gentoo update for flex
[SA19227] Debian update for freeciv
[SA19203] Slackware update for gnupg
[SA19197] SUSE update for gpg
[SA19196] Trustix update for mailman
[SA19194] Debian update for crossfire
[SA19193] SCO OpenServer Updates for Multiple Packages
[SA19192] Debian update for ffmpeg
[SA19190] Red Hat update for kdegraphics
[SA19189] Red Hat update for python
[SA19240] Debian update for webcalendar
[SA19225] sa-exim "greylistclean.cron" File Deletion Vulnerability
[SA19221] glFTPd IP Address Check Bypass Vulnerability
[SA19211] CGI::Session Insecure Default Session File Permissions
[SA19205] Gentoo update for squirrelmail
[SA19187] Debian update for libcrypt-cbc-perl
[SA19239] Apache mod_python FileSession Handling Vulnerability
[SA19235] AIX "mklvcopy" Command Unspecified Vulnerability
[SA19220] Ubuntu update for kernel
[SA19200] Ubuntu Installer Log Files Exposure of User Credentials

Other:
[SA19233] Funkwerk X2300 ISAKMP IKE Message Processing Vulnerabilities

Cross Platform:
[SA19218] Flash Player Unspecified Code Execution Vulnerabilities
[SA19246] Horde "url" Disclosure of Sensitive Information Vulnerability
[SA19245] Drupal Multiple Vulnerabilities
[SA19224] @1 File Store Script Insertion and SQL Injection
[SA19222] GuppY "pg" Arbitrary File Overwrite Vulnerability
[SA19219] Vegas Forum "postid" SQL Injection Vulnerability
[SA19215] Jupiter Content Manager "image" BBcode Script Insertion
[SA19214] Zeroboard Multiple Script Insertion Vulnerabilities
[SA19209] DSPoll "pollid" SQL Injection Vulnerability
[SA19208] ENet Library Two Denial of Service Vulnerabilities
[SA19207] DSNewsletter "email" SQL Injection Vulnerability
[SA19206] DSCounter "X-Forwarded-For" SQL Injection Vulnerability
[SA19202] DSDownload Multiple SQL Injection Vulnerabilities
[SA19201] DSLogin Multiple SQL Injection Vulnerabilities
[SA19195] PHP SimpleNEWS "admin" Authentication Bypass
[SA19216] vCard Cross-Site Scripting Vulnerabilities
[SA19212] GGZ Gaming Zone XML Handling Denial of Service
[SA19204] WMNews Cross-Site Scripting Vulnerabilities
[SA19188] UnrealIRCd Server Link TKL Command Denial of Service
[SA19186] DokuWiki Mediamanager EXIF Data Cross-Site Scripting Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA19247] ASP Portal Cross-Site Scripting and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-03-15

CodeScan Labs have reported some vulnerabilities in ASP Portal, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19247/

--

[SA19191] Hosting Controller "search" Forum SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-10

"nope" has discovered a vulnerability in Hosting Controller, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19191/

--

[SA19229] Adobe Document/Graphics Server File URI Resource Access

Critical:    Moderately critical
Where:       From local network
Impact:      Manipulation of data, Exposure of sensitive information, System access
Released:    2006-03-15

Secunia Research has discovered a vulnerability in Adobe Document Server and Adobe Graphics Server, which can be exploited by malicious people to gain knowledge of potentially sensitive information, overwrite arbitrary files, or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19229/

--

[SA19238] Avaya Modular Messaging Windows Privilege Escalation Security Issues

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-03-15

Avaya has acknowledged some security issues in Avaya Modular Messaging, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/19238/

--

[SA19217] AntiVir PersonalEdition Update Report Privilege Escalation

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-03-13

Ramon 'ports' Kukla has discovered a vulnerability in AntiVir PersonalEdition Classic, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/19217/

UNIX/Linux:
--

[SA19237] CrossFire "SetUp()" Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-14

landser has discovered a vulnerability in CrossFire, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19237/

--

[SA19230] SGI Advanced Linux Environment Multiple Updates

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-03-14

SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19230/

--

[SA19226] Debian update for metamail

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-13

Debian has issued an update for metamail. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19226/

--

[SA19210] Debian update for bomberclone

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-14

Debian has issued an update for bomberclone. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19210/

--

[SA19199] Gentoo cube Buffer Overflow and Denial of Service

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-13

Gentoo has acknowledged some vulnerabilities in cube, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19199/

--

[SA19244] Fedora update for gnupg

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-03-14

Fedora has issued an update for gnupg. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19244/

--

[SA19241] Apache Log4net Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-03-14

Sebastian Krahmer has reported a vulnerability in Log4net, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19241/

--

[SA19236] Gentoo update for tar

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-13

Gentoo has issued an update for tar. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19236/

--

[SA19234] Debian update for gnupg

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-03-13

Debian has issued an update for gnupg. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19234/

--

[SA19232] Gentoo update for gnupg

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-03-13

Gentoo has issued an update for gnupg. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19232/

--

[SA19228] Gentoo update for flex

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-03-13

Gentoo has issued an update for flex. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19228/

--

[SA19227] Debian update for freeciv

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-03-13

Debian has issued an update for freeciv. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19227/

--

[SA19203] Slackware update for gnupg

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-03-14

Slackware has issued an update for gnupg. This fixes a vulnerability and a security issue, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19203/

--

[SA19197] SUSE update for gpg

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-03-13

SUSE has issued an update for gpg. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19197/

--

[SA19196] Trustix update for mailman

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-03-10

Trustix has issued an update for mailman. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19196/

--

[SA19194] Debian update for crossfire

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-03-15

Debian has issued an update for crossfire. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/19194/

--

[SA19193] SCO OpenServer Updates for Multiple Packages

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-15

SCO has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to potentially cause a DoS (Denial of Service) and to compromise a user's system or vulnerable system.

Full Advisory:
http://secunia.com/advisories/19193/

--

[SA19192] Debian update for ffmpeg

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-13

Debian has issued an update for ffmpeg. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19192/

--

[SA19190] Red Hat update for kdegraphics

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-10

Red Hat has issued an update for kdegraphics. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19190/

--

[SA19189] Red Hat update for python

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-10

Red Hat has issued an update for python. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19189/

--

[SA19240] Debian update for webcalendar

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-03-15

Debian has issued an update for webcalendar. This fixes some vulnerabilities, which can be exploited by malicious users to manipulate certain information and conduct SQL injection attacks, and by malicious people to conduct HTTP response splitting attacks.

Full Advisory:
http://secunia.com/advisories/19240/

--

[SA19225] sa-exim "greylistclean.cron" File Deletion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-03-13

Chris Morris has reported a vulnerability in sa-exim, which potentially can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19225/

--

[SA19221] glFTPd IP Address Check Bypass Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-03-15

A vulnerability has been reported in glFTPd, which potentially can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19221/

--

[SA19211] CGI::Session Insecure Default Session File Permissions

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-03-13

Joey Hess has reported some security issues in CGI::Session, which potentially can be exploited by malicious, local users and by malicious people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/19211/

--

[SA19205] Gentoo update for squirrelmail

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-03-13

Gentoo has issued an update for squirrelmail. This fixes some vulnerabilities, which can be exploited by malicious users to manipulate certain information and by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19205/

--

[SA19187] Debian update for libcrypt-cbc-perl

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-03-13

Debian has issued an update for libcrypt-cbc-perl. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19187/

--

[SA19239] Apache mod_python FileSession Handling Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-03-14

A vulnerability has been reported in mod_python, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/19239/

--

[SA19235] AIX "mklvcopy" Command Unspecified Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Unknown
Released:    2006-03-15

A vulnerability has been reported in IBM AIX, which has an unknown impact.

Full Advisory:
http://secunia.com/advisories/19235/

--

[SA19220] Ubuntu update for kernel

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information, DoS
Released:    2006-03-13

Ubuntu has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19220/

--

[SA19200] Ubuntu Installer Log Files Exposure of User Credentials

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-03-13

Karl Øie has reported a security issue in Ubuntu, which can be exploited by malicious, local users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/19200/

Other:
--

[SA19233] Funkwerk X2300 ISAKMP IKE Message Processing Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, DoS
Released:    2006-03-15

Some vulnerabilities have been reported in Funkwerk X2300, which potentially can be exploited by malicious people to cause a DoS (Denial of Service), and with an unknown impact.
Full Advisory:
http://secunia.com/advisories/19233/

Cross Platform:
--

[SA19218] Flash Player Unspecified Code Execution Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-03-15

Some vulnerabilities have been reported in Flash Player, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19218/

--

[SA19246] Horde "url" Disclosure of Sensitive Information Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-03-15

Paul Craig has discovered a vulnerability in Horde, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/19246/

--

[SA19245] Drupal Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Hijacking, Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-03-14

Some vulnerabilities have been reported in Drupal, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and session fixation attacks, and manipulate outgoing mails.

Full Advisory:
http://secunia.com/advisories/19245/

--

[SA19224] @1 File Store Script Insertion and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-03-13

Aliaksandr Hartsuyeu has reported some vulnerabilities in @1 File Store, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19224/

--

[SA19222] GuppY "pg" Arbitrary File Overwrite Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-13

trueend5 has reported a vulnerability in GuppY, which can be exploited by malicious people to manipulate certain information.

Full Advisory:
http://secunia.com/advisories/19222/

--

[SA19219] Vegas Forum "postid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-14

Aliaksandr Hartsuyeu has reported a vulnerability in Vegas Forum, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19219/

--

[SA19215] Jupiter Content Manager "image" BBcode Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-13

Nomenumbra/[0x4F4C] has discovered a vulnerability in Jupiter Content Manager, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19215/

--

[SA19214] Zeroboard Multiple Script Insertion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-13

dong-houn yoU has reported some vulnerabilities in Zeroboard, which can be exploited by malicious people to conduct script-insertion attacks.

Full Advisory:
http://secunia.com/advisories/19214/

--

[SA19209] DSPoll "pollid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-13

Aliaksandr Hartsuyeu has reported a vulnerability in DSPoll, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19209/

--

[SA19208] ENet Library Two Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-03-13

Luigi Auriemma has reported two vulnerabilities in ENet Library, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/19208/

--

[SA19207] DSNewsletter "email" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-13

Aliaksandr Hartsuyeu has reported a vulnerability in DSNewsletter, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19207/

--

[SA19206] DSCounter "X-Forwarded-For" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-13

Aliaksandr Hartsuyeu has reported a vulnerability in DSCounter, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19206/

--

[SA19202] DSDownload Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-13

Aliaksandr Hartsuyeu has discovered some vulnerabilities in DSDownload, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19202/

--

[SA19201] DSLogin Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-14

Aliaksandr Hartsuyeu has discovered multiple vulnerabilities in DSLogin, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19201/

--

[SA19195] PHP SimpleNEWS "admin" Authentication Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-03-10

Aliaksandr Hartsuyeu has reported a vulnerability in PHP SimpleNEWS and PHP SimpleNEWS MySQL, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19195/

--

[SA19216] vCard Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-13

Linux_Drox has reported some vulnerabilities in vCard, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19216/

--

[SA19212] GGZ Gaming Zone XML Handling Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-03-13

Luigi Auriemma has reported a vulnerability in GGZ Gaming Zone, which can be exploited by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/19212/

--

[SA19204] WMNews Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-13

R00T3RR0R has reported some vulnerabilities in WMNews, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19204/

--

[SA19188] UnrealIRCd Server Link TKL Command Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-03-10

A vulnerability has been reported in UnrealIRCd, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19188/

--

[SA19186] DokuWiki Mediamanager EXIF Data Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-10

A vulnerability has been reported in DokuWiki, which potentially can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19186/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Mar 17 03:34:45 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Mar 2006 02:34:45 -0600 (CST)
Subject: [ISN] Security Experts Warn of Devastating Web Attack
Message-ID:

http://www.foxnews.com/story/0,2933,188102,00.html

Paul Wagenseil
Fox News
March 16, 2006

WASHINGTON - A powerful new twist on the most common kind of Internet attack could overwhelm even the most popular and well-fortified Web sites and disrupt e-mail traffic by enlisting the network infrastructure servers that manage Internet traffic worldwide, security experts warn.

First detected as early as 2002, the assault, known as a distributed reflected denial-of-service (DRDoS) attack, bombards targeted Web servers with such massive amounts of spurious data that even flagship technology companies would not be able to cope.

In one case examined, an unknown assailant used an Internet domain-name server in South Africa to unknowingly bombard targeted computers with overwhelming floods of amplified data.

Domain-name servers are specialized computers that help direct Internet traffic. Computers see Web addresses as a string of numbers called an IP address; a domain-name server translates a user's request for, say, "www.yahoo.com" into the IP address "68.142.226.34."

Experts traced at least 1,500 attacks that briefly shut down commercial Web sites, large Internet providers and leading Internet infrastructure companies during a period of weeks beginning late last year. The attacks were so targeted that most Internet users did not notice widespread effects.
Like a standard "denial-of-service" (DoS) attack, a DRDoS attack exploits the standard TCP/IP "three-way handshake" between a client and server machine.

Typically, a "client" PC looking up a Web site sends a request for acknowledgement, including its own return IP address, to the Web site's server. The server acknowledges the request, and in turn asks the client for a confirmation that the request was made. The client sends its own acknowledgement, and data then flows freely between the two machines.

In a standard DoS attack, a malicious machine takes down a Web site by flooding it with requests containing false IP return addresses, which the server will acknowledge. But since the acknowledgement goes to a non-existent IP address, the server will get no reply, and will keep trying again and again. Enough false requests will overload a server and make a Web site unavailable.

In the case of a distributed denial-of-service (DDoS) attack, a hacker, having secretly taken command of hundreds or thousands of "zombiefied" ordinary PCs by infecting them with computer viruses, enlists them all in bombarding the targeted Web server.

A DRDoS attack takes the concept to a new level. The malicious requests, again coming from countless "zombie" machines, contain a legitimate return IP address - in this case, the IP address of the server being targeted. The requests go not to the target, but to hundreds of intermediate infrastructure servers, often owned by large technology companies, which help direct Web traffic.

The infrastructure servers, which are innocently doing their jobs and can easily handle huge numbers of requests, "return" the acknowledgements to the target machine, which is quickly overwhelmed.

Ken Silva, chief security officer for VeriSign Inc., compared the scale of a possible DRDoS attack to the damage caused in October 2002 when nine of the 13 computer "root" servers that make up the core of the Internet were crippled by a powerful straight-on DDoS attack.
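The reflection mechanism the article describes has a recognisable signature from the victim's side: DNS responses arriving from many distinct servers that the victim never queried, with far more bytes coming back than ever went out. The domain-name-server variant runs over UDP, so the spoofed return address is never verified, which is why an open resolver will happily "return" its answer to the target. The detector below is an added example written for this page, not code from the article or from any vendor; the flow-record schema, the sample records and the thresholds are constructed assumptions (in practice the records would come from NetFlow/IPFIX exports or a packet capture, and the thresholds would be tuned to the network's normal DNS volume).

```python
"""Flag hosts that look like DNS reflection (DRDoS) targets from flow records.

Added example; the Flow schema, sample data and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow summary (hypothetical schema)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    octets: int


# Constructed sample. 203.0.113.5 is an ordinary client: one query out, one
# answer back. 198.51.100.7 is the reflection victim: an attacker has spoofed
# it as the source of queries to 20 resolvers, so it receives large responses
# (40 packets of ~3000 bytes from each) although it sent only one real query.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 50321, "192.0.2.53", 53, 1, 64),
    Flow("192.0.2.53", 53, "203.0.113.5", 50321, 1, 180),
    *[Flow(f"192.0.2.{i}", 53, "198.51.100.7", 80, 40, 40 * 3000)
      for i in range(10, 30)],
    Flow("198.51.100.7", 41000, "192.0.2.10", 53, 1, 60),
    Flow("192.0.2.10", 53, "198.51.100.7", 41000, 1, 200),
]


def summarize_dns(flows):
    """Per host: DNS responses received, DNS queries sent, distinct responders."""
    stats = defaultdict(lambda: {"resp_octets": 0, "resp_packets": 0,
                                 "query_octets": 0, "query_packets": 0,
                                 "responders": set()})
    for f in flows:
        if f.src_port == 53:
            # A response arriving at f.dst_ip (a resolver-to-resolver flow with
            # both ports 53 is counted here as well, which is the safe side).
            s = stats[f.dst_ip]
            s["resp_octets"] += f.octets
            s["resp_packets"] += f.packets
            s["responders"].add(f.src_ip)
        elif f.dst_port == 53:
            # A query leaving f.src_ip.
            s = stats[f.src_ip]
            s["query_octets"] += f.octets
            s["query_packets"] += f.packets
    return stats


def find_reflection_victims(flows, min_responders=10, min_unsolicited_ratio=5.0):
    """Return {host: finding} for hosts receiving mostly unsolicited DNS answers.

    Two signals, both thresholds assumed: answers come from many distinct
    resolvers, and answer packets far outnumber the host's own queries. A
    legitimate client produces roughly one answer per query from a few resolvers.
    """
    findings = {}
    for host, s in summarize_dns(flows).items():
        responders = len(s["responders"])
        unsolicited_ratio = s["resp_packets"] / max(s["query_packets"], 1)
        if responders >= min_responders and unsolicited_ratio >= min_unsolicited_ratio:
            findings[host] = {
                "responders": responders,
                "unsolicited_ratio": round(unsolicited_ratio, 1),
                "response_mbytes": round(s["resp_octets"] / 1e6, 2),
            }
    return findings


def amplification_factor(query_octets, response_octets):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_octets / query_octets


if __name__ == "__main__":
    for host, finding in find_reflection_victims(SAMPLE_FLOWS).items():
        print(host, finding)
    # Constructed sizes: a 60-byte query producing a 3000-byte answer.
    print("amplification x", amplification_factor(60, 3000))
```

On the constructed sample only 198.51.100.7 is flagged (20 responders, about 800 answers per query sent); the ordinary client is not. The mitigation the US-CERT warning quoted later in the article points at sits on the other side of the exchange: a resolver that answers recursive queries only for its own clients cannot be used as a reflector, and this victim-side check is the complement to that resolver-side configuration.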
VeriSign operates two of the 13 root server computers, but its machines were unaffected.

"This is significantly larger than what we saw in 2002, by an order of magnitude," Silva said.

Silva said the attacks earlier this year used only about 6 percent of the more than 1 million domain-name and other infrastructure servers across the Internet to flood victims' servers. Still, the attacks in some cases exceeded 8 gigabits per second, indicating a remarkably powerful electronic assault.

"This would be the Katrina of Internet storms," Silva said.

The U.S. Computer Emergency Readiness Team, part of the Homeland Security Department, warned network engineers in December to properly configure their domain-name servers to prevent hackers from using them in attacks. It called the attacks "troublesome" because domain-name servers must operate to help direct Internet traffic.

FOXNews.com's Paul Wagenseil and The Associated Press contributed to this report.

From isn at c4i.org Fri Mar 17 03:35:09 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Mar 2006 02:35:09 -0600 (CST)
Subject: [ISN] Lost Ernst & Young laptop exposes IBM staff
Message-ID:

http://www.theregister.co.uk/2006/03/15/ernstyoung_ibm_laptop/

By Ashlee Vance in Mountain View
15th March 2006

Exclusive - Ernst & Young has lost another laptop containing the social security numbers and other personal information of its clients' employees. This time, the incident puts thousands of IBM workers at risk. Ex-IBM employees are also affected.

The Register has learned that the laptop was stolen from an Ernst & Young employee's car in January. The employee handled some of the tax functions Ernst & Young does for IBM workers who have been stationed overseas at one time or another during their careers. As a result of the theft, the names, dates of birth, genders, family sizes, SSNs and tax identifiers for IBM employees have been exposed.
The husband of one IBM employee has provided The Register with an exclusive copy of the letter Ernst & Young mailed out to the affected parties. This particular letter did not arrive until 8 March - two months after the theft. Neither IBM nor Ernst & Young have returned calls seeking comment. Last month, The Register revealed that another Ernst & Young laptop theft had exposed the social security number and other personal information of Sun Microsystems CEO Scott McNealy and an unknown number of other people. Since our story ran, a Cisco employee informed us that his data was on the same laptop as the one containing McNealy's information. The loss of the IBM data outraged Jeff Moran, the husband of the IBM worker told of the data breach. "Ernst & Young has a policy that this type of information is not supposed to be on a laptop," Moran said. "Yet, these guys download the data because it's convenient for them." "All of our information is out there, and they didn't bother to tell us until March. By that time, the thief would have already used the information. This is an outrage, but until Congress starts punishing these guys, nothing will happen." The letter from Ernst & Young states that the company does tax work for current and former overseas workers of IBM. In this role, the auditing firm needs information such as an employee's address, family size, US social security number and tax identification number. It then holds onto this information for at least seven years. "The employee whose laptop was stolen is part of a group in our tax practice that works regularly with historical data files, assisting our Global Mobility and other tax professionals with data conversion, formatting and analysis," Ernst & Young wrote in the letter. "In connection with his job, the employee ran reports, which result in files being created on the laptop. "We have determined that the laptop contained various personal information for a select number of IBM employees.
Among the items of information included for some or all of these employees were name, address, US social security number, email address, and country where stationed." Nothing short of a nirvana for an identity thief. Ernst & Young has offered those affected a free, 12-month credit monitoring service provided by Experian. The service includes a hotline that IBM employees can call. Moran made such a call and found the staffer to be most unhelpful. "I left my name and number and no one called me back for ages," he said. "Then the guy says that this will never happen again in the future. So, I pointed out that they had lost McNealy's information after our thing happened. He didn't have a response to that." We called the Ernst & Young hotline for IBM employees and asked if it was the right place to ask about the IBM workers who had their data exposed via the laptop theft. The employee responded with a curt "yes" but would provide no other information. Following the Sun/Cisco incident, Ernst & Young filed a police report in Miami, noting that it had lost four more laptops. Its employees left the systems in a conference room when they went out for lunch. A security camera at the conference center showed that it took all of about five minutes for two people to steal the laptops. Ernst & Young maintains that the laptops are password protected and do not pose a significant security risk. But such statements have not impressed security experts following the story. "For a big four firm consisting of auditors and compliance professionals to say such a thing is very revealing of their lack of understanding and ignorance of security controls (and how to defeat them)," wrote one Register reader.
"I work for an information security consulting company and we routinely demonstrate to our customers how simple it is to circumvent/bypass/subvert security controls in order to gain access to personal computing devices - even those that are deemed to be secure as a result of the implemented security - BIOS password, hard drive password, OS password, strong authentication, etc." Other readers backed up this sentiment, saying that their experience with the big four accounting firms shows that the companies rarely encrypt data on laptops or use sophisticated security measures. Ernst & Young continues to avoid copping to these incidents in public, preferring for us and police blotters to expose the details. It's unclear how many more laptops have gone missing and have not been reported, and the company's security measures seem disconcerting to say the least for a company that specialises in accounting and auditing. Ernst & Young often gets paid to assess how well clients are complying with government policies around data protection and how forthcoming these clients are with discussing data breaches. Ernst & Young has yet to return our calls seeking information about what is being done to prevent future losses, whether this data should have been on laptops in the first place and if anyone has been held accountable for the string of breaches. From isn at c4i.org Fri Mar 17 03:33:01 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 17 Mar 2006 02:33:01 -0600 (CST) Subject: [ISN] No security in security stocks? Message-ID: http://money.cnn.com/2006/03/15/technology/security_stocks/index.htm By Amanda Cantrell CNNMoney.com March 15, 2006 NEW YORK (CNNMoney.com) - The rise in online scams such as identity theft and phishing is bad news for consumers -- but is it good news for investors in companies who make products designed to stop these attacks? Not necessarily.
Some security stocks such as Symantec, Cogent and McAfee have gotten nicked this year, owing to both company-specific issues and to the fact that Microsoft announced it is entering the consumer security space, which spooked some investors. Also, some markets within the security sector have matured and no longer offer the attractive growth opportunities they once did -- such as the market for firewall products that protect corporate networks. And companies such as Cisco and Juniper have also announced new or improved offerings in the space, posing a longer-term threat to so-called "pure play" security companies. Finally, some companies have experienced phenomenal growth in their share prices, leading investors to take some of their winnings off the table. These factors have caused some investors, such as Sunil Reddy, senior portfolio manager at Cincinnati-based Fifth Third Asset Management, to steer clear of the space altogether for now. But theft of consumer and corporate data for profit continues to increase, which is why some investors and analysts still think security stocks will pay off in the long run. These investors and analysts feel that companies that make "authentication" products designed to verify a user's identity, as well as products that encrypt data, have enjoyed growth in recent months and still have potential to do so. "The security industry as a whole is talking about hackers that are motivated by profit," said Horacio Zambrano, a securities analyst with Wedbush Morgan Securities. "Enterprises are putting a higher attention on identity (verification) products." Here's a look at how some players in the security sector have fared in recent weeks: Cogent Systems (up $0.17 to $19.26) Shares of Cogent, which makes fingerprint ID systems, took a nasty 17 percent dive and suffered a slew of analyst downgrades when the company reported its fiscal fourth quarter earnings Feb. 28.
That's because, despite doubling earnings and recording a 46 percent sales increase, the company revealed it isn't sure when it will be able to book revenue on certain contracts. If there's one thing investors don't like, it's a lack of transparency where sales are concerned, and the stock hasn't recovered since. Ken Allen, investment analyst with T. Rowe Price, said because the contracts Cogent signs are so large, the stock price moves based on announcements of those deals. Wall Street analysts had been expecting a better sales outlook for 2006 given the announcement that the company has won some important contracts in recent months from rivals such as Motorola. But on the bright side, the company will likely have a bigger 2007 than expected, if it books revenue for some of those contracts then instead of this year. Allen's firm owns shares of Cogent in some of its funds. Joel Fishbein, an analyst with Janney Montgomery Scott, said he thinks companies will increasingly want to monitor who has access to what in their networks and added that he thinks Cogent is well-positioned to take advantage of this. RSA Security (down $0.05 to $17.71) Shares of RSA, which makes authentication software and hardware, such as the "SecurID" system log-in tokens that corporate and government workers use, have had a remarkable run, appreciating 58 percent this year. That rise alone has led some investors to take their winnings off the table. Gary McDaniel, an equity analyst at Standard & Poor's, said his firm recently downgraded the stock from a buy to a hold because of concerns the share price has topped out for the near term. Allen of T. Rowe Price said a series of negative events in December, including the abrupt departure of the company's CFO, caused an unduly big drop in the stock. But strong fourth-quarter earnings, followed by the strategic acquisition of software maker Cyota to boost RSA's position in the consumer market, led to the recovery.
Allen, whose firm owns shares of RSA, thinks the shares have more to gain, as 2006 should be a strong year for the renewal of SecurID contracts from corporate customers. But Zambrano of Wedbush Morgan said RSA has been his top pick. He still likes the stock, given its position as a market leader in the authentication area, but he acknowledges that the company needs to position itself to sell higher-cost data protection solutions to corporate customers. Internet Security Systems (up $0.04 to $23.87) Shares of Internet Security Systems have enjoyed a solid 2006 to date, with shares rising 14 percent this year. The company makes products that protect corporate networks from attacks and has primarily specialized in devices that detect and prevent attacks. McDaniel of Standard & Poor's said the company is poised to gain market share from its competitors, in part because it's coming out with complete platforms that are easy for corporate customers to configure. He expects the company to grow revenues 13 percent this year and net income about 15 percent over the next five years. Zambrano agrees, saying that larger vendors such as ISS are able to offer "one-stop shop" solutions that will allow IT managers to work with fewer vendors and get more done with less. Of course, no discussion of security stocks would be complete without mentioning Symantec (down $0.28 to $15.79) and McAfee (up $0.41 to $24.73), two of the biggest makers of anti-virus software for consumers. Shares of those companies have depreciated eight and 10 percent, respectively, since the start of the year. McAfee shares slid in January after the company pre-announced disappointing results for its December quarter, and investors and analysts had also expressed some concern about Symantec's acquisition of storage firm Veritas.
Going forward, both face increased competition from Microsoft, which recently announced it will formally launch its Windows Live OneCare service, which it bills as an all-in-one "PC health service" for consumers to help them detect and prevent viruses and spyware, among other functions. The service will cost $49.95 per year for up to three PCs and will be available from retailers in June in the U.S. That product will be available in beta form for free later this year, and customers who sign up now qualify for discounts later. But both Symantec and McAfee have fans in the analyst community despite this threat. Rick Summer, equity analyst at Morningstar, acknowledged that his endorsement of Symantec is a "contrarian play" in the current environment, but said he thinks Symantec has the best sales and distribution of its competitors and is still "the best horse to bet on in the consumer space." Fishbein of Janney Montgomery Scott said that while he currently rates McAfee a hold, he's becoming more encouraged about the company's prospects due to a combination of factors, including the fact that he thinks viruses and malware will proliferate on mobile devices in the future, and he believes McAfee is best equipped to handle those problems. From isn at c4i.org Fri Mar 17 03:35:26 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 17 Mar 2006 02:35:26 -0600 (CST) Subject: [ISN] Security flaws could cripple missile defense network Message-ID: http://www.fcw.com/article92640-03-16-06-Web By Bob Brewin Mar. 16, 2006 The network that stitches together radars, missile launch sites and command and control centers for the Missile Defense Agency (MDA) ground-based defense system has such serious security flaws that the agency and its contractor, Boeing, may not be able to prevent misuse of the system, according to a Defense Department Inspector General's report.
The report [1], released late last month, said MDA and Boeing allowed the use of group passwords on the unencrypted portion of MDA's Ground-based Midcourse Defense (GMD) communications network. The report said that neither MDA nor Boeing officials saw the need to install a system to conduct automated log audits on unencrypted communications and monitoring systems. Even though current DOD policies require such automated network monitoring, such a requirement "was not in the contract." The network, which was also developed to conform to more than 20-year-old DOD security policies rather than more recent guidelines, lacks a comprehensive user account management process, the report said. Neither MDA nor Boeing conducted required Information Assurance (IA) training for users before they were granted access to the network, the report stated. Because of this poor information security, the DOD IG report said, MDA and Boeing officials "may not be able to reduce the risk and magnitude of harm resulting from misuse or unauthorized access or modification of information [on the network] and ensure the continuity of the system in the event of an interruption." David Wright, a senior scientist with the Union of Concerned Scientists, said he was surprised by the network flaws outlined in the report. It "sounds like the kind of stuff routinely done with this kind of network," he said. "It's hard to imagine they would design one without it." Stephen Young, an MDA analyst at UCS, said the security flaws could affect operation of the entire GMDS project. "The network is absolutely essential to GMD; without it, the system can't work."
President Bush directed DOD in 2002 to develop GMD to counter missile threats from countries such as North Korea as well as terrorists, and Boeing on its Web site describes the project as "the first missile defense program deployed operationally to defend the homeland against ballistic missile attacks conducted by terrorists or rogue states." GMD consists of missile interceptors based in underground silos at Fort Greely, Alaska and Vandenberg Air Force Base, Calif., and high-powered sea- and land-based radars to track incoming missiles, a Boeing fact sheet said. Spokesmen for MDA, Boeing and Northrop Grumman, contractor for the unencrypted portion of GCN, all declined to answer questions from Federal Computer Week on the security flaws in the GMD network. Boeing and Northrop Grumman deferred to MDA, and an MDA spokesman said his agency would not answer any press questions until it responds to the IG report on March 24. Harris Corp., a GCN subcontractor, described the network on its Web site as "the largest synchronous optical networking ring in the world that includes more than 20,000 miles of fiber crossing 30 states and will connect all GMD sites." MDA budget documents describe the GCN as a fiber-optic network interconnected with military satellites. These budget documents said the GCN connects the two missile silo sites with control and communications nodes at Fort Greely and Schriever Air Force Base and the Cheyenne Mountain Operations Center, both in Colorado, as well as radars in Alaska and a test bed in Huntsville, Ala. [1] http://www.dodig.mil/audit/reports/FY06/06-053.pdf From isn at c4i.org Fri Mar 17 03:35:39 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 17 Mar 2006 02:35:39 -0600 (CST) Subject: [ISN] Microsoft goes public with Blue Hat hacker conference Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,109606,00.html By Robert McMillan MARCH 16, 2006 IDG NEWS SERVICE Microsoft Corp.
is going public with some of the hacking information discussed at its Blue Hat Security Briefings event. Just days after the end of its third Blue Hat conference, the software vendor today posted the first blog entries at a new Web site. Microsoft is also promising to publish more details on the secretive invitation-only event. The Web site will include Microsoft staffers' "reflections on BlueHat 3" as well as photos, podcasts and video interviews with some of the presenters, said Security Program Manager Kymberlee Price in a blog posting. "We sincerely hope that our BlueHat 3 speakers (and BlueHat 1 & 2 speakers) will post their comments to the site as well and share their BlueHat experience," she wrote. Presentations given during the latest conference, held last week on Microsoft's campus in Redmond, Wash., covered topics such as "exploiting Web applications" and "breaking into database systems," according to the Web site. Microsoft started the Blue Hat briefings a year ago to begin a dialogue between the company's security team and external security researchers, many of whom have been critical of the company's approach to security. A handful of outside security researchers spent a few days at Blue Hat discussing Microsoft's security vulnerabilities with several hundred of the company's engineers and executives. There were more than 650 attendees at Blue Hat 3, which was also broadcast to Microsoft employees worldwide, according to Alexander Kornbrust, a business director at Red-Database-Security GmbH in Neunkirchen, Germany, who attended the event. One Microsoft blogger praised the open dialogue at the event. "Everything was fair game," wrote SQL Server engineer Brad Sarsfield in a blog posting. "Hearing senior executives say things like, 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view for the event."
The Blue Hat name is a play on the Black Hat conferences, which have occasionally been criticized by IT vendors. The "blue" part comes from the color of badges that Microsoft staffers wear on campus. Last year, Black Hat organizers were sued by Cisco Systems Inc. after a conference presenter disclosed vulnerabilities in the company's Internetworking Operating System router software. That lawsuit was eventually settled with Black Hat agreeing not to further disseminate the presentation. Microsoft's site will not have the kind of controversial material that has popped up at Black Hat. "All researchers at the BlueHat are responsible," Kornbrust said. From isn at c4i.org Mon Mar 20 03:46:03 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 20 Mar 2006 02:46:03 -0600 (CST) Subject: [ISN] Experts refute RFID virus claims Message-ID: http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=183700485 John Walko EE Times 03/17/2006 LONDON - The trade association for automatic identification and mobility, AIM Global, attempted to refute key findings of an IEEE conference paper presented this week that suggested RFID tags could be used to corrupt databases and even spread computer viruses. The paper, by Melanie Rieback, a third-year PhD student at Amsterdam's Vrije University, which was presented at the IEEE conference in Pisa, Italy, on Wednesday (March 15), sent shock waves through the RFID industry. Titled "Is Your Cat Infected with a Computer Virus?" the paper suggested computer viruses could spread from RFID tags through readers into poorly written middleware applications and backend systems and databases. "Many of the basic assumptions in the paper overlook a number of fundamental design features necessary in automatic data collection systems and good database design," asserted AIM Global President Dan Mullen. Mullen suggested that researchers built a system with a weakness and then proceeded to show how the weakness could be exploited.
"Not surprisingly, poor system design, whether capturing RFID tag information, bar code information or keyboard-entered data, will create vulnerabilities." The association said it recognizes that the efforts of university researchers are designed to highlight RFID security issues. "But the methodology of this particular research is questionable," added Mullen. Responding to the paper, RFID experts and International Organization for Standardization scientists, meeting this week in Kyoto, Japan, to debate RFID standards, emphasized that fixed data RFID tags, such as those used to identify pets, cannot be changed and therefore are immune to infection by a virus. They skirted the issue of whether other types of tags, such as those where data can be changed, are prone to attacks. The experts did note that specific attributes in RFID systems can protect the overall system. For instance, they stressed that most RFID applications, including EPC Gen2, look for specific kinds of data. Poor reader design might allow detection of a "rogue" tag, but a secure system will verify data against predefined parameters, as do current bar code systems. The ability to insert a virus implies that a tag contains executable code that is recognized by software. This, they assured, is impossible with most RFID applications since specific kinds of data are sought and systems will either flag or reject anything that doesn't fit the data template. Other industry reaction to the paper was mixed, but many agree it presented a wake-up call. "With respect to the students involved, the paper as presented is rather weak," said Kevin Ashton, ThingMagic Inc. vice president, and co-founder of the Massachusetts Institute of Technology (MIT) Auto-ID Center. "The 'real' virus they claim to demonstrate in the paper is not a virus, just a self-replicating piece of SQL code."
The paper, however, does call attention to an obvious problem the software industry has faced for years, suggested Julie England, vice president at Texas Instruments. "Companies need to provide multilevel security and take responsibility for testing before releasing applications to the market," said England. Last month, cryptographers reported weaknesses in the underlying RFID chips and hashing algorithms. In a panel discussion during the RSA Conference, Adi Shamir, professor of computer science at the Weizmann Institute, disclosed that he had recently applied power analysis techniques to crack passwords for the most popular brand of RFID tags. At the same panel, Ron Rivest, who co-developed the RSA algorithms with Shamir, called for an industry effort to create a next-generation hashing algorithm to replace SHA-1, which is used broadly for computer security. From isn at c4i.org Mon Mar 20 03:46:15 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 20 Mar 2006 02:46:15 -0600 (CST) Subject: [ISN] Beware The Wardriver at Your Next Conference Message-ID: http://www.internetnews.com/wireless/article.php/3592361 By Sean Michael Kerner March 17, 2006 Every tech conference put on today is swimming in Wi-Fi signals. Some are meant to provide public Internet access to attendees, and some are meant to be private for exhibitors connecting to corporate networks. According to research conducted by Russian security firm Kaspersky Lab, most of those Wi-Fi signals are wide open. Kaspersky conducted its "wardriving" research at the recent CeBIT show in Hanover, Germany, that bills itself as the world's largest IT trade fair. Wardriving is the act of scanning Wi-Fi signals to access open bandwidth that isn't necessarily supposed to be open. Kaspersky Senior Virus Analyst Alexander Gostev and Senior Research Engineer Roel Schouwenberg discovered at the show nearly 300 access points, which they collected data on. 
According to Kaspersky, "the researchers did not attempt to intercept or decrypt any traffic." They did, however, discover a number of interesting things about the nature of Wi-Fi networks. More than half (approximately 56 percent) of the detected access points offered no WEP protection. Alex Gostev, senior virus analyst at Kaspersky, wasn't surprised by the finding. "We expected that access points without traffic encryption will be less than in global statistics," Gostev told internetnews.com in a translated e-mail. "And it was as expected, 56 percent against 70 percent in other countries. Although we expected less unprotected networks, 20 to 30 percent." CeBIT access points for the most part were apparently not left in their default modes, either. SSIDs, short for Service Set Identifiers, were in most cases changed from their factory settings, which typically are a combination of the manufacturer's name and/or device model number. A factory default SSID is an indication that the administrator has not changed the default setting and may well not have changed the default username/password, either. The Kaspersky researchers detected only two access points out of their scan of 300 that still had the factory default SSID configuration. "The fact that there were only two access points with default SSIDs was very good to see," Schouwenberg told internetnews.com. "We expected that number to be quite a bit higher." SSIDs are also typically set to broadcast their availability, which more easily enables users, both legitimate and malicious, to locate the access point. By disabling SSID broadcasting, the idea is that it is harder for malicious users to discover an access point and attempt to infiltrate it. Kaspersky's CeBIT research found that only 8 percent had disabled SSID broadcasting and, of those, 89 percent had enabled WEP encryption.
Schouwenberg advised that for WLANs that need to be treated as private, tradeshow participants should disable SSID broadcasting and use the best encryption. "If you want to be really secure, you should use authentication to prevent unauthorized access to the access point," Schouwenberg said. "And use a tunnel (VPN for instance) to make sure others can't intercept/decrypt traffic." Gostev warns of another threat that could potentially affect conference-goers: mobile viruses. "Creation and implementation of automatic traps of the viruses combined with Bluetooth scanners seems to me expedient," Gostev said. He suggests that the mobile equivalent of airport metal detectors is needed to help prevent mobile virus transmission. That way, he said, it will be possible to discover infected phones the minute they enter the building. From isn at c4i.org Mon Mar 20 03:46:26 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 20 Mar 2006 02:46:26 -0600 (CST) Subject: [ISN] DHS Gets Another F in Computer Security Message-ID: Forwarded from: security curmudgeon
: http://www.washingtonpost.com/wp-dyn/content/article/2006/03/15/AR2006031501589.html
:
: By Brian Krebs
: washingtonpost.com Staff Writer
: March 15, 2006
:
: Most federal agencies that play key roles in the war on terror are doing
: a dismal job of protecting their computers and information networks from
: hackers and viruses, according to portions of a report to be released by
: a key congressional oversight committee Thursday.
Taken from another list I am on. We have all seen these A - F type grades for various agencies over the years. I'm surprised there hasn't been a big public article tracking the grades year to year with commentary.
Federal Computer Security Grades, 2001-2005

Agency                                          2005  2004  2003  2002  2001
------------------------------------------------------------------------------
Department of Agriculture                       F     F     F     F     F
Agency for International Development            A+    A+    C-    F     F
Department of Commerce                          D+    F     C-    D+    F
Department of Defense                           F     D     D     F     F
Department of Education                         C-    C     C+    D     F
Department of Energy                            F     F     F     F     F
Environmental Protection Agency                 A+    B     C     D-    D+
General Services Administration                 A-    C+    D     D     D
Department of Health and Human Services         F     F     F     D-    F
Department of Homeland Security                 F     F     F
Department of Housing and Urban Development     D+    F     F     F     D
Department of the Interior                      F     C+    F     F     F
Department of Justice                           F     B-    F     F     F
Department of Labor                             A+    B-    B     C+    F
National Aeronautics and Space Administration   B-    D-    D-    D+    C-
Nuclear Regulatory Commission                   D-    B+    A     C     F
National Science Foundation                     A     C+    A-    D-    B+
Office of Personnel Management                  A+    C-    D-    F     F
Small Business Administration                   C+    D-    C-    F     F
Social Security Administration                  A+    B     B+    B-    C+
Department of State                             F     D+    F     F     D+
Department of Transportation                    C-    A-    D+    F     F
Department of the Treasury                      D-    D+    D     F     F
Department of Veterans Affairs                  F     F     C     F     F
------------------------------------------------------------------------------
All Agencies                                    D+    D+    D     F     F

From isn at c4i.org Mon Mar 20 03:45:48 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Mar 2006 02:45:48 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - March 17th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  March 17th 2006                              Volume 7, Number 12a  |
+---------------------------------------------------------------------+

Editors:      Dave Wreski                      Benjamin D. Thomas
              dave at linuxsecurity.com        ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
This week, advisories were released for zoph, bluez-hcidump, curl, zoo, ffmpeg, GnuPG, freeciv, metamail, CBC, bomberclone, libextractor, lurker, crossfire, webcalendar, xpvm, vlc, net-tools, tcsh, shadow-utils, db, tar, flex, squirrelmail, zoo, php, python, kdegraphics, squid, vixie-cron, and the Red Hat kernel. Distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.

----

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

----

Preventing DDoS Attacks
By: Blessen Cherian

Introduction

In this article I am trying to explain what DDoS is and how it can be prevented. DDoS happens because of a lack of security awareness among network/server owners. On a daily basis we hear that a particular machine is under DDoS attack, or that the NOC has unplugged a machine because of a DDoS attack, so DDoS has become one of the common issues in this electronic world. DDoS is like a disease for which no antiviral has been developed, so we should be careful when dealing with it. Never take it lightly. In this article I am trying to explain the steps/measures which will help us defend against DDoS attacks, up to a certain extent.

What is a DDoS attack?

Simply said, DDoS is an advanced version of a DoS attack.
Like DoS, DDoS also tries to deny the important services running on a server by broadcasting packets to the destination server in a way that the destination server cannot handle. The speciality of DDoS is that it does not relay the attack from a single network/host like DoS does. A DDoS attack is launched from different networks which have already been compromised. Normally, DDoS consists of 3 parts: the master, the slave and, at last, the victim. The master is the attack launcher, i.e. the person/machine behind all this (sounds cool, right?). The slave is the network which has been compromised by the master, and the victim is the target site/server. The master informs the compromised machines, the so-called slaves, to launch the attack on the victim's site/machine. Hence it is also called a co-ordinated attack. In my terms, the master is the master brain, the slave is the launch pad for the attack and the victim is the target.

How do they do it?

DDoS is done in 2 phases. In the first phase they try to compromise weak machines in different networks around the world. This phase is called the intrusion phase. It is in the next phase that they install DDoS tools and start attacking the victim's machines/site. This phase is called the distributed DoS attack phase.

Read Full Paper
http://www.linuxsecurity.com/content/view/121960/49/

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations.
A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

* Debian: New zoph packages fix SQL injection
  9th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121857

* Debian: New bluez-hcidump packages fix denial of service
  10th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121875

* Debian: New curl packages fix potential security problem
  10th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121876

* Debian: New zoo packages fix arbitrary code execution
  10th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121877

* Debian: New ffmpeg packages fix arbitrary code execution
  10th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121878

* Debian: New GnuPG packages fix broken signature check
  10th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121891

* Debian: New freeciv packages fix denial of service
  13th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121898

* Debian: New metamail packages fix arbitrary code execution
  13th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121899

* Debian: New Crypt::CBC packages fix cryptographic weakness
  13th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121900

* Debian: New GnuPG packages fix broken signature check
  13th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121903

* Debian: New bomberclone packages fix arbitrary code execution
  13th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121910

* Debian: New libextractor packages fix several vulnerabilities
  14th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121912

* Debian: New lurker packages fix several vulnerabilities
  14th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121914

* Debian: New Apache2::Request packages fix denial of service
  14th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121915

* Debian: New crossfire packages fix arbitrary code execution
  14th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121916

* Debian: New webcalendar packages fix several vulnerabilities
  15th, March, 2006
  Several security related problems have been discovered in webcalendar, a PHP based multi-user calendar. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities.
  http://www.linuxsecurity.com/content/view/121926

* Debian: New xpvm packages fix insecure temporary file
  16th, March, 2006
  Eric Romang discovered that xpvm, a graphical console and monitor for PVM, creates a temporary file that allows local attackers to create or overwrite arbitrary files with the privileges of the user running xpvm.
  http://www.linuxsecurity.com/content/view/121949

* Debian: New vlc packages fix arbitrary code execution
  16th, March, 2006
  Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code. The vlc media player links statically against libavcodec.
  http://www.linuxsecurity.com/content/view/121951

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: net-tools-1.60-52.fc4.2
  10th, March, 2006
  The update adds two new options for netstat: T stops trimming remote and local addresses, and Z shows the selinux context. It also fixes a double-free bug in route and netstat.
  http://www.linuxsecurity.com/content/view/121882

* Fedora Core 4 Update: tcsh-6.14-1.fc4.2
  11th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121894

* Fedora Core 4 Update: shadow-utils-4.0.12-8.FC4
  13th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121909

* Fedora Core 4 Update: gnupg-1.4.2.2-1
  13th, March, 2006
  Tavis Ormandy discovered a flaw in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to add unsigned text to a signed message in such a way that when the signed text is extracted, the unsigned text is extracted as well, appearing as if it had been signed. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue.
  http://www.linuxsecurity.com/content/view/121911

* Fedora Core 4 Update: db4-4.3.27-5.fc4
  14th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121922

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: GNU tar Buffer overflow
  10th, March, 2006
  A malicious tar archive could trigger a buffer overflow in GNU tar, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121884

* Gentoo: flex Potential insecure code generation
  10th, March, 2006
  flex might generate code with a buffer overflow, making applications using such scanners vulnerable to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121892

* Gentoo: GnuPG Incorrect signature verification
  10th, March, 2006
  GnuPG may erroneously report that a modified or unsigned message has a valid digital signature.
  http://www.linuxsecurity.com/content/view/121893

* Gentoo: SquirrelMail Cross-site scripting and IMAP command injection
  12th, March, 2006
  SquirrelMail is vulnerable to several cross-site scripting vulnerabilities and IMAP command injection.
  http://www.linuxsecurity.com/content/view/121895

* Gentoo: Cube Multiple vulnerabilities
  12th, March, 2006
  Cube is vulnerable to a buffer overflow, invalid memory access and remote client crashes, possibly leading to a Denial of Service or remote code execution.
  http://www.linuxsecurity.com/content/view/121897

* Gentoo: Freeciv Denial of Service
  16th, March, 2006
  A memory allocation bug in Freeciv allows a remote attacker to perform a Denial of Service attack.
  http://www.linuxsecurity.com/content/view/121944

* Gentoo: zoo Buffer overflow
  16th, March, 2006
  A buffer overflow in zoo may be exploited to execute arbitrary code when creating archives of specially crafted directories and files.
  http://www.linuxsecurity.com/content/view/121945

+---------------------------------+
| Distribution: Mandriva          | ----------------------------//
+---------------------------------+

* Mandriva: Updated php packages fix vulnerability
  9th, March, 2006
  A flaw in the PHP gd extension in versions prior to 4.4.1 could allow a remote attacker to bypass safe_mode and open_basedir restrictions via unknown attack vectors.
  http://www.linuxsecurity.com/content/view/121871

* Mandriva: Updated gnupg packages fix signature file verification vulnerability
  14th, March, 2006
  Another vulnerability, different from that fixed in MDKSA-2006:043 (CVE-2006-0455), was discovered in gnupg in the handling of signature files.
  http://www.linuxsecurity.com/content/view/121913

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Moderate: python security update
  9th, March, 2006
  Updated Python packages are now available to correct a security issue. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121869

* RedHat: Important: kdegraphics security update
  9th, March, 2006
  Updated kdegraphics packages that fully resolve a security issue in kpdf are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121870

* RedHat: Moderate: initscripts security update
  15th, March, 2006
  Updated initscripts packages that fix a privilege escalation issue and several bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121930

* RedHat: Moderate: squid security update
  15th, March, 2006
  Updated squid packages that fix a security vulnerability as well as several bugs are now available.
  This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121931

* RedHat: Low: vixie-cron security update
  15th, March, 2006
  An updated vixie-cron package that fixes a bug and security issue is now available. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121932

* RedHat: Updated kernel packages available for Red Hat
  15th, March, 2006
  Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the seventh regular update. This security advisory has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121933

* RedHat: Important: gnupg security update
  15th, March, 2006
  An updated GnuPG package that fixes signature verification flaws as well as minor bugs is now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121934

* RedHat: Critical: flash-plugin security update
  15th, March, 2006
  An updated Macromedia Flash Player package that fixes a security issue is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121943

+---------------------------------+
| Distribution: SuSE              | ----------------------------//
+---------------------------------+

* SuSE: gpg signature checking problems
  10th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121883

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Mar 20 03:46:38 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Mar 2006 02:46:38 -0600 (CST)
Subject: [ISN] Muslim Hacker Attack Feared on War Anniversary
Message-ID:

http://times.hankooki.com/lpage/200603/kt2006031917321610220.htm

By Kim Tae-gyu
Staff Reporter
03-19-2006

Korean firms are running the risk of being attacked by Muslim extremist hackers on the occasion of the third anniversary of the U.S.-led invasion of Iraq, which falls on Monday, police said Sunday.

The National Police Agency issued a warning about politically motivated cyber attacks against Korea, which is regarded as one of the main enemies by some Muslim crackers due to the nation's dispatch of forces to Iraq.

``Among countries that sent troops to Iraq, Korea is thought of as one of few countries, along with the United States, which do not consider pulling out its soldiers,'' said an official at the law enforcement agency.

At the request of Washington, Seoul dispatched up to 3,600 troops to Iraq in August 2004, representing the third largest foreign force after the U.S. with 155,500 and Britain with 8,500.

Korea looks to substantially cut down on the number to just over 2,000. But the country is not considering pulling out all soldiers, mainly construction and medical staff, from war-torn Iraq.

``That appears to encourage some Muslim extremists to vandalize Korean companies' Web sites as a measure of revenge. We have intelligence regarding that,'' he said.

AhnLab, Korea's foremost online security company, cautions that ``defacement,'' which means replacing the normal content of a site with a specific political or social message or erasing the content entirely, might happen Monday.

``Defacement attack is not difficult technology.
Korean outfits are required to prepare for any potential (defacement) vandalizing attempts, timed with the third anniversary of the Iraqi war,'' AhnLab chief executive Kim Chul-soo said.

Microsoft Korea, an affiliate here of the world's biggest producer of software, said a more severe threat of denial-of-service (DoS) attacks might be on the line. DoS attackers attempt to bring corporate networks to their knees by flooding them with useless traffic, thus shutting down the networks.

``There is a possibility that viruses are lurking in cyber space, which are programmed to activate DoS attacks on Korean sites, on the war anniversary,'' Microsoft Korea chief security officer Cho Won-young said.

``We are keeping a tab on things. In (an) emergency, our task force team will immediately convene,'' he continued.

Cho worried that those who do not patch their security holes periodically face a constant hazard of being victimized by DoS attacks.

``Big corporations are well prepared by paying much attention to security woes but small-sized ones are not. That causes concerns,'' Cho added.

From isn at c4i.org Mon Mar 20 03:46:56 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Mar 2006 02:46:56 -0600 (CST)
Subject: [ISN] Visa warns software may store customer data
Message-ID:

http://news.com.com/Visa+warns+software+may+store+customer+data/2100-1029_3-6051261.html

By Greg Sandoval
Staff Writer, CNET News.com
March 17, 2006

A popular software package that retailers use to control debit-card transactions may inadvertently store sensitive customer information, including PIN codes, says Visa.

Two versions of cash-register software made by Fujitsu Transaction Solutions are under scrutiny, according to a warning Visa issued to the companies that process card transactions for some of the nation's largest retailers. A Visa representative confirmed that the warning was sent.
Some of Fujitsu's retail customers include Best Buy, Staples and OfficeMax, but it is not known which companies use the software Visa claims is flawed.

Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts.

Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months and have told customers that thieves obtained vital debit-card information as a result of a security breach at a large merchant.

One commonality among the fraud victims, according to law enforcement and banking officials, is that most had shopped at one of Fujitsu's clients: OfficeMax. The office-supply retailer has said that it has found no indication that it suffered an illegal intrusion.

Fujitsu, which did not return repeated phone calls from CNET News.com on Friday, denied that its software has had anything to do with any alleged security breach. A representative for the company told the Journal that customer data, such as PIN codes, could not be stored using just its software. Other software tools would have to be added.

Major credit-card companies have banned the storing of customer data and can fine merchants who do store such data. The fear is that customer information may be a sitting duck for hackers should it be left in a company's computer system.

What may be more worrisome for consumers is that it's not uncommon for merchants to accidentally stockpile their customers' data, says Branden Williams, a principal consultant at computer-infrastructure firm VeriSign. One of VeriSign's offerings is that it will assess a company's computer systems to ensure they meet security standards required by the big credit-card firms.
During his white-glove inspections, Williams said, he has often found software that would trap customer data, including PIN information, without the retailer's knowledge. Big companies working with complex systems are more prone to such slipups, he said.

"You could totally understand how they could forget to turn off some switch," he said.

But Williams said there's no reason for the problem to go unchecked. Not only are there companies like VeriSign that will monitor system security, but Visa also offers a list of software products proven not to store data.

Neither one of the Fujitsu products, RAFT and GlobalStore, is among the products approved by the major credit card companies. This doesn't mean that the software doesn't meet industry standards. It only means that the software hasn't undergone the review process needed for sanctioning by the group, according to a note on Visa's site.

"It's really the responsibility of a company doing business to protect their customers," said Williams. "Especially when you consider what's at stake: identity theft, bad public relations and potential fines. Software vendors should also have their applications checked for any vulnerabilities that could lead to a security breach."

From isn at c4i.org Tue Mar 21 04:11:28 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:11:28 -0600 (CST)
Subject: [ISN] Recon 2006: Guest speakers announcement. Call for papers and early registration ending in less than 2 weeks.
Message-ID:

Forwarded from: Hugo Fortier

Recon 2006 - 16th 17th 18th June 2006 - Plaza Hotel, Montreal - http://recon.cx

------------------------------------------------------------------------

We are pleased to announce the guest speakers of Recon 2006:

Anthony de Almeida Lopes: Multi-cavity NOP-infection Operating System-Independent x86 Virus

David Hulton (h1kari): Breaking Wi-Fi... Faster!
(with FPGA)

Joe Stewart: OllyBone - Semi-Automatic Unpacking on IA-32

Spoon: IDARub (IDARub is an IDA plugin that wraps the IDA SDK for access from the Ruby programming language)

Early registration ends in less than two weeks, so if you want a cheap ticket register now! Visit http://recon.cx/en/reg.html for more details.

------------------------------------------------------------------------

The Call For Papers deadline is 31st of March, 2006, so if you want to present at Recon 2006 you have less than two weeks left to submit your paper. For more details on the CFP please visit http://recon.cx/en/cfp.html.

------------------------------------------------------------------------

Recon 2005 videos: http://2005.recon.cx/recon2005/papers/

------------------------------------------------------------------------

We are offering three training courses this year.

* Advanced Reverse Engineering
  Learn how to unpack Packers and Protectors, and how to analyse Polymorphic viruses
  Instructor: Nicolas Brulez
  Dates: 13-15 June 2006
  Availability: 18 seats

* Introduction to Reverse Engineering
  Learn how you can reverse engineer programs to understand their inner workings
  Instructor: Nicolas Brulez
  Dates: 19-21 June 2006
  Availability: 18 seats

* Packet Mastering the Monkey Way
  Learn how to write scanners, sniffers and packet flooders using libpcap, libdnet, and libevent.
  Instructor: Jose Nazario and Marius Eriksen
  Dates: 14-15 June 2006
  Availability: 18 seats

For more details on the trainings go to http://recon.cx/en/training.html

------------------------------------------------------------------------

From isn at c4i.org Tue Mar 21 04:10:42 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:10:42 -0600 (CST)
Subject: [ISN] Police data on 4,400 uploaded via Winny
Message-ID:

http://www.yomiuri.co.jp/dy/national/20060321TDY02008.htm

The Yomiuri Shimbun
Mar.
21, 2006

Ehime prefectural police have announced that confidential personal information on 4,400 people was included in files accidentally uploaded to the Internet via Winny file-sharing software.

The investigation data was leaked through the computer of a 42-year-old police inspector of the criminal investigation department and included information on crime suspects, victims and investigation informants, as well as statements from suspects.

The announcement was the first by the police on how much data had been compromised. The police, however, had not publicized details about the data in an effort to protect the people concerned.

According to the Ehime police, the oldest bit of leaked data dated back to 1984.

The police began searching for the data on the Internet after they were notified of the leak on March 5. After recently obtaining the leaked files, they confirmed the contents were identical to material the police inspector had transferred from his personal computer to several compact discs.

The police will apologize to people whose personal information was leaked and launch a free telephone consultation service concerning the incident in a few days.

The police are requesting that providers and managers of Internet bulletin boards delete the leaked data if it is uploaded onto their Web sites.

In a similar case that surfaced earlier this month, Okayama prefectural police investigation data, including personal information of about 1,500 crime victims and suspects, was leaked through the software

From isn at c4i.org Tue Mar 21 04:11:02 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:11:02 -0600 (CST)
Subject: [ISN] Forgotten password clues create hacker risk
Message-ID:

http://www.theregister.co.uk/2006/03/20/forgotten_password_security_risk/

By John Leyden
20th March 2006

Security flaws in the "forgotten password" feature of ecommerce websites leave half the UK's online retailers open to attack, according to security consultancy SecureTest.
It warns that the log-in process of many transactional websites can be subverted by a "brute force" or enumeration attack. In a survey of 107 popular online retail websites in the UK, SecureTest found that 54 of the sites (or 50.5 per cent) are potentially vulnerable to this type of hack attack.

Differences in the responses an application gives when valid and invalid user account names are entered can give clues to hackers and form the basis of enumeration attacks. If a valid user name (or registered email address) is entered on a "forgotten password" page, a web application might respond stating that a password will be sent to the user by email. If an invalid user name is entered, the application could respond with "invalid account name".

Using this information, a script can be written to try numerous account names, exploiting these differences in response. While this is a time-consuming process, it does create a means to build a list of valid user names. Armed with this list, a hacker might apply a similar brute force attack to target the application and crack account passwords. Once sets of user names and passwords are established, a hacker would be able to log into an account, make purchases or extract confidential data, such as a user's postal addresses and credit card details.

"We test web applications daily and repeatedly find that enumeration is possible. This problem is not limited to retail. Most websites with a password reminder function are vulnerable to enumeration attacks," SecureTest managing director Ken Munro said.

A self-confessed ecommerce user, Munro said he looked into the issue after becoming concerned about the way sites he used handled users with forgotten passwords.

Hack attacks targeting the forgotten passwords of ecommerce websites are something neither Munro nor we can cite examples of. However, Munro maintains that the risk is real and worth considering, especially because defending against enumeration attacks on passwords is a simple coding exercise.
Some etailers have implemented a "lock out" feature that restricts access to accounts after a fixed number of failed password attempts. SecureTest reckons this approach, while it might appear to be a good idea, leaves open other forms of abuse, such as the risk that an attacker will bombard valid accounts with bad passwords, thus locking out the retailer's customers. In effect this creates a Denial of Service (DoS) attack, with the application blocking bona fide users through its own aggressive lock out policy.

SecureTest advises retailers to consult their application developer about alternative countermeasures. The security consultancy has developed a list of recommendations that can be taken to help prevent brute force attacks against ecommerce sites:

* Instigate a 'time out' feature on the log-in form. This will slow down a brute force attack to such an extent that it will render it ineffective.

* Avoid applying a permanent lock-out on the log-in form: an attacker could deliberately lock out valid users by trying bad passwords on their accounts.

* Make sure the error message on the log-in form is generic; don't distinguish between a valid/invalid username and valid/invalid password. "Incorrect credentials entered" is a suitable response.

* Consider implementing a second authentication factor on the forgotten password feature, e.g. a memorable date.

* Ensure you are logging HTTP POST requests from the log-in form and forgotten password feature, as this may not be enabled by default.

* Inspect logs to monitor attacks on particular accounts and take appropriate action if any such hacking attack is identified.
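The recommendations above are concrete enough to put into code. The Python below is an added example, not SecureTest's or The Register's code; it assumes an in-memory user table, constructed addresses and passwords, and a placeholder mail queue. It shows a forgotten-password handler that answers identically for known and unknown addresses, a log-in form that only ever says "Incorrect credentials entered", a sliding-window time-out in place of a permanent lock-out, and an audit log line for every POST to either form. It also does equal hashing work on a miss, since response time is another way a valid name can leak.

```python
"""Enumeration-resistant log-in and forgotten-password handlers.

Added example: not code from SecureTest or the article. The user table,
passwords, client addresses and mail queue are constructed for the demo.
"""
import hashlib
import hmac
import logging
import os
import time
from collections import defaultdict, deque

log = logging.getLogger("auth")


def _hash_pw(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; a deliberately slow hash makes the time-out bite."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: address -> (salt, hash). A real site uses a database.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash_pw("correct horse", _SALT))}

# Dummy record so a lookup miss costs the same hashing work as a hit.
_DUMMY = (os.urandom(16), _hash_pw("not-a-real-password", os.urandom(16)))

# Generic messages: identical whether or not the account exists.
LOGIN_FAIL = "Incorrect credentials entered"
RESET_MSG = "If an account exists for that address, a reset link has been sent"
THROTTLED = "Too many attempts; please try again later"

SENT_RESETS = []  # stands in for the outbound mail queue (constructed)


class Throttle:
    """Sliding-window time-out: more than `limit` attempts per `window`
    seconds on a key are refused until the oldest attempt ages out. Nothing
    is locked permanently, so bad passwords cannot lock out a real user."""

    def __init__(self, limit=5, window=300.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def login(username: str, password: str, client_ip: str, throttle: Throttle):
    """Returns (status, body). The body never says which field was wrong."""
    log.info("POST /login user=%r ip=%s", username, client_ip)  # audit trail
    if not (throttle.allow(f"ip:{client_ip}") and throttle.allow(f"user:{username}")):
        return 429, THROTTLED
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash_pw(password, salt), stored)
    if not (matches and username in USERS):
        return 401, LOGIN_FAIL
    return 200, "Welcome"


def forgot_password(username: str, client_ip: str, throttle: Throttle):
    """Same status and body for known and unknown addresses; only the
    side effect (queuing the e-mail) differs, and that is not observable."""
    log.info("POST /forgot user=%r ip=%s", username, client_ip)
    if not throttle.allow(f"ip:{client_ip}"):
        return 429, THROTTLED
    if username in USERS:
        SENT_RESETS.append(username)
    return 200, RESET_MSG


def enumeration_probe(names, client_ip="198.51.100.7"):
    """What an enumeration script would observe: the set of distinct
    responses across the probed names. One element means nothing leaks."""
    throttle = Throttle(limit=len(names) + 1)
    return {forgot_password(n, client_ip, throttle) for n in names}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(enumeration_probe(["alice@example.com", "nobody@example.com"]))
```

The throttle is keyed on both the client address and the account name, so a distributed guess against one account and a single-source sweep across many accounts both hit the time-out, while a customer who mistypes a password is only delayed, never locked out.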
From isn at c4i.org Tue Mar 21 04:11:43 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:11:43 -0600 (CST)
Subject: [ISN] Internet untouchable for FBI agents in city
Message-ID:

http://www.nydailynews.com/front/story/401323p-339883c.html

BY TRACY CONNOR
DAILY NEWS STAFF WRITER
March 20, 2006

It seems as if every Manhattan prep schooler has one, but many of New York's FBI agents are fighting crime and terrorists without an Internet-ready phone or even an e-mail account, the Daily News has learned.

Mark Mershon, the assistant director in charge of the FBI's 2,000-employee city office, blamed the technology gap on Washington budget constraints. He said there's a cost attached to assigning an agent or analyst an e-mail address with the official domain name - ic.fbi.gov.

"And as ridiculous as this might sound, we have real money issues right now, and the government is reluctant to give all agents and analysts dot-gov accounts," he said when asked about the gap at a News editorial board meeting. "We just don't have the money, and that is an endless stream of complaints that come from the field."

Mershon also revealed that only about 100 agents in New York have BlackBerry devices, which allow users to send and receive e-mail and access the Internet from their phone.

And just a few weeks ago, the New York office was notified that funding for its BlackBerry pilot program - designed to help the FBI better communicate with city, state and federal law enforcement - was being cut.

"I, with the help of others, raised a stink," Mershon said, adding that BlackBerry funding has been restored.

Sen. Chuck Schumer (D-N.Y.) decried the penny-pinching.

"The FBI should have the tools it needs to fight terrorism and crime in the 21st century, most of all in New York City, and one of the most effective means of communications is e-mail and the Internet," he said. "FBI agents not having e-mail or Internet access is much too much a pre-9/11 mentality."
FBI officials in Washington, however, insisted that agents are not at a disadvantage because of cost-cutting.

Spokeswoman Cathy Milhoan said about half the FBI employees don't have official accounts because e-mail addresses are still being assigned. By the end of the year, the entire bureau should have dot-gov mailboxes, she said.

As for the BlackBerry devices, she conceded funding for the pilot program was put in jeopardy because a lawsuit over the technology had threatened to make the machines obsolete.

Now that the issue has been resolved, the FBI intends to keep the 100 wireless gizmos in the budget - though there are no plans to issue them to more agents. Those who don't have them can use their regular cell phones, pagers and secure radios to communicate internally and with other agencies.

"BlackBerrys do cost money," she said. "It's the newest high-tech gadget, but it's not the only way to communicate."

From isn at c4i.org Tue Mar 21 04:11:59 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:11:59 -0600 (CST)
Subject: [ISN] Users of SELinux now have a choice on security
Message-ID:

http://www.gcn.com/print/25_6/40117-1.html

By Joab Jackson
GCN Staff
03/20/06

The release of a new open-source security package has sparked debate over how many Mandatory Access Control applications Linux really needs, and if more than one would just dilute volunteer efforts.

Novell Inc. of Provo, Utah, recently released the source code for its recently acquired Linux security application, AppArmor. It also set up a project site in hopes of attracting outside developers to further refine the program.

MAC software tackles the growing problem of applications executing malicious tasks on their host systems. It keeps profiles of routine actions that each application on a computer usually takes. When a program starts behaving in an unusual fashion, the MAC software can call on the operating system to halt that errant operation.
Novell has stressed that AppArmor is easier to use than SELinux, another MAC program first developed by the National Security Agency. Novell admits that SELinux tackles mandatory access control with more rigor than AppArmor, but questions if most users really need that degree of protection.

"There needs to be a better way to deploy [MAC] so that the average systems administrator doesn't need to go through three weeks of training," said Frank Rego, products manager for Novell.

Some observers fear that the AppArmor project will fracture the open-source development community around the demanding science of MAC. SELinux has a vibrant user community, with input from companies such as Red Hat Inc. of Raleigh, N.C., Mitre Corp. of Bedford, Mass., and Tresys Technology LLC of Columbia, Md., as well as support from NSA itself.

"In my opinion, Novell wants to split the market," said Dan Walsh, the principal software engineer of Red Hat. Both Red Hat and Novell offer enterprise-class Linux distributions. "Rather than working with the open-source community [on SELinux], Novell has thrown out its own competing version."

Novell acquired AppArmor last May when it purchased Immunix Inc. The chief component of AppArmor is a module that must be added to the Linux kernel. Those who don't want to recompile the kernel can install Novell's SuSE Linux 10 desktop Linux distribution, as well as SuSE Linux Enterprise Server 9 Service Pack 3, both of which have AppArmor preinstalled.

"The biggest difference between App-Armor and SELinux is in the ease of deployment," Rego said.

NSA designed SELinux to address highly classified documents for sensitive environments, according to Rego. And while it executes this job well, it may be too powerful for most everyday deployments. In fact, Rego speculated, SELinux's complexity may have been an obstacle to wider deployment. Administrators may turn off security privileges in an effort to facilitate smooth operations.
"Is this the beginning of the Unix wars all over again?" Walsh asked on a blog he created to express his views on the subject. In the early 1990s and late 1980s, different Unix vendors developed tools and applications that would only work with their own versions of Unix.

By introducing a second MAC application into the open-source landscape, Novell is splintering the development community, Walsh charged. On his blog, Walsh also cast aspersions on the viability of AppArmor itself, pointing out that the program is easier to use because it doesn't control as many low-level aspects of system operation as SELinux does - aspects that are necessary to consider when setting up a secure environment.

At a recent SELinux Symposium held in Baltimore, many participants disparaged the AppArmor announcement. Still, several of the conference's presentations were of applications designed to ease the deployment of SELinux.

In most implementations, SELinux must be configured from the command line, which involves changing attributes in a configuration file over 70,000 lines long. Although the latest version of Red Hat's own enterprise Linux distribution, as well as its volunteer-led Fedora offshoot, lets users enable SELinux for the prepackaged applications, they must write policies for new applications - or make changes to any existing application policies - by hand.

Tresys Technology's Chad Sellers said the security company was working on a higher-level policy language for SELinux that should be easier to understand, as well as a related compiler and an Eclipse-based graphical user interface called Slide.

Even SELinux adherents admit it can be a tough program to work with. "There is a steep learning curve," Sellers said. "Once you have that higher-level language, you could reach new users."
From isn at c4i.org Tue Mar 21 04:12:14 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:12:14 -0600 (CST)
Subject: [ISN] DOD removes missile defense system report from Web site
Message-ID:

http://www.fcw.com/article92668-03-20-06-Web

By Bob Brewin
Mar. 20, 2006

The Defense Department has removed from the DOD inspector general's Web site a critical report that states that the network that links radar systems, missile sites and command centers for the Missile Defense Agency's (MDA) ground-based defense system has serious flaws in the security technologies, policies and procedures needed to protect the integrity, availability and confidentiality of information on the network.

Federal Computer Week published a Web article [1] March 16 and a follow-up print article [2] today about the report, which states that MDA and Boeing, the prime contractor for the Ground-based Midcourse Defense (GMD) system and the GMD Communications Network (GCN) have allowed the use of group passwords on the unencrypted portion of the GCN rather than requiring individual passwords. The report also faults MDA and Boeing for the lack of automated audit trails -- essential to catch inside or outside threats -- on the network.

The report, "Select Controls for the Information Security of the Ground-based Midcourse Defense Communications Network," vanished from the DOD IG audit report this past weekend.

A DOD spokesman said he was working on getting an explanation from the IG office on why the report was removed from the Web site, but he said he was not optimistic about getting back to FCW today. An MDA spokesman did not return calls from FCW asking for an explanation.

MDA is holding its annual conference today in Washington, D.C., at the Ronald Reagan Building and International Trade Center, named after the president who first advocated a missile defense system nicknamed "Star Wars" to counter perceived missile threats from the now-defunct Soviet Union.
FCW saved a digital version of the DOD IG report [3] on the security flaws in the GCN system and posted the report on its Web site.

[1] http://www.fcw.com/article92640-03-16-06-Web
[2] http://www.fcw.com/article92665-03-20-06-Print
[3] http://www.fcw.com/images/st_images/MDADODIGReport.pdf

From isn at c4i.org Tue Mar 21 04:12:53 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:12:53 -0600 (CST)
Subject: [ISN] Linux Security Week - March 20th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  March 20th, 2006                             Volume 7, Number 12n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas       ben at linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "An introduction to Elliptic Curve Cryptography," "The 7 myths about protecting your web applications," and "Wi-Fi Security's Personal Problems."

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.
http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Community 3.0.5 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121879/65/

---

pgp Key Signing Observations: Overlooked Social and Technical Considerations

By: Atom Smasher

While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

http://www.linuxsecurity.com/content/view/121645/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Cryptography in the Database: The Last Line of Defense
14th, March, 2006

Excerpt: This chapter discusses how cryptography can address the concerns raised in the previous chapter.
After explaining what cryptography is and providing a general idea of how it works, we dig into the various types of cryptographic algorithms and see where the strengths and weaknesses of each lie.

http://www.linuxsecurity.com/content/view/121920

* Philip Zimmermann releases Zfone for Linux
15th, March, 2006

Phil Zimmermann thinks Zfone is better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world.

http://www.linuxsecurity.com/content/view/121925

* An introduction to Elliptic Curve Cryptography
17th, March, 2006

Elliptic Curve Cryptography (ECC) has been gaining momentum as a replacement for RSA public key cryptography largely based on its efficiency, but also because the US National Security Agency (NSA) included it, while excluding RSA, from its Suite B cryptography recommendations. Suite B is a set of algorithms that the NSA recommends for use in protecting both classified and unclassified US government information and systems. Public key cryptography is the basis for tools like ssh as well as Secure Sockets Layer (SSL) for encrypting web traffic. For readers who would like more information, a nice introduction to public key cryptography and the RSA algorithm can be found on Wikipedia.

http://www.linuxsecurity.com/content/view/121963

* Linux Dictionary
19th, March, 2006

(SWP) Sun Wah-PearL Linux Training and Development Centre has an ambitious aim to promote the use of Linux and related Open Source Software (OSS) and Standards. The vendor independent positioning of SWP has been very well perceived by the market. Throughout the last couple of years, SWP becomes the top leading OSS training and service provider in Hong Kong. And in fact we are leading the market direction in some ways.
http://www.linuxsecurity.com/content/view/121977

* February's Security Streams
11th, March, 2006

It's about time I summarize all my February's Security Streams, you can of course go through my January's Security Streams as well, in case you're interested in what was inspiring me to blog during January.

http://www.linuxsecurity.com/content/view/121888

* SC Magazine CSO of the Year: Thomas Dunbar, Global Chief Security Officer, XL Capital
15th, March, 2006

As the global chief security officer at a leading multinational insurance company, Thomas Dunbar has a lot of data to protect, a range of regulations with which to comply and a huge number of employees whose access to corporate IT assets he must manage. The efforts he undertakes on a daily basis to achieve these and other mandates are the primary reasons why the SC Magazine Awards U.S. for 2006 saw him walk away with the title of CSO of the Year.

http://www.linuxsecurity.com/content/view/121939

* 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery)
16th, March, 2006

The newest contender on the block of course is BackTrack, which we have spoken about previously. An innovative merge between WHax and Auditor (WHax formerly WHoppix). BackTrack is the result of the merging of two innovative penetration testing live Linux distributions, Whax and Auditor, combining the best features from both distributions, and paying special attention to small details; this is probably the best version of either distribution to ever come out.

http://www.linuxsecurity.com/content/view/121946

* US Government Studies Open Source Quality
17th, March, 2006

"US Government Studies Open Source Quality" reads the SlashDot thread, and it certainly sounds interesting. Reading deeper, it links to an article by the Reg titled "Homeland Security report tracks down rogue open source code". The author of the article, Gavin Clarke, doesn't link to the company who performed the study (Coverity) or the report itself.
A quick Google search finds the Coverity home page.

http://www.linuxsecurity.com/content/view/121967

* FrSIRT Puts Exploits up for Sale
17th, March, 2006

Independent security research outfit FrSIRT.com is putting its database of security exploits behind the paid curtain. FrSIRT, previously known as K-Otik, has shut down the public exploits section of its Web site and announced that all exploits and proof-of-concept code will be sold through its subscription-based VNS (Vulnerability Notification Service).

http://www.linuxsecurity.com/content/view/121969

* Social Engineering Reloaded
15th, March, 2006

The purpose of this article is to go beyond the basics and explore how social engineering, employed as technology, has evolved over the past few years. A case study of a typical Fortune 1000 company will be discussed, putting emphasis on the importance of education about social engineering for every corporate security program.

http://www.linuxsecurity.com/content/view/121941

* Anti Phishing Toolbars - Can You Trust Them?
12th, March, 2006

A lot of recent phishing events occurred, and what should be mentioned is their constant ambitions towards increasing the number of trust points between end users and the mirror version of the original site. The use of SSL and the ease of obtaining a valid certificate for a to-be fraudulent domain is a fairly simple practice. Phishing is so much more than this, and it even has to do with buying 0day vulnerabilities to keep itself competitive. How should phishing be fought? Educating the end user not to trust that he/she's on Amazon.com, when he just typed it, or enforcing a technological solution to the problem of digital social engineering and trust building?
http://www.linuxsecurity.com/content/view/121890

* VM Rootkits: The Next Big Threat
13th, March, 2006

Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.

http://www.linuxsecurity.com/content/view/121906

* Useful Firefox Security Extensions
18th, March, 2006

Mozilla's Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here's a roundup of some of the more useful ones I've found.

http://www.linuxsecurity.com/content/view/121975

* Kids Learn About Cyber Security
13th, March, 2006

A group of students at Rome Catholic School are learning how to become the future defenders of cyberspace through a pilot program that officials say is the first of its kind in the country. The program teaches students about data protection, computer network protocols and vulnerabilities, security, firewalls and forensics, data hiding, and infrastructure and wireless security. Most importantly, officials said, teachers discuss ethical and legal considerations in cyber security.

http://www.linuxsecurity.com/content/view/121907

* Skype Branded Danger To Enterprise IT Security
16th, March, 2006

Although cost savings and improved communications are luring enterprises to Skype, the popular voice over IP service may violate security policies, industry experts have warned. Burton Group recommended enterprises assess the risks vs. rewards of Skype as the simplest solution for evaluating its use.
http://www.linuxsecurity.com/content/view/121942

* The Enemy Within The Firewall
16th, March, 2006

Employees are now regarded as a greater danger to workplace cyber security than the gangs of hackers and virus writers launching targeted attacks from outside the firewall. That is the perception of 75 per cent of Australian information technology managers who took part in an international IBM security survey.

http://www.linuxsecurity.com/content/view/121958

* How to Create RFID Access for Your Front Door
17th, March, 2006

There are many uses for RFID such as supply chain management, but access control is one of the most relevant applications for personal use. Many people use RFID access cards to get into buildings, use elevators, or even open the doors to those special penthouse type hotel suites. Setting up your own front door (or any door for that matter) with an RFID enabled access mechanism is pretty easy.

http://www.linuxsecurity.com/content/view/121974

* Digital Forensics and Hacking Investigations
13th, March, 2006

We discuss network forensics and misuse investigations; different types of devices that may hold suspect data or evidence; introduction to the 7-layer OSI model; network forensics and the role of sniffers and protocol analysis software; the function of network interface cards and layer-2 content inspection; overview of how a NIC works; overview of how a sniffer works; introduction to promiscuous mode; the 4 ways to capture traffic for network forensics; introduction to spanning and mirroring switch ports; introduction to buffered and unbuffered network taps; layer-2 transparent bridging concepts.

http://www.linuxsecurity.com/content/view/121901

* Security Podcasts Roundup
13th, March, 2006

We at PaulDotCom security weekly listen to many podcasts in an attempt to assimilate as much information as possible. Each podcast we listen to has its own strengths, and there are few on this list that I would dismiss altogether, but I'll let you be the judge.
There have been a few other blog postings related to security podcasts.

http://www.linuxsecurity.com/content/view/121902

* Photoshop Concepts For Law Enforcement
13th, March, 2006

With its comprehensive suite of powerful digital imaging products, Adobe software provides the solutions law enforcement agencies need to conduct enhanced forensic investigations. With its unmatched set of image management tools, Adobe Photoshop software is widely used by law enforcement agencies to make digital photos of suspects and crime scenes clearer for positive identification.

http://www.linuxsecurity.com/content/view/121904

* Married Couple Indicted for Corporate Espionage
14th, March, 2006

An Israeli couple has been charged with corporate espionage after the two were discovered engineering and distributing a Trojan horse application found to be responsible for several cases of data theft. The Tel Aviv District Attorney filed the 65-page indictment Sunday and announced that prosecutors had entered into a plea bargain agreement with the two defendants. The couple, formerly residents of London, were extradited to Israel. Prosecutors consider Ruth Haephrati, 29, the ringleader and principal party responsible for the couple's criminal enterprise. According to the indictment, Haephrati was the one who sought out new clients to increase business.

http://www.linuxsecurity.com/content/view/121917

* 'Security pro' - an oxymoron?
14th, March, 2006

The term 'infosec professional' is almost a contradiction in terms, according to analyst group Gartner, which warns the field of IT security is still finding its feet. The analyst house said there is little agreement on what constitutes professionalism. This means hiring decisions are complicated by a lack of consensus on the skills needed and, as a result, many security problems will remain unsolved until specialists pool their knowledge and experience, Gartner said in a briefing note.
http://www.linuxsecurity.com/content/view/121919

* The 7 myths about protecting your web applications
15th, March, 2006

Web applications are currently proving to be one of the most powerful communication and business tools. But they also come with weaknesses and potential risks that network security devices are simply not designed to protect against.

http://www.linuxsecurity.com/content/view/121923

* Basketball Social Engineering
15th, March, 2006

On March 4, University of California Berkeley (Cal) played a basketball game against the University of Southern California (USC). With Cal in contention for the PAC-10 title and the NCAA tournament at stake, the game was a must-win. Enter "Victoria." Victoria was a hoax UCLA co-ed, created by Cal's Rally Committee. For the previous week, "she" had been chatting with Gabe Pruitt, USC's starting guard, over AOL Instant Messenger. It got serious. Pruitt and several of his teammates made plans to go to Westwood after the game so that they could party with Victoria and her friends.

http://www.linuxsecurity.com/content/view/121927

* Study Says RFID Tags Are Vulnerable To Viruses
15th, March, 2006

A group of European computer researchers have demonstrated that it is possible to insert a software virus into radio frequency identification tags, part of a microchip-based tracking technology in growing use in commercial and security applications. In a paper to be presented Wednesday at an academic computing conference in Pisa, Italy, the researchers plan to demonstrate how it is possible to infect a tiny portion of memory in the chip, which can hold as little as 128 characters of information.

http://www.linuxsecurity.com/content/view/121938

* LAMP lights the way in open-source security
16th, March, 2006

The most popular open-source software is also the most free of bugs, according to the first results of a U.S. government-sponsored effort to help make such software as secure as possible.
The so-called LAMP stack of open-source software has a lower bug density--the number of bugs per thousand lines of code--than a baseline of 32 open-source projects analyzed, Coverity, a maker of code analysis tools, announced Monday.

http://www.linuxsecurity.com/content/view/121947

* Top 50 malicious code samples reveals secrets
16th, March, 2006

While past attacks were designed to destroy data, today's attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence, the company said. In its previous report, Symantec cautioned that malicious code for profit was on the rise, and this trend continued during the second half of 2005.

http://www.linuxsecurity.com/content/view/121948

* BS7799 Ver 3 Security Standard Published
17th, March, 2006

The new security standard from BSI, BS7799 3, has been published today. This is titled "Guidelines for Information Security Risk Management", and supports the more general security management standard, ISO27001, which was published last year.

http://www.linuxsecurity.com/content/view/121962

* Report: 80 percent of emails out to manipulate
14th, March, 2006

Four out of five inbound emails are designed to deceive the recipient, according to a new report studying the scope of abusive online messages. The Messaging Anti-Abuse Working Group's (MAAWG) Email Metric Report, which analyzed data from more than 127 million mailboxes during last year's fourth quarter, found that more than 142 billion emails either were tagged or blocked before they reached the end user. Another 61.3 billion emails were the victims of dropped connections, the study showed. Nearly 37 billion emails were unaltered before reaching their destination.

http://www.linuxsecurity.com/content/view/121918

* Human Rights and Wrongs Online
14th, March, 2006

A government's position on censorship used to protect its citizenry is dictated by who they are.
The well-popularized censorship of Internet content in China by Google and other big players, and criticism of this by the U.S. government, is really just the tip of the iceberg. On February 15, the United States Congress held hearings on the role of U.S. Internet companies like Google, Microsoft, Yahoo and Cisco in suppressing free expression and therefore encouraging repressive tactics by countries like China. The hearings explored the role and the responsibility of these companies for deliberately filtering communications, assisting in the interception of citizens' communications, and using technology to restrict access by citizens to information.

http://www.linuxsecurity.com/content/view/121921

* Search firms surveyed on privacy
15th, March, 2006

We asked the same seven questions of each company. Their answers are reproduced below, with the responses sorted by the companies' names in alphabetical order. What information do you record about searches? Do you store IP addresses linked to search terms and types of searches (image vs. Web)? Weinstein: Any time a search is done on the AOL service or AOL.com, the left rail on the results page offers a list of the most recent searches conducted by that user.

http://www.linuxsecurity.com/content/view/121928

* Federal Budget For 2007 To Boost Cybersecurity
11th, March, 2006

Although President Bush's proposed budget for fiscal 2007 (starting Oct. 1, 2006) increases spending for key cybersecurity programs, it is not clear how that money would be spent, raising concerns in the information security industry. One of the biggest security-related boosts would be a $35 million infusion to the "critical infrastructure outreach and partnerships" initiative within the Department of Homeland Security. The goal of that effort is to increase cooperation and information sharing among DHS, state and local governments and infrastructure providers.
Thirty million dollars of that allocation would go toward implementing partnership plans for private industry verticals like information technology, finance and electrical utilities.

http://www.linuxsecurity.com/content/view/121887

* How To Legislate Against Hackers
16th, March, 2006

Everyone is in favour of sending hackers to prison for longer, but technology commentator Bill Thompson wonders if our MPs are competent to make good cyber-laws. If all goes to plan and the fuss over ID cards and school governance does not derail the parliamentary timetable, then we will soon have a new Police and Justice Act.

http://www.linuxsecurity.com/content/view/121952

* NIST sets FISMA Standards For Federal IT Systems
17th, March, 2006

The National Institute of Standards and Technology has released the final standard for securing agency computer systems under the Federal Information Security Management Act. Federal Information Processing Standard 200 [1] sets minimum security requirements for federal systems in 17 security areas. It is the third of three publications required from NIST under FISMA, which requires executive branch agencies to establish consistent, manageable IT security programs for non-national security systems. The intent of FISMA is to implement risk-based processes for selecting and implementing security controls.

http://www.linuxsecurity.com/content/view/121968

* Linux Zero IP ID Vulnerability?
15th, March, 2006

I've recently stumbled upon an interesting behaviour of some Linux kernels that may be exploited by a remote attacker to abuse the ID field of IP packets, effectively bypassing the zero IP ID in DF packets countermeasure implemented since 2.4.8 (IIRC).

http://www.linuxsecurity.com/content/view/121940

* Trojan Cryzip Extorts Decryption Fee
18th, March, 2006

A Trojan making the rounds encrypts victims' files and demands a $300 payment to have them decrypted and unlocked, according to a report by security firm Lurhq Threat Intelligence Group.
This so-called "ransomware" Trojan, dubbed Cryzip, is the second of its type to emerge in the past 10 months, following the PGPcoder Trojan. It also is the third such Trojan to appear since 1989.

http://www.linuxsecurity.com/content/view/121976

* Wi-Fi Security's Personal Problems
13th, March, 2006

With security such an important concern for wireless networks, most new Wi-Fi gear has long supported Wi-Fi Protected Access 2 (WPA2), the latest standard for encrypting data sent over the air. As of this month, all Wi-Fi gear will, as the Wi-Fi Alliance is making WPA2 compatibility a mandatory part of its interoperability tests. But there are two kinds of WPA2, and most Wi-Fi phones and many other gadgets support only the lesser version, which was originally designed for home networks.

http://www.linuxsecurity.com/content/view/121908

* ISO Rejects China's WAPI Wireless Security Protocol
16th, March, 2006

The International Standards Organization (ISO) last week rejected a security protocol that was backed by some Chinese representatives as an amendment to the group's wireless LAN standard. The ISO turned down the Chinese technology, called the WLAN Authentication and Privacy Infrastructure (WAPI), in voting to adopt the IEEE 802.11i security specification that was developed by the Institute of Electrical and Electronics Engineers Inc., according to a member of the IEEE 802.11 Working Group who asked not to be named because of working group rules.

http://www.linuxsecurity.com/content/view/121953

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Mar 21 04:13:31 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:13:31 -0600 (CST)
Subject: [ISN] Security Experts Warn of Devastating Web Attack
Message-ID:

Forwarded from: security curmudgeon

: http://www.foxnews.com/story/0,2933,188102,00.html
:
: Paul Wagenseil
: Fox News
: March 16, 2006
:
: WASHINGTON - A powerful new twist on the most common kind of Internet
: attack could overwhelm even the most popular and well-fortified Web
: sites and disrupt e-mail traffic by enlisting the network infrastructure
: servers that manage Internet traffic worldwide, security experts warn.
:
: First detected as early as 2002, the assault, known as a distributed
: reflected denial-of-service (DRDoS) attack, bombards targeted Web
: servers with such massive amounts of spurious data that even flagship
: technology companies would not be able to cope.

The following comments are courtesy of Dave Dittrich, reworded a bit here with his permission:

There are some news stories starting to break in which VeriSign claims to have "discovered" a "new DDoS" attack (two below, at least two more on the way).

http://software.silicon.com/security/0,39024655,39157301,00.htm
http://www.theinquirer.net/?article=30361

If anyone wants to set the record straight on all of this, the first public mention of these kinds of attacks was Vern Paxson in 2001. The first public mention of a distributed reflected DDoS attack involving DNS was against futuresite.register.com in 2001. The Honeynet Project "Reverse Challenge" binary turned out to be a DDoS agent, and it implemented several DNS related attacks *including* a distributed reflected DNS attack. That was in 2002. Dittrich and his co-authors mentioned reflection attacks (including the above) in their book "Internet Denial of Service: Attack and Defense Mechanisms", which was published just over a year ago.

So if 5 years old is "new"..
Dittrich just updated his DDoS web page to include references to the above information, as well as other references, history and more:

http://staff.washington.edu/dittrich/misc/ddos/

From isn at c4i.org Tue Mar 21 04:13:50 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:13:50 -0600 (CST)
Subject: [ISN] AT&T spotlights disaster recovery
Message-ID:

http://telephonyonline.com/telecomnext/news/ATT_TelecomNext_NDR_031706/

By Carol Wilson
Mar 17, 2006

AT&T doesn't normally train for disasters when "it's 75 degrees and sunny outside," according to Ken Smith, team lead of AT&T's Network Disaster Recovery unit. But next week, the unit will make an exception, putting its 16 years of disaster recovery experience on exhibit as part of the TelecomNext trade show in Las Vegas.

The company will have 20 of the 150 self-contained trailers it uses in real-life disaster recovery on display at the trade show and will run a demonstration that shows part of what goes on behind-the-scenes at AT&T four times a year, when the company does its real disaster recovery training.

Begun in the early '90s, AT&T's disaster recovery training program is unique in the industry, Smith said, because of the resources it devotes to preparing on a national scale for almost any type of disaster, manmade or natural. The company houses the 150 trailers and other NDR vehicles as well as another 250 trailers that provide backup and logistical support in four undisclosed locations around the country, ready to mobilize at a moment's notice, as they did in the fall of 2005 for Hurricanes Katrina and Rita.

The main trailers are designed to provide full Central Office functionality with everything from Class 5 switching to digital cross-connect, ATM and frame relay gear and electrical power equipment. More importantly, however, the response effort can be configured to provide exactly the capability of the specific CO affected by the disaster, Smith said.
"We have proprietary software developed by our labs that contains information about every one of our AT&T COs," he said. "For example, for Jacksonville, Fla., [our team] can tell me what is in the office, what trailers I would need, the closest trailers stored, and all of the cabling needed to recover that office. That allows me to show up at a site and recover an office, regardless of the size, within seven days or less."

After the September 11, 2001 attacks on the World Trade Center, AT&T had its NDR trailers up and running in New Jersey within 48 hours to replace the switch it lost under the collapsing towers, Smith said.

AT&T also has emergency communications vehicles that it supplies to local emergency services personnel to help them maintain their communications. In response to Hurricane Katrina, the company provided five such vehicles - its maximum - for the first time ever, Smith said.

"Normally, when we see a situation developing, like Katrina, we will have two vehicles in position ready to deploy - one for us and one for emergency services," he said. "For Katrina, we deployed all five for the first time."

Among other services provided was the capability for local law enforcement to check on the prior records of individuals arrested while looting, to determine if they had previous criminal histories and should be held.

AT&T puts its NDR capabilities to use for its corporate customers as well, doing disaster recovery assessments for them, to determine how prepared they are in case of major problems.

In Las Vegas, AT&T will have a total of 29 trailers, including its command center, a Lucent 5ESS class 5 switch, digital cross connect capability, other technology trailers and those providing power and other support. The company will be conducting tours and demonstrations of its disaster recovery capability.
"My hope is that they walk away understanding that AT&T takes reliability very seriously and has probably the best disaster recovering program in the industry," Smith said. "Whether they are an AT&T customer or they are not, they can ask themselves about their company's disaster recovery program. Individual customers need to ask themselves about their own plan. We have seen the devastation that can happen."

AT&T's NDR includes both full-time workers and other AT&T employees who have other jobs in addition to disaster recovery. While the program is a major financial investment, Smith considers it to be insurance.

"You either pay it up front and then you recover, or if you don't pay it up front, you wind up paying later," he said.

From isn at c4i.org Wed Mar 22 02:37:38 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 22 Mar 2006 01:37:38 -0600 (CST)
Subject: [ISN] Book Review: High-Tech Crimes Revealed
Message-ID:

Forwarded from: security curmudgeon

http://attrition.org/~jericho/works/security/review/book_review.high-tech_crimes_revealed.html

High-Tech Crimes Revealed
Cyberwar Stories from the Digital Front
Steven Branigan
ISBN: 0-321-21873-6
Addison-Wesley, Copyright 2005

I found this book just after Christmas (Dec 2005) and grabbed it hoping for a decent read about computer crimes and sociology, backed by real world experience and first hand tales from the 'digital front'. Instead, I got the worst collection of naive and inexperienced crap I have read in a long time. After paying money for this book, I feel as if I have fallen victim to a lame phishing scam.

It is important to note that this book is copyright 2005, and says the first printing was in August 2004. It puts the entire book into perspective and quickly makes you question the author's credentials.
In fact, if this book wasn't written in the mid to late 90's, shelved for almost ten years, and eventually printed, then Branigan should never claim any affiliation with the computer security industry/community.

[..]

From isn at c4i.org Wed Mar 22 02:37:58 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 22 Mar 2006 01:37:58 -0600 (CST)
Subject: [ISN] Arrest over 'high profile hacking'
Message-ID:

http://finance.news.com.au/story/0,10166,18562649-31037,00.html

AAP
March 22, 2006

A VICTORIAN man has been charged over a series of high profile international internet hacking attacks.

The 22-year-old was arrested in Melbourne early today after a joint state and federal investigation into the sophisticated attacks on internet relay chat (IRC) servers in Australia in 2005, the federal police said.

The Belgian Federal Computer Crime unit tipped Australian authorities off to the attacks, which used remotely controlled computer networks known as botnets.

The US, Singapore and Austria also were affected by the hacking attacks on Australian IRC servers.

Botnets are made up of bots, which spread by taking advantage of common vulnerabilities on unprotected computers, and can attack servers in their tens of thousands. Once on a host computer, most often personal home machines, they lay dormant and wait for a remote command.

NSW, Victorian and Australian Federal Police, as well as the Australian High Tech Crime Centre (AHTCC) carried out the investigation.

The man was charged with using a telecommunications network with intention to commit a serious offence, which carries a maximum penalty of 10 years in prison. He will face Melbourne Magistrate's Court on Friday.

AHTCC director Kevin Zuccato said botnets had been linked to unlawful activity.

"Bots and bot networks continue to be of concern and are linked ... to a range of other malicious activity including identity theft and spam," Mr Zuccato said.
He urged people to safeguard their computers with anti-virus software and firewalls.

From isn at c4i.org Wed Mar 22 02:38:33 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 22 Mar 2006 01:38:33 -0600 (CST)
Subject: [ISN] It's raining IT security surveys
Message-ID:

http://www.techworld.com/security/features/index.cfm?FeatureID=2350

By Cara Garretson and Ellen Messmer
Network World
March 20, 2006

If it feels like you're getting bombarded with surveys about network security threats, that's because you are. Leading security vendors, looking to scare up interest in their products, pumped out more than twice as many of these surveys last year as in 2004, and this year are on an even more aggressive pace.

Such surveys have shown that 25 percent of corporate e-mail users send personal messages, that there were 2.9 million phishing attacks in February and that 65 percent of ISPs consider distributed denial-of-service (DoS) attacks a main concern. The factoids go on and on and on.

According to our informal review of 20 leading security vendors, they made public 34 such surveys last year, most of which were conducted by third parties on behalf of the vendors. In addition, the vast majority of them issued reports - some as frequently as monthly - derived from information that their products collect regarding distributed DoS attempts, spam blasts, phishing attacks and the like.

While vendors say these surveys and reports are meant to alert IT professionals to growing security threats and to help vendors determine what sorts of products customers need, in fact they're creating a thick layer of fear, uncertainty and doubt, or FUD, that helps sell products in a market that IDC says totalled US$32.6 billion last year and is headed toward $38.4 billion this year.
For example, a survey of 603 consumers conducted last October by Momentum Research Group on behalf of RSA Security showed the French are more fearful than Germans about the possibility of fraudulent access to personal information at banking sites. But when it comes to fear of identity theft, no one beats Americans; nine out of 10 have heard of it, as compared with only one in three in France and Germany.

RSA, which provides products and services for authentication and anti-phishing, says in its press release about the survey: "The key to online confidence lies at the door of the business community - meaning that it is imperative for online vendors to be seen taking appropriate measures to protect their customers' interests."

"There's always a self-serving aspect to anything a vendor releases," says Keith Crosley, director of market development with messaging security vendor Proofpoint, which does a few surveys per year. "But we really are trying to educate markets and share interesting data that helps people make really intelligent decisions about their technology investments."

It's not surprising that vendors use survey results to help sell their products, often paying tens of thousands of dollars per survey with the hopes the results will support the need for their offerings. (Those that contracted professional firms said they did so because the size and quality of each sample would be superior to what the vendor itself could come up with, and therefore produce more accurate results that would be less likely to be perceived as biased.)

But security vendors seem to be particularly fond of publicizing surveys these days, perhaps because there are very few ways to gauge just how secure a PC or network is - the FUD created by survey results sends the message that you're never secure enough.
IBM, which offers a number of hosted security services, this week released results of a survey it sponsored, conducted by Braun Research, that shows 84 percent of the 600 IT managers surveyed said they believe organized criminal groups with technical sophistication are replacing lone hackers as the main threat from the outside. But the press release describing the survey questions respondents' ability to protect themselves. According to IBM, 83 percent of respondents "boast that they have adequate safeguards in place to combat organized cybercrime." The message? You're not as secure as you think you are.

Be afraid

One security company recently attempted to quantify just how worried IT managers should be. Antimalware vendor WebSense's sixth annual Web at Work survey, conducted by Harris Interactive and released last May, revealed that "one-quarter of IT decision-makers feel that the test of protecting their company against malicious Internet security threats is more stressful than a minor car accident."

It's difficult to ignore the steady stream of magazine and newspaper headlines announcing these survey findings, Network World not excluded. Some publications, including ours, conduct their own surveys as well to gauge readers' opinions and actions regarding security.

This flood of security headlines has led some to discount many surveys as marketing material. Bill Boni, vice president and chief information security officer at Motorola, says he will pay some attention to surveys if they appear to show validated data from responsible sources.

No one expects a vendor to issue a press release touting a survey that negates the need for its product, but this selective practice underscores the requirement to consider the source.

"Surveys are one of the only benchmarks you can use to make decisions . . . you'd be foolish if you didn't at least read them," says Jim Hite, supervisor of network services and central operations with Virginia's Prince William County schools.
"But you have to consider that the manufacturer wants you to buy their product, so you have to weigh that."

If a vendor sponsors a survey that contradicts its own product plans, it's unlikely we'll ever know about it. Vericept, a small company with products focused on preventing internal threats, last December commissioned its first-ever survey, conducted by Enterprise Management Associates. The survey asked how concerned corporations are about internal threats; 74 percent said the risk of sensitive corporate information leakage because of internal personnel is moderate to very high. And so, the company publicised its findings.

"If we found people said 'internal risk is never a problem,' or that 'it will go away in six months,' then we may not have published it," says Brett Schklar, vice president of marketing with Vericept.

Decisions, decisions

Some IT managers use these surveys to help open the company purse strings to fund new security projects.

"Reluctantly, I support the points many of these surveys are making, even though some of them make you cringe," because they're so blatantly oriented toward selling products, says Michael Dean, director of IT security for the 200 K-12 schools in the Palm Beach County School District in Florida, which support a high-speed network of 50,000 computers for 175,000 students and teaching staff.

Surveys are designed to help the sponsoring vendors make decisions, too. In 2004, Proofpoint considered bringing to market an outbound e-mail compliance product. But first the company sponsored a survey conducted by Forrester Research that showed 43 percent of companies sampled used employees to scan outbound e-mail for confidentiality breaches or intellectual property leaks. Imagine the time and cost savings of automating this process? A few months later, Proofpoint released an outbound compliance product.

"The volume of response to the survey showed us there was a great deal of interest," Crosley says.
"If there was no interest in outbound e-mail compliance, we would have definitely changed our plans with respect to how quickly we created the product."

Sometimes surveys show that security threats perpetuate despite the widespread use of preventive products. For example, ICSA Labs conducts an annual survey of 300 companies and government agencies to find out how much antivirus software they use on desktops and servers, and how many "virus disasters" they experienced over the course of the year. Every year, as in last year's 10th Annual Virus Prevalence Survey, the costs of cleaning up after a virus disaster seem to rise - last year showed a 23 percent increase over the year before to $130,000 per disaster - while companies keep buying more antivirus software.

Some companies have gone to extremes to show how badly users need their products. Last