From isn at c4i.org Wed Mar 1 02:46:46 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:46:46 -0600 (CST)
Subject: [ISN] Korea to Fight Web Attacks From China

http://times.hankooki.com/lpage/tech/200602/kt2006022817142511780.htm

By Kim Tae-gyu
Staff Reporter
02-28-2006

To counter the problem of identity theft, the Korean government will block the backdoor Internet pathways from abroad that were used to steal personal data by providing bypass links into the country's Internet network.

The Ministry of Information and Communication on Tuesday revealed steps aimed at controlling the nation's rampant leakage of personal data to overseas countries, especially China.

``Since last week, in collaboration with Internet service providers, we have already intercepted 2,600 illegal IPs, which were found to be the main routes for penetrating the Korean network,'' Lee Sung-ok, director general at the ministry, said.

Identity theft en masse surfaced last month after complaints piled up that hackers had stolen private data, including resident registration numbers, from Koreans in order to subscribe to ``Lineage,'' the popular online game.

Chinese hackers are suspected of leading the cyber crimes via a bypass link based on unlawful IPs, an alternative path other than the legitimate, primary one.

``In the future, we will continue to keep tabs on such illegal IPs geared toward breaking into the Korean network and stealing personal information,'' Lee said.

Lee said the ministry will also urge local Internet firms to use an alternative system other than resident registration numbers, the Korean version of social security numbers, for signing up to Web sites.

``Furthermore, we will recommend Web sites use cell phones as a certification method to deter illegal subscribers. They can require people to enter their mobile phone numbers together with resident numbers when signing up,'' Lee noted.
``The site then will send certification figures via mobile handsets and users will have to enter the multi-digit number on the Web site for user verification,'' he added.

The Chinese government will be asked to delete the personal data of many Koreans in circulation in China's cyberspace, he said.

To prevent the recurrence of massive personal data leakage, the ministry also unveiled a package of measures including propagation of security patches as well as firewalls.

``Currently, the penetration rate of security patches stands at just 38 percent. We will increase the figure to 80 percent and mandate gaming companies to install Web firewalls,'' Lee said.

Toward that end, the country's main portal and game sites will have to be equipped with programs that automatically install security patches on subscribers' computers.

The ministry also looks to check the security of the country's 70,000 most-visited Web sites every day to shield them from onslaughts by unscrupulous crackers.

From isn at c4i.org Wed Mar 1 02:47:23 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:47:23 -0600 (CST)
Subject: [ISN] Companies Contemplate Life Without BlackBerrys

http://www.washingtonpost.com/wp-dyn/content/article/2006/02/28/AR2006022801480.html

By Yuki Noguchi
Washington Post Staff Writer
March 1, 2006

Eugene Stein is thinking about Plan B for the 1,900 BlackBerry e-mail devices under his charge that could be rendered useless if their maker, Research in Motion Ltd., gets slapped with a court-ordered shutdown.

"It'd be pretty significant," said Stein, chief technology officer for law firm White & Case LLP. His backup plan for keeping the firm's employees connected to wireless e-mail is to use more Palm Treo devices with Good Technology Inc. software, a rival to the BlackBerry system. "I would have to use all my technical guys" and sink at least $40,000 into buying new devices, he said.
"I can't buy and replace them all in one shot," but he has secured assurances from vendors that he will be able to order some Treos overnight, putting them in the hands of attorneys traveling internationally or working on key deals first. After that, he would experiment with the software upgrade RIM says it has developed, or replace the remaining BlackBerrys as soon as possible.

It's hard not to resent RIM for not resolving its legal issues, Stein said. "They shouldn't have put me in this position."

Many BlackBerry users are in limbo, awaiting a federal judge's decision about whether to shut down the company's U.S. operations for infringing on patents. But life is even harder for people like Stein, who manage information technology and have to make educated guesses about the outcome of the case, then make contingency plans.

There are lots of factors to consider. At a hearing last week, U.S. District Judge James R. Spencer indicated that he would honor a 2002 jury decision finding RIM guilty of infringing McLean-based NTP Inc.'s patents. At the same time, on the morning of Friday's hearing, the U.S. Patent and Trademark Office rejected the validity of the second of the five relevant patents it originally granted to NTP -- a move RIM was hoping would sway public and judicial opinion in its favor.

If all other legal measures fail and the judge orders service cut off for most non-government users -- roughly two-thirds of the 3.2 million U.S. subscribers -- RIM has said it has a software solution that will work around its patent problem. But information technology officers like Stein haven't had a chance to test it yet.

Iron Age Corp.'s chief information officer, Drew Farris, is divided about what to do with the 150 BlackBerry e-mail devices that sales executives at his specialty shoe business rely on. On the one hand, Farris thinks RIM will settle its long-running patent dispute before a possible court-ordered shutdown.
That would spare Farris's company from having to replace its devices at an estimated cost of $1,500 per user for equipment, software and training. On the other hand, it may not.

"Based on what I've read and seen, I'm at a loss; I'd say it's 50-50" for either outcome, said Farris, who follows the case closely on Internet news sites and newsletters.

RIM's problems have been good for competitors' business, including Good and Visto Corp., both of which have received hundreds of inquiries from companies looking for alternatives, and both of which have licensing agreements with NTP.

But most businesses are still waiting for the judge's decision, said Todd Kort, an analyst with Gartner Inc. who said he has talked to 75 to 80 technology officers since November about their contingency plans.

"They're under a fair amount of pressure from their users, and they're getting pressure from above" to make sure systems keep running uninterrupted, Kort said. "But of those, only four or five are in the process of switching service," because changing out the service is expensive and time-consuming, he said.

Among other things, longtime BlackBerry users are used to the software and the ergonomics of their palm-size devices, so deploying something new would mean losing productivity while people figure out a new system.

Kort remains optimistic that his clients won't have to do that. He said RIM is far more likely to either settle or deploy its work-around than shut down service.

John Stevenson is placing his bets on the work-around. He retired this week as chief information officer at Sharp Electronics' U.S. division, but not before having to decide what to do about the 300 BlackBerrys used by company executives.
"Do we go back to the old way of doing things -- using cell phones, text messaging, and laptop computers," or should the company think about buying a new set of devices at great expense, Stevenson wondered, and he consulted his peers through a trade group, the Society for Information Management. For now, he said, "we're counting on a BlackBerry work-around. Is that a dangerous plan without a Plan C? Maybe."

John Jones is among those information technology executives who think the case won't amount to a hill of beans. "I just see this going in RIM's favor the entire way," said Jones, who is vice president for information technology at Pulver.com Inc., an Internet telephony and technology conference company.

But even Jones has a backup plan. "Right now my colleague is taking a look at the new Microsoft push e-mail technology -- just in case."

© 2006 The Washington Post Company

From isn at c4i.org Wed Mar 1 02:47:35 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:47:35 -0600 (CST)
Subject: [ISN] DDoS Attacks Target Prominent Blogs

http://news.netcraft.com/archives/2006/02/28/ddos_attacks_target_prominent_blogs.html

By Rich Miller
February 28, 2006

Several prominent weblogs have been hit with distributed denial of service (DDoS) attacks in recent weeks, as the target list for digital attackers continues to broaden. While some of the attacks appear to be politically motivated, on Monday a DDoS struck one of the blogosphere's most financially successful bloggers.

Australian Darren Rowse confirmed that an outage Monday on his ProBlogger weblog was caused by a DDoS, but provided no details about the attackers or their motives. Rowse gained international attention last year when he revealed that he would make more than $100,000 as a solo blogger in 2005, primarily through earnings from Google AdSense advertising and commissions from affiliate referral programs.
Has the success of professional bloggers made them viable financial targets for professional DDoS attackers? Sites with large volumes of transactions are the primary targets for a cottage industry of digital extortionists using DDoS attacks, usually launched through large botnets of compromised computers. These attacks have previously targeted online betting sites, payment gateways, domain parking services and even online games.

An earlier series of attacks targeted the blog of Michelle Malkin, who led a movement among bloggers to mirror the controversial cartoons of the Prophet Mohammad that initially appeared in a Danish magazine. The attacks began Feb. 15, and escalated on Feb. 23, when an attack from a botnet in Turkey forced Malkin to post on the Pajamas Media weblog until her main site was available again. The attacks on Malkin's blog appear to be part of a broader pattern of hacker activism targeting sites that have featured the cartoons, including the defacement of hundreds of sites as well as denial of service attacks.

From isn at c4i.org Wed Mar 1 02:48:17 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:48:17 -0600 (CST)
Subject: [ISN] Wh00ps - Email from CSI last week

---------- Forwarded message ----------
Date: Tue, 28 Feb 2006 15:54:41 -0600
From: "Chris Keating, Director Of CSI"
Reply-To: chriskeating @ cmp.com
To: wk at ...........
Subject: Email from CSI last week

Dear CSI Member,

I'm writing to apologize for a mistake we made in an e-mail message you received from us last week. In the rest of this note, I will explain the mistake we made and why we believe it merits an apology (and an explanation). But since your time is valuable, let me summarize in my first paragraph that an error occurred, in which your name and address were inadvertently given to one other CSI member or potential event attendee.
This was caused by a mail merge error, not any kind of breach of security, nor was your information generally broadcast or the mailing list as a whole exposed in any way. Though the inadvertent distribution was limited in scope, we still take it very seriously. To try to ensure there are no more such errors, we are taking the steps outlined below. If you have any questions about the error or our reaction, please read the paragraphs that follow and if you still have questions beyond this explanation, please don't hesitate to contact me at the address given below.

The message we sent last week invited you to join us for an Editorial Perspective TechWebCast called Security: The Application Point of View. The invitation still stands--we'd love to have you join us and you can find out more by Clicking Here.

In last week's letter, we made use of a feature we're rather proud of: to help speed the process if you decided to register for the event, the e-mail message included a pre-filled registration form. Obviously, what's supposed to be in the pre-filled form is information about you--information you've shared with us in the past such as your business mailing address and your telephone number. This information did not include traditionally sensitive categories of information such as credit card numbers or social security numbers.

The data for the form is merged with the email message content as each message is sent out. In this particular mailing, the data used for the merge had been corrupted, such that each recipient record included in part certain data relating to another recipient. As a result, each form we emailed was incorrectly pre-filled with the information of a different individual in the database who was not the recipient of the message. The specific condition that caused the database error to occur on this occasion is being corrected.
Additionally, we are examining the possibility of designing new code for the application that merges the data with e-mail messages to assist in addressing problems of this type. If these efforts and other efforts do not result in making us sufficiently confident in our ability to catch such errors, we plan to remove the pre-filled form feature from future mailings until we can achieve that level of confidence.

Again, your information was released to only one other CSI member or potential event attendee and no credit card or information of similar sensitivity was involved. Even a small slip-up, though, doesn't show as much respect for the trust you've placed in us as we'd like. Please accept my apologies and my assurance that we consider your privacy an integral part of our success as a security organization.

With best regards,

Chris Keating, Director
Computer Security Institute
chriskeating @ cmp.com

If you would prefer not to be contacted again about such events, please opt-out here.

CMP Media LLC
600 Community Drive
Manhasset, NY 11030
CMP Privacy Policy

From isn at c4i.org Wed Mar 1 02:46:30 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:46:30 -0600 (CST)
Subject: [ISN] Three Fidesz workers suspended over hacking of MSZP server

http://www.budapesttimes.hu/index.php?art=1508

Michael Logan
Budapest
February 27, 2006

Main opposition party Fidesz has suspended the three men believed responsible for hacking into the election campaign website of the ruling Hungarian Socialist Party (MSZP). The unnamed men were blamed for using the Fidesz server to hack into the website and download around 3,000 files, something that Fidesz initially denied before shifting the blame onto the "overzealous" employees. Police have asked Fidesz for the three workers' names.
Counter-claims appear effective

Fidesz leader Viktor Orbán has attempted to play down the incident, despite the fact that police are now investigating, and other party members have claimed that the MSZP has committed similar crimes in the past.

Daily Népszabadság claimed that Prime Minister Ferenc Gyurcsány's campaign schedule has now been thrown into doubt, as have many of the documents related to his speeches and itinerary. The paper said that Gyurcsány would now have to change his route around the country and change his speeches.

However, it would seem that, despite the MSZP's efforts to draw attention to what it believes is a serious incident, polls conducted after the goings-on found that people do not particularly care. Pollsters found that, despite the vast majority of people saying information should not be collected by illegal means, only 10% believed that either party had used underhand methods in the campaign so far.

From isn at c4i.org Wed Mar 1 02:48:32 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:48:32 -0600 (CST)
Subject: [ISN] Symantec ranks Houston high in WiFi security survey

http://www.chron.com/disp/story.mpl/business/silverman/3689686.html

By DWIGHT SILVERMAN
Copyright 2006 Houston Chronicle
Feb. 27, 2006

Wireless networking has become the dominant way in which home users network their computers. WiFi is fast, fairly easy to set up and relatively inexpensive. But it's also by nature insecure. With WiFi networking, you're spewing your data into the ether, and most wireless hardware comes with the most basic security features turned off by default.

Understanding human nature - and acknowledging the technical cluelessness of the average home user - you'd think that the majority of wireless home networks would be wide open, allowing anyone with a WiFi-enabled computer to connect to the Internet and possibly access personal data.

But, based on a drive-by survey conducted by software maker Symantec, not in Houston.
For two days in mid-November, Symantec security experts drove through neighborhoods in seven areas of Houston: Galleria/Memorial, the Heights, the Third Ward, Midtown/Montrose, Shadow Creek/Silverlake near Pearland, the Villages off I-10 West, and parts of the Westchase/near-Katy area. The specific Zip codes: 77056, 77008, 77004, 77006, 77002, 77584, 77024, 77082 and 77079.

As they drove, they used WiFi "sniffing" devices to look for signals from wireless routers, a practice known as wardriving. They checked each one to see if it was encrypted - meaning signals between the routers and the devices that connected to them are scrambled - and whether the owners of the routers had changed the default network name, or SSID.

Although the methodology was hardly foolproof, which I'll discuss in a minute, the results are interesting:

* Symantec's researchers found a total of 1,985 WiFi access points.
* More than 61 percent were using encryption.
* More than 80 percent had nondefault SSIDs.
* The more affluent neighborhoods had a higher incidence of nonencrypted access points, although there were far more residential WiFi networks in the richer areas.
* The highest percentage of nonencrypted networks was in the Villages, at almost 47 percent. The lowest percentage was in the Third Ward and West Houston, with about 30 percent.

Jonah Paransky, a senior manager for security products at Symantec, said four other cities had been surveyed in a similar fashion - New York, Los Angeles, Chicago and Washington, D.C. - and Houston had the highest percentage of encrypted residential networks. Symantec would not release the specific numbers for the other cities.

Congratulations, gang! It's good to be No. 1 at something other than obesity and pollution - although you folks in the Villages obviously have some work to do.

Now, while these numbers are interesting, a couple of aspects make the survey's results less than ironclad.
The researchers primarily focused on the central and western parts of the area, and largely ignored the far-flung suburbs. Adding those into the mix might have produced dramatically different results.

In addition, they only looked for encrypted versus open networks. But there are other ways to restrict access to a WiFi network without encryption, including a technique known as MAC filtering. All network cards, whether wired or wireless, have a unique hardware identifier, the MAC address. You can tell a WiFi router to only accept connections from computers with certain MAC addresses, thus locking out unknown users. It's possible that some of the unencrypted networks were using MAC filtering.

Paransky argued that MAC filtering isn't truly secure, because it's possible to capture traffic between a PC and a router if it's not encrypted.

He offered these tips for wireless network security, many of which should be familiar to readers of this column:

* Turn on encryption. D'oh!
* Change the default SSID in your router, and if the router allows it, turn off broadcasting of the SSID. This makes your home network invisible to those casually looking for wireless connections, although it can be spotted with the right software or equipment.
* Place your wireless router as close to the middle of your house as possible, which decreases the chance its signal could be detected from the street. It also helps decrease WiFi dead spots. Newer routers that use range-boosting technologies such as MIMO, and the upcoming 802.11n routers, will blast signals for greater distances, so depending on your house's size, this may not have much effect.
* Use a software firewall even though your router likely has one built in. Paransky said if intruders manage to penetrate your network, firewalls on each machine may keep others protected.

And, of course, because the survey was done by Symantec, which makes the Norton line of security software, Paransky suggested users keep up-to-date antivirus and antispyware on all their computers.
You didn't think the Symantec people went to all this trouble out of the goodness of their hearts, now did you?

From isn at c4i.org Wed Mar 1 02:48:54 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:48:54 -0600 (CST)
Subject: [ISN] Who's Reading Your Cell's Text Messages?

http://www.eweek.com/article2/0,1895,1931904,00.asp

By Paul F. Roberts
February 27, 2006

Have you ever hit "Send" on a text message on your mobile phone before addressing it? Ever wondered where all those lost SMS text messages go? If so, you might want to speak with Stan Bubrouski, whose cell phone has been channeling wayward text messages from across the country for years.

Bubrouski, a computer science major at Northeastern University in Boston, is the proud owner of 'Null at vtext.com,' an account on the popular Verizon text messaging service that allows Internet users to send e-mail and IM messages directly to his cell phone as SMS text messages.

Bubrouski said he was just being clever when he signed up for a Verizon vText account with the user name 'null,' after his parents bought him his first mobile phone during his freshman year at Northeastern, in 2001. "I've been paying for it ever since," Bubrouski told eWEEK.

Bubrouski's new vText account didn't just hook him up with his friends, it also opened the door to a blizzard of unsolicited messages from individuals and companies that, for the last five years, have unwittingly forwarded reams of data to his phone. That data has become more sensitive in recent months, as companies rush to deliver everything from SAT test scores to medical information and automobile diagnostics to cell phones and PDAs.

Bubrouski's experience, while unusual, could be a sign of growing pains in the wireless industry, as companies rush to provide wireless data services, overlooking steps that could secure the data in transit, according to one security expert.
Bubrouski, who is finishing his senior year at Northeastern, noticed something strange about his vText account almost immediately after activating it in 2001. "I started getting phantom text messages with no callback number and an empty 'From:' field," Bubrouski wrote.

Initially, the content of the messages was innocuous, he said. "It was things like 'don't forget to drop the car off at baker's' and to 'call mom at 781-XXX-XXXX', stuff like that," Bubrouski wrote.

The problem worsened in mid-2002, when Bubrouski's phone began channeling what he claims were dozens of messages from an e-mail address used by General Motors' then-new "OnStar" system. The messages quickly filled up the memory on his cell phone and contained diagnostic responses to tests on a beta version of OnStar. "Basically, peoples' cars were sending messages to my phone," Bubrouski wrote.

Bubrouski contacted GM and was able to reach someone familiar with the OnStar tests, and get them to stop the messages after about a week. "I was happy again - for about two weeks," he wrote.

Next, Bubrouski's phone started receiving SMS sports scores and news from ESPN, the sports cable network, which had struck up a partnership with Verizon. Bubrouski's phone was still getting dozens of messages from the service, but because the service wasn't public yet, he couldn't find anyone at Verizon or ESPN who had heard of it and could help him with his problem.

Bubrouski said he deleted the messages from his phone. He was unable to provide proof of the OnStar or ESPN messages to eWEEK.

In a pattern that would repeat itself in the years to come, Bubrouski simply blocked the ESPN e-mail address using a blocking list at vtext.com and waited for the next stream of messages to hit his phone. Over time, Bubrouski accumulated a block list of around 15 "offenders": individuals and companies who were sending him large volumes of unsolicited information.
Bubrouski theorizes that his choice of user name is the culprit in the data leaks. In the world of software design, "Null" is commonly used to represent the absence of a value. Developers of mobile services use the "Null" address during testing routines, assuming that the messages won't be sent to anyone. Verizon may also be substituting "Null" for an invalid or missing "To" address in messages sent over Vtext, he said.

Misplaced "Call Mom" messages aren't likely to harm anyone, but by late 2004, the unsolicited SMS problem exploded, and took on a darker nature, as mobile data services started popping up all over to take advantage of a new generation of feature-rich mobile phones, Bubrouski said.

"I was getting people's grades, order information from unknown retailers, personal messages with people's credit card numbers [and] social security numbers," he wrote.

Most of the messages were sent by individuals, but many arrived in volume from companies like eMbience Inc. of San Diego, Calif., which unwittingly sent reams of MapQuest Traffic data to Bubrouski's phone. An eMbience spokeswoman said that Bubrouski's vText account was the same as an account used by engineers for internal testing. Once eMbience was informed, in November, that MapQuest test messages were going to Bubrouski's phone, they changed the address used in testing for the company's services.

Another company involved was Vocel Inc., also of San Diego, which develops mobile data services for companies including The Princeton Review and Random House. The company's Princeton Review service helps students study for a variety of standardized tests using their cell phone, including the SAT, GRE and LSAT, according to Tyler Jensen, vice president of operations at Vocel. A new Vocel service that is in testing called "Pill Phone" sends medication reminders to individuals' cell phones, he said.
Messages from both the Princeton Review service and Pill Phone were accidentally sent to Bubrouski's phone because of a flaw in a sharing feature in the service that allows test results completed on the phone to automatically be forwarded in SMS or e-mail format to a third party such as a parent or tutor, he said.

Messages without a "To" address were not delivered by the service. However, because of a programming flaw in the client-server software, messages with an invalid address, such as a blank space, were translated as "Null," and wound up on Bubrouski's phone, Jensen said. "The fault was entirely ours," he said. Vocel was informed of the problem by Bubrouski on Feb. 8 and had the problem fixed by Feb. 10.

While the Princeton Review messages that Bubrouski received were from a service that is in production, the Pill Phone messages were merely test data generated by Vocel engineers, not actual reminders, he said.

For example, text messages from server at vocel.com told Bubrouski that "A student at 4105704297 has just completed Princeton Review Word Set 1 with a score of 71%." A message from pillphone at vocel.com informed him that "A user at 7325894169 has not responded to his/her 01:45 PM dose of Pronestyl-SR," according to examples of data provided to eWEEK.

Vocel does not channel sensitive data from third-party servers. All the data that is circulated, such as test scores and medication information, is entered by the cell phone user, or generated on his or her phone, Jensen said. Still, Vocel is taking the incident seriously. "This was a wake-up call for us from the standpoint of ensuring that back-end systems are doing verification and checking," he said.

Jensen was loath to criticize Verizon, which provides SMTP gateways that route data sent from cell phone users and providers like Vocel to its customers.
However, others said that Bubrouski's experience may be a sign of larger problems with the way that providers like Verizon are running their text messaging networks.

SMS users, like e-mail users, rely on the fact that carriers like Verizon won't accidentally deliver improperly formatted messages, such as those with no addressee, to an unrelated address, said John Pescatore, a vice president at Gartner. "There's no way that this should be happening. No e-mail system would ever do that," he said. Verizon should be rejecting messages with improperly formatted addressee information, not forwarding it to an account, he said.

Bubrouski agrees. "I'd have to say Verizon is at fault. Sure, service providers make mistakes, but Verizon shouldn't be accepting messages from no one to no one," he said.

Verizon declined to comment in detail on Bubrouski's case. However, Verizon Wireless spokesman Jeffrey Nelson thanked eWEEK for bringing the 'Null' account issue to the company's attention, and said Verizon is looking into the issue.

The problems that Bubrouski experienced may be particular to Verizon's network. However, security is a larger problem in text messaging and e-mail, where trust is assumed between senders and receivers of message data, said Brian Berger, a vice president of marketing at Wave Systems Inc. and marketing chair at the TCG (Trusted Computing Group).

TCG is developing specifications for hardware building blocks, including the TPM (Trusted Platform Module) chip that can secure transactions from mobile devices. Companies like Nokia, Motorola, ARM, Vodafone, Wave Systems, as well as Intel and IBM are participating in the process, and specifications are expected this summer, Berger said.

As mobile devices become more powerful and are used to log into secure networks, and conduct high value transactions, users will need to have a way to authenticate themselves, manage passwords and prove their identity using mobile phones, he said.
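The failure Vocel describes above (a blank "To" field turned into the literal string "Null", which happened to be a real subscriber, and a gateway that accepted it) is a general pattern: a missing value is stringified and then routed as if it were data. The following is an added example, not code from Vocel, Verizon or eWEEK, showing the careless address construction beside a hardened recipient check on the sending side. It goes slightly beyond the page by also refusing the placeholder strings other languages and databases produce for missing values ("None", "nil", "undefined", and so on). The digit-only local-part rule, the helper names and the sample records are assumptions for the example; vtext.com is the gateway domain named on the page.

```python
import re
from typing import List, Optional, Tuple

# Placeholder strings that languages and databases produce when a missing value is stringified.
# "null" is the page's case; the rest are added by analogy (assumption). Any of these arriving as
# a recipient is a bug upstream, never a real subscriber, so they are refused rather than routed.
SENTINEL_RECIPIENTS = {"null", "none", "nil", "undefined", "nan", "n/a", "(null)"}

# Assumption for the example: the gateway's local part is a bare 10-digit subscriber number.
_SUBSCRIBER_RE = re.compile(r"[0-9]{10}")

SMS_GATEWAY_DOMAIN = "vtext.com"  # as named on the page


class InvalidRecipient(ValueError):
    """Raised instead of forwarding when a recipient is missing or is a placeholder."""


def naive_sms_address(recipient: Optional[str]) -> str:
    """The careless pattern: format whatever arrived. A missing value becomes a real-looking
    address ("None@vtext.com" in Python; "null@..." in languages that stringify null as "null")."""
    return "%s@%s" % (recipient, SMS_GATEWAY_DOMAIN)


def validated_sms_address(recipient: Optional[str]) -> str:
    """Hardened version: refuse anything that is not a well-formed subscriber number."""
    if recipient is None:
        raise InvalidRecipient("recipient missing")
    if not isinstance(recipient, str):
        raise InvalidRecipient("recipient has wrong type: %s" % type(recipient).__name__)
    local = recipient.strip()
    if not local:
        raise InvalidRecipient("recipient is blank")  # the page's failure mode: a lone space
    if local.lower() in SENTINEL_RECIPIENTS:
        raise InvalidRecipient("recipient is a placeholder value: %r" % local)
    if not _SUBSCRIBER_RE.fullmatch(local):
        raise InvalidRecipient("recipient is not a 10-digit subscriber number: %r" % local)
    return "%s@%s" % (local, SMS_GATEWAY_DOMAIN)


def is_rejected(recipient) -> bool:
    """True when the hardened check refuses the recipient."""
    try:
        validated_sms_address(recipient)
    except InvalidRecipient:
        return True
    return False


def forward_results(records: List[Tuple[Optional[str], str]]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Route (share_to, text) records from a sharing feature: well-formed recipients are queued,
    everything else is logged and dropped, never rewritten to a default address."""
    queued: List[Tuple[str, str]] = []
    rejected: List[str] = []
    for share_to, text in records:
        try:
            queued.append((validated_sms_address(share_to), text))
        except InvalidRecipient as exc:
            rejected.append("dropped %r: %s" % (text, exc))
    return queued, rejected


# Constructed sample records standing in for the sharing feature's output (not real data).
SAMPLE_RECORDS = [
    ("5551230000", "Word Set 1 completed with a score of 71%"),  # well-formed
    (" ", "Word Set 2 completed with a score of 64%"),           # blank: the page's failure mode
    (None, "Word Set 3 completed with a score of 88%"),          # never set at all
    ("null", "Word Set 4 completed with a score of 52%"),        # literal placeholder
]


if __name__ == "__main__":
    print(naive_sms_address(None))   # None@vtext.com: a deliverable address built from nothing
    queued, rejected = forward_results(SAMPLE_RECORDS)
    for addr, text in queued:
        print("send", addr, text)
    for line in rejected:
        print(line)
```

The same check belongs on the gateway side: an SMTP-to-SMS gateway should accept a local part only when it maps to a provisioned subscriber, and should treat reserved words like "null" as unroutable even if someone has registered them, which is the point Pescatore makes about Verizon.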
While Verizon works on the problem, Bubrouski said he's grown accustomed to his plight as a shepherd for lost text messages. "I've received thousands of text messages over the past five years," he wrote. "Probably only about 200 or so were actually meant for or even sent to me directly."

Getting rid of his vText account would stop the stream of unwanted SMS messages, but Bubrouski said he enjoys reading the messages he receives, and blocks companies and individuals when the volume of SMS they're sending him gets too high. "I've kind of gotten used to it," he wrote.

From isn at c4i.org Fri Mar 3 05:29:30 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:29:30 -0600 (CST)
Subject: [ISN] Fight Spam with Blacklists

====================
This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Availl
http://list.windowsitpro.com/t?ctl=22685:4FB69

St.Bernard Software
http://list.windowsitpro.com/t?ctl=22670:4FB69
====================

1. In Focus: Fight Spam with Blacklists

2. Security News and Features
- Recent Security Vulnerabilities
- Over 45,000 New Malware Threats Discovered in 2005
- Phishing Sites Increase Significantly in December 2005
- Combining LogParser and Sed

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- Share Your Security Tips

4. New and Improved
- Block Bots and Other Web Malware

====================

==== Sponsor: Availl ====
Ensure instant access to files at all remote servers and eliminate 95% of your network traffic. Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or Replication technologies? Do you have remote sites with common data or file needs? Get a free software trial, and register for the free seminar.
http://list.windowsitpro.com/t?ctl=22685:4FB69

====================

==== 1. In Focus: Fight Spam with Blacklists ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

I'd guess that the biggest spam headache we all face is false positives--messages that are inadvertently flagged as spam. False positives can be a significant problem, particularly for businesses. After all, you don't want business associates to think you're ignoring them.

I recently wrote in the Security Matters blog about my findings with one particular mail server's various filters (at the URL below). The system uses a dozen filters to help eliminate unwanted email. One thing to keep in mind about filters is that what works for one entity might not work as well for another. You should try several filters and monitor your systems to determine what works best to eliminate the particular types of unwanted mail you receive.
http://list.windowsitpro.com/t?ctl=2267E:4FB69

That said, my findings for the organization in question might be interesting to you. After observing the filters process more than 254,000 messages, I found that the most effective one for this particular organization is a simple language filter. The filter drops messages written in character sets that aren't used by the organization. Language filters might not be appropriate for every business, particularly those that have international relations, but many businesses might find such filtering useful.

The second most effective filter is an IP blacklist filter. IP blacklist filters query blacklist service providers about a given IP address, including the address of the message sender and any addresses that relayed a particular message along its delivery route. If the result of the query shows that the IP address is on the service provider's blacklist, then the probability is high that the message is spam.
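The lookup the column describes, as an added example (not code from the column or from the mail server it discusses): each sender or relay address taken from the Received: headers is reversed and appended to a blacklist zone, and an A answer in 127.0.0.0/8 means the address is listed; the same helper checks body URIs against the SURBL/URIBL zones the column names further on. The zones are the column's; the sample message, the stub resolver and its answers are constructed for this demonstration.

```python
"""DNSBL and URI blacklist lookups for one message (added example, not the column's code).
Blacklist zones are those named in the column; the message and stub DNS answers are constructed."""
import ipaddress
import re
import socket
from email import message_from_string
from typing import Callable, Dict, List, Optional

# Zones named in the column (three of the IP lists, both URI lists).
IP_BLACKLISTS = ["sbl-xml.spamhaus.org", "bl.spamcop.net", "cbl.abuseat.org"]
URI_BLACKLISTS = ["multi.surbl.org", "multi.uribl.org"]
Resolver = Callable[[str], Optional[str]]            # query name -> A answer, or None for NXDOMAIN
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")  # every "listed" answer falls in here
# The receiving site's own RFC 1918 / loopback hops are never usefully listed; skip them.
LOCAL_NETS = [ipaddress.IPv4Network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def dns_resolver(name: str) -> Optional[str]:
    """Live resolver: an A answer means listed, NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for an IP: octets reversed, zone appended (1.2.3.4 -> 4.3.2.1.zone)."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not an IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def relay_ips(raw_message: str) -> List[str]:
    """Sender and relay addresses from the Received: headers (newest hop first, no repeats)."""
    msg = message_from_string(raw_message)
    ips: List[str] = []
    for header in msg.get_all("Received", []):
        for candidate in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header):
            try:
                addr = ipaddress.IPv4Address(candidate)
            except ipaddress.AddressValueError:
                continue
            if not any(addr in net for net in LOCAL_NETS) and candidate not in ips:
                ips.append(candidate)
    return ips

def body_domains(raw_message: str) -> List[str]:
    """Registered domains of http(s) URIs in the body."""
    # Simplification: last two labels; the real lists keep tables of two-level suffixes (co.uk ...).
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    domains: List[str] = []
    for host in re.findall(r"https?://([A-Za-z0-9.-]+)", body):
        domain = ".".join(host.lower().rstrip(".").split(".")[-2:])
        if domain not in domains:
            domains.append(domain)
    return domains

def lookup(keys: List[str], zones: List[str],
           make_name: Callable[[str, str], str], resolve: Resolver) -> Dict[str, List[str]]:
    """Return {key: [zones listing it]} for every key whose query gets a 127/8 answer."""
    hits: Dict[str, List[str]] = {}
    for key in keys:
        listed = []
        for zone in zones:
            answer = resolve(make_name(key, zone))
            if answer is not None and ipaddress.IPv4Address(answer) in LISTED_RANGE:
                listed.append(zone)
        if listed:
            hits[key] = listed
    return hits

def score_message(raw_message: str, resolve: Resolver = dns_resolver) -> dict:
    """Run both blacklist filters over a message; 'spam' is True on any hit."""
    ip_hits = lookup(relay_ips(raw_message), IP_BLACKLISTS, dnsbl_name, resolve)
    uri_hits = lookup(body_domains(raw_message), URI_BLACKLISTS,
                      lambda dom, zone: dom + "." + zone, resolve)   # URI lists: domain.zone, not reversed
    return {"ip_hits": ip_hits, "uri_hits": uri_hits, "spam": bool(ip_hits or uri_hits)}

# Constructed sample: addresses from the documentation ranges, a made-up domain.
SAMPLE_MESSAGE = """\
Received: from [10.1.2.3] by mail.example.org; Fri, 3 Mar 2006 04:29:30 -0600
Received: from relay.example.net ([198.51.100.7]) by mx.example.org; Fri, 3 Mar 2006 04:29:29 -0600
Received: from unknown ([203.0.113.1]) by relay.example.net; Fri, 3 Mar 2006 04:29:28 -0600
From: sender@example.test
To: someone@example.org
Subject: s.A v.e. B 1 g.!!!

Visit http://www.spammy-example.test/offer now.
"""

# Stub answers standing in for DNS so the example runs offline (constructed).
STUB_RESOLVER = {
    "1.113.0.203.bl.spamcop.net": "127.0.0.2",          # the last external hop is listed
    "spammy-example.test.multi.surbl.org": "127.0.0.8",  # the advertised domain is listed
}

if __name__ == "__main__":
    print(score_message(SAMPLE_MESSAGE, resolve=STUB_RESOLVER.get))
```

Passing `dns_resolver` (the default) instead of the stub runs the same checks against the live zones.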
Some blacklist service providers also track addresses that are known to send viruses, Trojan horses, worms, back doors, and other sorts of malware. These blacklists can be useful in helping you keep such nuisances off your network.

A reader of the Security Matters blog asked which blacklists are used by the organization that I wrote about, so I thought I'd share those names here. The list of blacklist service providers is ordered based on the success rate of discovering blacklisted IP addresses:

sbl-xml.spamhaus.org
blackholes.five-ten-sg.com
dnsbl.sorbs.net
t1.dnsbl.net.au
bl.spamcop.net
no-more-funn.moensted.dk
sbl.csma.biz
cn-kr.blackholes.us
cbl.abuseat.org
multihop.dsbl.org
list.dsbl.org

Another type of blacklist filtering is simple Uniform Resource Identifier (URI) filtering. Message content is scanned to locate all URIs in the body. Then those URIs can be checked against URI blacklist services to see whether any belong to known spammers. At the time I conducted my tests, I knew of only one URI blacklist provider, Spam URI Realtime Blocklists (SURBL), whose DNS address is multi.surbl.org. Since then, I've learned about another URI blacklist service provider, URIBL.COM, whose DNS server address is multi.uribl.org. I just started using URIBL.COM last week, so I'm not yet sure how well it performs.

Keep in mind that blacklist filters can also produce false positives. However, most people agree that using a blacklist filter is highly effective. Other types of filters you might investigate or write your own scripts for are ones that check for weird spelling patterns (such as "s.A v.e. B 1 g.!!!") and SMTP header validators that check for standards compliance.

For an explanation of how blacklist filters work, see "Dynamic Blacklists Demystified," at the first URL below. For links to other articles about blacklist filters on our Web site, use the second URL below.
http://list.windowsitpro.com/t?ctl=22680:4FB69
http://list.windowsitpro.com/t?ctl=2266F:4FB69

Jeff Makey publishes a monthly report that shows which IP blacklist services perform best for his environment. Bookmark his report page URL (listed below) and check out the report once in a while--over time, you might learn about new IP blacklist service providers that you didn't know existed.
http://list.windowsitpro.com/t?ctl=22684:4FB69

====================

==== Sponsor: St.Bernard Software ====

Filtering the Spectrum of Internet Threats: Defending Against Inappropriate Content, Spyware, IM, and P2P at the Perimeter

Because of the proliferation of Web-based threats, you can no longer rely on basic firewalls as your sole network protection. Attackers continue to evolve clever methods for reaching victims, such as sending crafty Web links through Instant Messaging (IM) clients or email, or by simply linking to other Web sites that your employees might surf. This free white paper examines the threats of allowing unwanted or offensive content into your network and describes the technologies and methodologies to combat these types of threats. Get your free copy now!
http://list.windowsitpro.com/t?ctl=22670:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=22676:4FB69

Over 45,000 New Malware Threats Discovered in 2005
According to Panda Software, more than 123 new malware threats were discovered every day in 2005. That adds up to more than 45,000 new malware threats being discovered last year. The figures represent a 240 percent increase over 2004, in which some 13,000 new threats were recorded by the company. Panda thinks there's a specific reason for the trend.
Read about it in this news article on our Web site.
http://list.windowsitpro.com/t?ctl=2267F:4FB69

Phishing Sites Increase Significantly in December 2005
The Anti-Phishing Working Group (APWG) published its Phishing Activity Trends Report for December 2005. According to data gathered by the group, more than 7197 new phishing sites were created in December 2005 and attacks are becoming more sophisticated.
http://list.windowsitpro.com/t?ctl=2267C:4FB69

Combining LogParser and Sed
Scrolling through the Windows event logs for specific information can be burdensome, and most administrators probably review the logs only when something bad happens or when something is broken. In this article on our Web site, Jeff Fellinge shows a method for extracting interesting data from event logs by using LogParser and parsing the data by using Sed.
http://list.windowsitpro.com/t?ctl=2267D:4FB69

====================

==== Resources and Events ====

Dev Connections provides world-class education for developers, architects, DBAs, and IT professionals.
*WinConnections (2 conferences for the price of 1): April 9-12, 2006, Orlando, Florida, http://list.windowsitpro.com/t?ctl=22687:4FB69
*DevConnections (4 conferences for the price of 1): April 2-5, 2006, Orlando, Florida, http://list.windowsitpro.com/t?ctl=22688:4FB69
*DevConnections Europe coming to Nice, France, April 24-27, 2006. EARLY BIRD SPECIAL ends 1 March! http://list.windowsitpro.com/t?ctl=2267B:4FB69

Learn why new features in Windows Server 2003 R2, including large clustering, increased RAM, and 64-bit support, make it the ideal platform for your collaboration tools. Live event: March 28; 12:00 pm EST
http://list.windowsitpro.com/t?ctl=22671:4FB69

Find out what policies help or hurt in protecting your company's assets and data. View this on-demand seminar today!
http://list.windowsitpro.com/t?ctl=22672:4FB69

Learn how to leverage new features in SQL Server 2005 to extend your existing backup and restore capabilities.
View the on-demand Web seminar now!
http://list.windowsitpro.com/t?ctl=22673:4FB69

Implement real-time processes in your email and data systems--you could also win an iPod Nano!
http://list.windowsitpro.com/t?ctl=22675:4FB69

====================

==== Featured White Paper ====

Get the tips you need to prepare for and comply with the PCI Data Security Standard, including how to define the 12 major requirements and how those requirements affect IT.
http://list.windowsitpro.com/t?ctl=22674:4FB69

====================

==== Hot Spot ====

Cyclades AlterPath(TM) KVM/netPlus KVM over IP Switches
Cyclades AlterPath(TM) KVM/netPlus is the industry's first KVM solution to offer Cyclades AdaptiveKVM(TM) technology that combines Microsoft(R) Remote Desktop Protocol (RDP) functionality with KVM over IP access. Download Cyclades AdaptiveKVM white paper at www.cyclades.com/wit and visit us at FOSE 2006 Washington, D.C., March 7-9, Booth 2807.
http://list.windowsitpro.com/t?ctl=22689:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: How to Nip a Little More Spam in the Bud
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=22683:4FB69

Most spam filtering systems do a good job of tagging spam, but many can be tweaked for better detection and better performance. I ran a test on more than 254,000 email messages to see which filters work best. My tests were conducted against live incoming email on a legitimate mail server. Read what I found in this blog article.
http://list.windowsitpro.com/t?ctl=2267E:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=22682:4FB69

Q: How can I use a script to delete a computer from a domain?

Find the answer at http://list.windowsitpro.com/t?ctl=22681:4FB69

Security Forum Featured Thread: Running WSUS
A forum participant would like to establish Windows Server Update Services (WSUS) on his Windows Server 2003 backup server.
He knows that WSUS requires Microsoft IIS and wonders whether he should use a dedicated server and whether there are any related security concerns. Join the discussion at
http://list.windowsitpro.com/t?ctl=2266E:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Announcements ====
(from Windows IT Pro and its partners)

VIP Subscribers have it all!
Become a VIP subscriber and get continuous, inside access to ALL the online resources published in Windows IT Pro, SQL Server Magazine, and the Exchange & Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get a valuable one-year print subscription to Windows IT Pro and two VIP CD-ROMs per year that contain the entire article database. Don't miss out--sign up now:
http://list.windowsitpro.com/t?ctl=22679:4FB69

Save 44% Off the Windows Scripting Solutions Newsletter
For a limited time, order Windows Scripting Solutions and SAVE up to $30 off the regular price. You'll get 12 helpful issues loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. You'll also get FREE, unlimited access to the full online scripting article database (more than 500 articles). Subscribe now:
http://list.windowsitpro.com/t?ctl=22677:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Block Bots and Other Web Malware
Websense announced enhanced features in Websense Web Security Suite 6.2 and Websense Web Security Suite--Lockdown Edition 6.2, which are scheduled to ship in Q2.
The new versions of the Web security and Web filtering software will block access to Web sites that host bot command-and-control centers, eliminate non-HTTP bot network traffic, block the launch and spread of bots, and extend protection to mobile employees. Websense also launched Websense Web Protection Services. Comprising three security services--SiteWatcher, BrandWatcher, and ThreatWatcher--Websense Web Protection Services give Websense Security Suite customers a view of their Web servers and external-facing Web sites and protection of customers' online brand. For more information, go to
http://list.windowsitpro.com/t?ctl=2268A:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com.

====================

==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=22686:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=2267A:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
From isn at c4i.org Fri Mar 3 05:29:59 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:29:59 -0600 (CST)
Subject: [ISN] Phones stolen in Iraq used for sex chatlines
Message-ID:

http://www.guardian.co.uk/Iraq/Story/0,,1721387,00.html

David Hencke
Westminster correspondent
March 2, 2006
The Guardian

It certainly was not part of Britain's plans to win the hearts and minds of the people of Iraq. But the Foreign Office has been apparently paying for an adult sex chatline in a Baghdad street for 17 months without knowing it.

The Foreign Office has had to tell MPs that an investigation into how a diplomat lost two satellite phones in Iraq has nothing to do with terrorism but more to do with a budding entrepreneur and a telephone porn network.

FO officials had already admitted that the lost phones had cost them £594,000 in unauthorised phone bills but it is now bracing itself for an extremely critical report from the Commons public accounts committee on how it came to pay phone bills, which at one stage hit £212,000 in one month, without asking questions.

Sir Michael Jay, permanent secretary at the FO, told MPs: "All the pattern of usage of these phones ... points to some kind of criminal activity ... It was almost as though they were taken and used as a kind of mobile phone booth at the end of the street where anybody could come along and use them.

"After that, they appear to have been used for a couple of scams based on what are known as personal numbers and premium numbers."

Sir Michael said the premium rate numbers were used for betting agencies or adult phone lines, and that one of the FO phones had been "on virtually full time with the person who is, as it were, making the call getting some benefit from it."

Sir Michael said initial inquiries had revealed a series of blunders. The phones were already activated when they were sent to Baghdad and they were not properly logged in - so no one realised at first that they had been stolen.
None of the bills were initially challenged until people realised the phones had gone missing. The rules at all embassies have now been changed and no phone is sent abroad already activated for use.

Edward Leigh, chairman of the committee, told him: "In terms of this mobile phone being on permanently at the end of a street in Iraq, that gives a whole new meaning to winning hearts and minds in Iraq, but it is quite serious."

Austin Mitchell, Labour MP for Great Grimsby, whose phone had been swiped and used to dial a betting agency, asked if the FO had tried to get its money back.

Since the disclosure, Richard Bacon, Tory MP for Norfolk South, has made further inquiries: "It appears that they haven't been able to find the culprit or trace the phone. You would have thought having spent hundreds of millions of pounds setting up a sophisticated listening centre at GCHQ it would be very easy to trace a satellite phone and who was operating it in Iraq. But it doesn't appear anything was done. It just beggars belief that the FO kept paying the bills."

Sir Michael has promised to try to get the money back. But so far the only thing FO staff appear to have done is to try to ring the premium rate number. Sir Michael told MPs they did not get a reply.
From isn at c4i.org Fri Mar 3 05:30:24 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:30:24 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-9
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-02-23 - 2006-03-02

This week : 66 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g., by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Peter Vreugdenhil has reported a vulnerability in Macromedia ShockWave Player, which can be exploited by malicious people to compromise a user's system.

For additional details please refer to the referenced Secunia advisory below.
Reference:
http://secunia.com/SA19009

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA18963] Mac OS X File Association Meta Data Shell Script Execution
2. [SA19009] Macromedia ShockWave Player ActiveX Installer Buffer Overflow
3. [SA16280] IBM Lotus Notes Multiple Vulnerabilities
4. [SA19013] WinACE RAR and TAR Directory Traversal Vulnerability
5. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
6. [SA18989] The Bat! Email Subject Header Buffer Overflow Vulnerability
7. [SA19014] Website Generator PHP Code Injection Vulnerability
8. [SA19010] StuffIt / ZipMagic Directory Traversal Vulnerability
9. [SA18990] ArGoSoft Mail Server Pro Multiple Vulnerabilities
10. [SA19001] iCal "Calendar Text" Script Insertion Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA19009] Macromedia ShockWave Player ActiveX Installer Buffer Overflow
[SA19067] Mail Transport System Professional Mail Relay Vulnerability
[SA19060] StoreBot 2002 Standard Edition "ShipMethod" Script Insertion
[SA19033] SPiD scan_lang_insert.php File Inclusion Vulnerability
[SA19024] Pentacle In-Out Board SQL Injection Vulnerabilities
[SA19019] StoreBot 2005 Professional Edition "Pwd" SQL Injection
[SA19001] iCal "Calendar Text" Script Insertion Vulnerability
[SA19043] bttlxeForum "err_txt" Cross-Site Scripting Vulnerability
[SA19025] Parodia "AG_ID" Cross-Site Scripting Vulnerability
[SA19013] WinACE RAR and TAR Directory Traversal Vulnerability
[SA19010] StuffIt / ZipMagic Directory Traversal Vulnerability
[SA19006] SpeedProject Products ZIP and JAR Directory Traversal
[SA19059] HP System Management Homepage Directory Traversal
[SA19077] M4 Project enigma-suite Default Account Password Weakness
[SA19057] Internet Explorer Iframe Folder Deletion Weakness

UNIX/Linux:
[SA19000] Mandriva update for metamail
[SA19071] Flex Unspecified Scanner Vulnerabilities
[SA19065] Debian update for gpdf
[SA19041] Sun Solaris update for Perl
[SA19036] iGENUS Webmail File Inclusion Vulnerability
[SA19030] Gentoo update for graphicsmagick
[SA19029] Debian update for bmv
[SA19021] Debian update for pdftohtml
[SA19016] Trustix update for sudo / tar
[SA19012] SUSE Updates for Multiple Packages
[SA19002] Zoo "fullpath()" File Name Handling Buffer Overflow
[SA18999] Ubuntu update for tar
[SA19046] NuFW TLS Socket Handling Denial of Service
[SA19038] SUSE update for kernel
[SA19035] Ubuntu update for postgresql
[SA19017] FreeBSD "nfsd" NFS Mount Request Denial of Service
[SA19015] Trustix update for postgresql
[SA19005] SUSE update for heimdal
[SA19042] Sun Solaris HSFS File System Privilege Escalation Vulnerability
[SA19027] Gentoo update for noweb

Other:
[SA19069] Thomson SpeedTouch 500 Series Cross-Site Scripting
[SA19037] Compex NetPassage WPE54G Denial of Service Vulnerability

Cross Platform:
[SA19058] RunCMS phpRPC Library Arbitrary Code Execution Vulnerability
[SA19055] PeHePe Membership Management System Two Vulnerabilities
[SA19047] ShoutLIVE Multiple Vulnerabilities
[SA19028] phpRPC Library Arbitrary Code Execution Vulnerability
[SA19020] freeForum Multiple Vulnerabilities
[SA19068] N8cms Cross-Site Scripting and SQL Injection Vulnerabilities
[SA19062] d3jeeb Pro "catid" SQL Injection Vulnerabilities
[SA19061] MyBB "comma" Parameter SQL Injection Vulnerability
[SA19056] sendcard Unspecified SQL Injection Vulnerabilities
[SA19053] DirectContact Directory Traversal Vulnerability
[SA19048] LanSuite LanParty Intranet System "fid" SQL Injection
[SA19045] EKINboard Multiple Vulnerabilities
[SA19044] CrossFire "oldsocketmode" Denial of Service Vulnerability
[SA19023] PwsPHP "sondage" Module SQL Injection Vulnerability
[SA19008] PEAR Auth DB / LDAP Multiple Injection Vulnerabilities
[SA19007] Calcium "EventText" Script Insertion Vulnerability
[SA19004] Simple Machines Forum "X-Forwarded-For" Script Insertion
[SA19003] iUser Ecommerce Unspecified Vulnerabilities
[SA19070] TOPo "gTopNombre" Parameter Cross-Site Scripting Vulnerability
[SA19066] CGI Calendar Cross-Site Scripting Vulnerabilities
[SA19052] MyPHPNuke Cross-Site Scripting Vulnerabilities
[SA19050] WordPress Cross-Site Scripting Vulnerabilities
[SA19039] PunBB "header.php" Cross-Site Scripting Vulnerability
[SA19031] JFacets "ProfileID" Profile Change Vulnerability
[SA19026] 4images "template" Parameter File Inclusion Vulnerability
[SA19014] Website Generator PHP Code Injection Vulnerability
[SA19011] PEAR Archive_Tar Directory Traversal Vulnerability
[SA19034] MySQL Query Logging Bypass Security Issue
[SA19018] Issue Dealer Unpublished Content Disclosure Weakness

========================================================================

5) Vulnerabilities Content Listing

Windows:
--
[SA19009] Macromedia ShockWave Player ActiveX Installer Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Peter Vreugdenhil has reported a vulnerability in Macromedia ShockWave Player, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19009/

--
[SA19067] Mail Transport System Professional Mail Relay Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-03-01

A vulnerability has been reported in Mail Transport System (MTS) Professional, which can be exploited by malicious people to use it as an open mail relay.

Full Advisory: http://secunia.com/advisories/19067/

--
[SA19060] StoreBot 2002 Standard Edition "ShipMethod" Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-01

KeyShore and Yog have reported a vulnerability in StoreBot 2002 Standard Edition, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19060/

--
[SA19033] SPiD scan_lang_insert.php File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-28

Nemesis Security Audit Group has discovered a vulnerability in SPiD, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/19033/

--
[SA19024] Pentacle In-Out Board SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-27

Mustafa Can Bjorn has discovered two vulnerabilities in Pentacle In-Out Board, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19024/

--
[SA19019] StoreBot 2005 Professional Edition "Pwd" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-03-01

KeyShore and Yog have reported a vulnerability in StoreBot 2005 Professional Edition, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19019/

--
[SA19001] iCal "Calendar Text" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-24

KeyShore and Yog have discovered a vulnerability in iCal, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/19001/

--
[SA19043] bttlxeForum "err_txt" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-01

runvirus has reported a vulnerability in bttlxeForum, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19043/

--
[SA19025] Parodia "AG_ID" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-02-28

KeyShore and Yog have reported a vulnerability in Parodia, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19025/

--
[SA19013] WinACE RAR and TAR Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Hamid Ebadi has discovered a vulnerability in WinACE, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19013/

--
[SA19010] StuffIt / ZipMagic Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Hamid Ebadi has reported a vulnerability in StuffIt and ZipMagic, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19010/

--
[SA19006] SpeedProject Products ZIP and JAR Directory Traversal

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Hamid Ebadi has reported a vulnerability in various SpeedProject products, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19006/

--
[SA19059] HP System Management Homepage Directory Traversal

Critical:    Less critical
Where:       From local network
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2006-03-01

A vulnerability has been reported in HP System Management Homepage, which can be exploited by malicious people to gain knowledge of potentially sensitive information.
Full Advisory: http://secunia.com/advisories/19059/

--
[SA19077] M4 Project enigma-suite Default Account Password Weakness

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-03-01

A weakness has been reported in M4 Project enigma-suite, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19077/

--
[SA19057] Internet Explorer Iframe Folder Deletion Weakness

Critical:    Not critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-28

cyber flash has discovered a weakness in Internet Explorer, which can be exploited by malicious people to trick users into deleting local folders.

Full Advisory: http://secunia.com/advisories/19057/

UNIX/Linux:
--
[SA19000] Mandriva update for metamail

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-23

Mandriva has issued an update for metamail. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19000/

--
[SA19071] Flex Unspecified Scanner Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-03-01

Some vulnerabilities have been reported in Flex, which have an unknown impact.

Full Advisory: http://secunia.com/advisories/19071/

--
[SA19065] Debian update for gpdf

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-02-28

Full Advisory: http://secunia.com/advisories/19065/

--
[SA19041] Sun Solaris update for Perl

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-01

Sun has issued an update for perl. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable Perl application.
Full Advisory: http://secunia.com/advisories/19041/

--
[SA19036] iGENUS Webmail File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-27

rgod has reported a vulnerability in iGENUS Webmail, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/19036/

--
[SA19030] Gentoo update for graphicsmagick

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-27

Gentoo has issued an update for graphicsmagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19030/

--
[SA19029] Debian update for bmv

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-28

Debian has issued an update for bmv. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19029/

--
[SA19021] Debian update for pdftohtml

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-02-28

Full Advisory: http://secunia.com/advisories/19021/

--
[SA19016] Trustix update for sudo / tar

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, DoS, System access
Released:    2006-02-27

Trustix has issued updates for sudo and tar. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, and malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory: http://secunia.com/advisories/19016/

--
[SA19012] SUSE Updates for Multiple Packages

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, DoS, System access
Released:    2006-02-27

SUSE has issued an update for multiple packages.
This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and HTTP response splitting attacks, cause a DoS (Denial of Service), and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19012/

--

[SA19002] Zoo "fullpath()" File Name Handling Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-02-24

Jean-Sébastien Guay-Leroux has discovered a vulnerability in zoo, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19002/

--

[SA18999] Ubuntu update for tar
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-02-23

Ubuntu has issued an update for tar. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's system.

Full Advisory: http://secunia.com/advisories/18999/

--

[SA19046] NuFW TLS Socket Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-02-28

A vulnerability has been reported in NuFW, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19046/

--

[SA19038] SUSE update for kernel
Critical: Less critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, DoS
Released: 2006-02-28

SUSE has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information, bypass certain security restrictions and cause a DoS (Denial of Service), and by malicious people to cause a DoS.
Full Advisory: http://secunia.com/advisories/19038/

--

[SA19035] Ubuntu update for postgresql
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-02-27

Ubuntu has issued an update for PostgreSQL. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19035/

--

[SA19017] FreeBSD "nfsd" NFS Mount Request Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-02-27

Evgeny Legerov has reported a vulnerability in FreeBSD, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19017/

--

[SA19015] Trustix update for postgresql
Critical: Less critical
Where: From local network
Impact: Privilege escalation, DoS
Released: 2006-02-27

Trustix has issued an update for postgresql. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory: http://secunia.com/advisories/19015/

--

[SA19005] SUSE update for heimdal
Critical: Less critical
Where: From local network
Impact: Privilege escalation, DoS
Released: 2006-02-27

SUSE has issued an update for heimdal. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19005/

--

[SA19042] Sun Solaris HSFS File System Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2006-02-27

A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.
Full Advisory: http://secunia.com/advisories/19042/

--

[SA19027] Gentoo update for noweb
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-02-27

Gentoo has issued an update for noweb. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory: http://secunia.com/advisories/19027/

Other:--

[SA19069] Thomson SpeedTouch 500 Series Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-28

Preben Nyløkken has reported a vulnerability in Thomson SpeedTouch 500 Series, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19069/

--

[SA19037] Compex NetPassage WPE54G Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-03-01

/dev/0id has reported a vulnerability in Compex NetPassage WPE54G, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19037/

Cross Platform:--

[SA19058] RunCMS phpRPC Library Arbitrary Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-02-27

James Bercegay has reported a vulnerability in RunCMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19058/

--

[SA19055] PeHePe Membership Management System Two Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-03-01

Yunus Emre Yilmaz has reported two vulnerabilities in PeHePe Membership Management System, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19055/

--

[SA19047] ShoutLIVE Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-02-27

Aliaksandr Hartsuyeu has reported some vulnerabilities in ShoutLIVE, which can be exploited by malicious people to conduct script insertion attacks and to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19047/

--

[SA19028] phpRPC Library Arbitrary Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-02-27

James Bercegay has reported a vulnerability in phpRPC, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19028/

--

[SA19020] freeForum Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-02-28

Aliaksandr Hartsuyeu has reported some vulnerabilities in freeForum, which can be exploited by malicious people to conduct script insertion attacks and to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19020/

--

[SA19068] N8cms Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-01

Liz0ziM has discovered some vulnerabilities in N8cms, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19068/

--

[SA19062] d3jeeb Pro "catid" SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-28

SAUDI has reported two vulnerabilities in d3jeeb Pro, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19062/

--

[SA19061] MyBB "comma" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-01

D3vil-0x1 has discovered a vulnerability in MyBB, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19061/

--

[SA19056] sendcard Unspecified SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-01

Sumit Siddharth has reported some vulnerabilities in sendcard, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19056/

--

[SA19053] DirectContact Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information
Released: 2006-02-28

Donato Ferrante has discovered a vulnerability in DirectContact, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory: http://secunia.com/advisories/19053/

--

[SA19048] LanSuite LanParty Intranet System "fid" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-02-27

x128 has discovered a vulnerability in LanSuite LanParty Intranet System, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19048/

--

[SA19045] EKINboard Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data
Released: 2006-02-28

Aliaksandr Hartsuyeu has reported some vulnerabilities in EKINboard, which can be exploited by malicious people to conduct SQL injection and script insertion attacks.
Full Advisory: http://secunia.com/advisories/19045/

--

[SA19044] CrossFire "oldsocketmode" Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-02-28

Luigi Auriemma has reported a vulnerability in CrossFire, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19044/

--

[SA19023] PwsPHP "sondage" Module SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2006-02-27

papipsycho has reported a vulnerability in PwsPHP, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19023/

--

[SA19008] PEAR Auth DB / LDAP Multiple Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-02-23

Matt Van Gundy has reported some vulnerabilities in PEAR Auth, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19008/

--

[SA19007] Calcium "EventText" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-24

KeyShore and KeyYog have discovered a vulnerability in Calcium, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/19007/

--

[SA19004] Simple Machines Forum "X-Forwarded-For" Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-24

Aliaksandr Hartsuyeu has reported a vulnerability in Simple Machines Forum, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19004/

--

[SA19003] iUser Ecommerce Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-02-23

Some vulnerabilities with unknown impacts have been reported in iUser Ecommerce.

Full Advisory: http://secunia.com/advisories/19003/

--

[SA19070] TOPo "gTopNombre" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-01

Yunus Emre Yilmaz has discovered a vulnerability in TOPo, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19070/

--

[SA19066] CGI Calendar Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-28

Revnic Vasile has discovered some vulnerabilities in CGI Calendar, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19066/

--

[SA19052] MyPHPNuke Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-02-27

Mustafa Can Bjorn has reported some vulnerabilities in MyPHPNuke, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19052/

--

[SA19050] WordPress Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2006-03-01

K4P0 has discovered two vulnerabilities in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19050/

--

[SA19039] PunBB "header.php" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-01

A vulnerability has been reported in PunBB, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19039/

--

[SA19031] JFacets "ProfileID" Profile Change Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-02-28

A vulnerability has been reported in JFacets, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19031/

--

[SA19026] 4images "template" Parameter File Inclusion Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-02-27

rgod has reported a vulnerability in 4images, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/19026/

--

[SA19014] Website Generator PHP Code Injection Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-02-24

Nemesis Security Audit Group has discovered a vulnerability in Website Generator, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19014/

--

[SA19011] PEAR Archive_Tar Directory Traversal Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-02-24

Hamid Ebadi has discovered a vulnerability in PEAR Archive_Tar, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19011/

--

[SA19034] MySQL Query Logging Bypass Security Issue
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-02-27

1dt.w0lf has discovered a security issue in MySQL, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19034/

--

[SA19018] Issue Dealer Unpublished Content Disclosure Weakness
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2006-02-28

A weakness has been reported in Issue Dealer, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19018/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Mar 3 05:27:47 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:27:47 -0600 (CST)
Subject: [ISN] Sourcefire Officials Hopeful Over Sale
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/03/02/AR2006030201907.html

By Ellen McCarthy
Washington Post Staff Writer
March 3, 2006

Executives of Sourcefire Inc., the Columbia company whose sale to an Israeli firm has been delayed pending a national security review, said yesterday that they believe the concerns surrounding the deal can be resolved.
In early October the information security firm announced an agreement to be acquired for $225 million by Check Point Software Technologies Ltd., the firm run by Israeli tech pioneer Gil Schwed. Though based in Ramat Gan, Israel, the firm has a U.S. headquarters in Redwood City, Calif., and is publicly traded on the Nasdaq Stock Market. The Sourcefire deal nevertheless has come under scrutiny, apparently because of the company's contracts with sensitive government clients, and is being investigated by the Committee on Foreign Investments in the United States. "I'm pretty stunned. Who would've figured 140 people in Columbia, Maryland, would be embroiled in a world controversy?" said Wayne Jackson, Sourcefire's chief executive. CFIUS is the interagency panel that is reviewing the potential purchase by a company from the United Arab Emirates of a British firm that operates U.S. ports. Five-year-old Sourcefire sells software that monitors computer networks for potential threats. About 13 percent of its revenue comes from federal clients, including civilian and defense agencies, Jackson said. Tony Fratto, a spokesman for the Treasury Department, which leads CFIUS, said, "Certain members of the committee have outstanding concerns that there's potential risks to national security were the transaction to proceed." Sourcefire is something of a darling of the local tech sector, in part because of its roots in the open-source community. The company was founded in 2001 by Martin Roesch, a programmer who started working on the basic product, "Snort," in an open-source forum that allows anyone to see the programming code and contribute to it. Though the product was eventually commercialized and Sourcefire brought in more than $30 million in revenue last year, the basic code remains freely available to anyone with an Internet connection. "What nobody's talking about is the fact that Snort, which is at the center of all this hubbub, is open source. . . . China could be using it. 
Iran could be using it. North Korea could be using it," Jackson said. "Nothing's being transferred except control, and those are issues that could certainly be addressed with the committee."

Because such investigations are often kept secret, even from the parties involved, executives of Sourcefire and Check Point may not know which aspects of the deal are raising red flags for regulators. The companies would not comment on the details of the investigation or on their discussions with government officials.

Still, Jackson said he is "confident that measures can be put in place to mitigate whatever risks the federal government believes might exist." He also said the firm will continue to serve its federal customers throughout the investigation, which is expected to conclude this month with a report to the president.

Check Point, the Israeli firm, manufactures a widely used firewall program and has a separate federal sales office to market to the U.S. government. It has acquired U.S. firms in the past, including San Francisco-based Zone Labs Inc. in 2004.

The Sourcefire deal is being closely watched regionally because it has a number of local investors, including Core Capital Partners LP of the District, New Enterprise Associates of Baltimore, and the Maryland Department of Business and Economic Development. Inflection Point Ventures of Newark, Del., and Sierra Ventures and Sequoia Capital, both of Menlo Park, Calif., also have invested in the firm. None of the venture capitalists would comment publicly on the investigation.

Ray Rice, a limited partner in Core Capital, said he is confident that Sourcefire will have a number of other suitors if the Check Point deal is killed. "Frankly, I can wait six more months," Rice said.

Jackson said the company is committed to seeing the Check Point acquisition through and is cooperating with the committee.

©
2006 The Washington Post Company

From isn at c4i.org Fri Mar 3 05:30:45 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:30:45 -0600 (CST)
Subject: [ISN] US man faces five years for hacking supervisor's PC
Message-ID:

http://www.theregister.co.uk/2006/03/02/us_education_hack/

By John Leyden
2nd March 2006

A former federal computer security expert faces a possible five year jail term after pleading guilty to hacking a US Department of Education computer.

Kenneth Kwak, 34, of Chantilly, Virginia, admitted snooping on his supervisor's email and internet surfing activities while employed as a system auditor for the US Department of Education. Kwak placed unspecified software on his boss's computer that allowed him to access files on the system without permission. He shared snippets gleaned from his repeated spying forays with colleagues around the office.

In a statement [1] the DoJ said: "Kwak carried out his crime and invaded his supervisor's privacy for personal entertainment; there is no indication he profited financially from his actions."

As part of a plea bargaining agreement, Kwak pleaded guilty to one count of unauthorised access to a protected computer during a hearing in the District of Columbia federal court before US District Judge Royce Lamberth on Wednesday. He faces a maximum of five years in jail and a fine of $250,000 over the offence. Sentencing has been set for 12 May.

The case was investigated by the Computer Crime Investigations Division of the Department of Education's Inspector General's Office. Kwak's prosecution was carried out as part of the "zero-tolerance policy" recently adopted by the US Attorney's office over computer hacking offences. ®
[1] http://releases.usnewswire.com/GetRelease.asp?id=61702

From isn at c4i.org Fri Mar 3 05:31:12 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:31:12 -0600 (CST)
Subject: [ISN] OMB: Agency compliance with cybersecurity law improving
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=33498

By Daniel Pulliam
dpulliam at govexec.com
March 2, 2006

Agencies improved slightly in fiscal 2005 at meeting computer security standards, according to a report released Wednesday by the Office of Management and Budget.

The percentage of agency information technology systems certified and accredited rose from 77 percent in fiscal 2004 to 85 percent in 2005, just short of an administration goal of 90 percent, OMB stated. Furthermore, the number of systems with tested contingency plans increased from 57 percent to 61 percent over that same period, the report to Congress [1] on the implementation of the 2002 Federal Information Security Management Act found.

The number of agency IT systems also grew in that time, rising 19 percent from 8,623 to 10,289. Contractors or other non-government organizations manage 1,105 of those systems on behalf of the government.

The Defense Department, which houses 3,583 IT systems, went from 58 percent of systems certified and accredited to 82 percent, though the Pentagon inspector general gave the department a "poor" certification and accreditation rating in the OMB report. The Veterans Affairs Department, which reported 14 percent of its systems as certified and accredited in fiscal 2004, reported that all 585 of its systems were certified and accredited the next year.

None of the inspectors general rated the certification and accreditation process as failing, but eight rated it as "poor." Four agency inspectors general rated it as "good," while the Social Security Administration IG was the only one to rate it as "excellent."
Included in the report were goals needed to maintain a "green" status -- the highest available grade -- in e-government on the Bush administration's quarterly management score card. They involved certifying and accrediting all IT systems by July 1, 2006, installing and maintaining all systems with proper security configurations and including continuity of operations provisions in the agency's infrastructure. In fiscal 2005, agencies for the first time assigned risk levels to IT systems, with 1,646 categorized as "high impact" and another 2,497 as "moderate impact," the OMB report noted. Eighty-eight percent of those rated as "high impact" were certified and accredited, it said. Richard Tracy, chief technology and security officer of the Telos Corp., an IT contractor, said he was pleased to see that agencies were not "picking the low hanging fruit" by certifying and accrediting the low-impact systems in order to improve their cybersecurity scores. He said agencies are spending significant resources on the certification and accreditation process in order to improve the grades, but added that he would be curious to know whether they'll be able to continue monitoring the systems once FISMA compliance is reached. OMB highlighted the oversight of contractor systems as a reason for "strategic and continued management attention" and asked agency inspectors general to confirm that systems operated by contractors meet FISMA requirements. Inspectors general for the Pentagon and the Homeland Security and State departments told OMB their agencies "rarely" conduct oversight of contractor-operated IT systems. Inspectors for NASA and the Agriculture and Health and Human Services departments said their agencies "sometimes" oversee IT systems operated by contractors. Another area for concern according to OMB is the number of systems with tested security controls, which dropped from 76 percent in fiscal 2004 to 72 percent in fiscal 2005. 
Agencies' handling of incident reporting drew concern from OMB as well, with DHS finding "sporadic reporting by some agencies and unusually low levels of reporting by others." "Less than full reporting hampers the government's ability to know whether an incident is isolated at one agency or is part of a larger event," the OMB report stated. Agencies' process for planning, implementing and evaluating deficient IT security policies -- known as POA&M -- drew concern because of ineffective processes at the Defense, Agriculture, DHS and the Interior, Transportation and Treasury departments. House Government Reform Committee staffers still are reviewing the report, according to Drew Crockett, spokesman for the panel's chairman, Rep. Tom Davis, R-Va. The committee is scheduled to release its annual cybersecurity grades and discuss the OMB report at a March 16 hearing with Karen Evans, administrator of OMB's Office of Electronic Government and Information Technology, testifying, Crockett said in a statement. [1] http://www.whitehouse.gov/omb/inforeg/reports/2005_fisma_report_to_congress.pdf From isn at c4i.org Fri Mar 3 05:31:55 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 3 Mar 2006 04:31:55 -0600 (CST) Subject: [ISN] Apple Fixes Critical Safari Bug, 16 Other Flaws Message-ID: http://www.informationweek.com/news/showArticle.jhtml;?articleID=181500394 By Gregg Keizer March 2, 2006 Apple Computer on Wednesday released its first security update of 2006 to patch 17 bugs, including a critical flaw in the Safari browser and a gaffe in iChat that was used by the first Mac OS X worm to infect Macintosh machines. The update, dubbed Security Update 2006-001, comes just over a week after news broke of a critical flaw in the operating system and the Safari Web browser, leading to intense defense of Mac security by Apple users. 
The Safari vulnerability could let attackers hijack a Mac simply by enticing its user to a malicious Web site in a so-called "drive-by download" that's a common menace to Windows users but unheard of in the Mac world. The problem stemmed from Safari's (and Mac OS X's) trust of certain file types, specifically ZIP archives. Attackers could pack a ZIP with malicious scripts that the Mac would automatically run, the German firm Heise Security said last week.

"This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9)," Apple's alert read.

The speed with which Apple patched the vulnerability may impress Windows users -- who are used to waiting weeks if not months for fixes from Microsoft -- but it's not unusual, said Mike Murray, director of research at vulnerability management vendor nCircle.

"There are a couple of reasons why Apple could patch this so quickly," said Murray. "First of all, Safari's based on open-source code, and that code is pretty well understood. Second, the vulnerability didn't seem that complex."

The biggest factor in Apple's quick turnaround, however, has nothing to do with the Safari code or the bug.

"Internet Explorer is tied into the core of the [Windows] operating system," Murray said. "If you change IE, something could break on the OS. The QA cycle has to be much longer, since one little change could break the whole damn thing.

"But Safari is a stand-alone browser, like Firefox. If a patch introduces a bug in Safari, big deal. It's not affecting the [Mac] OS."

That's the reason why Apple could put together a patch within a week, and why, Murray added, Firefox developers can do the same when vulnerabilities are found in that cross-platform browser.

"Microsoft's strategy of tying the browser into the operating system has made it so much more difficult to patch," Murray added.
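The "download validation" Apple describes comes down to two checks a launcher can make before it auto-opens anything from an archive: does the member's content match what its extension claims, and does it arrive with an executable bit set? The Python below is an added illustration of those two checks and is not Apple's code, nor the exact logic shipped in Security Update 2006-001; the list of "safe" extensions and the magic-byte table are assumptions chosen for the example. It builds a constructed ZIP in memory containing a shell script named like a JPEG and reports it.

```python
import io
import os
import stat
import zipfile
from typing import Dict, List, Optional

# Extensions a desktop might treat as "safe" to open without asking.
# Assumed illustrative set, not Apple's list.
SAFE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf"}

# Leading bytes that mark executable content regardless of the file name.
EXECUTABLE_MAGICS = {
    b"#!": "script with shebang",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O (32-bit, big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O (32-bit, little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O (64-bit, big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O (64-bit, little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary (or Java class)",
    b"MZ": "PE/DOS executable",
}


def content_type_of(data: bytes) -> Optional[str]:
    """Label the content as executable if it starts with a known magic, else None."""
    for magic, label in EXECUTABLE_MAGICS.items():
        if data.startswith(magic):
            return label
    return None


def check_member(name: str, data: bytes, unix_mode: int) -> List[str]:
    """Findings for one archive member: name/content mismatch and stray exec bits."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    exec_label = content_type_of(data)
    if exec_label and ext in SAFE_EXTENSIONS:
        findings.append("claims %s but content is %s" % (ext, exec_label))
    if unix_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable bit set (mode %s)" % oct(unix_mode & 0o777))
    return findings


def validate_archive(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Inspect every member of a ZIP; return {member name: findings} for suspicious ones."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # For archives written on Unix, the high 16 bits of external_attr
            # carry the st_mode the creator stored for the member.
            unix_mode = (info.external_attr >> 16) & 0o7777
            head = zf.read(info.filename)[:64]  # magic bytes sit at the start
            findings = check_member(info.filename, head, unix_mode)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_archive() -> bytes:
    """Constructed sample: a disguised script, a real PNG header, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name, data, mode):
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3  # Unix, so external_attr carries the mode
            zi.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(zi, data)
        add("holiday.jpg", b"#!/bin/sh\necho 'this would run'\n", 0o755)
        add("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, 0o644)
        add("readme.txt", b"Just text.\n", 0o644)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in validate_archive(build_sample_archive()).items():
        print(member)
        for finding in findings:
            print("  -", finding)
```

Magic-byte sniffing is a heuristic, so the safe policy is the one Apple chose for 10.3.9: a member that fails either check is not opened automatically, and the user is asked. The check also only works if the archive is inspected before anything in it is handed to a launcher.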
Apple's e-mail client has also been patched so that it will warn the user when a malicious attachment may be trying to disguise itself as a "safe" file type.

Safari accounted for 4 of the 17 fixes, including one in its RSS implementation. All four were serious -- judged "critical" by Danish vulnerability tracker Secunia -- since they allowed for remote code or script execution.

The update also fixes iChat, Apple's instant messaging client, so IM threats such as the recent OSX/Leap.a worm could be blocked. Leap.a was the first-ever Mac OS X worm. "With this update, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers," Apple said in the alert.

Other patches in the update fixed a problem with the PHP programming language within the Apache server module, solved two issues in Apple's Directory Services, corrected a potential problem mounting malicious network servers, and quashed bugs in FileVault and IPSec within virtual private network (VPN) sessions.

Although the new Intel-based Macs have been issued an operating system update since they debuted in January -- from 10.4.4 to the current 10.4.5 -- this was the first security fix released for those machines. Separate downloads are available on Apple's download site for Mac OS X 10.3.9 (Panther) clients and servers, as well as Mac OS X 10.4.5 (Tiger) Intel and PowerPC editions. Mac users who have Software Update enabled will automatically receive the update.

Copyright © 2005 CMP Media LLC

From isn at c4i.org Mon Mar 6 05:30:40 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Mar 2006 04:30:40 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - March 3rd 2006
Message-ID:

+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| March 3rd 2006 Volume 7, Number 10a |
+---------------------------------------------------------------------+

Editors: Dave Wreski Benjamin D.
Thomas dave at linuxsecurity.com ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for gpdf, pdftohtml, tutos, bmv, xpdf, module-init-tools, udev, gnupg, gawk, dhcp, system-config-netboot, xterm, GraphicsMagick, noweb, metamail, mplayer, squirrelmail, unzip, gettext, tar, heimdal, and liby2util. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.

----

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

----

ARC: A Synchronous Stream Cipher from Hash Functions
By: Angelo P. E. Rosiello and Roberto Carrozzo

Abstract

We consider a simple and secure way to realize a synchronous stream cipher from iterated hash functions. It is similar to the OFB mode, where the underlying block cipher algorithm is replaced with the keyed hash function, adopting the secret suffix method [20]. We analyzed the key, the keystream and the necessary properties to assume from the underlying hash function for the stream cipher to be considered secure.
Motivated by our analysis we conjecture that the most effcient way to break the proposed stream cipher is to break the hash function or through exhaustive search for the keyspace K of k bits, that requires O(2k) operations. Keywords : stream cipher, key, keystream, one-time pad cryptosystem, hash function, keyed hash function. 1.1 Algorithm Requirements The algorithm should have a flat keyspace allowing any random bit string to be a possible key. The algorithm should make easier the key-management for software implementations. The typed password should not become directly the key, else the actual keyspace is limited to keys constructed with the 95 characters of printable ASCII1. The algorithm should be easily modifiable satisfying minimum or maximum requirements. Moreover, according to basic engineering software theories, the algorithm does not have to bind developers with static u se of pre-defined logical block functions, but it is important to let wide alternatives during the implementation of the software[13, 17]. The algorithm should be simple to code, otherwise programmers could make implementation mistakes if the structure is too complicated[13]. 1.2 Areas of Application Nowadays encrypting information has become a 'must', which means that a good crypto algorithm must give to the community the possibility to manage safe data. Practical applications pertain to: * Bulk Encryption: data files or a continuous data stream (e.g. important information saved on hardisks such as databases or any kind of secret document); * Data Transmission: a lot of communication mediums need a secure way to crypt exchanged information (e.g. Internet packets, wireless connections, radio signals, etc.); * Small Encryption: banks and commercial companies need secure encryption methodologies to interact with customers by small encryption technologies. Definitely, a good algorithm should be suitable for lots of disparate situations. 
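The construction the abstract describes, as an added example that is not the paper's code or the ARC specification: an OFB-style keystream generator whose block cipher is replaced by a keyed hash. The keyed function here is SipHash-2-4, an assumed stand-in (the paper keys an unkeyed hash with the secret-suffix method H(data || K); SipHash takes its 128-bit key natively, so the call would be H(state || K) in the paper's setting). Key bytes, nonces, messages and the function names are constructed for the demonstration. SipHash is a 64-bit PRF built for hash tables, so this shows the construction and its nonce-reuse failure mode, not a cipher to deploy; for real traffic a vetted stream cipher such as ChaCha20 is the practical choice.

```c
/* Added example (not the ARC paper's code): OFB-style stream cipher from a
 * keyed hash. SipHash-2-4 is an assumed stand-in for the paper's keyed hash;
 * key, nonce and messages are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND                                                    \
  do {                                                              \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);   \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                        \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                        \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);   \
  } while (0)

static uint64_t load64_le(const uint8_t *p) {
  uint64_t v = 0;
  for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
  return v;
}
static void store64_le(uint8_t *p, uint64_t v) {
  for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* SipHash-2-4 (reference algorithm): 128-bit key, 64-bit output. */
uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t inlen) {
  uint64_t k0 = load64_le(key), k1 = load64_le(key + 8);
  uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
  uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
  size_t full = inlen & ~(size_t)7;
  for (size_t i = 0; i < full; i += 8) {        /* compression: c = 2 rounds per word */
    uint64_t m = load64_le(in + i);
    v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
  }
  uint64_t b = (uint64_t)inlen << 56;           /* last word: tail bytes + length byte */
  for (size_t i = full; i < inlen; i++) b |= (uint64_t)in[i] << (8 * (i - full));
  v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
  v2 ^= 0xff;                                    /* finalization: d = 4 rounds */
  SIPROUND; SIPROUND; SIPROUND; SIPROUND;
  return v0 ^ v1 ^ v2 ^ v3;
}

/* Known-answer check against the SipHash paper's vectors (key 00..0f). */
int siphash24_selftest(void) {
  uint8_t key[16], msg[15];
  for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;
  for (int i = 0; i < 15; i++) msg[i] = (uint8_t)i;
  return siphash24(key, msg, 0) == 0x726fdb47dd0e0e31ULL &&
         siphash24(key, msg, 15) == 0xa129ca6149be45e5ULL;
}

/* OFB keystream: s0 = nonce, s_i = PRF_K(s_{i-1}), keystream = s1 || s2 || ...
 * The feedback input is the previous output, never the data, so encryption
 * and decryption are the same XOR and one routine serves both directions. */
void hash_ofb_crypt(const uint8_t key[16], uint64_t nonce,
                    const uint8_t *in, uint8_t *out, size_t len) {
  uint64_t state = nonce;
  uint8_t block[8];
  for (size_t off = 0; off < len; off += 8) {
    store64_le(block, state);
    state = siphash24(key, block, 8);
    store64_le(block, state);
    size_t n = len - off < 8 ? len - off : 8;
    for (size_t i = 0; i < n; i++) out[off + i] = in[off + i] ^ block[i];
  }
}

/* Round trip under a constructed key and nonce; 1 on success. */
int roundtrip_ok(const char *msg) {
  uint8_t key[16], ct[64], pt[64];
  size_t len = strlen(msg);
  if (len > sizeof ct) return 0;
  for (int i = 0; i < 16; i++) key[i] = (uint8_t)(0xA0 + i);
  hash_ofb_crypt(key, 0x1122334455667788ULL, (const uint8_t *)msg, ct, len);
  hash_ofb_crypt(key, 0x1122334455667788ULL, ct, pt, len);
  return memcmp(pt, msg, len) == 0;
}

/* The failure mode of every synchronous stream cipher: reusing (key, nonce)
 * gives c1 ^ c2 == m1 ^ m2, so knowing one plaintext reveals the other.
 * Returns 1 if the two ciphertexts leak the plaintext XOR byte for byte. */
int nonce_reuse_leaks(const char *m1, const char *m2) {
  uint8_t key[16], c1[64], c2[64];
  size_t len = strlen(m1) < strlen(m2) ? strlen(m1) : strlen(m2);
  if (len > sizeof c1) return 0;
  for (int i = 0; i < 16; i++) key[i] = (uint8_t)(0xA0 + i);
  hash_ofb_crypt(key, 42, (const uint8_t *)m1, c1, len);   /* same nonce twice */
  hash_ofb_crypt(key, 42, (const uint8_t *)m2, c2, len);
  for (size_t i = 0; i < len; i++)
    if ((c1[i] ^ c2[i]) != ((uint8_t)m1[i] ^ (uint8_t)m2[i])) return 0;
  return 1;
}

int main(void) {
  printf("siphash KAT: %s\n", siphash24_selftest() ? "ok" : "FAILED");
  printf("roundtrip:   %s\n", roundtrip_ok("attack at dawn") ? "ok" : "FAILED");
  printf("nonce reuse leaks m1^m2: %d\n", nonce_reuse_leaks("attack at dawn", "retreat now"));
  return 0;
}
```

Two things the abstract's "synchronous" wording implies are visible in the code: the keystream depends only on (key, nonce), so both ends must agree on the nonce and never reuse one under the same key, and the value fed back is the previous hash output rather than ciphertext, which is what makes the mode OFB rather than CFB. The self-test vectors are the SipHash paper's published ones; the roundtrip and reuse checks use values constructed here.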
Read Full Paper
http://www.linuxsecurity.com/images/stories/arc-hash.pdf

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operation. A full explanation of Unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information overflows into adjacent memory, corrupting or overwriting the valid data held there; when that memory holds control data such as a saved return address, the overflow becomes a code-execution bug rather than a crash.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New gpdf packages fix several vulnerabilities
  27th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121760

* Debian: New pdftohtml packages fix several vulnerabilities
  28th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121765

* Debian: New tutos package fixes several vulnerabilities
  2nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121790

* Debian: New bmv packages fix arbitrary code execution
  2nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121791

* Debian: New xpdf packages fix several problems
  2nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121792

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: module-init-tools-3.2-0.pre9.0.FC4.4
  23rd, February, 2006
  This module-init-tools adds a stub /etc/modprobe.conf.dist which is included by older /etc/modprobe.conf config files. This avoids the printing of a warning. Matrox framebuffer modules are also not autoloaded with this version.
  http://www.linuxsecurity.com/content/view/121727

* Fedora Core 4 Update: udev-071-0.FC4.3
  23rd, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121728

* Fedora Core 4 Update: gnupg-1.4.2.1-3
  24th, February, 2006
  The previous update, to version 1.4.2.1, could produce errors when gpg attempted to read certain keyrings produced by earlier versions of GnuPG. This update includes a fix for that bug.
  http://www.linuxsecurity.com/content/view/121740

* Fedora Core 4 Update: gawk-3.1.4-5.4
  24th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121741

* Fedora Core 4 Update: util-linux-2.12p-9.14
  27th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121759

* Fedora Core 4 Update: dhcp-3.0.2-34.FC4
  1st, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121787

* Fedora Core 4 Update: system-config-netboot-0.1.38-2_FC4
  1st, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121788

* Fedora Core 4 Update: xterm-208-2.FC4
  1st, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121789

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: GraphicsMagick Format string vulnerability
  26th, February, 2006
  A vulnerability in GraphicsMagick allows attackers to crash the application and potentially execute arbitrary code.
  http://www.linuxsecurity.com/content/view/121750

* Gentoo: noweb Insecure temporary file creation
  26th, February, 2006
  noweb is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.
  http://www.linuxsecurity.com/content/view/121751

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated metamail packages fix vulnerability
  23rd, February, 2006
  Ulf Harnhammar discovered a buffer overflow vulnerability in the way that metamail handles certain mail messages. An attacker could create a carefully-crafted message that, when parsed via metamail, could execute arbitrary code with the privileges of the user running metamail.
  http://www.linuxsecurity.com/content/view/121722

* Mandriva: Updated mplayer packages fix integer overflow vulnerabilities
  24th, February, 2006
  Multiple integer overflows in (1) the new_demux_packet function in demuxer.h and (2) the demux_asf_read_packet function in demux_asf.c in MPlayer 1.0pre7try2 and earlier allow remote attackers to execute arbitrary code via an ASF file with a large packet length value. The updated packages have been patched to prevent this problem.
  http://www.linuxsecurity.com/content/view/121749

* Mandriva: Updated squirrelmail packages fix vulnerabilities
  27th, February, 2006
  Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. (CVE-2006-0188)
  http://www.linuxsecurity.com/content/view/121763

* Mandriva: Updated unzip packages fix vulnerabilities
  28th, February, 2006
  A buffer overflow was found in how unzip handles file name arguments. If a user could be tricked into processing a specially crafted, excessively long file name with unzip, an attacker could execute arbitrary code with the user's privileges.
  http://www.linuxsecurity.com/content/view/121764

* Mandriva: Updated gettext packages fix temporary file vulnerabilities
  28th, February, 2006
  The Trustix developers discovered temporary file vulnerabilities in the autopoint and gettextize scripts, part of GNU gettext. These scripts insecurely created temporary files which could allow a malicious user to overwrite another user's files via a symlink attack. The updated packages have been patched to address this issue.
  http://www.linuxsecurity.com/content/view/121776

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: tar security update
  1st, March, 2006
  An updated tar package that fixes a buffer overflow bug is now available for Red Hat Enterprise Linux 4. This update has been rated as having Moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121781

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: Subject: [suse-security-announce] SuSE Security Announcement: heimdal (SUSE-SA:2006:010)
  24th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121738

* SuSE: Subject: [suse-security-announce] SuSE Security Announcement: heimdal (SUSE-SA:2006:011)
  24th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121739

* SuSE: kernel various security problems
  27th, February, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121756

* SuSE: gpg,liby2util signature checking
  1st, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121777

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
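The overflow advisories in this issue (metamail, tar, unzip's overlong file-name argument, MPlayer's large ASF packet length) and the Buffer Overflow Basics blurb describe two distinct mistakes: an unbounded copy into a fixed buffer, and a size computation that wraps before the allocation. As an added example that is not any of those projects' code, here are both patterns beside their bounded forms; the 64-byte name field, the 16-byte header, the 16 MiB packet limit, the sample headers and the function names are all assumptions made for the demonstration.

```c
/* Added example (not unzip's, tar's or MPlayer's code): the two length-handling
 * bugs behind this week's overflow advisories, each beside a bounded version.
 * Buffer size, header length, packet limit and sample inputs are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF_LEN 64          /* fixed-size field, as for a file-name argument */
#define PKT_HDR_LEN  16u         /* bookkeeping added to each payload allocation */
#define PKT_MAX_LEN  (1u << 24)  /* largest packet the format could plausibly carry */

/* 1. Classic overflow: strcpy() writes strlen(src)+1 bytes no matter how large
 * the destination is, so a long file name runs past `name` into the adjacent
 * stack slots (saved registers, the return address). Shown as the pattern to
 * recognise; it is never called with hostile input here. */
void copy_name_unbounded(const char *src) {
  char name[NAME_BUF_LEN];
  strcpy(name, src);                           /* BUG: no length check */
  (void)name;
}

/* Hardened: refuse anything that does not fit together with its terminator. */
int copy_name_bounded(char *dst, size_t dst_len, const char *src) {
  size_t n = strlen(src);
  if (n >= dst_len) return -1;
  memcpy(dst, src, n + 1);
  return 0;
}

/* Does a name of `n` characters survive the bounded copy? 1 yes, 0 no. */
int name_of_length_fits(size_t n) {
  char dst[NAME_BUF_LEN], src[512];
  if (n >= sizeof src) return -1;
  memset(src, 'A', n);
  src[n] = '\0';
  return copy_name_bounded(dst, sizeof dst, src) == 0;
}

/* 2. Integer overflow in an allocation size: the packet length is a 32-bit
 * field read from the file. Adding the header in 32-bit arithmetic wraps for
 * large values, malloc() gets a tiny block, and the subsequent copy of
 * pkt_len bytes overruns the heap chunk. Kept as pure arithmetic here. */
uint32_t packet_alloc_size_wrapping(uint32_t pkt_len) {
  return pkt_len + PKT_HDR_LEN;                /* BUG: wraps past UINT32_MAX */
}

/* Hardened: reject lengths the format cannot carry, then rule out the wrap
 * before doing the addition. Returns 0 and sets *out on success, -1 otherwise. */
int packet_alloc_size_checked(uint32_t pkt_len, uint32_t *out) {
  if (pkt_len > PKT_MAX_LEN) return -1;
  if (pkt_len > UINT32_MAX - PKT_HDR_LEN) return -1;
  *out = pkt_len + PKT_HDR_LEN;
  return 0;
}

/* Parse a little-endian 32-bit length from a 4-byte header and allocate for it
 * the checked way; returns the allocation size, or 0 when the length is rejected. */
uint32_t read_packet_checked(const uint8_t hdr[4]) {
  uint32_t pkt_len = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
                     ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
  uint32_t total;
  if (packet_alloc_size_checked(pkt_len, &total) != 0) return 0;
  uint8_t *buf = malloc(total);
  if (buf == NULL) return 0;
  free(buf);
  return total;
}

int main(void) {
  const uint8_t crafted[4] = {0xF8, 0xFF, 0xFF, 0xFF};  /* constructed: length 0xFFFFFFF8 */
  const uint8_t normal[4]  = {0xE8, 0x03, 0x00, 0x00};  /* constructed: length 1000 */
  printf("wrapping size for 0xFFFFFFF8: %u bytes\n", packet_alloc_size_wrapping(0xFFFFFFF8u));
  printf("checked parse of crafted header: %u\n", read_packet_checked(crafted));
  printf("checked parse of normal header: %u\n", read_packet_checked(normal));
  printf("63-char name fits: %d, 64-char name fits: %d\n",
         name_of_length_fits(63), name_of_length_fits(64));
  return 0;
}
```

With the crafted header the wrapping computation yields 8 bytes for a packet that claims to be 4 GiB, which is exactly the undersized heap chunk the MPlayer advisory describes. The `pkt_len > UINT32_MAX - PKT_HDR_LEN` comparison is the guard that has to come before the addition; a format-specific upper bound is cheap and stops most crafted lengths earlier, and it is also the check that survives if the field width changes later.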
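The noweb and gettext entries both describe the same local bug: a temporary file created under a predictable name in a shared directory, which a local user can pre-create as a symlink so the victim's write lands in a file of the attacker's choosing. As an added example that is not either project's code, the block below stages that attack in a private directory and shows the two POSIX idioms that close it; the directory, file names and contents are constructed for the demonstration and the function names are mine.

```c
/* Added example (not gettext's or noweb's code): a predictable temporary file
 * name turned into a symlink attack, beside the two POSIX idioms that close it.
 * Everything is staged under a private mkdtemp() directory; names and contents
 * are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable idiom: a guessable name and O_CREAT without O_EXCL. If the attacker
 * has already planted `path` as a symlink to a file the victim may write, open()
 * follows the link and the victim's data overwrites the target. */
int open_tmp_predictable(const char *path) {
  return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Fix 1: demand a brand-new file and refuse to follow a link. A planted symlink
 * (or any pre-existing file) makes this fail with EEXIST (or ELOOP). */
int open_tmp_exclusive(const char *path) {
  return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Fix 2: let the C library pick an unpredictable name and create it atomically;
 * the template must end in XXXXXX and is overwritten with the chosen name. */
int open_tmp_mkstemp(char *template_inout) {
  return mkstemp(template_inout);
}

static int write_str(int fd, const char *s) {
  ssize_t w = write(fd, s, strlen(s));
  return w == (ssize_t)strlen(s) ? 0 : -1;
}

static int read_file(const char *path, char *buf, size_t n) {
  int fd = open(path, O_RDONLY);
  if (fd < 0) return -1;
  ssize_t r = read(fd, buf, n - 1);
  close(fd);
  if (r < 0) return -1;
  buf[r] = '\0';
  return 0;
}

/* Stage the attack and report: 1 if the predictable opener wrote through the
 * symlink into the victim file while both fixes behaved, 0 if not, -1 on setup error. */
int demo_symlink_attack(void) {
  char dir[] = "/tmp/symdemo.XXXXXX";
  if (mkdtemp(dir) == NULL) {
    strcpy(dir, "./symdemo.XXXXXX");            /* fall back to the working directory */
    if (mkdtemp(dir) == NULL) return -1;
  }
  char target[128], link[128], tmpl[128], buf[32];
  snprintf(target, sizeof target, "%s/victim-config", dir);
  snprintf(link, sizeof link, "%s/app.tmp", dir);   /* the predictable name */
  snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir);

  /* victim's file, then the attacker's symlink sitting at the predictable name */
  int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
  if (fd < 0 || write_str(fd, "original\n") != 0) return -1;
  close(fd);
  if (symlink(target, link) != 0) return -1;

  /* vulnerable victim: the write lands in victim-config, not in a temp file */
  fd = open_tmp_predictable(link);
  if (fd >= 0) { write_str(fd, "clobbered\n"); close(fd); }
  int followed = read_file(target, buf, sizeof buf) == 0 && strcmp(buf, "clobbered\n") == 0;

  /* fixed victim: exclusive create sees the planted link and refuses */
  int refused = open_tmp_exclusive(link) < 0 && (errno == EEXIST || errno == ELOOP);

  /* fixed victim: mkstemp creates a fresh, unguessable file */
  int mfd = open_tmp_mkstemp(tmpl);
  int fresh = mfd >= 0;
  if (mfd >= 0) { close(mfd); unlink(tmpl); }

  unlink(link); unlink(target); rmdir(dir);
  return followed && refused && fresh;
}

int main(void) {
  printf("predictable name followed the symlink, exclusive open and mkstemp were safe: %d\n",
         demo_symlink_attack());
  return 0;
}
```

Shell scripts such as gettext's autopoint and gettextize cannot pass O_EXCL to the shell's `>` redirection, which is why the usual fix there is `mktemp` (the command-line front end to the same mkstemp() behaviour) rather than a hand-built `$TMPDIR/name.$$`; the process id is exactly the kind of guessable value this demo exploits.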
------------------------------------------------------------------------ From isn at c4i.org Mon Mar 6 05:30:54 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 6 Mar 2006 04:30:54 -0600 (CST) Subject: [ISN] State college in Colorado warns 93,000 after laptop theft Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,109208,00.html By Robert McMillan MARCH 03, 2006 IDG NEWS SERVICE A state college in Denver believes it may have lost sensitive information on more than 93,000 students after one of the school's laptop computers was stolen from an employee's home late last month. The unnamed employee of Metropolitan State College had been using the information, including student names and Social Security numbers, to write a grant proposal, the college said Thursday. The data, which appears to have been unencrypted, was also being used by the employee to write a master's degree thesis, the school said. The laptop was stolen on Feb. 25, but Denver police asked the school to wait until March 1 to go public with news of the theft to help with the ongoing investigation. Students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester are now being notified of the incident via letter, the college said. Although there is no evidence that any of this data has been used for identity theft, there are a number of unanswered questions related to the incident. One question is whether or not the sensitive information was actually stored on the computer at the time of the theft, according to college President Stephen Jordan. "The employee does not recall whether he had deleted those files from the laptop," he said in a statement. A second question is whether the employee should have been storing this type of data outside of school premises for the purposes of a master's thesis. The college is "investigating whether the employee had obtained permission ... to use the data in his thesis," the college said.
The college is now reviewing its policies regarding laptops, particularly related to unencrypted information, Jordan said. The college Web site includes tips on avoiding laptop theft, and on preventing stolen information from being used following such an event. The college did not immediately return calls seeking comment for this story on Friday. From isn at c4i.org Mon Mar 6 05:31:12 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 6 Mar 2006 04:31:12 -0600 (CST) Subject: [ISN] Hey Neighbor, Stop Piggybacking on My Wireless Message-ID: http://www.nytimes.com/2006/03/05/technology/05wireless.html By MICHEL MARRIOTT March 5, 2006 For a while, the wireless Internet connection Christine and Randy Brodeur installed last year seemed perfect. They were able to sit in their sunny Los Angeles backyard working on their laptop computers. But they soon began noticing that their high-speed Internet access had become as slow as rush-hour traffic on the 405 freeway. "I didn't know whether to blame it on the Santa Ana winds or what," recalled Mrs. Brodeur, the chief executive of Socket Media, a marketing and public relations agency. The "what" turned out to be neighbors who had tapped into their system. The additional online traffic nearly choked out the Brodeurs, who pay a $40 monthly fee for their Internet service, slowing their access until it was practically unusable. Piggybacking, the usually unauthorized tapping into someone else's wireless Internet connection, is no longer the exclusive domain of pilfering computer geeks or shady hackers cruising for unguarded networks. Ordinarily upstanding people are tapping in. As they do, new sets of Internet behaviors are creeping into America's popular culture. "I don't think it's stealing," said Edwin Caroso, a 21-year-old student at Miami Dade College, echoing an often-heard sentiment. "I always find people out there who aren't protecting their connection, so I just feel free to go ahead and use it," Mr. Caroso said. 
He added that he tapped into a stranger's network mainly for Web surfing, keeping up with e-mail, text chatting with friends in foreign countries and doing homework. Many who piggyback say the practice does not feel like theft because it does not seem to take anything away from anyone. One occasional piggybacker recently compared it to "reading the newspaper over someone's shoulder." Piggybacking, makers of wireless routers say, is increasingly an issue for people who live in densely populated areas like New York City or Chicago, or for anyone clustered in apartment buildings in which Wi-Fi radio waves, with an average range of about 200 feet, can easily bleed through walls, floors and ceilings. Large hotels that offer the service have become bubbling brooks of free access that spill out into nearby homes and restaurants. "Wi-Fi is in the air, and it is a very low curb, if you will, to step up and use it," said Mike Wolf of ABI Research, a high-technology market research company in Oyster Bay, N.Y. This is especially true, Mr. Wolf said, because so many users do not bother to secure their networks with passwords or encryption programs. The programs are usually shipped with customers' wireless routers, devices that plug into an Internet connection and make access to it wireless. Many home network owners admit that they are oblivious to piggybackers. Some, like Marla Edwards, who think they have locked intruders out of their networks, learn otherwise. Ms. Edwards, a junior at Baruch College in New York, said her husband recently discovered that their home network was not secure after a visiting friend with a laptop easily hopped on. "There's no gauge, no measuring device that says 48 people are using your access," Ms. Edwards said. When Mr. Wolf turns on his computer in his suburban Seattle home, he regularly sees on his screen a list of two or three wireless networks that do not belong to him but are nonetheless available for use. Mr. 
Wolf uses his own wired network at home, but he says he has piggybacked onto someone else's wireless network when traveling. "On a family vacation this summer we needed to get access," Mr. Wolf recalled, explaining that his father, who took along his laptop, needed to send an e-mail message to his boss on the East Coast from Ocean Shores, Wash. "I said, 'O.K., let's drive around the beach with the window open.' We found a signal, and the owner of the network was none the wiser," Mr. Wolf said. "It took about five minutes." Jonathan Bettino, a senior product marketing manager for the Belkin Corporation, a major maker of wireless network routers based in Compton, Calif., said home-based wireless networks were becoming a way of life. Unless locking out unauthorized users becomes commonplace, piggybacking is likely to increase, too. Last year, Mr. Bettino said, there were more than 44 million broadband networks among the more than 100 million households in the United States. Of that number, 16.2 million are expected to be wireless by the end of this year. In 2003, 3.9 million households had wireless access to the Internet, he said. Humphrey Cheung, the editor of a technology Web site, tomshardware.com, measured how plentiful open wireless networks have become. In April 2004, he and some colleagues flew two single-engine airplanes over metropolitan Los Angeles with two wireless laptops. The project logged more than 4,500 wireless networks, with only about 30 percent of them encrypted to lock out outsiders, Mr. Cheung said. "Most people just plug the thing in," he said of those who buy wireless routers. "Ninety percent of the time it works. You stop at that point and don't bother to turn on its security." Martha Liliana Ramirez, who lives in Miami, said she had not thought much about securing her $100-a-month Internet connection until recently. Last August, Ms.
Ramirez, 31, a real estate agent, discovered a man camped outside her condominium with a laptop pointed at her building. When Ms. Ramirez asked the man what he was doing, he said he was stealing a wireless Internet connection because he did not have one at home. She was amused but later had an unsettling thought: "Oh my God. He could be stealing my signal." Yet some six months later, Ms. Ramirez still has not secured her network. Beth Freeman, who lives in Chicago, has her own Internet access, but it is not wireless. Mostly for the convenience of using the Internet anywhere in her apartment, Ms. Freeman, 58, said that for the last six months she has been using a wireless network a friend showed her how to tap into. "I feel sort of bad about it, but I do it anyway," Ms. Freeman said of her Internet indiscretions. "It just seems harmless." And if she ever gets caught? "I'm a grandmother," Ms. Freeman said. "They're not going to yell at an old lady. I'll just play the dumb card." David Cole, director of product management for Symantec Security Response, a unit of Symantec, a maker of computer security software, said consumers should understand that an open wireless network invites greater vulnerabilities than just a stampede of "freeloading neighbors." He said savvy users could piggyback into unprotected computers to peer into files containing sensitive financial and personal information, release malicious viruses and worms that could do irreparable damage, or use the computer as a launching pad for identity theft or the uploading and downloading of child pornography. "The best case is that you end up giving a neighbor a free ride," Mr. Cole said. "The worst case is that someone can destroy your computer, take your files and do some really nefarious things with your network that gets you dragged into court." Mr.
Cole said Symantec and other companies had created software that could not only lock out most network intruders but also protect computers and their content if an intruder managed to gain access. Some users say they have protected their computers but have decided to keep their networks open as a passive protest of what they consider the exorbitant cost of Internet access. "I'm sticking it to the man," said Elaine Ball, an Internet subscriber who lives in Chicago. She complained that she paid $65 a month for Internet access until she recently switched to a $20-a-month promotion plan that would go up to $45 a month after the first three months. "I open up my network, leave it wide open for anyone to jump on," Ms. Ball said. For the Brodeurs in Los Angeles, a close reading of their network's manual helped them to finally encrypt their network. The Brodeurs told their neighbors that the network belonged to them and not to the neighborhood. While apologetic, some neighbors still wanted access to it. "Some of them asked me, 'Could we pay?' But we didn't want to go into the Internet service provider business," Mrs. Brodeur said. "We gave some weird story about the network imposing some sort of lockdown protocol." Andrea Zarate contributed reporting from Miami for this article, and Gretchen Ruethling from Chicago. From isn at c4i.org Mon Mar 6 05:31:30 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 6 Mar 2006 04:31:30 -0600 (CST) Subject: [ISN] Symantec Takes Heat For Changing Adware Advice Message-ID: http://www.informationweek.com/news/showArticle.jhtml?articleID=181500850 By Gregg Keizer Mar 3, 2006 Symantec's out-of-court settlement with an adware maker is a loss for users, an anti-spyware researcher said this week. Friday, Feb. 24, the Cupertino, Calif. security company announced that it had dismissed its lawsuit against browser and e-mail toolbar maker Hotbar.com, Inc. 
Last June, Symantec filed a zero-dollar suit against the New York company, saying then that it was seeking a legal ruling that would affirm the position that Hotbar's programs "are indeed adware and can be treated as computer security risks." Under the new arrangement struck with Hotbar, Symantec has agreed to dismiss the lawsuit but will still classify the company's software as "adware." Symantec called it a victory. "What we got out of this was peace from these guys," said Joy Cartun, Symantec's senior director of legal affairs. "We didn't change our detection, so in that way we won." Hotbar, which had hounded Symantec with at least five litigation threats in the first half of 2005, is now blocked from any further action, said Cartun. "We get them to go away, but without having to make a change in our detection of them [as adware]." Hotbar's chief executive, however, was convinced that he had won. "Both sides now recognize that our application is disclosing its behavior," said Oren Dobronsky. "We've gained that recognition, so that when users scan for spyware, they don't get some kind of alert and by default, then remove it." Symantec acknowledged that although its security software will continue to detect Hotbar's products as adware, it has changed the recommendation it gives to customers. Previously, Symantec recommended that users delete Hotbar; now, says Symantec, it's reclassified Hotbar's toolbars as "low-risk" and recommends that users ignore the software and let it be. "We're telling users what it is, and assisting them to make a choice [whether to keep or remove Hotbar]," argued Symantec's Cartun. She also claimed that Symantec had been thinking of making the change long before Hotbar started complaining. "The change was driven not by Hotbar, but from what we learned what our customers wanted. They wanted guidance," she said. "The change was on a totally independent track [from the lawsuit]." Noted anti-spyware researcher Ben Edelman isn't buying that. 
By backing down on its recommendation from delete to ignore, said Edelman, Symantec's not serving its customers. "If I was an IT guy paying Symantec to defend my computers, I'd ask 'what are we paying them for, I still see Hotbar on a user's computer,'" said Edelman. "Something's gone wrong at Symantec." This isn't the first time that an anti-spyware maker has backed off from a vendor. A year ago, Microsoft quietly changed the advice it gave users on programs supplied by Claria, one of the largest adware purveyors. The resulting storm in the press and by bloggers forced Microsoft to issue an open letter to customers explaining why it made the changes. Symantec's move is more of the same, said Edelman. "They just don't get it. Whether software gets consent from users to install isn't the only thing they should be looking at." He questioned whether users of Hotbar understood they would get pop-up, pop-under, and auto-opening ads when they consented to the installation, and criticized the company for targeting kids with come-ons to download and install their toolbars. "Children may be less able to assess the merits of a Hotbar offer," Edelman wrote on his Web site in an analysis of Hotbar done last May. "[They're] less able to determine whether Hotbar software is a good value, less likely to realize the privacy and other consequences of installing such software, less inclined to examine a lengthy license agreement." Symantec and other security vendors claiming to sniff out adware and spyware should take factors like those into account, Edelman told TechWeb. "Unfortunately, this isn't the kind of analysis that comes naturally to security experts," he said. "They're used to thinking of worms as all bad, and they're not in a position to shift gears to more subjective decisions." Still, Edelman's hopeful, if not because of the Symantec dismissal, then because of the general trend he sees shaping up. "What's interesting is how much things have changed since last spring.
Then, there were new letters going out to anti-spyware companies every week. That's stopped as far as we know. "Why? I think the legal merits have sunk in, and that adware makers know they don't have a leg to stand on." From isn at c4i.org Mon Mar 6 05:30:12 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 6 Mar 2006 04:30:12 -0600 (CST) Subject: [ISN] Trojan horse couple indicted Message-ID: http://www.globes.co.il/serveen/globes/DocView.asp?did=1000067928&fid=1725 Yitzhak Danon Globes 5 Mar 06 The Office of the State Attorney today filed charges with the Tel Aviv District Court against the couple Ruth and Michael Haephrati. The office has also asked that the couple be remanded until the end of proceedings. The Haephrati couple are charged with numerous offences related to industrial espionage. Ruth Haephrati is to be charged with aggravated fraud, inserting material and viruses into a computer (the Trojan horse), unlawful wire tapping, invasion of privacy and unlicensed management of a database. Michael Haephrati is to be charged with aiding and abetting his wife in the committing of the offences listed above. According to the indictment, Michael Haephrati conceived and developed the Trojan horse software back in 2000 and subsequently attempted to offer it lawfully to various security bodies. In mid-2004, he used Ruth Haephrati, who handled the marketing activities, to contact the private investigators involved in the affair, with a view to using the software for criminal purposes. The investigators in question used the software to access information regarding competitors or other private entities, on behalf of their corporate or private clients. The State Attorney's office stressed that the investigation into the companies and individuals who commissioned the industrial espionage was ongoing. It also listed the types of data that had been accessed by the Trojan horse software used to hack into victims' computers.
These include documents created using word processing software, electronic spreadsheets, slide presentations, scanned documents and others. The material accessed by the hackers contained expensive and sensitive intellectual property. The Trojan horse also provided real-time sensitive images of material being viewed on hacked computers as well as recordings of voice communications conducted between infected machines. Also accessed were email correspondence, passwords typed on the keyboards of hacked computers, a list of all texts typed on them, as well as lists of archived files and websites visited. From isn at c4i.org Tue Mar 7 01:12:23 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Mar 2006 00:12:23 -0600 (CST) Subject: [ISN] Oracle on track of secure search Message-ID: http://australianit.news.com.au/articles/0,7204,18341811%5E15841%5E%5Enbv%5E,00.html Bloomberg MARCH 07, 2006 ORACLE, the world's third-biggest software maker, has begun selling software that allows users to search only personal data on their work computers such as email, Word documents and calendar appointments. Chief executive Larry Ellison says the California company's new search program "is one of the biggest products in years," and may help draw users away from Google, which also offers software for searching content on computers and operates the world's most-used internet search site. "Google has always had a good search, but it was the security side that it's not good at," Ellison told reporters at the annual Oracle OpenWorld Tokyo 2006 conference in Japan. "We have the security problem solved. That's what we're good at, and that's the hard part of the problem." The business-oriented Oracle Secure Enterprise Search 10g, which the company began offering worldwide today, uses a crawler that categorises what files a user can or cannot access depending on its security policies.
To run the search, the user needs a password, and the results are tailored to the specific user's security settings. The software is downloadable for a free trial, Oracle Japan public relations director Takeo Tamagawa says. He declines to comment on how much the software will cost. "No one yet has done a good job of securely searching private data, even though private data is the most valuable. "Most people want to search private data much more often than they need to search public data," Ellison says. Ellison says he is also striving to make Oracle the top software maker for business systems through its "global strategy of innovation and acquisition." "In software, the more customers you have for a product, the more you can invest in research and development to make that product better," he says. "The top position is critical in allowing you to invest in engineering and continue to improve and innovate." After the $US10.6 billion takeover of PeopleSoft in January 2005, Oracle is now the world's biggest maker of software for handling payrolls and other human resource tasks, he says. The January 31 acquisition of California-based Siebel Systems also makes Oracle "a world leader" in customer relationship management, Ellison says. In enterprise resource planning software, which provides applications to help businesses manage product planning, parts purchasing and inventory management, Oracle is second, behind Germany's SAP, he says. From isn at c4i.org Tue Mar 7 01:12:35 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Mar 2006 00:12:35 -0600 (CST) Subject: [ISN] Server hack at Georgetown Univ. probed Message-ID: http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,109245,00.html By Jaikumar Vijayan MARCH 06, 2006 COMPUTERWORLD Georgetown University in Washington has called in the U.S.
Secret Service to investigate a server breach that may have exposed confidential information including the names, dates of birth and Social Security numbers belonging to more than 41,000 people. The breach appears to have been caused by an external hacker and involved a server that was being managed by a Georgetown University researcher as part of a grant to manage information on the various services provided through the District of Columbia's Office of Aging, according to a university statement released Friday. The breach was first discovered during routine internal monitoring of university networks by Georgetown's information security office on Feb. 12, according to Erik Smulson, a university spokesman. The server that was compromised was immediately disconnected from the network. But because "it took some time to recognize the scope and nature of the exposure," the computer intrusion was not disclosed to the Office on Aging until Feb. 24, he said. Law enforcement officials were notified on Feb. 27, and the Secret Service took custody of the compromised server for forensic testing the next day. Only data that was on the Office of Aging server was compromised, Smulson said. He added that the breach did not affect any of the university's core computer systems containing financial and admission records. There is no evidence that the compromised information has been misused so far, he said. Georgetown University is now notifying the people whose information may have been exposed in the incident, Smulson said. But that task is complicated by the fact that the breached server contained records dating to 1983 on people who may be now deceased, he said. "We are making every reasonable effort to notify affected individuals," he said. Georgetown has established a toll-free phone number, 1-866-740-2458, and a Web site http://identity.georgetown.edu where people can get more information.
According to a university source close to the incident who requested anonymity, the server in question was under the control of an individual who was not technically qualified to be a systems administrator. "Because we're a university and fairly open, there are many computing fiefdoms all over the place," often run by individuals with grant money, the source said in an e-mail. Because the university information system office has not figured out a way to manage these independently run computing environments, there can be gaps in security, he said. In an e-mail informing the university community about the incident, Georgetown's CIO, David Lambert, said the broad base of research and service programs conducted across campus "creates an additional responsibility for every research principal investigator, department chair and program director in the university to focus attention on information security." "As part of our increased focus on the security of all systems in the Georgetown network, the security office will launch a program throughout the spring and summer focused on enhancing the security of confidential information contained on campus and departmental servers," Lambert said without elaborating. From isn at c4i.org Tue Mar 7 01:13:24 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 7 Mar 2006 00:13:24 -0600 (CST) Subject: [ISN] REVIEW: "Practical Internet Law for Business", Kurt M. Saunders Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" BKPRILFB.RVW 20051117 "Practical Internet Law for Business", Kurt M. Saunders, 2001, 1-58053-003-6, U$73.00 %A Kurt M.
Saunders %C 685 Canton St., Norwood, MA 02062 %D 2001 %G 1-58053-003-6 %I Artech House/Horizon %O U$73.00 800-225-9977 fax: 617-769-6334 artech at artech-house.com %O http://www.amazon.com/exec/obidos/ASIN/1580530036/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1580530036/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1580530036/robsladesin03-20 %O Audience s- Tech 1 Writing 2 (see revfaq.htm for explanation) %P 162 p. %T "Practical Internet Law for Business" The preface states that this book is intended to allow business and system managers to understand the legal issues surrounding electronic commerce. Chapter one provides a brief and basic historical overview of the Internet, stressing the decentralized nature, and the fact that nobody is in charge. Jurisdiction, and the rulings in regard to it, are discussed in chapter two. (Somewhat ironically, in view of the topic, while international decisions are mentioned, the material is definitely oriented to the legal system of the United States.) Encryption is the topic of chapter three, which deals with export controls on cryptographic software (even though the regulations have been extensively liberalized) and electronic signature laws (even though many of these laws allow for completely unencrypted "signatures"). Chapter four very briefly examines the issue of trade secrets, seemingly without much relation to the Internet. Trademarks, on the other hand, do have a great deal of relevance to the net in cybersquatting cases and the like, and are addressed in chapter five. Some of the material on copyright, in chapter six, repeats content dealt with in chapter five. Chapter seven provides an interesting and detailed examination of email privacy in the workplace. Chapter eight is rather vague, since its definition of "online crime" is not very specific. 
(Some of the case law presented is also reported simplistically: the account of United States vs Thomas, for example, does not deal with the issue of community standards that made the material legal in California but not in Tennessee.) The book closes with patent law, in chapter nine (oddly separated from the other intellectual property topics in chapters four to six), most of which deals with the non-patentability of software. This work is a lot about law, and not very much about the Internet. How practical it may be is a question that individual readers will have to answer. copyright Robert M. Slade, 2005 BKPRILFB.RVW 20051117 ====================== (quote inserted randomly by Pegasus Mailer) rslade at vcn.bc.ca slade at victoria.tc.ca rslade at sun.soci.niu.edu We are currently being told to follow our bliss. However, tradition tells us that ignorance is bliss. Taking these two statements together would explain a lot about modern society. http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade From isn at c4i.org Wed Mar 8 02:10:08 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Mar 2006 01:10:08 -0600 (CST) Subject: [ISN] Korea Goes From Computer Security Threat to Victim Message-ID: http://english.chosun.com/w21data/html/news/200603/200603070011.html Mar. 7, 2006 Korea is increasingly becoming a target of hackers who seek to steal Internet users' personal information while shedding its dubious status as a leading threat to online security. The "Internet Security Threat Report" released by the online security firm Symantec on Monday ranks Korea 10th as a source of security attacks in the second half of 2005, down from ninth in the first half and a shaming second in 2002. The report is produced by analyzing logging records in firewalls and attack detection systems of Symantec's 20,000 corporate customers in 180 countries. South Korea was the world's no. 2 after the U.S.
as a source of spam in the first half of last year, accounting for 14 percent of spam messages in the world, but the nation improved to third place with the figure declining to 9 percent from July to December. However, Korea moved up to fifth place from sixth in terms of infection with bots, malicious programs which provide hackers with unauthorized control of a computer to steal confidential information or attack specific websites. By using bots, hackers are able to stop individual computers or corporate computer systems from working when they want and to steal financial data and other confidential information to cause large-scale security failures. Symantec claims this means nations around the world need to strengthen computer system security. China has joined countries on the security black list after it moved up to second place following the U.S. as a source of security attacks. The number of attacks from China increased by 153 percent in the second half of 2005, 72 percentage points more than the global average of 81 percent. China also rose to second place as a source of spam, responsible for 12 percent, up from fourth place in the first half. From isn at c4i.org Wed Mar 8 02:10:21 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Mar 2006 01:10:21 -0600 (CST) Subject: [ISN] OMB: Modest Gains in Federal Cyber Security Message-ID: http://blog.washingtonpost.com/securityfix/2006/03/omb_modest_improvement_in_fede.html By Brian Krebs March 7, 2006 Federal government agencies have improved their overall computer and network security over the past year, but many agencies are still not doing enough to secure their systems against viruses and other cyber attacks, according to an annual report released by The White House last week.
The White House's Office of Management and Budget issued the findings as part of its yearly review of how well agencies are meeting the standards set forth in the Federal Information Security Management Act (FISMA), which establishes specific requirements for information security programs at federal agencies. Lawmakers in the U.S. House have used OMB's findings for the past several years to issue "computer security report cards" to federal agencies. Last year, the House Government Reform Committee awarded federal agencies a combined grade of "D-plus" for security in 2004, up from a "D" in 2003. Another round of report cards is likely to be issued later this month. Among the improvements in 2005, the OMB cited a 32 percent increase in the number of federal systems that were certified and accredited as secure, a 28 percent increase in the number of systems tested with cyber attack contingency plans, and "modest" increases in the development of agencywide plans to address persistent computer security problems. However, the OMB also pointed to continued weaknesses in several key areas, including the oversight of work done by outside contractors. According to the report, at least six of the 24 agencies reviewed said they only "rarely" or "sometimes" reviewed whether work done by contractors met the government's minimum security requirements. The report also cited a 4 percent drop in the number of systems tested annually for computer security weaknesses. The OMB found that federal agencies spent $5 billion securing government systems -- or 8 percent of the total federal information-technology budget of $62 billion. During this period, the total number of reported computer systems increased by 19 percent to 10,289. The Department of Homeland Security, which is trying to keep track of digital attacks against federal civilian systems, tracked 3,569 reported security "incidents" in 2005.
These ranged from infections by computer viruses and worms to distributed denial-of-service attacks, which use thousands of hacked PCs to overwhelm a Web site with so much traffic that legitimate users are shut out. Of those incidents, 1,806 involved some type of malware and 31 were distinct DDOS attacks. Another 304 were related to some form of unauthorized access. But according to OMB, those numbers almost surely mask a much larger number of attacks: "DHS continues to find sporadic reporting by some agencies and unusually low levels of reporting by others. Less than full reporting hampers the government's ability to know whether an incident is isolated at one agency or is part of a larger event, e.g., the widespread propagation of an Internet worm." OMB said that in an effort to address this problem, DHS has installed at three agencies (and has funding to install at six others) an automated tool that "monitors network flow information and ... transmits data to DHS." The White House didn't elaborate on what kind of monitoring that "tool" does exactly, but it probably warrants closer scrutiny. From isn at c4i.org Wed Mar 8 02:10:34 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Mar 2006 01:10:34 -0600 (CST) Subject: [ISN] Soldiers use tech skills in Camp Parks cyber-attack simulation Message-ID: http://www.insidebayarea.com/trivalleyherald/localnews/ci_3578646 By Ben Semmes STAFF WRITER 03/07/2006 CAMP PARKS - Capt. Joe Salazar may never have guessed that the skills he learned tinkering with computers when he was younger would prove useful in the Army. But Salazar, 34, who works as a systems administrator for Lockheed Martin in Sunnyvale, and a number of other high-tech workers are utilizing their computer skills in a special unit of the Army Reserve based at Camp Parks in Dublin.
A member of the Army Reserve Information Operations Command's western operations center, Salazar, along with about 60 other soldiers, was busy last week fighting off viruses and other mock cyber-threats as part of the unit's second annual drill. Comprised of 300 full- and part-time soldiers nationwide, the unit was created in 2001 to provide defensive tech-support to the U.S. Army to protect vital computer systems from enemy hackers. The soldiers working in the unit have brought their tech skills developed in Silicon Valley to literally the front lines of digital warfare. Although Salazar earned a degree in legal studies from the University of California, Berkeley, he said it was his computer hobby that led to a job at Lockheed and ultimately to his position in the Army Reserve, which he joined in 1991. "(Currently) I'm rebuilding a laptop that was hit by a vulnerability," Salazar said, describing one of his many responsibilities during last week's four-day drill. The exercise was also a nationwide competition between all five Information Operations Commands - located at Camp Parks, Massachusetts, Maryland, Texas and Pennsylvania - to see which team acted most effectively in keeping critical network services up and running. During the exercise, Army personnel located in Maryland acted as hackers, attempting to infiltrate the network and cause havoc across the system. It was Salazar's job to fix the problem once other soldiers identified it. "What scan are we being hit by here?" Salazar yelled to Chief Warrant Officer Tom Millar, another reservist in the unit who works as an information technology specialist at Santa Clara University. "The stuff I can do at work is more restricted than what I can do as a reservist," Salazar said. As a reservist, Salazar must work at least one weekend a month in addition to the required two weeks a year and he said this is not a problem with his employer.
Fred Conley, Salazar's boss and head of the management information systems department at Lockheed, said the company holds the vast majority of its contracts with the U.S. Department of Defense and understands the responsibilities of men and women in uniform. "We as a company are supportive of all our (military people)," he said. "We will keep their job open as long as they are actively deployed. As for the more normal use of reservists, as policy we allow them to take three weeks with pay." Salazar's fellow soldiers in the Information Operations Command are employed by Microsoft, Dell, Cisco Systems, Symantec and Mitre among other companies, said unit commander Lt. Col. Darryl Hensley. The soldiers in the Camp Parks unit are clearly a source of pride for Hensley and he said he's hoping for a repeat of last year's performance when they won the first national competition. "The laptop is our rucksack," Hensley said. "I don't want to say that the laptop is our weapon because (our operations are) all defensive." From isn at c4i.org Wed Mar 8 02:11:01 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Mar 2006 01:11:01 -0600 (CST) Subject: [ISN] Citibank cards pulled after network breach Message-ID: http://www.networkworld.com/news/2006/030706-citibank-network-breach.html By Robert McMillan IDG News Service 03/07/06 Citigroup is reissuing MasterCard credit and debit cards used in the U.K., Russia and Canada, saying they may have become compromised following an unspecified breach of its network. "Last year, Citibank and our customers were the victims of a third-party business' information breach," the company said Wednesday in a statement. "In mid-February, we detected several hundred fraudulent cash withdrawals in three countries. We are currently reissuing cards, as appropriate, to affected customers." 
In an earlier statement, published in media outlets, Citigroup said that the accounts may have been compromised in "previous retailer breaches in the U.S.," and that the company was aware of fraudulent ATM cash withdrawals being made in the U.K., Russia, and Canada. The company did not say how many cards were affected by these breaches. Citigroup, which does retail banking under the name Citibank, did not provide any details on the retailer breaches that prompted this action, but it said it has blocked PIN-based transactions on some cards in those three countries. Last week Wal-Mart Stores' Sam's Club members-only retail chain confirmed that it was looking into a possible compromise of its fuel station point of sale system. But no PINs were used in any of the fraudulent transactions reported in this case, which involved about 600 cards, according to Wal-Mart. News of the Citigroup breach first surfaced over the weekend, when Boing Boing Web site contributor Jake Appelbaum reported that he had been unable to use a Citibank ATM card in Toronto. After calling Citibank customer service on Saturday night, Appelbaum was told that he would have to return to the U.S. to change his PIN before the ATM component of his card would be usable again. "They told me by using my ATM card on the Canadian network it automatically locked the ATM portion of my card," he said in an interview Tuesday. The MasterCard portion of the card continued to work normally, but Appelbaum was left frustrated by the fact that he was unable to access the cash in his bank account as he waits for a reissued card, and that Citibank could not say whether the new card will work in Canada. "I was dumbfounded by that," he said. "It was the worst customer service I've ever heard of from a bank." He had some advice for Citibank customers travelling abroad. "Cancel your account and get a new bank," he said.
"I'm going to close my Citibank account, not just because of the security problems, but because of the way they deal with their customers when they're stranded." From isn at c4i.org Wed Mar 8 02:11:17 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 8 Mar 2006 01:11:17 -0600 (CST) Subject: [ISN] Mac OS X hacker tale rebuked Message-ID: http://www.macworld.co.uk/news/index.cfm?NewsID=14029 By Macworld staff March 07, 2006 A new Mac OS X hacker competition has been launched at the University of Wisconsin. The competition ends on Friday March 10. Hackers are being asked to change the front page of a website that's stored on a Mac mini: "Running Mac OS X 10.4.5 with Security Update 2006-001, two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open." The competition is a response to a report on ZDNet news this week, which claimed a hacker had managed to break into Mac OS X in under half an hour. What that report didn't explain was that anyone who wanted to try to hack that test Mac was given a local account on the machine which could be accessed using SSH. This effectively put the hacker in front of the machine and made the exercise much easier to accomplish. The organisers of the new Mac hack competition said: "Yes, there are local privilege escalation vulnerabilities for OS X; likely some that are 'unpublished'. But this machine was not hacked from the outside just by being on the internet. It was hacked from within, by someone who was allowed to have a local account on the box. That is a huge distinction." Most consumer Macs won't hold user accounts for unknown people, won't have any ports open and will most likely be behind a firewall, making the earlier Mac OS X hacking exercise unrepeatable. Macs cannot be hacked "just by being on the internet", the competition organisers stressed. 
From isn at c4i.org Thu Mar 9 01:33:10 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:33:10 -0600 (CST) Subject: [ISN] Blacklists Aren't for Everyone Message-ID: ==================== This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE. St.Bernard Software http://list.windowsitpro.com/t?ctl=230B5:4FB69 8e6 Technologies http://list.windowsitpro.com/t?ctl=230C1:4FB69 ==================== 1. In Focus: Blacklists Aren't for Everyone 2. Security News and Features - Recent Security Vulnerabilities - Oracle Secures Search with Authorized Results - RedBrowser Trojan Targets J2ME-based Phones - Viruses Jump from PCs to Mobile Devices 3. Security Toolkit - Security Matters Blog - FAQ - Share Your Security Tips 4. New and Improved - Limit User Privileges and Block Unwanted Apps ==================== ==== Sponsor: St.Bernard Software ==== The Next Generation in Patch Management At last, a unique solution that speeds the tedious tasks of system vulnerability management with automated patching and settings configuration features found in no other solution: - Manage an entire distributed network, including remote and disconnected machines, from a central console - Assign Roles and Rights for optimum IT staffing and security - Provide dual system security with integrated security settings management - Wake on LAN lets you successfully patch machines that are turned off - Low acquisition and renewal pricing and flexible licensing model Download your free trial today and find out how easy and cost- effective securing your systems can be. Download Now! http://list.windowsitpro.com/t?ctl=230B5:4FB69 ==================== ==== 1. 
In Focus: Blacklists Aren't for Everyone ==== by Mark Joseph Edwards, News Editor, mark at ntsecurity / net Last week, I wrote about blacklist services (the article is at the URL below), and I received some responses that I'll share with you this week. http://list.windowsitpro.com/t?ctl=230BA:4FB69 One reader wrote to say that, lately, Spam and Open Relay Blocking System (SORBS) "is blocking almost all email from Yahoo, Hotmail, and some other large ISPs." He has quit using SORBS because it caused problems for a few clients. Another reader also wrote about his problem with SORBS. He said that "one of our main mail servers received a piece of spam with a forged From address that went to one of [SORBS's] honeypots. We received an email to a nonexistent [email address] and sent a nondelivery response to the forged address at the honeypot. The result of a single email sent last November was that any [host on the Internet] using SORBS regarded our email server as a spam sender. The email had originated in Brazil and our email server was just the last link in the chain." He then described his ordeal in trying to get his server removed from SORBS's database. At the SORBS site (URL below), you'll read that "affected IPs [of the mail server which sent spam] will only be delisted when US$50 is donated to a SORBS nominated charity or good cause. The charities and good causes SORBS approves will not have any connection with any member of the SORBS administrators, either past or present." I have no problem with donating to charity, but trying to force that on people is unprofessional and unreasonable. The reader found an alternative way to have his IP address removed from the SORBS database, but SORBS doesn't make the alternative clear on its Web site. 
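The column assumes the reader knows how a DNS-based blacklist is consulted; the following is an added illustration, not code from the newsletter, from SORBS or from any listed service. The sending host's address is reversed, prefixed to the list's zone name and looked up as an ordinary DNS name, and a listing comes back as an address in 127.0.0.0/8 (RFC 5782). The zone names and answers in the table are constructed for the example, and the resolver is injected so the same code can be pointed at a real one. It also carries the RFC 5782 sanity check (the list must list 127.0.0.2 and must not list 127.0.0.1), which catches a list that has gone dead or started listing everything, and treats such a list as unavailable rather than blocking mail on it.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed stand-in for DNS: query name -> A records. Both zone names are
# made up for this example. Per RFC 5782 a DNSBL answers listed names with an
# address in 127.0.0.0/8, must list 127.0.0.2 and must NOT list 127.0.0.1.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "2.0.0.127.dnsbl.example.net.": ["127.0.0.2"],   # RFC 5782 test entry
    "10.2.0.192.dnsbl.example.net.": ["127.0.0.2"],  # a listed sender (constructed)
    # "dead.example.org" answers 127.0.0.2 for everything, including 127.0.0.1:
    # a defunct or wildcarded list that would block all mail if trusted.
    "2.0.0.127.dead.example.org.": ["127.0.0.2"],
    "1.0.0.127.dead.example.org.": ["127.0.0.2"],
    "10.2.0.192.dead.example.org.": ["127.0.0.2"],
    "7.100.51.198.dead.example.org.": ["127.0.0.2"],
}

Resolver = Callable[[str], List[str]]


def constructed_resolver(name: str) -> List[str]:
    """Offline resolver used by the example; unknown names resolve to nothing."""
    return CONSTRUCTED_DNS.get(name, [])


def system_resolver(name: str) -> List[str]:
    """Real lookups through the standard library; NXDOMAIN simply means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the RFC 5782 query name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def dnsbl_lookup(ip: str, zone: str, resolve: Resolver = constructed_resolver) -> Optional[str]:
    """Return the 127.0.0.0/8 answer that lists ip in zone, or None if unlisted."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.ip_address(answer) in loopback:
            return answer
    return None


def zone_is_sane(zone: str, resolve: Resolver = constructed_resolver) -> bool:
    """RFC 5782 health check: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    return (dnsbl_lookup("127.0.0.2", zone, resolve) is not None
            and dnsbl_lookup("127.0.0.1", zone, resolve) is None)


def classify_sender(ip: str, zones: List[str], resolve: Resolver = constructed_resolver) -> str:
    """'listed:<zone>', 'clean', or 'unavailable' when no zone passes the health check.

    A list that fails the check is ignored rather than trusted, so a dead or
    wildcarded list degrades to 'no opinion' instead of rejecting all mail."""
    usable = [z for z in zones if zone_is_sane(z, resolve)]
    if not usable:
        return "unavailable"
    for zone in usable:
        if dnsbl_lookup(ip, zone, resolve) is not None:
            return f"listed:{zone}"
    return "clean"


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "dnsbl.example.net"))
    print(classify_sender("192.0.2.10", ["dead.example.org", "dnsbl.example.net"]))
```

Running the health check before every decision costs two extra queries per zone, so in practice it is cached for minutes rather than repeated per message; the point is that a blacklist's answer is only as trustworthy as the list, which is exactly the complaint the readers raise.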
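The listing the second reader describes (accepting mail for a nonexistent address and then bouncing it to a forged sender) is classic backscatter, and the fix is on the receiving server, not at the blacklist. As an added example, not code from the newsletter or from the reader, the following simulated SMTP transaction contrasts accept-then-bounce with rejecting unknown recipients inside the RCPT TO exchange, where no non-delivery report is ever generated and the sending MTA owns the failure. Mailbox and host names are constructed; the DATA step is collapsed to a single command.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Constructed: the only mailboxes that exist on this hypothetical server.
LOCAL_MAILBOXES: Set[str] = {"postmaster@example.com", "alice@example.com"}


@dataclass
class Outcome:
    replies: List[str] = field(default_factory=list)    # SMTP replies sent to the client
    delivered: List[str] = field(default_factory=list)  # recipients queued for local delivery
    bounces: List[str] = field(default_factory=list)    # addresses we sent a non-delivery report to


def _addr(arg: str) -> str:
    """'FROM:<user@host>' / 'TO:<user@host>' -> 'user@host'; the null sender '<>' -> ''."""
    return arg.split(":", 1)[1].strip().strip("<>").lower()


def handle_session(commands: List[str], reject_at_rcpt: bool) -> Outcome:
    """Simulate the recipient-handling part of an inbound SMTP transaction.

    reject_at_rcpt=False: accept every RCPT TO and sort it out after DATA; mail
    for unknown users is bounced to the (possibly forged) MAIL FROM address.
    reject_at_rcpt=True:  refuse unknown recipients with 550 inside the
    transaction, so the sending MTA owns the failure and we never bounce.
    The DATA step is collapsed to one command (no 354/body/'.' exchange)."""
    out = Outcome()
    sender = ""
    rcpts: List[str] = []
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            out.replies.append("250 mx.example.com")
        elif verb == "MAIL":
            sender = _addr(arg)
            out.replies.append("250 2.1.0 OK")
        elif verb == "RCPT":
            rcpt = _addr(arg)
            if reject_at_rcpt and rcpt not in LOCAL_MAILBOXES:
                out.replies.append(f"550 5.1.1 <{rcpt}>: Recipient address rejected")
                continue
            rcpts.append(rcpt)
            out.replies.append("250 2.1.5 OK")
        elif verb == "DATA":
            if not rcpts:
                out.replies.append("554 5.5.1 No valid recipients")
                continue
            # Once we answer 250 here the message is our responsibility:
            # anything we cannot deliver must be reported to the sender.
            out.replies.append("250 2.0.0 OK: queued")
            for rcpt in rcpts:
                if rcpt in LOCAL_MAILBOXES:
                    out.delivered.append(rcpt)
                elif sender:  # never bounce to the null sender (RFC 5321)
                    out.bounces.append(sender)
            rcpts = []
        elif verb == "QUIT":
            out.replies.append("221 2.0.0 Bye")
    return out


# Constructed session: spam relayed with a forged sender, addressed to a
# mailbox that does not exist here (the scenario the reader describes).
FORGED_SESSION = [
    "EHLO relay.example.net",
    "MAIL FROM:<victim@honeypot.example.org>",
    "RCPT TO:<nosuchuser@example.com>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    print(handle_session(FORGED_SESSION, reject_at_rcpt=False).bounces)  # backscatter to the forged sender
    print(handle_session(FORGED_SESSION, reject_at_rcpt=True).bounces)   # nothing sent
```

The same principle applies to any secondary MX or relay in front of the mailbox server: unless it can validate recipients at RCPT time, every message it accepts for a bad address becomes a bounce to whoever the spammer chose to forge.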
http://list.windowsitpro.com/t?ctl=230C2:4FB69 In my tests, the SORBS blacklist service was only marginally better than the service provided by dnsbl.net.au (DNS server: t1.dnsbl.net.au), so I might not continue using SORBS in light of what the two readers have revealed. A third reader wrote to "strongly disagree with your recommendation to use blacklists, even though they are effective. My opinion is based on the fact that it is very easy to get blacklisted even without reason and very difficult to get out of the blacklist. This can cause long delays with email delivery and sometimes businesses depend on it--even though they shouldn't. I also don't like the attitude of some of the service providers for blacklisting, it is very frustrating to contact them." What I recommend is that you do what works for your particular networks. If you find that blacklists work and aren't much of a management problem, then use them--they can be very effective. On the other hand, if you experience trouble with an entity such as SORBS, it might be best to drop that service in favor of another. Some readers also offered comments about filtering particular languages. I think that some readers took offense to such filtering. I truly meant no offense. My point is simply that if no one in your organization reads a particular language, then any inbound mail in that language can be dropped. For example, approximately 48 percent of the email received by the mail servers I tested appears to be written in Asian languages--in particular, Japanese, Korean, and Taiwanese. None of the people that those mail servers support read any Asian languages, so we set the filters to drop all Asian language mail. As a result, processing overhead is reduced. ==================== ==== Sponsor: 8e6 Technologies ==== Stop Spyware Now - Free White Paper! Spyware remains a problem for most companies, disrupting productivity, wasting time and money. 
Now 8e6 Technologies' free White Paper proposes breakthrough solutions to counteract the Spyware problem: recognize potential infections, stop unauthorized programs at the source. Get the Free White Paper: http://list.windowsitpro.com/t?ctl=230C1:4FB69 ==================== ==== 2. Security News and Features ==== Recent Security Vulnerabilities If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://list.windowsitpro.com/t?ctl=230B0:4FB69 Oracle Secures Search with Authorized Results Oracle announced its new enterprise search engine, Secure Enterprise Search 10g. One difference between Oracle's solution and other search engines is that Oracle's will return only the results that a person is authorized to access. http://list.windowsitpro.com/t?ctl=230BB:4FB69 RedBrowser Trojan Targets J2ME-based Phones The first malware was discovered that intentionally targets mobile phones that use Sun Microsystems' Java 2 Platform, Micro Edition (J2ME). Dubbed RedBrowser, the Trojan horse program tries to send text messages to a high-cost toll number in Russia. According to Kaspersky Lab, the mobile phone owner is charged between $5 and $6 for accessing the toll number. http://list.windowsitpro.com/t?ctl=230B8:4FB69 Viruses Jump from PCs to Mobile Devices Docking your mobile device to your PC now carries considerable risk. The Mobile Antivirus Researchers Association (MARA) reported the first virus that can jump from a PC to a Windows CE or Windows Mobile device. The virus was sent to MARA anonymously. http://list.windowsitpro.com/t?ctl=230BD:4FB69 ==================== ==== Resources and Events ==== DevConnections Europe Early Bird Special extended through 15 March Four conferences for the price of one! Don't miss DevConnections Europe--coming to Nice, France, April 24-27, 2006.
http://list.windowsitpro.com/t?ctl=230B6:4FB69 Use virtualization technology to leverage your IT assets, address critical business needs, and get the most out of your existing hardware with Windows Server 2003 R2. Live Event: April 4, 12:00 pm EST http://list.windowsitpro.com/t?ctl=230AB:4FB69 Learn the best ways to manage your email security (and fight spam) using a variety of solutions and tips. http://list.windowsitpro.com/t?ctl=230AE:4FB69 Efficiently replicate file changes across WANS without worrying about your remote server backups using the improved Distributed File System in WSS R2. Live Event: March 14, 12:00 pm EST http://list.windowsitpro.com/t?ctl=230AC:4FB69 SPECIAL PODCAST OFFER: Expert Ben Smith describes the benefits of using server virtualization to make computers more efficient. http://list.windowsitpro.com/t?ctl=230AF:4FB69 ==================== ==== Featured White Paper ==== Manage your data growth, improve reliability, and speed data recovery using continuous data protection. http://list.windowsitpro.com/t?ctl=230AD:4FB69 ==================== ==== Hot Spot ==== Automate IT security compliance now! FREE White Paper demonstrates how you can reduce time spent on IT policy compliance by as much as 90%, while improving your security posture. Cambia's agentless software continuously discovers all changes to network assets, intelligently determines which changes pose a risk to security and compliance and works with administrators to fix breaches quickly. http://list.windowsitpro.com/t?ctl=230C0:4FB69 ==================== ==== 3. Security Toolkit ==== Security Matters Blog: Network Security Toolkit 1.4.0 by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=230BF:4FB69 This excellent bootable toolkit has been updated with several useful enhancements, including an updated OS, new Web interfaces, and updates to included applications. Learn more in the blog article. 
http://list.windowsitpro.com/t?ctl=230BC:4FB69 FAQ by John Savill, http://list.windowsitpro.com/t?ctl=230BE:4FB69 Q: How can I delegate permission for a user or group to control certain services? Find the answer at http://list.windowsitpro.com/t?ctl=230B9:4FB69 Share Your Security Tips and Get $100 Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Windows IT Pro Magazine Article Library--access available Sign up for a Monthly Online Pass and get INSTANT access to all articles, tools, and helpful resources published on WindowsITPro.com, including exclusive subscriber-only content. You'll get 24/7 access to the full Windows IT article library (includes more than 9,000 articles) and get the latest digital issue of Windows IT Pro delivered right to your inbox. Sign up now: http://list.windowsitpro.com/t?ctl=230B2:4FB69 Windows IT Pro Magazine--SAVE 58% Windows IT Pro is a must-have in 2006! Subscribe now and plug into the largest independent Windows IT community in the world. Along with loads of how-to articles, time-saving advice, and expert tips and solutions, you'll gain exclusive access to the entire online Windows IT Pro article library FREE. This is a limited-time offer, so order now: http://list.windowsitpro.com/t?ctl=230B1:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products at windowsitpro.com Limit User Privileges and Block Unwanted Apps Winternals Software announced the release of Protection Manager, which enables granular control of user and application privilege levels and blocks all unauthorized executables. 
You install Protection Manager on a central console and deploy it to clients throughout the network. Then for each user role, you can specify one of four execution attributes for each application: denied from executing under any circumstances, allowed to execute with administrator privileges when required, allowed to execute in the user's context with limited user privileges, or allowed to execute normally. Protection Manager is licensed by server and workstation and works with Windows Server 2003, Windows XP, and Windows 2000 computers; for more information, go to http://list.windowsitpro.com/t?ctl=230B7:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com. ==================== ==== Contact Us ==== About the newsletter -- letters at windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=230C3:4FB69 About product news -- products at windowsitpro.com About your subscription -- windowsitproupdate at windowsitpro.com About sponsoring Security UPDATE -- salesopps at windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=230B4:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2006, Penton Media, Inc. All rights reserved. 
From isn at c4i.org Thu Mar 9 01:33:24 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:33:24 -0600 (CST) Subject: [ISN] Debit Card Fraud Tied to OfficeMax Breach Message-ID: http://www.eweek.com/article2/0,1895,1935677,00.asp By Paul F. Roberts March 8, 2006 Debit card fraud that has affected customers at a number of credit unions in central Massachusetts is linked to transactions at office supply retailer OfficeMax, according to investigators. Dozens of credit union members in the towns of Leominster and Fitchburg, Mass., have been defrauded of more than $45,000 in the last few weeks by criminals in the United States and abroad, according to law enforcement officials in those towns. The fraudulent transactions involve cloned Visa debit cards and may be linked to the theft of blocks of PINs from OfficeMax or an intermediary processor, sources familiar with the case said. In Leominster, police know of about 40 victims of incidents at a number of credit unions in the area, dating back to Feb. 28, said Detective Scott Wolfeasazder of the Leominster Police Department. New victims are turning up every day, he said. "Just today I found out that City Employees Federal Credit Union had seven accounts accessed, with funds withdrawn from five of them," he said, adding that Leominster Credit Union has had to close 500 debit accounts because of the fraud. Most of the withdrawals are small, up to $500, and many were conducted in Barcelona, Spain, though ATMs in the United States and Canada have also been used. In total, the damages are upwards of $30,000, he said. All the victims the police have reached at this point shopped at OfficeMax and used a Visa debit card, Wolfeasazder said. "That's the common denominator on this end," he said. In neighboring Fitchburg, police know of dozens of residents who have had debit cards used fraudulently, with totals of around $17,000 in damages, said Sgt. Glen Fossa of the Fitchburg Police Department. 
The transactions date back to mid-February and were linked to ATMs in Illinois, Turkey, Great Britain and Switzerland, he said. The random nature of the fraud and its geographic distribution indicate that the stolen information is being fenced on the Internet, investigators say. According to multiple sources, thieves may have made off with PIN blocks (the formatted, encrypted form in which a debit card PIN travels between terminals and processors) together with the key needed to decrypt them. That information is being used to encode "white cards," blank magnetic stripe cards, according to Fossa and Wolfeasazder. For the card accounts stolen from Leominster and Fitchburg credit union customers, the stolen information appears to be tested in California first, then used for fraudulent transactions all over the world, Detective Wolfeasazder said. Law enforcement does not know if the PIN information was stolen from OfficeMax or a partner company, or whether it was taken in an electronic hack or leaked by an insider. At least one source familiar with the investigation, who asked to remain anonymous because of the ongoing investigation, named OfficeMax as the source of the PIN block information. However, OfficeMax, based in Itasca, Ill., maintains that its network has not been compromised, according to Bill Bonner, the company's spokesperson. "We have no knowledge of a security breach at OfficeMax," he said. Criminals have turned to debit card accounts because they are less well-protected by anti-fraud technology than traditional credit card accounts, said Mike Urban, director of fraud technology operations at FairIsaac, a Minneapolis, Minn., company that monitors ATM and banking fraud. FairIsaac is monitoring a number of ATM fraud incidents around the country and notifies card issuers when it identifies fraudulent activity on an account, Urban said. "We are seeing a significant increase in stolen PIN cards," he said. 
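The "PIN block" the investigators refer to is a standard construction, and it is worth seeing why a stolen block is worthless on its own but fatal together with its key. The Python below is an added example for this archive, not code from the article or from any party to the case. It implements ISO 9564-1 format 0: the PIN is packed with its length and F padding, then XORed with the rightmost twelve digits of the card number (excluding the check digit), and in a real system that 8-byte block is then encrypted under a PIN encryption key before it leaves the terminal. The cipher layer is left out here, and the PAN and PIN values are constructed. Decoding needs the PAN, which the fraudsters already hold in the cloned track data, so once the key that was reportedly stolen yields the clear block, the PIN falls out immediately.

```python
"""ISO 9564-1 format 0 PIN block encode/decode.

Added example for this article; values below are constructed test data,
not anything from the OfficeMax case. In production the 8-byte block is
encrypted under a PIN encryption key before it leaves the terminal; that
cipher layer is deliberately left out here.
"""


def _pin_field(pin: str) -> bytes:
    """Control nibble 0, PIN length, PIN digits, then F padding to 16 nibbles."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def _pan_field(pan: str) -> bytes:
    """Four zero nibbles, then the rightmost 12 PAN digits before the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def format0_encode(pin: str, pan: str) -> bytes:
    """Clear (pre-encryption) format 0 block: PIN field XOR PAN field."""
    return bytes(a ^ b for a, b in zip(_pin_field(pin), _pan_field(pan)))


def format0_decode(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear block; raises if the PAN does not match."""
    if len(block) != 8:
        raise ValueError("block must be 8 bytes")
    clear = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if clear[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(clear[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("bad PIN length nibble")
    pin, pad = clear[2:2 + length], clear[2 + length:]
    # A wrong PAN scrambles the padding, so the F check is what detects mismatch.
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PAN does not match this block")
    return pin


def decode_or_none(block: bytes, pan: str):
    """Same as format0_decode but returns None on mismatch, for bulk processing."""
    try:
        return format0_decode(block, pan)
    except ValueError:
        return None


def pins_from_leak(records):
    """What an attacker does with decrypted blocks plus the PANs from track data.

    records: iterable of (pan, clear_block) pairs. Returns {pan: pin}.
    """
    return {pan: pin for pan, blk in records if (pin := decode_or_none(blk, pan))}


if __name__ == "__main__":
    pan, pin = "4111111111111111", "1234"           # constructed test values
    blk = format0_encode(pin, pan)
    print(blk.hex().upper())                        # 041225EEEEEEEEEE
    print(format0_decode(blk, pan))                 # 1234
    print(decode_or_none(blk, "5555555555554444"))  # None: wrong PAN
```

The PAN binding is the only structure the format gives you: decrypting a block under the wrong card number fails the padding check, which is why a leak of blocks alone, without the matching account numbers, is less useful to a fraudster. It is not a defence against someone holding the block, the key and the track data at once, which is the combination the investigators describe.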
From isn at c4i.org Thu Mar 9 01:33:43 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:33:43 -0600 (CST) Subject: [ISN] Porn Billing Leak Exposes Buyers Message-ID: http://www.wired.com/news/technology/0,70356-0.html By Quinn Norton Mar, 08, 2006 Seventeen million customers of the online payment service iBill have had their personal information released onto the internet, where it's been bought and sold in a black market made up of fraud artists and spammers, security experts say. The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included. The breach has broad privacy implications for the victims. Until it was brought low by legal and financial difficulties, iBill was a top credit-card processor for adult entertainment websites -- providing billing services for such outlets as DominaBDSM and Top-Nude.com. The transactions documented in the database are dated between 1998 and 2003, spanning a period at the height of iBill's success. The company didn't respond to repeated e-mail and telephone inquiries by Wired News. Two caches of stolen iBill customer data were discovered separately by two security companies while conducting routine research into malicious software online. Southern California-based Secure Science Corporation found the first data file containing records on 17 million individuals on a private website set up by scammers. The site was part of a so-called "phishing" scheme, in which a spamming fraudster poses as a bank or online retailer in an attempt to con consumers out of identification and financial information. Secure Science found that data in February 2005, and reported it to the FBI's Miami field office, the company says. The FBI declined comment. 
Last month, Sunbelt Software found an additional list of slightly over 1 million individual entries labeled Ibill_1m.txt on a spamming website. That list appeared to date from 2003. IBill has a troubled history. Founded in 1997 by executives of a Florida-based BBS software developer, by 2002 iBill was a big player in internet billing, processing approximately $400 million in credit card transactions per year, according to SEC filings. The company took 15 percent off the top in fees. Todd Dugas, a former inside sales representative for iBill, estimates that pornography made up 85 percent of the business. But when Atlanta-based InterCept acquired iBill for $120 million in 2002, it immediately encountered problems. New rules from Visa made it more complicated and costly to process adult website transactions, and "accounts dropped like flies," says Dugas. Meanwhile MasterCard levied $5.85 million in fines against iBill for an unusually high volume of "charge backs" -- consumer-disputed charges -- though InterCept managed to recoup most of the fine from iBill's previous owners. In September 2004, iBill lost the contract with its upstream credit-card processor, First Data, which had grown wary of being associated with adult content. Website operators relying on iBill for payments had to wait months for their checks while First Data held the money in escrow. Roger Jacobs, who followed the story of iBill for adult industry publications AVN and XBiz, described low morale and a hemorrhaging of employees during this period. Lance James of Secure Science and Adam Thomas of Sunbelt Software speculate that the company's troubles may have left them vulnerable to information embezzlement: The breach, they say, has all the markings of an inside job. The files appear to have been generated by exporting an SQL database into a CSV format -- a procedure that would be unusually extravagant for a quick, furtive hack attack. 
Moreover, at 4.5 gigabytes in size, the larger file would have been tough to download unnoticed over iBill's internet connection. Thomas speculates that an employee or other insider may have simply walked out of iBill with the transaction records to sell on the data black market. What happened with the records from there is anyone's guess. The 1 million addresses found by Sunbelt Software were being used for spamming. Sunbelt found the database by tracing malware-infected computers as they connected to the internet to refresh their list of spam targets. The target list turned out to be the iBill database, hosted on a rogue website. Secure Science's James says the 17 million database entries he found is prime data for spamming, phishing attacks, pretext phone calls and even possible hacking of vulnerable computers at the IP addresses listed. Independently, Wired News found that entries from the smaller cache are listed as mortgage leads on a spammer community site, specialham.com. (The website's homepage offered no contact information and Wired News was unable to reach the registered owner of the domain, one "Juice Wobble.") This suggests that the database was marketed as a lead list for outside businesses. "I can attest to the fact that this goes on with phishing groups," says James. "They break in and steal leads and then sell those leads to (black market) leads companies, who resell them to legitimate companies, and sometimes the same companies they stole them from." "The fact that a total of 17,781,462 iBill records have been found in the hands of criminal hackers is quite disturbing, be it an inside job or the successful work of criminal hackers," says Thomas. Contacted by Wired News, one of the victims of the breach expressed dismay that his information was in the hands of criminals. 
The 41-year-old San Diego man says he allowed a "business partner" to use his credit card on an adult website dedicated to finding resources in Tijuana's red light district, with discussion groups and locations of prostitutes. "Life is difficult enough," says the victim. "It makes the net that much less secure in my eyes.... I plan to not use any credit card information on any site." The man says that neither iBill nor the FBI notified him of the breach. Because the information didn't include Social Security, credit-card or driver's-license numbers, no U.S. laws require iBill or the companies for which they provided billing to warn victims. A year after the FBI first learned of the larger leak, they have also failed to issue any public warnings. In January of last year, iBill was purchased by Interactive Brand Development for $23.5 million. On Monday, IBD's stock closed at 8 cents a share in over-the-counter trading. From isn at c4i.org Thu Mar 9 01:34:01 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:34:01 -0600 (CST) Subject: [ISN] Security Researchers Terminate Sites Selling Trojans Message-ID: http://www.informationweek.com/news/showArticle.jhtml?articleID=181502074 By Gregg Keizer Mar 8, 2006 Several Web sites selling made-to-order Trojan horses to hackers have been shut down, the two cooperating security companies who led the investigation said Wednesday. U.S.-based RSA Security and Spain's Panda Software collaborated in the effort to identify, locate, and shutter five sites. Three were marketing à la carte Trojans for launching targeted identity theft attacks against users of specific financial institutions, while two were sites where the buyers could monitor the infections the malware caused. Once installed on users' PCs, the Trojans would return data to the hackers, including systems' IP addresses and bank or brokerage passwords. 
"The collaboration between RSA Security and Panda Software has been key to rapidly dismantling these dangerous Web sites for creating and selling targeted malware," said Luis Corrons, director of PandaLabs, in a statement. Panda kicked off the investigation after it discovered a new Trojan, dubbed "Briz.a." Clues in Briz.a's code led Corrons' team to the scam; Panda then brought in RSA, which runs an around-the-clock anti-fraud center acquired during its December 2005 purchase of New York City-based Cyota. RSA contacted the ISPs hosting the sites to tell them that they were harboring illegal services. "It is critical to have industry collaboration and knowledge sharing such as Panda and RSA demonstrated in this complex case," said Chris Young, senior vice president of RSA Cyota, in an accompanying statement. From isn at c4i.org Thu Mar 9 01:34:22 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:34:22 -0600 (CST) Subject: [ISN] Internet "cloaking" emerges as new Web security threat Message-ID: http://www.gcn.com/online/vol1_no1/40075-1.html By Wilson P. Dizard III GCN Staff 03/08/06 Terrorist organizations and other national enemies have launched bogus Web sites that mask their covert information or provide misleading information to users they identify as federal employees or agents, according to Lance Cottrell, founder and chief scientist at Anonymizer of San Diego. The criminal and terrorist organizations also increasingly are blocking all traffic from North America or from Internet Protocol addresses that point back to users who rely on the English language, Cottrell told an educational seminar in Washington at the FOSE 2006 trade show's Homeland Security Center yesterday. FOSE is sponsored by PostNewsweek Tech Media, the parent company of Government Computer News. Among the risks of the terrorist cloaking practice are that the organizations can provide bogus passwords to covert meetings. 
By doing so they can pinpoint federal intelligence agents who attend the meetings, making them vulnerable to being kidnapped or becoming the unwitting carriers of false information, Cottrell said. Cloaking is just one means by which hostile intelligence organizations can exploit the ability of IP addresses to reveal the physical location - and frequently the organizational identity - of a user visiting a Web site. Another method Cottrell described was a case in which a hacker group gated its shared site on a browser fingerprint that all of its members matched, such as running the Linux operating system and the Netscape browser, among other factors. When federal investigators using PCs running Windows and Internet Explorer visited the site, the mismatch gave them away and the hackers' system immediately mounted a distributed denial-of-service attack against the federal system. Cottrell said his company had helped humanitarian activists in the former Yugoslav republic of Kosovo shield themselves from attacks by paramilitary goons employed by Serbian strongman Slobodan Milosevic. The Milosevic paramilitaries were using the activists' IP addresses to pinpoint their physical locations and follow up with attacks aimed at preventing the activists' campaigns against specific human rights abuses. "Imagine the kind of damage a mole at Google could do," Cottrell said, noting that Google keeps logs of the Web searches it provides, which provide a comprehensive picture of users' Web traffic patterns. In a similar fashion, Web-savvy intelligence specialists can use IP address data to analyze what types of information a particular federal user is seeking and, by inference, what types of intelligence or counterintelligence operations federal agencies are carrying out. Cottrell described a situation in which Anonymizer employees had worked on a Navy aircraft carrier that allowed sailors to access the Web. 
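The cloaking Cottrell describes needs nothing more than the source address and two request headers, and the same observation gives the analyst a way to test for it. The Python below is an added example written for this archive, not code from Anonymizer or from any site in the article. The server side classifies a visitor by a constructed geolocation table (RFC 5737 documentation prefixes standing in for real ranges), the Accept-Language header and the User-Agent string, then blocks North American traffic, feeds a decoy page to English-preferring or Windows/Internet Explorer visitors, and serves the real page to visitors matching the "peer" fingerprint (Linux plus Netscape, as in the case described). The analyst side fetches the same resource under several visitor profiles and compares the bodies; all addresses, browser strings and page contents are constructed.

```python
"""Visitor 'cloaking' as described in the article, and a vantage-point check for it.

Added example; the IP ranges, country table, browser fingerprints and page
contents are constructed for illustration and are not taken from any real site.
"""
import hashlib
import ipaddress

# Constructed geolocation table (documentation prefixes from RFC 5737).
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "CA",
    ipaddress.ip_network("203.0.113.0/24"): "ZZ",   # stands in for 'somewhere else'
}
NORTH_AMERICA = {"US", "CA"}

# Fingerprint the hacker group in the article required of its own members.
PEER_MARKERS = ("Linux", "Netscape")


def lookup_country(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def prefers_english(accept_language: str) -> bool:
    first = accept_language.split(",")[0].strip().lower()
    return first.startswith("en")


def classify_visitor(ip: str, headers: dict) -> str:
    """Return 'block', 'decoy' or 'real' the way a cloaking server would."""
    ua = headers.get("User-Agent", "")
    lang = headers.get("Accept-Language", "")
    if lookup_country(ip) in NORTH_AMERICA:
        return "block"                       # drop North American traffic outright
    if all(marker in ua for marker in PEER_MARKERS):
        return "real"                        # looks like one of the group's own
    if prefers_english(lang) or ("Windows" in ua and "MSIE" in ua):
        return "decoy"                       # likely investigator: feed false data
    return "real"


PAGES = {
    "block": "",
    "decoy": "<html><body>Meeting password: alpha-7</body></html>",
    "real": "<html><body>Meeting password: delta-2</body></html>",
}


def serve(ip: str, headers: dict) -> str:
    """Minimal request handler standing in for the cloaked site."""
    return PAGES[classify_visitor(ip, headers)]


# Probe profiles an analyst would use. A real check sends these through
# different exit points; here they are fed straight to the handler.
PROBE_PROFILES = {
    "us_windows_ie": ("198.51.100.7", {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Accept-Language": "en-US"}),
    "abroad_windows_ie": ("203.0.113.9", {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Accept-Language": "en-US"}),
    "abroad_linux_netscape": ("203.0.113.9", {
        "User-Agent": "Mozilla/5.0 (X11; U; Linux i686; rv:1.7.2) Gecko/20040804 Netscape/7.2",
        "Accept-Language": "fa-IR,fa;q=0.9"}),
}


def probe(handler, profiles=PROBE_PROFILES) -> dict:
    """Fetch the same resource under each profile; return profile -> body digest."""
    return {name: hashlib.sha256(handler(ip, hdrs).encode()).hexdigest()[:12]
            for name, (ip, hdrs) in profiles.items()}


def is_cloaked(handler, profiles=PROBE_PROFILES) -> bool:
    """More than one distinct body for the same URL means content varies by visitor."""
    return len(set(probe(handler, profiles).values())) > 1


if __name__ == "__main__":
    for name, (ip, hdrs) in PROBE_PROFILES.items():
        print(f"{name:24s} -> {classify_visitor(ip, hdrs)}")
    print("cloaked:", is_cloaked(serve))
```

Two caveats for anyone running this kind of probe for real: ordinary sites also vary content by language and region, so divergent bodies are a lead to be diffed by hand rather than proof of cloaking, and the probe itself is visible to the operator, who will see the same resource requested from several unrelated exit points within seconds unless the fetches are spaced out.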
He noted that by analyzing Web traffic that could be traced back to that ship via the IP addresses of its public browsers, hostile intelligence services could determine the name of the ship, the port it was visiting and other information. Cottrell said his company, which sells technology to prevent the use of IP address information for such purposes, had shielded the identities of the providers of 25,000 tips to the FBI in one recent three-month period. Even as the use of IP address security technology is critical to maintaining Web security, Cottrell noted that the use of firewalls, antivirus software, measures to defeat social engineering and reduce human error are also essential. Anonymizer has received a contract from the Broadcasting Board of Governors, the foreign-policy agency that runs the Voice of America international radio service, to provide technology that the people of Iran can use to circumvent their government's Web censorship program. Anonymizer also soon will launch, at its own expense, a service that will allow the people of China to overcome Beijing's massive program to censor the Web, Cottrell said. From isn at c4i.org Thu Mar 9 01:34:40 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:34:40 -0600 (CST) Subject: [ISN] Hackers get inside province's system Message-ID: http://www.canada.com/vancouversun/news/story.html?id=20b74870-ceb9-4723-a6ee-cf55548e2001&k=21513 Miro Cernetig Vancouver Sun March 08, 2006 VICTORIA -- The RCMP is investigating how hackers cracked the B.C. government's computer network to place unauthorized software and movies on government hard drives, the provincial government disclosed Tuesday. The revelation, the latest in a spate of embarrassing security breaches, came from the New Democratic Party, which raised the issue in the legislature. 
"The opposition has been advised that at least one breach of security that involved a minimum of 78 government computers and access through [the] highest level of passwords and involving several ministries occurred," said NDP house leader Mike Farnworth. He did not name his source. "Apparently, the government found out on the sixth of February of this year that outsiders had been accessing the system for at least two months." Government officials, who are still investigating revelations by The Vancouver Sun that the province auctioned computer data tapes containing confidential records on thousands of British Columbians, initially suggested the NDP was exaggerating a minor breach in which no personal information was stolen. Less than an hour later, however, Labour Minister Michael de Jong released a Feb. 3 "security incident report" that warned government employees that 78 computers across various ministries were "heavily compromised . . . by an intrusion that has loaded 'hacker' programs and movie files onto them." The attack came from a service provider in the Netherlands. The NDP said the intrusion gave the outsiders round-the-clock use of government computers on weekends, and from 5 p.m. to 6 a.m. on weekdays. De Jong said "this wasn't a privacy issue in the sense that somebody was trying to access personal information. "They [the hackers] were trying to make use of the network." The mystery is what for? De Jong did not say what type of material was being deposited onto the government network and skirted answering a question about whether it involved pornography. But experts have found hackers often try to infiltrate networks with large Internet bandwidth and storage capacity such as governments', then set up illegal mirror sites that allow them to distribute and store first-run movies and pornography for free. Hackers then sell passwords to enable people to access the network and the illegal material stored on it. 
It does appear that some government computers have been targeted by computer hackers, NDP researchers said. Their search of Internet sites commonly used by hackers dealing in pirated software, which hackers call warez, found what appears to be at least two government computers listed. It wasn't clear if they are still actively being targeted by hackers. Farnworth said he does not know the extent of the hackers' penetration and has no evidence that people's privacy was compromised. But he is asking Privacy Commissioner David Loukidelis to carry out his own investigation to eliminate any concerns. "If [the allegations are] proven accurate, I further request that you report out on the causes of the breach, the magnitude of the breach and what files were at risk," Farnworth asks the commissioner in a letter. From isn at c4i.org Thu Mar 9 01:32:32 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 9 Mar 2006 00:32:32 -0600 (CST) Subject: [ISN] University nixes Mac hacker contest Message-ID: http://news.com.com/University+nixes+Mac+hacker+contest/2100-7349_3-6047735.html By Joris Evers Staff Writer, CNET News.com March 8, 2006 A Mac OS X hacker challenge apparently got a systems engineer at the University of Wisconsin-Madison into trouble with university administrators. Dave Schroeder on Monday invited hackers to break into a Mac Mini he attached to the university network. The challenge would last until Friday, he announced. The contest was in response to an earlier challenge, which Schroeder criticized as too easy. But the event ended early--Tuesday night. On Wednesday, information emerged that the contest had drawn the scrutiny of the university's chief information officer, Annie Stunden. "The Mac OS X 'challenge' was not an activity authorized by the UW-Madison," Brian Rust, a university spokesman, said in an e-mailed statement. "Once the test came to the attention of our CIO, she ended it...Our primary concern is for security and network access for UW services." 
The same statement also appeared on Schroeder's challenge Web site Wednesday afternoon. "Dave was well-meaning, but he did the test pretty much on his own," Rust said in a phone interview. Universities are often the target of cyberattacks. The academic institutions face the challenge of balancing the need to share information on large networks with the need to secure data. The Mac OS X contest ended without a negative impact on the University of Wisconsin-Madison's network, Rust said. "We were able to handle the traffic, and there were no compromises to university systems," he said. The university apologized for any inconvenience its action caused to the Mac community. The university is distancing itself from the challenge. "If Dave wants to continue this test, he has to do that privately, not using university systems," Rust said. Schroeder had said he wants to publish some details on the attempts that were made to hack his Mac. The computer was connected to the Net for more than 30 hours, apparently without being compromised. In the earlier challenge, an anonymous hacker claimed he was able to compromise OS X within 30 minutes using an undisclosed vulnerability. However, attackers in that case had been given user-level access to the system rather than being shut out completely. These hacker challenges came after weeks of scrutiny of the safety of OS X, prompted by the discovery of two worms, and the disclosure of a serious vulnerability. Security experts are also questioning the effectiveness of Apple's latest patch. From isn at c4i.org Fri Mar 10 01:17:39 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 10 Mar 2006 00:17:39 -0600 (CST) Subject: [ISN] Apple: Finding the Root of the Problem Message-ID: http://www.businessweek.com/print/technology/content/mar2006/tc20060308_032391.htm By Arik Hesseldahl Byte of the Apple MARCH 8, 2006 To maintain public confidence in its operating system, Jobs & Co. should consider hiring a security czar. 
The second potentially major Mac security incident in as many weeks has thankfully been debunked. Earlier this week I wrote a blog entry about a Mac Mini owner in Sweden who configured his machine as a server and challenged hackers to gain access to it. The Mini was -- as hackers like to say -- "owned" only 30 minutes after the challenge started. By "owned," I mean rooted. An outside attacker, through a remote Internet connection, was able to get "root" access -- the highest and most powerful level of administrative access on a Unix-based computer (which Macs running OS X happen to be). Root access gives the bearer free rein on a machine, no questions asked. Files can be altered or deleted. Accounts assigned to other users can be changed or deleted altogether. The potential for misuse of the privilege has caused Apple to ship its machines with the root account disabled by default; administrator users obtain root privileges on demand through sudo, and the account itself can be re-enabled only through a series of technical contortions understood by advanced users. Even so, the Swedish attacker said he succeeded with an "unpublished" exploit -- a method that hasn't been publicly documented. If your Mac is connected to the Internet all day, as mine is, you can see the fright such news might generate. It's like knowing a criminal gang has a master key to your home and thousands of others, and that the only defense you really have so far is that they haven't found you yet. BIASED STUDY. That is, if it were true. It turns out the original reports weren't forthcoming with all the facts. The person who "rooted" the Mac already had a user name and password, as if he were a regular day-to-day user. In fact, having an account on this Mac was a prerequisite to taking part in the challenge. From there, the person used some method -- most likely having to do with weaknesses in the Unix underpinnings of the Mac operating system -- to gain escalated access. 
These kinds of "privilege escalation" vulnerabilities have cropped up on the Mac over the years and have a long history in the BSD family of Unix systems from which Mac OS X's FreeBSD-derived userland descends. But remember, you can't take advantage of this type of vulnerability unless you already have access to the machine -- which implies having been given permission for that access in the first place, or having first gained a foothold through some other flaw, which is how such bugs are chained in real attacks. The pseudo break-in and misleading reports didn't sit well with Dave Schroeder, a network systems engineer and Mac enthusiast at the University of Wisconsin in Madison. He's been outspoken on the issue of Mac security, portraying recent reports as overblown. So he set up his own challenge, inviting the world to hack a Web page -- the very page he used to tell the world about the challenge -- running on a Mac Mini he set up as a Web server. His challenge mirrored the one in Sweden, with one critical difference: No one would have an account on the machine. They'd be locked out and therefore would have to break in. His aim was to demonstrate the flaws in the Swedish test, and provide a more realistic test of Mac security. The tech news site Slashdot picked up news of the challenge and quickly spread the word. A NEW CHALLENGE. Attacks on the machine surged. It recorded more than 4,000 login attempts, and Web traffic to it spiked to 30 megabits per second. Half a million people visited the Web site (http://test.doit.wisc.edu/). That little Mac Mini was one busy server, but it remained online. Most of the network traffic conveyed attempts to break in: Web exploits seeking a wedge into the machine via the public page; dictionary attacks, which make repeated guesses at passwords at high speed; and a scanning tool known as Nessus, software that scans for known vulnerabilities. The machine even came under what's known as a denial of service attack, in which an attacker hammers a machine with thousands of requests for information in an attempt to overwhelm the server and take it offline. 
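Two of the incidents in this batch describe the same detection problem from opposite ends: the B.C. government report above says outsiders used the network on weekends and from 5 p.m. to 6 a.m. on weekdays, apparently with the highest level of passwords, and Hesseldahl lists dictionary attacks among the thousands of login attempts against Schroeder's Mac Mini. The Python below is an added example for this archive, not code from either incident, from Schroeder or from any vendor mentioned here. It parses constructed sshd log lines in the format OpenSSH writes through syslog, flags sources that make a burst of failed logins within a sliding window, reports any successful login from a flagged source (the case that turns a nuisance into an intrusion), and separately lists successful logins that fall in the after-hours window the NDP described. The hostnames, addresses, usernames and timestamps are constructed.

```python
"""sshd log triage: dictionary-attack bursts, success-after-burst, off-hours logins.

Added example; SAMPLE_LOG is constructed in the syslog format OpenSSH uses,
not taken from the Mac Mini challenge or the B.C. government incident.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: a six-guess burst from 203.0.113.5, then a login from the
# same address; a normal daytime login; and a late-night login from elsewhere.
SAMPLE_LOG = """\
Mar  7 22:14:01 macmini sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  7 22:14:03 macmini sshd[813]: Failed password for invalid user test from 203.0.113.5 port 51235 ssh2
Mar  7 22:14:04 macmini sshd[814]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  7 22:14:06 macmini sshd[815]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2
Mar  7 22:14:07 macmini sshd[816]: Failed password for invalid user guest from 203.0.113.5 port 51238 ssh2
Mar  7 22:14:09 macmini sshd[817]: Failed password for dave from 203.0.113.5 port 51239 ssh2
Mar  7 22:20:41 macmini sshd[830]: Accepted password for dave from 203.0.113.5 port 51400 ssh2
Mar  8 09:02:15 macmini sshd[901]: Failed password for dave from 198.51.100.20 port 40010 ssh2
Mar  8 09:02:30 macmini sshd[902]: Accepted publickey for dave from 198.51.100.20 port 40011 ssh2
Mar  8 23:40:00 macmini sshd[950]: Accepted password for dave from 192.0.2.77 port 33000 ssh2
"""


def parse(lines, year=2006):
    """Return (timestamp, result, user, ip) tuples; syslog lines carry no year."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())          # collapse 'Mar  7' to 'Mar 7'
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def dictionary_attack_sources(events, threshold=5, window_s=60):
    """Sources with at least `threshold` failures inside any `window_s` window.

    Returns {ip: largest burst seen}. Sliding window over sorted timestamps."""
    failures = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), size)
    return flagged


def successes_after_burst(events, flagged):
    """Accepted logins from a source that was already guessing: investigate first."""
    return [(ts, user, ip) for ts, result, user, ip in events
            if result == "Accepted" and ip in flagged]


def off_hours_logins(events, start_hour=17, end_hour=6):
    """Accepted logins on weekends or between start_hour and end_hour on weekdays."""
    return [(ts, user, ip) for ts, result, user, ip in events
            if result == "Accepted"
            and (ts.weekday() >= 5 or ts.hour >= start_hour or ts.hour < end_hour)]


def analyze(lines):
    """One-call summary over raw log lines."""
    events = parse(lines)
    flagged = dictionary_attack_sources(events)
    return {
        "bruteforce": flagged,
        "success_after_burst": successes_after_burst(events, flagged),
        "off_hours": off_hours_logins(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately low so the constructed sample trips them; on a real host tune them to the baseline, and treat the success-after-burst list as the one that needs a human within the hour. The off-hours list on its own is only a prompt to confirm with the account owner, which is exactly the check the B.C. report implies nobody made for two months.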
For 38 hours, nothing worked. The Mac Mini held its ground against the worst that the multitudes could throw against it. The contest ended earlier than originally planned and even appears to have gotten Schroeder in trouble with his employer, since it wasn't sanctioned by the university. I'm hearing he may face some kind of disciplinary action. The University of Wisconsin apparently isn't interested in such a real-world ad-hoc test, no matter how successful and harmless it proved to be. Schroeder wasn't available for comment. This illustrates changing perceptions about Mac security. The Mac is increasingly on the radar screen of people who have long ignored it and who, for whatever reason, want to find the chinks in as-yet virtually impregnable armor. And while it may indeed be a more secure system than anything put out by Microsoft (MSFT ) and its many hardware partners including Dell (DELL ), Hewlett-Packard (HPQ ), Gateway (GTW ) and others, the level of attention can only increase. Hackers love nothing more than a difficult challenge -- which Windows ceased to be a long time ago. SOWING FEAR And as Apple Computer (AAPL) gains attention for its innovation, superior software and so far relatively airtight security, people in the media -- including myself -- will be watching with interest and not a small amount of anxiety for the moment when the first really nasty and widespread Mac security vulnerability shows up. Until that happens, even little hiccups are going to trigger an avalanche of negative publicity. Uninformed media sources will do what they do best -- sow fear, uncertainty, and doubt. And the first time a really big Mac security incident occurs it will cause some people who are considering a Mac over a cheaper Windows-based system to change their minds. Vulnerabilities in Windows are so common they don't really make the news anymore. But a large-scale, widespread incident on the Mac could badly wound Apple's reputation. LOCK DOWN. 
It's for this reason that I think the time has come for Apple to consider doing what many other companies like IBM (IBM ) and Oracle (ORCL) have: create a position of chief security officer. This person would be a well-known computer security expert, ideally from outside Apple, who would wave the flag for all things related to Mac security, debunking myths, correcting the record, and providing a public face when issues crop up. And when something does go wrong -- and I think eventually something will -- he or she would be Apple's ombuds officer evaluating what failed, where, when and how, and then take responsibility for seeing that it's fixed, reporting on the matter to CEO Steve Jobs, Apple's board of directors, and (where appropriate) its shareholders and customers. I talked briefly with Apple's Bud Tribble, vice-president of software technology. He called my idea a "good suggestion" but said the company would be reluctant to assign security issues to any single individual, and that the responsibility of a CSO instead tends to rest with everyone. "For pretty much all the senior people at Apple, security is one of the top jobs on their list," he says. "When we think about security and how we design software, the basic approach is to make it as secure as possible, because most people really aren't security experts. We try to make sure things are pretty well locked down out of the box." CONFIDENCE BUILDER. While the Mac's Unix underpinnings suffer from the occasional vulnerability, they still present a security advantage, Tribble says. "Unix is sort of a kid that grew up in a tough neighborhood," he says. That neighborhood was a networked environment where people were constantly trying to figure out tricks to log into the system. So over the decades, lots of holes have been plugged. You can't say that about Windows. And I admit, creating a CSO position may be viewed by some as an admission of weakness. 
Still, I say it would be a good way for Apple to inoculate itself against the perception -- warranted or not -- that Mac security may be eroding, and get ahead of the curve for any troubles that may be inevitable. That may not be the case, but in matters related to product marketing, it's the public perception, not the reality that really matters. And once you've lost a user's confidence, it's hard to get it back. Just ask Microsoft.

From isn at c4i.org Fri Mar 10 01:18:13 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Mar 2006 00:18:13 -0600 (CST)
Subject: [ISN] Former White House staffer named to head DHS policy committee
Message-ID:

http://www.govexec.com/dailyfed/0306/030706nj1.htm

By Shane Harris
National Journal
March 7, 2006

The Bush administration has been excoriated for appointing politically well-connected but professionally inexperienced people to important positions at the Homeland Security Department. A recent appointment may do little to quiet those complaints: The department announced that a 28-year-old former White House staffer is heading a policy committee that gathers expert advice -- on behalf of the president and the Homeland Security secretary -- on key areas of homeland security, including threats to infrastructure and preventing terrorist attacks that use weapons of mass destruction.

Douglas L. Hoelscher is the new executive director of the Homeland Security Advisory Committees and the "primary representative" of department Secretary Michael Chertoff in dealing with more than 20 advisory boards. Among them is the Homeland Security Advisory Council, which includes such high-powered figures as Gov. Mitt Romney of Massachusetts, former Lockheed Chairman Norman Augustine, and former Defense and Energy Secretary James Schlesinger.

Hoelscher has no management experience, a review of his professional credentials shows. He came to government in 2001 as a low-level White House staffer, arranging presidential travel, according to news reports. He earned $30,000 a year, salary documents show.

A department statement said that Hoelscher will provide "strategic counsel" to Chertoff and represent him before the committees. In so doing, Hoelscher will be contending with formidable voices in U.S. policy-making from the private sector, state and local government, and academia. Members of the boards are "titans in their fields," said Daniel Ostergaard, Hoelscher's predecessor. At 34, Ostergaard is young, too, but he is a former Coast Guard officer with two master's degrees, one of them from Harvard University's Kennedy School of Government.

One group that Hoelscher will be coordinating with is the National Security Telecommunications Advisory Committee, which includes top executives from BellSouth, Boeing, and Microsoft.

"The administration has named a qualified and talented professional to cultivate these partnerships," Stewart A. Baker, Homeland Security's assistant secretary for policy, said in a statement. "Doug will ... increase overall coordination between department leadership and our homeland-security partners."

Homeland Security is reeling from a congressional report on its botched Hurricane Katrina response, which found poor coordination between the White House, the department, and the private sector.

Hoelscher declined to be interviewed for this article; a Homeland Security spokeswoman said that he was on jury duty. But in a personal profile that Hoelscher created for the Web site Friendster.com, he offered some personal insights. He listed William Bennett's The Death of Outrage: Bill Clinton and the Assault on American Ideals among his favorite books and wrote, "I'm usually fairly quiet in a group setting -- I am not a talker but a pretty good listener."

Hoelscher launched his political career after graduating from the University of Iowa in 1999. During the 2000 campaign, he worked for Wisconsin's Republican Party, campaign finance records show. In 2001, he was a political coordinator in the White House Office of Political Affairs, which was run by Ken Mehlman, who was Bush's Midwest regional political director in the 2000 campaign and is now the Republican National Committee chairman. (Mehlman didn't respond to an interview request.) In 2004, Hoelscher worked for the RNC.

The following year he became Homeland Security's White House liaison, "obtaining information from the department," said Joanna Gonzalez, a department spokeswoman. During Katrina, he helped deploy volunteers from the department to the Gulf Coast, she said. The congressional report on Katrina noted that some of those employees had trouble making it to the region because of departmental miscommunications. Hoelscher also "made sure [that department political appointees] were all placed in the office where they were happiest and ... fit best," Gonzalez said.

Controversial political appointments at the department include Michael Brown, the former FEMA director, who was a longtime friend of Bush's 2000 campaign director, Joe Allbaugh; Julie Myers, who's married to Chertoff's chief of staff and heads the Immigration and Customs Enforcement Bureau despite lacking law enforcement credentials; and Eduardo Aguirre Jr., a career Texas banker with Bush family ties, who was director of U.S. Citizenship and Immigration Services.

One congressional staffer defended the appointment, noting that high turnover plagues the department and that Hoelscher has performed well. "He has been very proactive" in notifying Hill staffers of political appointments, the staffer said. Acknowledging Hoelscher's youth and limited experience, the staffer said that he wouldn't be left on his own: "There's plenty of adult supervision" at the department.
From isn at c4i.org Fri Mar 10 01:18:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Mar 2006 00:18:56 -0600 (CST)
Subject: [ISN] Shadowboxing With a Bot Herder
Message-ID:

http://blog.washingtonpost.com/securityfix/2006/03/post.html

By Brian Krebs
March 9, 2006

Security Fix had an interesting online conversation Tuesday night with a hacker who controls a vast, distributed network of hacked Microsoft Windows computers, also known as a "botnet." I went into the interview knowing very little about this individual, other than his online alter ego, "Witlog," and that he has infected close to 30,000 Windows PCs with his computer worm, which he claims is powered by code that he downloaded from a Web site, modified slightly, and set loose on the 'Net.

I came away from the interview no more knowledgeable about his background, age, location or motivation, but perhaps with a stark reminder of how just a little bit of knowledge can be such a dangerous thing.

Witlog claims he doesn't use his botnet for illegal purposes, only "for fun." I found that claim pretty hard to believe given a) the income he could make installing ad-serving software on each computer under his control, combined with b) the risk he is taking of getting caught breaking into so many computers. The kid I wrote about in the Post magazine story on the connection between botnets and spyware was making $6,000 to $10,000 per month installing adware on a botnet half the size of the one Witlog claims to have.

I was introduced to Witlog through several security experts who are part of the Shadowserver.org crew, a group of talented volunteers who dedicate a great deal of their free time and energy toward making life more difficult for bot herders like Witlog.

Shadowserver has been cataloging Witlog's every move for the past two months or so, and shared with me records showing Witlog seeding his botnet with adware from DollarRevenue.net, which pays distributors $0.30 for each install of their pop-up ad-serving software on a computer in the United States; distributors can earn $0.20 per install for Canadian PCs, and ten cents per install for computers based in the United Kingdom. Installs on PCs in other countries net the distributor two cents or less.

Witlog admitted to me that he made at least $400 by installing adware on his bots and conducting a petty distributed-denial-of-service attack against a couple of Web sites that knocked them offline for a while. For all I know, that could be the extent of it. He also admitted that he lets his buddies use his botnet for their own purposes, which he claims not to know much about.

But what blew me away was how he created the botnet, which is powered by a worm that spreads only through known network security holes in Microsoft Windows and which requires no action on the part of the victim other than the failure to apply security patches and (maybe) use a simple firewall. Had he decided to spread his worm through more conventional means -- via Web links sent in instant messages or as attachments in e-mail -- his botnet could probably have grown to twice its current size.

In this snippet of our conversation, I asked Witlog how and why he got his botnet started:

Witlog: why i did it? i've read an article on yahoo or smth like this
Witlog: so when i've read that article, i thought "why not to make my own"?
SecurityFix: so did you just download the source from some site and set it loose?
Witlog: yes
Witlog: changed settings, and started it
Witlog: thats all
Witlog: anyone could do that
Witlog: you don't have to know many things to do a botnet like this

Over the past month and a half, Witlog used freely available source code for SDBot and built his botnet to 45,000 PCs. That is, until botnet hunters like Shadowserver and others put enough pressure on Witlog's Internet service provider to shutter Witlog.com, the domain name he was using to control his bot herd. That was only a temporary setback for Witlog, however, who simply registered a new bot control channel at Witlog.net. So far his network is back up to about 65 percent of its original size and growing by several thousand newly infected machines per day. But again, Witlog says it's not about size, it's all about the fun of it.

For guys like Witlog, building botnets can be akin to a kind of digital hide and seek. On Monday, he began using a new version of the code that runs his botnet (this is the sixth iteration). Less than 24 hours after he released it, the bot code was only detected as malicious by two out of more than a dozen or so of the major anti-virus scanners employed by the free virus-testing service over at VirusTotal.com. Two other anti-virus engines flagged it as "suspicious," but could not tell whether the file was overtly hostile.

Witlog may in fact be the product of a new generation of "script kiddiez"; the chief distinguishing feature of this generation being that instead of using Web site flaws to deface as many Web sites as possible, these guys are breaking into thousands of home and work PCs and taking them for a virtual joyride, often times all the way to the bank.

And it's not just hacked home PCs we're talking about either. According to stats released this week by computer security giant Symantec Corp., the most common computer operating system found in botnets is Microsoft's Windows 2000, an OS predominantly used in business environments. Indeed, the vast majority of bots in Witlog's network were Win2K machines, and among the bots I saw were at least 40 computers owned by the Texas state government, as well as several systems on foreign government networks. At least one machine that he showed me from his botnet was located inside of a major U.S. defense contractor.

From isn at c4i.org Fri Mar 10 01:19:09 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Mar 2006 00:19:09 -0600 (CST)
Subject: [ISN] Porn Biller Says It Was Framed
Message-ID:

http://www.wired.com/news/technology/0,70380-0.html

By Quinn Norton
Mar, 09, 2006

Online payment company iBill on Thursday said a massive cache of stolen consumer data uncovered by security experts did not come from its database.

"I'm the first person that would have taken this to the FBI and the first person to have gone on 60 Minutes to say 'we screwed up,' if that were the case," said iBill President Gary Spaniak Jr.

Two caches of stolen data were discovered separately by two security companies while conducting routine research into malicious software online. Both had file names that purportedly linked them to iBill.

Southern California-based Secure Science Corporation found the first data file containing records on 17 million individuals on a private website set up by scammers. The site was part of a so-called "phishing" scheme, in which a spamming fraudster poses as a bank or online retailer in an attempt to con consumers out of identification and financial information. Secure Science found that data in February 2005, and reported it to the FBI's Miami field office, the company says.

An additional list of slightly over 1 million individual entries was uncovered on a spamming website by Sunbelt Software last month, where it was labeled Ibill_1m.txt. That list appeared to date from 2003.

The databases, examined by Wired News, include names, phone numbers, addresses, e-mail addresses and internet IP addresses of customers making online purchases. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included.
But Spaniak says iBill cross-referenced the 17 million transaction database against its own on Wednesday, and that only three e-mail addresses matched between the two. Additionally, some entries in the stolen databases were identified as purchases on Diner's Club cards, which iBill says it has never accepted in its nine-year history. Spaniak says iBill recently passed a security audit that found its databases well secured.

SunBelt Software couldn't immediately be reached for comment Thursday. But Secure Science's Lance James backed away from his conclusion that iBill, which processes most of its transactions on behalf of adult services, was the source of the leak. He says pornography transaction databases may be considered especially desirable to spammers, and that a criminal may have deliberately mislabeled a database taken from another source.

"This might be part of a new hacker establishing their reputation," says James. "They could say, 'I hacked iBill.'"

Wired News found that entries from the smaller cache of one million consumers are listed as mortgage leads on a spammer community site, specialham.com. A Google search turns up scores of offers on specialham.com for purported iBill databases, one of them advertising "20mill ibill list w/Full data from 2003" for $300. But in one message, a spammer slams an underground vendor for selling him a fake iBill list. Other offers on the site purport to sell data from competing internet billing firm CCBill, which says that it isn't aware of having been breached either.

Spaniak has his own theory on why a data thief might falsely link a database to iBill. He believes it's an outgrowth of animosity in the adult website community dating from the time when the trouble-plagued company was forced to suspend payments to its webmaster customers. He says as long as iBill stays in business, it will try to repay those webmasters. "Over $20 million has been paid back, we have plans for paying back another $18 million."

James says the actual source of the stolen data remains a mystery. An FBI spokeswoman says the bureau wouldn't investigate the breach unless the source of the leak comes forward to make a complaint.

From isn at c4i.org Fri Mar 10 01:17:57 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Mar 2006 00:17:57 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-10
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-03-02 - 2006-03-09

This week: 82 advisories

========================================================================

Table of Contents:

1) Word From Secunia
2) This Week In Brief
3) This Week's Top Ten Most Read Advisories
4) Vulnerabilities Summary Listing
5) Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Apple has released the first security update for 2006, which fixes multiple vulnerabilities.
Among the fixes is also a partial patch for the "Extremely Critical" vulnerability, which was released on the 21st of February 2006.

You can test whether or not your system is affected by this vulnerability here:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

For additional details about the other vulnerabilities fixed, please refer to the referenced Secunia advisories below.

References:
http://secunia.com/SA19064
http://secunia.com/SA18963

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA18963] Mac OS X File Association Meta Data Shell Script Execution
2. [SA19064] Mac OS X Security Update Fixes Multiple Vulnerabilities
3. [SA19083] Linux Kernel Local Denial of Service Vulnerabilities
4. [SA19105] Joomla! Multiple Vulnerabilities
5. [SA19107] PHP Upload Center File Extensions Script Upload Vulnerability
6. [SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
7. [SA19108] Fedora update for kernel
8. [SA19087] Avaya CMS / IR Multiple Vulnerabilities
9. [SA19073] Sun Solaris Multiple Apache Vulnerabilities
10. [SA19040] SecureCRT / SecureFX Potential Buffer Overflow Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA19119] RevilloC MailServer USER Command Buffer Overflow
[SA19111] Sauerbraten Engine Multiple Vulnerabilities
[SA19110] Cube Engine Buffer Overflow and Denial of Service
[SA19079] Liero Xtreme Format String and Denial of Service Vulnerabilities
[SA19157] Cilem Haber "haber_id" SQL Injection Vulnerability
[SA19156] manas tungare Site Membership Script Cross-Site Scripting and SQL Injection
[SA19112] Akarru Social BookMarking Engine SQL Injection Vulnerability
[SA19103] Total Ecommerce "id" Parameter SQL Injection Vulnerability
[SA19081] Microsoft Visual Studio ".dbp" File Handling Buffer Overflow
[SA19163] Novell BorderManager Proxy Potential Denial of Service
[SA19097] EMC Retrospect Client Denial of Service Vulnerability
[SA19171] Symantec Ghost Multiple Vulnerabilities
[SA19140] IM Lock 2006 Insecure Registry Permissions
[SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
[SA19082] NCP Secure Entry Client Two Vulnerabilities

UNIX/Linux:
[SA19130] SUSE Updates for Multiple Packages
[SA19174] HP Tru64 UNIX IPSEC/ISAKMP Processing Denial of Service
[SA19167] Red Hat update for mailman
[SA19161] Red Hat update for squid
[SA19152] Debian update for tar
[SA19148] Gentoo update for zoo
[SA19136] Lurker Multiple Vulnerabilities
[SA19134] Tenes Empanadas Graciela Denial of Service Vulnerability
[SA19133] Monopd String Parsing Denial of Service Vulnerability
[SA19126] Ubuntu update for flex / gpc
[SA19125] Gentoo update for teTeX / pTeX / CSTeX
[SA19123] Gentoo update for wordpress
[SA19114] Gentoo update for mplayer
[SA19113] Gentoo update for up-imapproxy
[SA19093] Red Hat update for tar
[SA19092] Debian update for libtasn1-2
[SA19091] Debian update for xpdf
[SA19086] Avaya PDS HP-UX TCP/IP "Rose Attack" Denial of Service
[SA19080] Debian update for gnutls11
[SA19158] Red Hat update for spamassassin
[SA19131] Fedora update for squirrelmail
[SA19094] GNOME Evolution Email Handling Denial of Service
[SA19090] Ubuntu irssi DCC ACCEPT Parameter Handling Denial of Service
[SA19162] Red Hat update for initscripts
[SA19160] Red Hat update for kernel
[SA19087] Avaya CMS / IR Multiple Vulnerabilities
[SA19159] Red Hat update for openssh
[SA19128] Sun Solaris "/proc" Denial of Service Vulnerability
[SA19108] Fedora update for kernel
[SA19083] Linux Kernel Local Denial of Service Vulnerabilities
[SA19078] Linux Kernel "die_if_kernel()" Potential Denial of Service

Other:
[SA19146] Xerox CopyCentre / WorkCentre Pro Multiple Denial of Service Vulnerabilities
[SA19137] nCipher Products Multiple Vulnerabilities

Cross Platform:
[SA19154] Link Bank PHP Code Injection and Cross-Site Scripting
[SA19142] Owl Intranet Engine "xrms_file_root" File Inclusion Vulnerability
[SA19121] m-phorum "go" File Inclusion Vulnerability
[SA19116] Php-Stats Multiple Vulnerabilities and Security Issue
[SA19107] PHP Upload Center File Extensions Script Upload Vulnerability
[SA19106] LISTSERV WA CGI Script Buffer Overflow Vulnerabilities
[SA19172] Loudblog Multiple Vulnerabilities
[SA19151] sBlog Multiple Vulnerabilities
[SA19147] bMail GBK Charsets SQL Injection Vulnerability
[SA19144] Alien Arena 2006 Gold Edition Multiple Vulnerabilities
[SA19141] Invision Power Board Cross-Site Scripting and SQL Injection Vulnerabilities
[SA19135] Cyboards PHP Lite "parent" SQL Injection Vulnerability
[SA19132] IPB D2-Shoutbox Module "load" SQL Injection
[SA19127] phpBannerExchange "email" Directory Traversal
[SA19120] Freeciv Packet Parsing Denial of Service Vulnerability
[SA19117] NMDeluxe Script Insertion and SQL Injection
[SA19115] Daverave Simplog File Inclusion Vulnerability
[SA19109] Wordpress "User-Agent" Header SQL Injection Vulnerability
[SA19104] Gallery Script Insertion and Session Handling Vulnerabilities
[SA19102] Gregarius SQL Injection and Cross-Site Scripting Vulnerabilities
[SA19101] bitweaver "title" Script Insertion Vulnerability
[SA19100] vBulletin User Email Address Script Insertion Vulnerability
[SA19096] Aztek Forum Message Body Script Insertion Vulnerability
[SA19089] PluggedOut Nexus forgotten_password.php SQL Injection
[SA19088] NZ Ecommerce Cross-Site Scripting and SQL Injection
[SA19084] VUBB "pass" SQL Injection Vulnerability
[SA19155] HitHost Cross-Site Scripting and Directory Deletion
[SA19143] Game-Panel "message" Cross-Site Scripting Vulnerability
[SA19124] phpArcadeScript Cross-Site Scripting Vulnerabilities
[SA19105] Joomla! Multiple Vulnerabilities
[SA19099] DVGuestbookV2.0 "page" Cross-Site Scripting Vulnerability
[SA19098] DVguestbook "dv_gbook.php" Cross-Site Scripting Vulnerability
[SA19085] SAP Web Application Server URL Handling Vulnerability
[SA19095] Oreka RTP Handling Denial of Service Vulnerability

========================================================================

5) Vulnerabilities Content Listing

Windows:

--
[SA19119] RevilloC MailServer USER Command Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-03-08

securma massine has discovered a vulnerability in RevilloC MailServer, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19119/

--
[SA19111] Sauerbraten Engine Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-07

Luigi Auriemma has reported some vulnerabilities in Sauerbraten Engine, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19111/

--
[SA19110] Cube Engine Buffer Overflow and Denial of Service
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-07

Luigi Auriemma has reported some vulnerabilities in Cube Engine, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19110/

--
[SA19079] Liero Xtreme Format String and Denial of Service Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-08

Luigi Auriemma has reported two vulnerabilities in Liero Xtreme, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/19079/

--
[SA19157] Cilem Haber "haber_id" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-08

Mustafa Can Bjorn has discovered a vulnerability in Cilem Haber, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19157/

--
[SA19156] manas tungare Site Membership Script Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-08

Syst3m_f4ult has discovered two vulnerabilities in manas tungare Site Membership Script, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19156/

--
[SA19112] Akarru Social BookMarking Engine SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-06

A vulnerability has been reported in Akarru Social BookMarking Engine, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19112/

--
[SA19103] Total Ecommerce "id" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-06

Mustafa Can Bjorn has reported a vulnerability in Total Ecommerce, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19103/

--
[SA19081] Microsoft Visual Studio ".dbp" File Handling Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-03-07

ATmaCA has reported a vulnerability in Microsoft Visual Studio, which can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19081/

--
[SA19163] Novell BorderManager Proxy Potential Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-03-08

A vulnerability has been reported in BorderManager, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19163/

--
[SA19097] EMC Retrospect Client Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-03-03

A vulnerability has been reported in EMC Retrospect Client for Windows, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19097/

--
[SA19171] Symantec Ghost Multiple Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Manipulation of data, Exposure of sensitive information, Privilege escalation
Released: 2006-03-08

Three vulnerabilities have been reported in Symantec Ghost, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information, modify certain data, and potentially gain escalated privileges.

Full Advisory: http://secunia.com/advisories/19171/

--
[SA19140] IM Lock 2006 Insecure Registry Permissions
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-03-07

fRoGGz has discovered a vulnerability in IM Lock 2006, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.

Full Advisory: http://secunia.com/advisories/19140/

--
[SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-03-06

RedXII1234 has discovered a security issue in AVG Anti-Virus, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/19118/

--
[SA19082] NCP Secure Entry Client Two Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-03-02

Ramon 'ports' Kukla has reported two vulnerabilities in NCP Secure Entry Client, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/19082/

UNIX/Linux:

--
[SA19130] SUSE Updates for Multiple Packages
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, DoS, System access
Released: 2006-03-06

SUSE has issued an update for multiple packages. This fixes some vulnerabilities, which can be exploited by malicious users to manipulate certain information and by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), bypass certain security restrictions, to cause files to be extracted to arbitrary locations on a user's system, to trick users into visiting a malicious website by obfuscating URLs displayed in the status bar, and to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19130/

--
[SA19174] HP Tru64 UNIX IPSEC/ISAKMP Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-08

HP has acknowledged a vulnerability in HP Tru64 UNIX, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19174/

--
[SA19167] Red Hat update for mailman
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-08

Red Hat has issued an update for mailman. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19167/

--
[SA19161] Red Hat update for squid
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-08

Red Hat has issued an update for squid. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19161/

--
[SA19152] Debian update for tar
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-08

Debian has issued an update for tar. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19152/

--
[SA19148] Gentoo update for zoo
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-07

Gentoo has issued an update for zoo. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19148/

--
[SA19136] Lurker Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, Cross Site Scripting
Released: 2006-03-06

Some vulnerabilities have been reported in Lurker, which can be exploited by malicious people to conduct cross-site scripting attacks, and disclose and manipulate sensitive information.

Full Advisory: http://secunia.com/advisories/19136/

--
[SA19134] Tenes Empanadas Graciela Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-06

Luigi Auriemma has reported a vulnerability in Tenes Empanadas Graciela (TEG), which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19134/

--
[SA19133] Monopd String Parsing Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-06

Luigi Auriemma has reported a vulnerability in Monopd, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19133/

--
[SA19126] Ubuntu update for flex / gpc
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-03-07

Ubuntu has issued an update for flex / gpc. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19126/

--
[SA19125] Gentoo update for teTeX / pTeX / CSTeX
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-06

Gentoo has issued updates for teTeX, pTeX, and CSTeX. These fix a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory: http://secunia.com/advisories/19125/

--
[SA19123] Gentoo update for wordpress
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-06

Gentoo has issued an update for wordpress. This fixes a vulnerability, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19123/

--
[SA19114] Gentoo update for mplayer
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-06

Gentoo has issued an update for mplayer. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory: http://secunia.com/advisories/19114/

--
[SA19113] Gentoo update for up-imapproxy
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-03-06

Gentoo has issued an update for up-imapproxy. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19113/

--
[SA19093] Red Hat update for tar
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-03-02

Red Hat has issued an update for tar. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory: http://secunia.com/advisories/19093/

--
[SA19092] Debian update for libtasn1-2
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-06

Debian has issued an update for libtasn1-2. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19092/

--
[SA19091] Debian update for xpdf
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-03-02

Full Advisory: http://secunia.com/advisories/19091/

--
[SA19086] Avaya PDS HP-UX TCP/IP "Rose Attack" Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-08

Avaya has acknowledged a vulnerability in Avaya Predictive Dialing System (PDS), which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19086/

--
[SA19080] Debian update for gnutls11
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-03-06

Debian has issued an update for gnutls11. This fixes some vulnerabilities, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19080/

--
[SA19158] Red Hat update for spamassassin
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-03-08

Red Hat has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19158/

--
[SA19131] Fedora update for squirrelmail
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-03-06

Fedora has issued an update for squirrelmail. This fixes multiple vulnerabilities, which can be exploited by malicious users to manipulate certain information and by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19131/

--
[SA19094] GNOME Evolution Email Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-03-02

Alan Cox has discovered a vulnerability in Evolution, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19094/

--
[SA19090] Ubuntu irssi DCC ACCEPT Parameter Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-03-02

Scott Sinclair has reported a vulnerability in irssi, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19090/

--
[SA19162] Red Hat update for initscripts
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-03-08

Red Hat has issued an update for initscripts. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/19162/

--
[SA19160] Red Hat update for kernel
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-03-08

Red Hat has issued an update for the kernel. This fixes a vulnerability, which can be exploited by malicious, local users to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/19160/

--
[SA19087] Avaya CMS / IR Multiple Vulnerabilities
Critical: Less critical
Where: Local system
Impact: Security Bypass, Privilege escalation
Released: 2006-03-04

Avaya has acknowledged some vulnerabilities in CMS and IR, which can be exploited by malicious, local users to gain escalated privileges and to bypass certain security restrictions.

Full Advisory: http://secunia.com/advisories/19087/

--
[SA19159] Red Hat update for openssh
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2006-03-08

Red Hat has issued an update for openssh. This fixes a weakness, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory: http://secunia.com/advisories/19159/

--
[SA19128] Sun Solaris "/proc" Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-03-06

A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19128/

--
[SA19108] Fedora update for kernel
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-03-03

Fedora has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19108/

--
[SA19083] Linux Kernel Local Denial of Service Vulnerabilities
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-03-02

Some vulnerabilities have been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19083/

--
[SA19078] Linux Kernel "die_if_kernel()" Potential Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-03-07

A vulnerability has been reported in the Linux kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/19078/

Other:

--
[SA19146] Xerox CopyCentre / WorkCentre Pro Multiple Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, DoS
Released: 2006-03-08

Some vulnerabilities have been reported in Xerox CopyCentre and Xerox WorkCentre Pro, where one has an unknown impact, and others can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19146/ -- [SA19137] nCipher Products Multiple Vulnerabilities Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-03-07 Some vulnerabilities have been reported in nCipher products, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19137/ Cross Platform:-- [SA19154] Link Bank PHP Code Injection and Cross-Site Scripting Critical: Highly critical Where: From remote Impact: Cross Site Scripting, System access Released: 2006-03-08 retard has discovered two vulnerabilities in Link Bank, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19154/ -- [SA19142] Owl Intranet Engine "xrms_file_root" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-08 rgod has discovered a vulnerability in Owl Intranet Engine, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19142/ -- [SA19121] m-phorum "go" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-08 uid0 has discovered a vulnerability in m-phorum, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19121/ -- [SA19116] Php-Stats Multiple Vulnerabilities and Security Issue Critical: Highly critical Where: From remote Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information, System access Released: 2006-03-06 rgod has reported some vulnerabilities and a security issue in Php-Stats, which can be exploited by malicious people to conduct SQL injection attacks, disclose system and sensitive information, and compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/19116/ -- [SA19107] PHP Upload Center File Extensions Script Upload Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-03 Liz0ziM has reported a vulnerability in PHP Upload Center, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19107/ -- [SA19106] LISTSERV WA CGI Script Buffer Overflow Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-06 Peter Winter-Smith of NGSSoftware has reported some vulnerabilities in LISTSERV, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19106/ -- [SA19172] Loudblog Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2006-03-08 kuze has reported some vulnerabilities in Loudblog, which can be exploited by malicious people to disclose sensitive information and conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19172/ -- [SA19151] sBlog Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-08 Kiki has discovered multiple vulnerabilities in sBlog, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks. Full Advisory: http://secunia.com/advisories/19151/ -- [SA19147] bMail GBK Charsets SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-07 A vulnerability has been reported in bMail, which potentially can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/19147/ -- [SA19144] Alien Arena 2006 Gold Edition Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-08 Luigi Auriemma has reported some vulnerabilities in Alien Arena 2006 Gold Edition, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19144/ -- [SA19141] Invision Power Board Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-03-07 Two vulnerabilities have been reported in Invision Power Board, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/19141/ -- [SA19135] Cyboards PHP Lite "parent" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-06 Aliaksandr Hartsuyeu has discovered a vulnerability in Cyboards PHP Lite, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19135/ -- [SA19132] IPB D2-Shoutbox Module "load" SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-07 SkOd has reported a vulnerability in the D2-Shoutbox module for IPB, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19132/ -- [SA19127] phpBannerExchange "email" Directory Traversal Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2006-03-08 Tix has discovered a vulnerability in phpBannerExchange, which can be exploited by malicious people to disclose sensitive information. 
Full Advisory: http://secunia.com/advisories/19127/ -- [SA19120] Freeciv Packet Parsing Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-06 Luigi Auriemma has reported a vulnerability in Freeciv, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19120/ -- [SA19117] NMDeluxe Script Insertion and SQL Injection Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-03-07 Aliaksandr Hartsuyeu has reported two vulnerabilities in NMDeluxe, which can be exploited by malicious people to conduct script insertion and SQL injection attacks. Full Advisory: http://secunia.com/advisories/19117/ -- [SA19115] Daverave Simplog File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2006-03-06 retard and jim has discovered a vulnerability in Davrave Simplog, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/19115/ -- [SA19109] Wordpress "User-Agent" Header SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-06 Patrik Karlsson has reported a vulnerability in Wordpress, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19109/ -- [SA19104] Gallery Script Insertion and Session Handling Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data Released: 2006-03-03 James Bercegay has reported some vulnerabilities in Gallery, which can be exploited by malicious people to conduct script insertion attacks and to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/19104/ -- [SA19102] Gregarius SQL Injection and Cross-Site Scripting Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-03-06 tzitaroth has reported a vulnerability in Gregarius, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/19102/ -- [SA19101] bitweaver "title" Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-06 Kiki has discovered a vulnerability in bitweaver, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/19101/ -- [SA19100] vBulletin User Email Address Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-03 imei addmimistrator has reported a vulnerability in vBulletin, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/19100/ -- [SA19096] Aztek Forum Message Body Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-03 lorenzo has discovered a vulnerability in Aztek Forum, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/19096/ -- [SA19089] PluggedOut Nexus forgotten_password.php SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-03 Hamid Ebadi has discovered a vulnerability in PluggedOut Nexus, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/19089/ -- [SA19088] NZ Ecommerce Cross-Site Scripting and SQL Injection Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-03-02 r0t has reported some vulnerabilities in NZ Ecommerce, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/19088/ -- [SA19084] VUBB "pass" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-02 KingOfSKa has discovered a vulnerability in VUBB, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19084/ -- [SA19155] HitHost Cross-Site Scripting and Directory Deletion Critical: Less critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-03-08 retard has discovered two vulnerabilities in HitHost, which can be exploited by malicious people to delete empty directories and conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19155/ -- [SA19143] Game-Panel "message" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-07 A vulnerability has been reported in Game-Panel, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19143/ -- [SA19124] phpArcadeScript Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-06 retard and jim have reported some vulnerabilities in phpArcadeScript, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19124/ -- [SA19105] Joomla! 
Multiple Vulnerabilities Critical: Less critical Where: From remote Impact: Unknown, Security Bypass, Manipulation of data, Exposure of system information Released: 2006-03-03 Multiple vulnerabilities have been reported in Joomla!, which can be exploited by malicious users to conduct SQL injection attacks, and by malicious people to disclose system information and potentially bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19105/ -- [SA19099] DVGuestbookV2.0 "page" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-06 Liz0ziM has discovered a vulnerability in DVGuestbookV2.0, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19099/ -- [SA19098] DVguestbook "dv_gbook.php" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-06 Liz0ziM has discovered a vulnerability in DVguestbook, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19098/ -- [SA19085] SAP Web Application Server URL Handling Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-03 Arnold Grossmann has reported a vulnerability in SAP Web Application Server, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19085/ -- [SA19095] Oreka RTP Handling Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2006-03-03 A vulnerability has been reported in Oreka, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/19095/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Mar 10 01:18:27 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Mar 2006 00:18:27 -0600 (CST)
Subject: [ISN] Microsoft Plans Two Patches Next Week
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=181502557

By Gregg Keizer
Mar 9, 2006

Microsoft on Thursday said it would release just two security patches next week, five fewer than last month. A fix for Microsoft Office, the Redmond, Wash.-based company's business productivity suite, is on the calendar, as is a separate patch for Windows. The former will be labeled "critical," Microsoft's most serious warning, while the latter will be tagged as "important." Microsoft assigns "critical" to security bulletins when it believes an exploit of the vulnerability could be used to create a worm able to spread without any user interaction [1].

As is its practice, Microsoft gave no additional details. Its advance notifications [2] are meant only to "help customers plan for the deployment of these security updates more effectively," the company said in the alert.

Although the warning didn't offer clues on the problems to be patched, eEye Digital Security [3] knows about one unfixed critical vulnerability in Windows, while Danish vulnerability tracker Secunia lists several unpatched Office problems.
Because the latter, however, hark back to 2003 and 2004, it's likely the Office issue has either not yet been disclosed or has been kept quiet by its discoverer(s).

A single non-security, high-priority update will also be released via Microsoft Update, said the alert, and the Windows Malicious Software Removal Tool will, as usual, be refreshed.

Last month, Microsoft unveiled seven bulletins [4] for Windows, Internet Explorer, Media Player, and PowerPoint. Two of the seven were deemed critical.

March's security bulletins, patches, and updates will be issued Tuesday, March 14.

[1] http://www.microsoft.com/technet/security/bulletin/rating.mspx
[2] http://www.microsoft.com/technet/security/bulletin/advance.mspx
[3] http://www.eeye.com/html/research/upcoming/20051011.html
[4] http://www.techweb.com/wire/security/180201607

From isn at c4i.org Fri Mar 10 01:18:42 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 10 Mar 2006 00:18:42 -0600 (CST)
Subject: [ISN] Corporate IT needs to make bird-flu plans now
Message-ID:

http://www.networkworld.com/news/2006/031306-avian-flu-it-plans.html

By Denise Dubie and Tim Greene
NetworkWorld.com
03/09/06

If the avian flu hits the United States big time, the IS department for the Bloomberg School of Public Health at Johns Hopkins University in Baltimore could have a big-time problem. It sits across the street from the Johns Hopkins Hospital where a high number of infected patients could be treated and where a large percentage of the staff travel widely as part of their jobs, increasing the likelihood they could come back infected.

"Our biggest fear is that we won't be able to get back to our data center for an extended amount of time, so we set up systems that would make it accessible remotely," says Ross McKenzie, the IS director for the school of public health.
The school could have the problem covered, though, considering it has addressed remote control capabilities for PCs and servers by buying 550 GoToMyPC licenses that let network administrators log in via Web-based clients. "Every IT function, except maybe for the physical help desk, can be performed remotely at this point."

Preparing corporate data center operations for an outbreak of the avian flu requires long-term planning, but not enough IT executives are planning far enough ahead, according to surveys. For instance, of 167 government workers across eight federal departments, 44% don't know how they should react to a flu emergency, according to a poll by Telework Exchange, an online forum trying to quantify how much teleworking goes on in the federal government.

A survey last month of 300 Minnesota business officials found most thought a flu pandemic would significantly affect their business, but only 18% had preparedness plans in place. The poll, sponsored by the University of Minnesota Center for Infectious Disease Research and Policy, found that close to two thirds said they were already prepared or somewhat prepared to move employees to remote locations or let them work at home, while 29% said they were not prepared.

The H5N1 influenza virus, which originated in Asia, could hit the U.S. this fall, potentially causing an epidemic, the nation's chief avian flu coordinator warned. It can be transmitted from birds to humans via close contact, but not from human to human - yet. Flu experts say mutations are almost certain to create a strain that supports human-to-human transmission. The resultant pandemic will make between 75 million and 90 million people sick in the U.S., with up to 2 million deaths, according to the U.S. Congressional Budget Office.

Some businesses have the basics of plans in place, such as White Electronic Designs in Phoenix.
"We've given consideration to the avian flu situation as part of our enterprise risk management program," says Jim Kritcher, vice president of corporate information technology for the firm. He says plans call for asking workers returning from areas where flu has struck to work from home for a period afterward to avoid infecting others at corporate sites. And the company would conduct as much work in general remotely. "We would certainly be susceptible, especially since we have employees traveling to Asia on a regular basis. We do a significant amount of manufacturing in China," he says. For many companies, VPNs are the mainstay for their disaster plans. "It's the lynchpin of our remote access," says Paul Beaudry, director of technical services for JRI, the largest agribusiness company in Canada based in Winnipeg, Manitoba. The company has dual Aventail SSL VPN gateways installed at its headquarters site that support 800 employees for accessing e-mail and about 25 work-at-home employees. But in the event of flu, that number would rise drastically, and the company would buy more VPN licenses and turn up more applications. The entire IT staff of 15 has been trained to increase the number of applications available through the gateway and to increase the resources employees are authorized to reach over the VPN, he says. So even if some of the IT staff is out of commission, someone will be able to set up the VPN for those able to work from home, Beaudry says. Similarly, Kritcher says White Electronic Designs will use its Cisco VPN concentrators to support remote access as well as thin clients to access applications remotely. The concentrators can scale to handle extra concurrent users, he says, but during an emergency, the number of people trying to connect via the VPN could strain WAN connections and result in slow response time or failure to connect altogether. 
"So we are testing procedures to reconfigure the WAN links such as wireless IP currently used for failover and redeploy them to support additional VPN traffic," Kritcher says. In the case of the Johns Hopkins health school, VPNs were too expensive for the needs, says McKenzie. "We didn't want something that could be open to everyone when we weren't entirely sure, considering the situation, who or how many would need to use it," he says. Such planning is essential, according to Gartner, which has published a report called Prepare Now for a Coming Avian Influenza Pandemic. "Enterprises should take the widespread agreement on the strong likelihood of a pandemic as a signal to take immediate action," says Ken McGee, the Gartner analyst who wrote the report. "By mid-2006, have in place completed pandemic/IT response plans." He recommends preparing lists of the most important knowledge workers on staff and figuring out how they can work from home for extended period. In addition to network access, they'll need the ability to conference with co-workers, customers and business partners, McGee says. Still, with all the planning in the world, there is only so much IT executives can do, Beaudry notes. "You've got a human fear factor, and you may have people reacting in a way you couldn't predict," he says. "You've may have a quarantine situation and business can be impacted - there's no question. But you have to keep the business running." All contents copyright 1995-2005 Network World, Inc. From isn at c4i.org Mon Mar 13 02:28:45 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 13 Mar 2006 01:28:45 -0600 (CST) Subject: [ISN] Chinese Bank's Server Used in Phishing Attacks on US Banks Message-ID: http://news.netcraft.com/archives/2006/03/12/chinese_banks_server_used_in_phishing_attacks_on_us_banks.html By Rich Miller March 12, 2006 A web server belonging to a state-operated Chinese bank is hosting phishing sites targeting U.S. banks and financial institutions. 
Phishing e-mails sent on Saturday (March 11) targeting customers of Chase Bank and eBay were directed to sites hosted on IP addresses assigned to The China Construction Bank (CCB) Shanghai Branch. The phishing pages are located in hidden directories with the server's main page displaying a configuration error. This is the first instance we have seen of one bank's infrastructure being used to attack another institution.

The attack on Chase offers recipients the chance to earn $20 by filling out a user survey which presents a series of questions about the usability of the Chase online banking site, followed by a request for user ID and password, so the $20 "reward" can be deposited to the proper account. The form also requests the victim's bankcard number, PIN number, card verification number, mother's maiden name and Social Security number. Any data submitted is then sent to a free form processing service on a server in India.

The URL in the phishing email uses an IP address rather than a domain, typically a strong indicator of a phishing site. As a result, the Netcraft Toolbar assigns the site a high risk rating.

The spoof site, a template of which has been in use since September, pulls images and style sheets from the chaseonline.chase.com web site. Many bank sites are configured to prevent logos and other images on their server from being displayed on other web sites - a practice known as "hot-linking" or "bandwidth leeching" - to prevent phishing sites from using the institution's own images and bandwidth to scam customers. Any third-party sites appropriating logos can be detected through web site referrer statistics.

The same IP address at CCB Shanghai was used Saturday to host a page spoofing the eBay login screen.

The China Construction Bank is a state-owned commercial bank with more than 14,000 branches across China. Last October CCB became the first of China's "Big Four" state-owned banks to be listed on the Hong Kong Stock Exchange.
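The detection the article mentions in passing, referrer statistics revealing third-party pages that hot-link a bank's logos and style sheets, is easy to turn into a log check. The following is an added example written for this page, not code from Netcraft or any bank: it parses access-log lines in Apache "combined" format, counts static-asset requests by foreign Referer host, and applies the same IP-literal heuristic the Netcraft Toolbar applies to the lure URL. The OWN_HOSTS set, the log lines and the 203.0.113.x / 198.51.100.x addresses are constructed for the example (RFC 5737 documentation ranges), not data from the incident.

```python
"""Access-log triage for two signals in the Netcraft story: a spoof page
hot-linking the bank's images and style sheets (seen server-side as requests
for static assets carrying a foreign Referer), and a lure URL whose host is a
bare IP address rather than a domain name.

Editor's added example, not Netcraft's or any bank's code. OWN_HOSTS, the log
lines and the 203.0.113.x / 198.51.100.x addresses are constructed
(RFC 5737 documentation ranges), not data from the incident."""

import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosts the bank legitimately serves pages from (assumption for the example).
OWN_HOSTS = {"chase.com", "chaseonline.chase.com"}
# Asset types a phishing template typically pulls from the real site.
STATIC_EXT = (".gif", ".png", ".jpg", ".jpeg", ".css", ".js", ".ico")

# Apache/nginx "combined" log format.
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two asset hits from the spoof page, one legitimate hit,
# one non-asset hit from the spoof page, one hit with no Referer.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Mar/2006:14:02:11 +0000] "GET /logo.gif HTTP/1.1" 200 4521 "http://203.0.113.7/.chase/survey.html" "Mozilla/4.0"
203.0.113.11 - - [11/Mar/2006:14:02:12 +0000] "GET /css/main.css HTTP/1.1" 200 812 "http://203.0.113.7/.chase/survey.html" "Mozilla/4.0"
198.51.100.5 - - [11/Mar/2006:14:03:00 +0000] "GET /logo.gif HTTP/1.1" 200 4521 "https://chaseonline.chase.com/" "Mozilla/5.0"
198.51.100.6 - - [11/Mar/2006:14:03:30 +0000] "GET /Logon.aspx HTTP/1.1" 200 9013 "http://203.0.113.7/.chase/survey.html" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2006:14:04:00 +0000] "GET /logo.gif HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def host_is_bare_ip(host):
    """True when the host part is a literal IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_uses_bare_ip(url):
    """The Netcraft heuristic: an IP-literal host in a lure URL is a strong phishing indicator."""
    host = urlsplit(url).hostname
    return host is not None and host_is_bare_ip(host)


def is_own_host(host):
    """Exact match or subdomain of OWN_HOSTS; suffix match with the dot rejects chase.com.evil.example."""
    return host in OWN_HOSTS or any(host.endswith("." + own) for own in OWN_HOSTS)


def find_hotlinkers(lines):
    """Count static-asset requests per foreign Referer host.

    Requests with no Referer are skipped: a browser that strips the header
    cannot be attributed, so this finds leakage but cannot prove its absence."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not urlsplit(rec["path"]).path.lower().endswith(STATIC_EXT):
            continue
        referer = rec["referer"]
        if not referer or referer == "-":
            continue
        host = urlsplit(referer).hostname
        if host is None or is_own_host(host.lower()):
            continue
        hits[host.lower()] += 1
    return hits


def triage(log_text):
    """Summarise foreign hot-linkers, marking those hosted on a bare IP for priority follow-up."""
    return {
        host: {"asset_hits": n, "bare_ip_host": host_is_bare_ip(host)}
        for host, n in find_hotlinkers(log_text.splitlines()).items()
    }


if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG).items():
        print(f"{host}: {info['asset_hits']} asset hits, bare IP host: {info['bare_ip_host']}")
```

Run as a script it reports the constructed log; feed `triage()` a real log otherwise. Two caveats apply. A Referer-based check only sees browsers that send the header, so an empty result proves nothing. And refusing to serve assets to foreign referrers, the "hot-linking" block the article describes, denies the phishing page the bank's bandwidth but does not stop an attacker from copying the images, which is why the referrer statistics are most useful as an early-warning signal for a live phishing campaign rather than as a control.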
Both attacks have been blocked by the Netcraft Toolbar, a free phishing protection tool for Internet Explorer and Firefox users. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL.

From isn at c4i.org Mon Mar 13 02:29:00 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 13 Mar 2006 01:29:00 -0600 (CST)
Subject: [ISN] Program Teaches Students About Cyber Security
Message-ID:

http://www.forbes.com/home/feeds/ap/2006/03/10/ap2587230.html

By WILLIAM KATES
03.10.2006

A group of students at Rome Catholic School are learning how to become the future defenders of cyberspace through a pilot program that officials say is the first of its kind in the country.

The program teaches students about data protection, computer network protocols and vulnerabilities, security, firewalls and forensics, data hiding, and infrastructure and wireless security. Most importantly, officials said, teachers discuss ethical and legal considerations in cyber security.

"It's a great course. It's a little harder than I expected," said Catherine Gudaitis, a junior interested in theater. "But I know in the world I'm going to live in, this will be necessary information, even common knowledge."

President Bush made cyber security a focal point in February 2003 in his National Strategy to Secure Cyberspace, citing the importance of safeguarding America from crippling Internet-based attacks by terrorists against U.S. power grids, airports and other targets.

The pilot program was developed with help from computer experts at the U.S. Air Force's Research Lab in Rome, who four years ago created a 10-week long Advanced Course in Engineering Cyber Security Boot Camp for the military's Reserve Officers Training Corps, said Kamal Jabbour, the lab's principal computer engineer.
"Besides teaching teenagers to protect their digital assets, the course opens their imagination to the challenges in cyberspace, and seeks to excite them into a college education in computer engineering and a professional career in cyber security," Jabbour said. While computer courses are commonplace in American schools, the Rome program "is not just a little different. This is a step change," said Eric Spina, dean of Syracuse University's engineering and computer science programs, which also helped with the pilot's development. Spina said the material covered in the course is subject matter that college students - even engineering and computer science majors - typically don't receive until their junior year. "A high school student with this kind of background would be an asset anywhere they went," Spina said. Although young people are more technologically savvy than ever, they too frequently dabble in high-tech mischief. Rome's program is an effort to rechannel that native interest, said Principal Christopher Mominey. Thirteen students are enrolled in the 20-week elective course, which began with the start of the current semester Jan. 31. The class meets for 45 minutes after school four days a week, with two of the sessions devoted to lab time, said Ed Nickerson, one of three teachers who designed the curriculum. With financial support from Rome Lab and Syracuse University, the school transformed a one-time home economics classroom into a 12-station wireless computer lab. Nickerson said the students - sophomores, juniors and seniors - represent a wide spectrum of both academic ability and computer know-how. The school has approximately 400 students grades kindergarten through 12th, and a senior class this year of 18. The curriculum will be offered statewide beginning next year. On Friday, several dozen administrators and educators attended a workshop at the Rome school as an introduction. 
A weeklong course will be offered in August to prepare high school teachers to teach cyber security. If successful, the program could be offered nationwide in 2008, Jabbour said. The program was developed through a congressional grant obtained by U.S. Rep. Sherwood Boehlert, chairman of the House Science Committee. Boehlert said U.S. Air Force Secretary Michael Wynne offered assurances during his recent visit to Rome Lab that if the program is successful, it will be included in the budget as a permanent item. Copyright 2005 Associated Press. All rights reserved. From isn at c4i.org Mon Mar 13 02:29:11 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 13 Mar 2006 01:29:11 -0600 (CST) Subject: [ISN] Meet on creating computer security response team Message-ID: http://www.gulf-times.com/site/topics/article.asp?cu_no=2&item_no=76519&version=1&template_id=36&parent_id=16 Staff Reporter 12 March, 2006 THE Qatar Computer Emergency Response Team (Q-CERT) will host a workshop on Creating a Computer Security Incident Response Team (CSIRT) on March 26. The CSIRT is a team of information security personnel within an organisation. Establishing a CSIRT is essential to developing an awareness of the importance of information security to the normal stream of business and to developing the capability to respond to and resolve information security incidents in a timely manner. This workshop is designed for managers and project leaders who are considering implementing a CSIRT in their own organisations. It will provide a high-level overview of the key issues and decisions that must be addressed to establish a CSIRT. As part of the workshop, attendees will develop an action plan as a starting point in planning and implementing their CSIRT. The creation of a CSIRT is often the preliminary step to evolving an information security strategy that considers the business needs of the organisation. The capacity of this first Q-CERT offering will be limited. 
Those interested should contact the Q-CERT at register at qcert.org for additional information and registration. From isn at c4i.org Tue Mar 14 03:12:29 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Mar 2006 02:12:29 -0600 (CST) Subject: [ISN] Cryzip Trojan Encrypts Files, Demands Ransom Message-ID: http://www.eweek.com/article2/0,1895,1937408,00.asp By Ryan Naraine March 13, 2006 Virus hunters have discovered a new Trojan that encrypts files on an infected computer and then demands $300 in ransom for a decryption password. The Trojan, identified as Cryzip, uses a commercial zip library to store the victim's documents inside a password-protected zip file and leaves step-by-step instructions on how to pay the ransom to retrieve the files. It is not yet clear how the Trojan is being distributed, but security researchers say it was part of a small e-mail spam run that successfully evaded anti-virus scanners by staying below the radar. While this type of attack, known as "ransomware," is not entirely new, it points to an increasing level of sophistication among online thieves who use social engineering tactics to trick victims into installing malware, said Shane Coursen, senior technical consultant at Moscow-based anti-virus vendor Kaspersky Lab. The LURHQ Threat Intelligence Group, based in Chicago, was able to crack the encryption code used in the Cryzip Trojan and determine how the files are encrypted and the payment mechanism that has been set up to collect the $300 ransom. According to a LURHQ advisory, Cryzip searches an infected hard drive for a wide range of widely used file types, including Word, Excel, PDF and JPG images. Once commandeered, the files are zipped and overwritten with the text: "Erased by Zippo! GO OUT!!!" The Trojan then deletes all the files, leaving only the encrypted file with the original file name, followed by the "_CRYPT.ZIP" extension. 
A new directory named "AUTO_ZIP_REPORT.TXT" is created with specific instructions on how to use the E-Gold online currency and payment system to send ransom payments. The instructions, which are marked by misspellings and poor grammar, contain the following text: "Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password. You can not guess the password for your archived files - password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations)." The owner of the infected machine is warned not to search for the program that encrypted the data, claiming that it simply doesn't exist on the hard drive. "If you really care about documents and information in encrypted files you can pay using electonic currency $300," the note says. "Reporting to police about a case will not help you, they do not know password. Reporting somewhere about our E-Gold account will not help you to restore files. This is your only way to get yours files back." The Trojan author uses scores of E-Gold accounts simultaneously to get around potential shutdowns, according to LURHQ, which published the complete list of E-Gold accounts in the advisory. Officials from E-Gold, which operates out of the Caribbean island of Nevis, were not available for comment. "Infection reports are not widespread, so it is not believed this is a mass threat by any means," LURHQ said. However, the company said social engineering malware is typically more successful when it is delivered in low volume to get around anti-virus detections. "[M]ore attention means the likely closing of the accounts used for the anonymous money transfer," LURHQ said. 
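As an added example (not code from the article or from LURHQ's advisory), the following scanner looks for the three Cryzip indicators the article names: a "_CRYPT.ZIP" archive that is a password-protected zip holding the original file name, the AUTO_ZIP_REPORT.TXT note, and originals overwritten with the "Erased by Zippo! GO OUT!!!" text. The sample tree it runs on is constructed inline; the exact zip layout the Trojan produces and the extension list are assumptions.

```python
"""Scanner for the Cryzip indicators described in the article, with a
constructed sample tree. Added example, not the Trojan's or LURHQ's code."""
import io
import tempfile
import zipfile
from pathlib import Path

CRYPT_SUFFIX = "_CRYPT.ZIP"                  # appended to each hostage file
RANSOM_NOTE = "AUTO_ZIP_REPORT.TXT"          # name of the ransom instructions
WIPE_MARKER = b"Erased by Zippo! GO OUT!!!"  # text written over the originals
TARGET_EXTS = {".doc", ".xls", ".pdf", ".jpg"}  # assumed from the types the article lists
ENCRYPTED_FLAG = 0x1                         # bit 0 of the zip general-purpose flag


def inspect_crypt_zip(path):
    """Report whether a *_CRYPT.ZIP file is a real zip, whether its entries
    carry the password-protection flag, and which member names it holds."""
    info = {"valid_zip": False, "encrypted": False, "members": []}
    if not zipfile.is_zipfile(path):
        return info
    with zipfile.ZipFile(path) as zf:
        info["valid_zip"] = True
        for member in zf.infolist():
            info["members"].append(member.filename)
            if member.flag_bits & ENCRYPTED_FLAG:
                info["encrypted"] = True
    return info


def scan_tree(root):
    """Walk root and collect hostage archives, ransom notes and wiped originals
    (document files whose content starts with the overwrite marker)."""
    findings = {"hostage_archives": [], "ransom_notes": [], "wiped_files": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        upper = path.name.upper()
        if upper == RANSOM_NOTE:
            findings["ransom_notes"].append(str(path))
        elif upper.endswith(CRYPT_SUFFIX):
            findings["hostage_archives"].append(
                {"path": str(path), **inspect_crypt_zip(path)})
        elif path.suffix.lower() in TARGET_EXTS:
            # The Trojan overwrites originals before deleting them; a document
            # that still begins with the marker was wiped but not yet removed.
            with path.open("rb") as fh:
                if fh.read(len(WIPE_MARKER)) == WIPE_MARKER:
                    findings["wiped_files"].append(str(path))
    return findings


def verdict(findings):
    """Ransomware is likely if a ransom note exists or any hostage archive is a
    password-protected zip; a lone *_CRYPT.ZIP name alone could be coincidence."""
    encrypted = [a for a in findings["hostage_archives"] if a["encrypted"]]
    return bool(findings["ransom_notes"]) or bool(encrypted)


def make_hostage_archive(original_name, payload):
    """Build a constructed stand-in for a *_CRYPT.ZIP. The standard library
    cannot write password-protected zips, so after writing a stored entry we
    set bit 0 of the general-purpose flag in both headers ourselves."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(original_name, payload)
    data = bytearray(buf.getvalue())
    local = data.find(b"PK\x03\x04")      # local file header signature
    central = data.find(b"PK\x01\x02")    # central directory header signature
    data[local + 6] |= ENCRYPTED_FLAG     # flag field sits at +6 in the local header
    data[central + 8] |= ENCRYPTED_FLAG   # and at +8 in the central directory entry
    return bytes(data)


def build_sample_tree():
    """Create a constructed sample: one untouched document, one hostage
    archive, one wiped original and a ransom note."""
    root = Path(tempfile.mkdtemp(prefix="cryzip_sample_"))
    (root / "budget.xls").write_bytes(b"untouched spreadsheet (constructed)")
    (root / "report.doc_CRYPT.ZIP").write_bytes(
        make_hostage_archive("report.doc", b"constructed document body"))
    (root / "photo.jpg").write_bytes(WIPE_MARKER)
    (root / RANSOM_NOTE).write_text("constructed stand-in for the ransom note\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = scan_tree(sample)
    for key, items in result.items():
        print(f"{key}: {items}")
    print("ransomware likely:", verdict(result))
```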
From isn at c4i.org Tue Mar 14 03:12:40 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Mar 2006 02:12:40 -0600 (CST) Subject: [ISN] ISO rejects China's WAPI wireless security protocol Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,109519,00.html By Stephen Lawson MARCH 13, 2006 IDG NEWS SERVICE The International Standards Organization (ISO) last week rejected a security protocol that was backed by some Chinese representatives as an amendment to the group's wireless LAN standard. The ISO turned down the Chinese technology, called the WLAN Authentication and Privacy Infrastructure (WAPI), in voting to adopt the IEEE 802.11i security specification that was developed by the Institute of Electrical and Electronics Engineers Inc., according to a member of the IEEE 802.11 Working Group who asked not to be named because of working group rules. The ISO, a network of standards institutes that oversees specifications in a wide variety of fields, routinely adopts IEEE 802.11 standards and incorporates them into its body of specifications, the IEEE working group member said. The Chinese government said that it would continue to support WAPI and that the rejection by the ISO would not affect use of WAPI in China, according to an online article by China's official Xinhua news service. Votes at the ISO on adopting amendments to IEEE 802.11 standards normally aren't controversial, the working group member said. "At least in 802.11, there's never been anyone who's brought in a proposal that wasn't developed in 802.11," he said. The IEEE approved 802.11i in 2004. China's government at one time proposed forcing foreign companies to license WAPI but later dropped those plans. A document from the IEEE 802.11 Working Group indicates that resistance to incorporating WAPI into an international wireless LAN standard has grown amid concerns about secrecy, namely the use of an undisclosed algorithm in the protocol. 
Last week, 22 Chinese companies announced the formation of a group called the WAPI Industrial Union to promote adoption of WAPI. The group claimed its protocol offers better security than 802.11i. From isn at c4i.org Tue Mar 14 03:12:15 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Mar 2006 02:12:15 -0600 (CST) Subject: [ISN] How to legislate against hackers Message-ID: http://news.bbc.co.uk/1/hi/technology/4799338.stm 13 March 2006 Everyone is in favour of sending hackers to prison for longer, but technology commentator Bill Thompson wonders if our MPs are competent to make good cyber-laws. If all goes to plan and the fuss over ID cards and school governance does not derail the parliamentary timetable, then we will soon have a new Police and Justice Act. It makes many changes to the criminal law, but anyone considering writing a virus, hacking a bank system, launching a phishing or denial of service attack or installing some of the dodgier tools that can be used to 'test' network security should pay particular attention to clauses 33 to 36. These amend the 1990 Computer Misuse Act in line with recommendations made last year by the All Party Internet Group of MPs, and take on board Tom Harris MP's proposals from his recent private member's bill. If they go through then the maximum penalty for hacking will become 10 years for the most serious offences. The new act will also make it an offence to supply the software used to break into systems, and make it clear that denial of service attacks, where large numbers of requests are sent to a server, count as hacking. MPs from all parties have welcomed the changes, even though they do not much like the rest of the bill, and overall they seem an acceptable update of the original act. The All Party Internet Group has a reputation for being sensible when it comes to negotiating the interface between law and technology. 
In this case they refused to be bounced into proposing the sort of illiberal measures that often emerge when computer security and critical information infrastructure are being discussed. Lack of clarity I have been around long enough to remember the original Computer Misuse Bill back in 1990. It was proposed by a conservative backbench MP, Michael Colvin, and supported by the government at a time when viruses were spread by floppy disk and hackers used university systems to break into government and military installations. Mr Colvin knew little about computers or computing, and had proposed the bill as a result of lobbying after he came near the top in the ballot for private member's bills. Although it concerned computers and hacking, using a computer system without the owner's consent, it famously failed to define what a computer was. I pointed out to him that this would mean I was committing a criminal offence if I reprogrammed a video recorder at a friend's house without asking first, and he was happy to accept this. His argument was that the courts would not allow anything so foolish to proceed. He was right in his belief that the courts would be cautious about allowing prosecutions. However the lack of clarity in the act was almost certainly the reason why it was used so rarely in the last 15 years, since the chances of a defendant being able to wriggle out of a conviction are too high for it to be worth prosecuting. On the occasions when it has been applied rigidly it has sometimes produced results as bad as we feared it would. Law and knowledge Last October, Londoner Daniel Cuthbert was fined for probing a website set up to raise funds for victims of the Asian tsunami with a range of security tools after he failed to get a confirmation that his donation had been registered. 
The proposals in the new bill that deal with the possession of security software could easily be abused to make life difficult for researchers or those, like me, who want to understand what these tools do. Understanding the difference between a security tool, used to probe networks looking for holes that can be patched, and a hacker toolkit, used to probe networks looking for holes that can be exploited, is as much one of intention as implementation. We should be wary of laws which require judges to look into the mind of the accused, and not only because every philosopher of mind tells us that such access is impossible. Too few MPs really understand the issues at stake here. None on the front benches, apart perhaps from former computer consultant Stephen Timms, could describe why a port scan might be a legitimate activity or even, I suspect, what a network port is in the first place. And with the departure of Richard Allan from the House of Commons at the last election, Parliament lost its only serious programmer. This is a matter of growing concern. It is clear that the debate about the implementation of ID cards hinged on an assessment by MPs and peers of the technical arguments put forward on both sides, but few of those arguing were really competent to judge the issue. Complex issues This week I will be speaking at a seminar in London, organised by the Westminster eForum. We are talking about copyright and digital rights management and other issues which may well take up some serious parliamentary time in the next few years, especially when Andrew Gowers finishes his review of intellectual property law for the Treasury. Although it is reassuring that Derek Wyatt, one of the few MPs who does embrace the internet, is chairing, I suspect we will see few of his fellow members there even though this is another issue where technology and law are inextricably linked. 
MPs will argue that they are perfectly capable of being briefed on the most complex issues, but this assumes that they can get unbiased and comprehensible briefings. Some of the technical issues underlying ID cards, and DRM and computer crime may well not be amenable to this approach. So what are we to do? Do we let generalist MPs with no real comprehension of what they are doing make law based on the last piece of lobbying they received? We could call this the e-Lothian question, after the long-standing concern over letting MPs for Scottish constituencies vote on purely English matters even after the Scottish Parliament was set up. Perhaps we should limit voting on clauses 33 to 36 of the Police and Justice Bill to those MPs who can demonstrate that they have at least two e-mail addresses, know how to use an RSS reader and can download and install their own web browser. Somehow, I do not think they will go for it. Unless we recognise that MPs need a better understanding of technology we will continue to get bad law, just like we did in 1990. ----------------------------------------------------------------- Bill Thompson is a regular commentator on the BBC World Service programme Go Digital From isn at c4i.org Tue Mar 14 03:12:51 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Mar 2006 02:12:51 -0600 (CST) Subject: [ISN] Citibank ATM fraud 'just tip of iceberg' - analyst Message-ID: http://www.theregister.co.uk/2006/03/13/citibank_fraud_follow-up/ By John Leyden 13th March 2006 An ongoing ATM fraud problem that forced Citibank into reissuing an unspecified number of US credit and debit cards is only part of a larger ongoing threat, a leading analyst warns. Avivah Litan, a research director at Gartner, said that Citibank is only one of a number of victims and that the banking industry is "less than halfway through this latest scam, which will continue to affect large numbers of cardholders". 
Citibank said it blocked PIN-based transactions of Citi-branded MasterCard cards in the UK, Russia and Canada to protect US customer accounts. It blamed the problem on a security breach involving an unspecified US retailer. Litan, by contrast, suggests the theft of PIN data is the more likely cause of the security flap. She adds that other US banks have been forced to reissue ATM cards after customers' details were compromised. "Gartner believes that these combined bank actions reflect the largest PIN theft to date - and point to a new wave of 'PIN block' card fraud," Litan writes. If hackers break into retailer servers and steal PIN blocks that represent encrypted PIN data as well as terminal encryption keys (typically stored on retailers' terminal controllers), they might be able to determine a cardholder's PIN and create counterfeit cards that enable them to withdraw cash at ATM machines. Litan reckons that this - rather than a simple retailer breach - accounts for a recent rise in ATM fraud affecting US banks. "In this particular scam, the thieves probably also stole (likely from a retailer) magnetic-stripe data found on the back of ATM cards, which large banks typically validate," she adds. The Payment Card Industry (PCI) Data Security standard prohibits the storage of PIN blocks and covers terminal operations. Gartner advises card issuers to follow this guidance. The analyst firm also has advice for enterprises, payment vendors and regulators which can be reviewed here [1]. 
[1] http://www.gartner.com/DisplayDocument?doc_cd=138479 From isn at c4i.org Tue Mar 14 03:13:04 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Mar 2006 02:13:04 -0600 (CST) Subject: [ISN] The enemy within the firewall Message-ID: http://www.theage.com.au/news/breaking/the-enemy-within-the-firewall/2006/03/13/1142098393208.html By Louisa Hearn March 14, 2006 Employees are now regarded as a greater danger to workplace cyber security than the gangs of hackers and virus writers launching targeted attacks from outside the firewall. That is the perception of 75 per cent of Australian information technology managers who took part in an international IBM security survey. With email and instant messaging proving increasingly popular and devices such as laptop computers, mobile phones and USB storage devices more commonplace in the office, the opportunities for workplace crime are growing. "People are becoming the weakest link. A fluid work force with diminished loyalty to organisations is being exacerbated by the fact that people do not always realise the value of information that they deal with," said Claudia Warwar, managing consultant at IBM BCS Security and Privacy Practice. Ms Warwar believes that the rise in internal security attacks has come about because outside criminal gangs realise that recruiting or tricking employees to hand over insider knowledge is less expensive and less traceable than other forms of cybercrime. And it seems the perception of this phenomenon is even worse in Australia than elsewhere in the world, with 11 per cent more respondents here identifying internal staff as their greatest threat. Ms Warwar explained that one reason for this could be that in a larger country, where you might normally have ten staff working in a team, here you might only have one, granting closer access to important information. "Employees here get to see more of the big picture and are closer to the whole business loop," she said. 
But in spite of the threat, companies still allocate more of their security budgets to external threats. While 32 per cent of survey respondents were intent on upgrading firewalls, only 15 per cent planned to invest in awareness and education training for employees and only 10 per cent restricted the use of mobile devices such as wireless handheld computers not specifically sanctioned by the IT staff. "Organisations need to understand what are the key pieces of information that need to be protected and be able to track who has had access to them," she said. Looking more broadly at the issue of cyber crime, the survey also found that regardless of who had caused it, 49 per cent of local businesses believed it represented a larger threat than physical crime. The three most common types of cyber crimes are hacking, denial of service attacks, and viruses and malware, which target different types of organisations. "One of our clients had a virus bouncing around network for quite a few days which did quite a bit of damage, whereas a denial of service attack is more likely to target those transacting and doing a lot of business online. If a hacker really knows where they are going within say a large financial company then they can also really hit the jackpot," said Ms Warwar. A recent security report from antivirus company Symantec said cybercrime represented today's greatest threat to consumers' digital lifestyle and to online businesses in general. "While past attacks were designed to destroy data, today's attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence," the company said. 
From isn at c4i.org Tue Mar 14 03:13:16 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Mar 2006 02:13:16 -0600 (CST) Subject: [ISN] CFP - 22nd Annual Computer Security Applications Conference Message-ID: Forwarded from: ACSAC Distribution Manager PDF versions at http://www.acsac.org/2006/cfp_2006.pdf http://www.acsac.org/2006/cfp_2006-a4.pdf --------------------------- Call For Participation --------------------------- 22nd Annual Computer Security Applications Conference December 11-15, 2006 Miami Beach, Florida http://www.acsac.org

Submission          Deadline        Acceptance Notification
Technical Track     June 4, 2006    Aug. 13, 2006
Panels              June 4, 2006    Aug. 13, 2006
Tutorials           June 4, 2006    Jul. 20, 2006
Workshop            June 4, 2006    Jul. 20, 2006
Case Studies        June 4, 2006    Aug. 15, 2006
Works in Progress   Sep. 8, 2006    Oct. 1, 2006

See http://www.acsac.org/cfp for detailed submission information! -------------------------------------------o------------------------------------------------ ACSAC is presented by a group of professionals who are working to facilitate information sharing among colleagues. We're an all-volunteer not-for-profit organization. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206. You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at http://www.acsac.org/list. We have moved to a new web host and are trying to remove duplicates from our mailing lists. If you receive duplicate messages, or simply want to be removed from our list, please reply with the word REMOVE in the subject. 
From isn at c4i.org Tue Mar 14 03:13:28 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 14 Mar 2006 02:13:28 -0600 (CST) Subject: [ISN] Free CDs highlight security weaknesses Message-ID: http://www.networkworld.com/news/2006/031306-free-cds-security-weakness.html By Jeremy Kirk IDG News Service 03/13/06 To office workers trudging to their cubicles, the promotion looked like a chance at sweet relief from the five-day-a-week grind. By simply running a free CD on their computers, they would have a chance to win a vacation. But the beguiling morning giveaway in London's financial district last month was more nefarious than it appeared. Like flies to garbage, dozens of victims took the CD, unable to control the irresistible attraction of "free." Secret agents behind enemy lines, the CDs piggybacked through companies' physical security systems tucked in the bags and pockets of their couriers. The office workers dutifully took the CDs to their desks and plopped them in their employers' computers. The mission was complete. In the process, the CDs likely skirted an array of IT security systems in place to prevent malicious code from being installed. Although the CDs did not contain malicious code, the exercise accomplished the point Robert Chapman wanted to make: People are misinformed about what actions could damage their computers or expose them to malware, adware and viruses. "All these things are bypassed by human nature and curiosity and a level of ignorance and naiveté," says Chapman, director of The Training Camp Ltd., a computer training and consulting firm based in London, who came up with the idea. "The lure of a free holiday entices them more than the potential damage that they may make to their corporate network." When a user ran the CD, the code on it prompted a browser window that opened a Web site, Chapman says. The site then tried to load an image from another Web site, Chapman says. 
The number of people who opened the CD could be tracked by the number of times the image was accessed, he says. Users saw only an error message saying the page could not be loaded, he says. "There is nothing clever about it or illegal," Chapman said of the CD's code. Although the front of the CD contained a written warning to users to check their company's internal security guidelines before running it, as many as 75 of the 100 CDs were played. Chapman says he was able to trace the IP addresses of those computers that tried to access the image and found that employees at two well-known insurance companies and a retail bank were among the duped. Chapman declines, however, to identify the names of those companies. The experiment underscores what experts say is the weakest point for IT security: people. Many companies have policies and make their employees sign legally binding documents containing the rules for using company computers, but it's doubtful users get specific training on why those rules are in place, Chapman says. Firewalls can block incoming hacking attempts, but most default firewall settings allow outbound traffic, Chapman says. If malicious code was already in the system, it might not be blocked by the firewall, allowing for the transmission of data from inside the computer, he says. Chapman says he surprisingly didn't get any angry calls from rankled systems administrators. "I was half-expecting something like that to happen, but I hope people realize that this is being done with a good heart," he says. 
From isn at c4i.org Wed Mar 15 03:21:22 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 15 Mar 2006 02:21:22 -0600 (CST) Subject: [ISN] Man charged with hacking into GM database Message-ID: http://seattlepi.nwsource.com/business/1700AP_GM_Security_Breach.html By TOM KRISHER ASSOCIATED PRESS WRITER March 14, 2006 DETROIT -- A former security guard at General Motors Corp.'s Warren technical center is accused of taking employee Social Security numbers and using them to hack into the company's employee vehicle database. James S. Green II, 35, of Washington Township, found out what company cars the employees drove and sent them bogus e-mails asking them their thoughts on the vehicles, Macomb County sheriff's Capt. Anthony Wickersham said Tuesday. Green was arraigned Monday on eight counts of obtaining, possessing or transferring personal identity information, one count of using a computer to commit a crime and one count of stalking that was unrelated to the GM cases. He was released after posting 10 percent of a $50,000 bond. Wickersham said Green obtained the Social Security numbers of about 100 GM employees from the Detroit area and sent them e-mails posing as a representative of GM's company vehicle evaluation program. "It's frightening to know that this individual had all this personal information on a lot of people," Wickersham said. There was no telephone listing for Green. Employees became suspicious because the e-mails came from a Yahoo address. They notified a GM security firm, which in turn told Macomb County deputies, GM spokeswoman Geri Lama said. The security firm identified Green as a suspect, but deputies couldn't find him at his home, Wickersham said. They determined that the e-mails were sent from a library in Washington Township and found Green there, at a computer with the employee information, Wickersham said. 
Green apparently got the Social Security numbers while working for a private security firm at the tech center, although officials weren't sure exactly how. All affected workers have been notified. Although there's no evidence Green did anything else with the information, Wickersham said employees should check their credit reports and notify credit card companies to monitor for fraud. He said officials don't know why Green sent the e-mails. From isn at c4i.org Wed Mar 15 03:21:55 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 15 Mar 2006 02:21:55 -0600 (CST) Subject: [ISN] Interview: Elonka Dunin Message-ID: http://www.whitedust.net/article/51/Interview:_Elonka_Dunin/ By Mark Hinge & Peter Prickett 14 Mar 2006 WD> So, tell us, how did you first get into the world of computing? Oh, I got involved with computers at a very young age, in the 1960s. My father was an early computer programmer, teaching mathematics and engineering at UCLA, and then later worked on a NASA project, on the team that launched the very first geosynchronous communications satellite, Syncom. Sometimes when he worked weekends, he'd take me in to his office with him, and as a kid I'd literally play with the big mainframe computers, like an IBM 360. It started off with him programming it to play simple number games with me, and then as I got older, I started doing some programming myself. My first language was Fortran. In my junior high school, one of my math teachers also gave an extra credit programming class, but it was kind of difficult since we didn't have any computers! What the school did was to give us paper punchcards, and we'd use #2 pencils to fill in the dots where the holes were supposed to be punched, then the cards would be shipped downtown to where the holes would be punched and the cards were processed, and our programs would be run. The output would be printed out, and they'd ship that back to us at the school so we could debug. 
It took days for a single roundtrip, so talk about lagged compile time! In high school (early 1970s), things were a tiny bit better, since the school had a teletype with real-time (ooh!) communication, even though it was all on hardcopy, and the thing was incredibly loud. If you've ever seen the movie 'Andromeda Strain' and remember the teletype machine in that one, that's what our system looked like. Then as I got older, I ran into the other early systems: A co-worker of mine in the USAF got a TRS-80, and then I had my own Osborne 1, and then I got a Mac Classic, and steadily upgraded to faster systems as computers became more and more powerful. I played pretty much every computer game that I could get my hands on, and in the 1980s I started getting involved with BBSes, logging on to systems in Colorado and California where I was working. In 1989, I started getting involved with online multiplayer games, like on the GEnie service, and a new career followed shortly thereafter. WD> Simutronics was founded in 1987. Where does the name come from? The company was founded by David Whatley, a teenager working out of his bedroom in his parents' home (he continues to be President and CEO today), and Tom & Susan Zelinski, a husband & wife team. David had earlier written some BBS software under a different company name, and when it came time to form a company with the Zelinskis, he just chose the name 'Simutronics' because he liked it. WD> How has the company evolved since 1987? I started getting involved with the company as a customer in 1989, and then moved to St. Louis in 1990 which is when I started working for Simutronics. We moved the base of operations out of David's bedroom into an apartment loft in another part of town, and managed the games from there. We had the top products on the GEnie online service, like our text games GemStone III and DragonRealms. 
Then in 1993 our 3D graphical game CyberStrike won the very first 'Online Game of the Year' award from 'Computer Gaming World' magazine (they created the category so they could give us the award, the game was so ahead of its time), and the award started getting us more attention and more contracts. We moved into our own office, and opened up portals to our games from Prodigy, America Online, and CompuServe. In 1997, we launched our own website, play.net. Games that we've created over the years have included Orb Wars, GemStone II-IV, DragonRealms, Modus Operandi, and Alliance of Heroes (originally Hercules & Xena: Alliance of Heroes). Our next big game is going to be Hero's Journey, a graphical MMORPG. We showed a preliminary version at E-3 in 2005 and got a lot of attention -- for example, mmorpg.com listed us as 'Best of Show'. Our office right now is a 10,000 sq. foot location in St. Charles (a suburb of St. Louis), and we have another office in Maryland. WD> Like many of the people we have interviewed you worked in the military before computing. Why do you think that is? I can't speak for other people, but for me, being in the military definitely changed my work habits and made me much more disciplined in terms of complex projects. It also gave me a lot more confidence in my own abilities. Those factors may be an edge which helps entrepreneurs to marshal the focus and drive that's necessary to become personally successful, whereas some other people may have ideas that are just as good, but not be able to pull together the discipline, confidence, and persistence to make their ideas happen. WD> How long did you work for the US Air Force? Why did you leave? I first enlisted for 4 years in 1977, but without making a clear choice on which career I wanted. So they kind of put me where they needed me, and I ended up doing avionics repair, troubleshooting aircraft instrumentation on cargo and reconnaissance aircraft. 
I did okay at it, but I wasn't really stellar -- what I really wanted to do was something with computers. But every time I applied to cross-train, I was told that my job, 'Instrumentation,' was a 'shortage' career field, meaning that they didn't have enough people to fill it, and so I wasn't allowed to cross-train out unless it was into something that had even more of a shortage, like air traffic controller. I extended my enlistment for two years to try and push the paperwork through, but kept getting rejected, so when my final enlistment was up, I 'got out'. Oh well, their loss! WD> In what capacity where you involved with the SR-71 and U-2 reconaissance aircraft? Instrumentation repair. Testing, troubleshooting, and replacing the sensors that detected the altitude, engine pressure, fuel status, and other this?es and thats?es that the pilot needs to know about. Basically, picture all the dials that a pilot looks at when he (or she) is sitting in the cockpit. I maintained those instruments, the transmitters that sent signals to them, and the wiring in between. WD> What drew you into cryptography? I'd been interested in puzzles for as long as I could remember. My mother used to talk about when I was a toddler, she'd just put me down on the doorstep with a puzzle, and I'd be happy for hours. Then when I was a little older, a neighborhood boy was studying codes for some project (I think a Boy Scout merit badge or something), and I was constantly over at his house asking questions. He finally just gave me all of his books and notes on the subject. Most of my early involvement with cryptography was just as a hobbyist though. I didn't start getting involved with the public scene until I ran into the PhreakNIC v3.0 Code, while I was giving a talk on gaming at Dragon*Con in 2000. WD> You were the first person to crack the infamous PhreakNIC Code. Could you explain what said code is, and how you cracked it (without giving away the ending)? 
What was the prize you won for beating the code? It was a challenge created by JonnyX, the organizer of the PhreakNIC hacker convention in Nashville in 1999. He'd also done an easier code for PhreakNIC v2.0 in 1998, but he made something a lot harder for the next version. It was intended to be solved by the attendees at the conference, but no one could figure it out! He kept handing out flyers about it though, and used it to promote the upcoming 2001 convention. He said that the first person to figure it out, would get an all expenses paid trip to the con. I picked the code up with a bunch of other flyers at Dragon*Con 2000. Then, one weekend a bit after the convention, I was stuck at home, sick with the flu or something, and bummed out that I couldn't go to Def Con because I had a scheduling conflict (I'm friends with the lead singer of Blue Oyster Cult, who was playing in St. Louis that same weekend). So I channeled my energies into the Code, playing around with it to see what I could learn, and reading everything in the year's worth of discussion archives about it. I got pretty obsessed with it, and completely anti-social for awhile. Any of my friends who tried to talk to me, all I wanted to talk about was that Code. And, well, it paid off, because I cracked it! I had to completely come up to speed from scratch on several cryptographic techniques, but I learned them all and got to the center, and made the cryptic announcement that it requested (I had to post a certain kind of haiku message to a hacker mailing list), and I won the prize. Then I wrote a tutorial to the mailing list about how I'd cracked it, and included a bunch of cyberpunk humor and in-jokes. That tutorial is now on my website, if anyone wants to read it. It's a fun read, and teaches a lot about cryptography, from simple binary all the way up to some state-of-the-art stuff. WD> What other public recognition have you received for cryptography? 
Aside from the PhreakNIC Code, the next biggest event was probably the cracking of the Cyrillic Projector cipher. It was a 10-year-old challenge that was on a sculpture in the middle of the University of North Carolina at Charlotte, and it turned out to be extracts from classified KGB documents! I definitely didn't do that one alone -- it was a team effort that involved several different people, some of whom knew each other, and others who didn't. I've also gotten some recognition for a new method I came up with for solving Part 3 of Kryptos, as well as just the websites that I have, on both Kryptos and other of the world's most famous unsolved codes. It's a topic that people are fascinated with, and the webcounter just keeps climbing. This month it rolled over to more than 1.5 million page views, with several hundred thousand unique visitors. I've been invited to speak at several major universities on the subject of cryptography, and in mid-2005, a British book publisher, Constable & Robinson, contacted me and asked if I would write a book about codes. WD> What is your involvement with the CIA's Kryptos sculpture? How is it that you were able to see it in person? I first heard about Kryptos while I was working on the PhreakNIC v3.0 Code, since JonnyX had built some dead-ends into it, and one of them led to Kryptos. But I didn't really give Kryptos much thought at the time other than reading a few articles about it. Then in 2001 I was visiting my cousin in Washington DC (he'd had a really close call on September 11th), and after we visited the memorial at the Pentagon, he asked me if there was anything else that I wanted to see in town. I decided on Kryptos, but we couldn't figure out a way in to CIA (we were turned away by large men with guns, who kept saying, 'Official Business Only'). But then a few months later I was giving talks on steganography, and one of those talks got me an invitation to speak at CIA, so I was able to examine the sculpture up close. 
I also made some rubbings, and when I got back to St. Louis, I made a single webpage to post scans of the rubbings online -- little did I know that that webpage was going to change my life!

WD> The Kryptos Group is working on the sculpture in the CIA headquarters courtyard in Langley, Virginia, attempting to decode the remaining characters. However, according to Time Magazine in May 1991, former CIA Director William Webster knows what the phrase is. Is the goal to actually crack the code or to develop further code breaking methodologies?

The goal is to decrypt those last 97 or 98 characters at the bottom of the sculpture. We know what the top three sections say, but not that last fourth part yet. As for Webster, he was given a sealed envelope by sculptor Sanborn at the sculpture's dedication in 1990, which supposedly contained the answers. But in a Wired interview in January 2005, Sanborn said that he didn't give Webster the full story.

WD> You have also been working in conjunction with the FBI on Al Qaeda codes, and they requested you give a talk on steganography. What did you advise within that talk and to whom?

The original request was that I put together a talk on steganography for the local St. Louis task force. We knew that there were agents in the main DC office who understood about steganography, but in the St. Louis field offices, they had a different mission and weren't crypto experts. So they were agreeing to let people from the private sector come in and help them get up to speed. I put together a 70-slide PowerPoint presentation that explained what steganography was, how it was used, and what the current rumors were about whether or not Al Qaeda had been using steganography to plan the September 11th attack. I don't believe that they were, and I went into the detailed reasons why not.

There was no proof anywhere that they were using steganography -- instead, they tended to use very simplistic codes, like if they were talking on a cellphone and needed to say 'FBI', they might instead say 'Food & Beverage Industry'. Or if they were referring to gas cutters, they were supposed to instead say 'gas stations.' And there was an extensive scan of images done by a team from the University of Michigan, looking through millions of internet locations, and then clustering computers together and running password dictionary attacks on anything that looked suspicious, but they never found a single thing.

WD> Did the CIA pay you for this? You say that you will give your talk for free if we see you 'passing by with laptop in hand'?

Yes, I made a bit of money from the CIA (even though I insisted I didn't want to be paid!). My main goal was just to get onsite so that I could see Kryptos. As for other locations, if they're nearby, I'll give the talk for free, but if they want me to fly to a different location, I normally ask for something nominal to cover expenses.

WD> What do you consider your greatest code-cracking achievement?

That's hard to answer. For emotional satisfaction, it has been helping out with the war on terrorism, and educating government agents about steganography and what types of codes Al Qaeda might (or might not) be using. It gave me a deep sense of contributing my skills to a greater good, and helping to squash some of the rumors out there. Other things I'm particularly proud of would be my Kryptos website -- all the research I've done, people I've tracked down to interview, and the networking I've engaged in, in order to pull together so many disparate bits of information into one place.

In terms of sheer personal code-cracking, the whole Cyrillic Projector project was a lot of fun, plus of course there's the PhreakNIC v3.0 Code that started the whole thing - I also enjoyed writing the tutorial for that one, as well as cracking some of the other hacker-con codes, like the Atlantacon ones. Plus it was quite an honor when a British publishing house asked me to write a book!

WD> Which is more important to you, cryptography or Simutronics?

Simutronics, definitely. It's my day job, and what pays the bills. I've poured my heart and soul into the company over the years, and I am very dedicated to our customers. But cryptography is definitely a hobby of mine that's taken on a life of its own!

WD> What other projects are you working on right now?

At Simutronics, we're working on a new 3D graphical MMORPG, Hero's Journey, which we'll be demoing at E-3 in May. We also have a related product called HeroEngine: it's a new way that we've come up with which would allow other people to license our technology and utilities and engine to have everything they need to create their own MMORPG, and we'll be demoing that one at the Game Developers Conference in March. Parallel with all of that, I've been spending some time on various MediaWiki databases, such as Wikipedia, and a new wiki we set up this year for the IGDA. I'm also still doing a lot of public speaking, with my next crypto talk being at NOTACON in Cleveland in April.

And of course I have a book coming out soon! It's 'The Mammoth Book of Codes and Cryptograms' (in the U.S.), and 'The Mammoth Book of Secret Code Puzzles' in the UK. I've never written a book before, so it's been an interesting learning experience, navigating the world of publishers and bookstores and 'mainstream' marketing. The book has a very impressive list of contributors, as puzzles were submitted from cryptographers all over the world -- of most interest to your own audience, there's even a section by Scott Kim which presents a pencil and paper method of doing asymmetric key encryption.

WD> Finally, which of your games do you play the most?

Now *that* is a closely-guarded secret. When I'm playing a multiplayer game, I just want to play, and not let anyone know who I am -- I try to stay as incognito as possible!

All Rights Reserved, Copyright 2005 Whitedust.net

From isn at c4i.org Wed Mar 15 03:22:12 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Mar 2006 02:22:12 -0600 (CST)
Subject: [ISN] OfficeMax: No evidence of security breach
Message-ID:

http://news.com.com/OfficeMax+No+evidence+of+security+breach/2100-1029_3-6049758.html

By Greg Sandoval
Staff Writer, CNET News.com
March 14, 2006

Following an extensive review of its security systems, OfficeMax says it has no reason to believe it was the company that suffered the data breach that resulted in thousands of cases of debit card fraud.

On Tuesday, the office-supply chain said that an independent study by a security expert found no indication that the company's customer information was lost. An internal investigation came to the same conclusion.

"OfficeMax takes the security of our customers' information with the utmost seriousness and is committed to protecting private customer information," the company said in a statement. "As we have stated consistently, we have no knowledge of a security breach at OfficeMax."

But the company wouldn't explain why it was still involved in the investigation into the debit card thefts.

"OfficeMax continues to work with the United States Secret Service and other federal law enforcement agencies in their investigation of ATM fraud," the company said.

Debit card holders from San Francisco to Pittsburgh to Boston have reported cash was seized from their accounts via fraudulent withdrawals. Visa and MasterCard have said a merchant had suffered a data theft but wouldn't identify the company.

During the past two weeks, law enforcement officials have noted that their investigations revealed that many of the fraud victims were OfficeMax shoppers. On Monday, Hudson County Prosecutor Edward DeFazio said his office had arrested 14 people in connection with the nationwide crime wave involving debit cards. In an interview with CNET News.com, DeFazio identified OfficeMax as among the victims of data theft. He said other companies were also ripped off.

OfficeMax has said it has "not received information from any third party concluding" that it suffered a breach.

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Wed Mar 15 03:22:36 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Mar 2006 02:22:36 -0600 (CST)
Subject: [ISN] US Government Studies Open Source Quality
Message-ID:

http://www.osvdb.org/blog/?p=104

US Government Studies Open Source Quality

"US Government Studies Open Source Quality" reads the SlashDot thread, and it certainly sounds interesting. Reading deeper, it links to an article by the Reg titled "Homeland Security report tracks down rogue open source code". The author of the article, Gavin Clarke, doesn't link to the company who performed the study (Coverity) or the report itself.

A quick Google search finds the Coverity home page. On the right hand side, under Library, there is a link titled "NEW >> Open Source Quality Report". Clicking that, you are faced with "request information", checking the Open Source Quality Report box (one of seven boxes including Request Sales Call as the first option, and Linux Security Report is the default checked box), and then filling out 14 fields of personal information, 10 of which are required.

So, let me get this straight. My tax dollars fund the Department of Homeland Security.
The DHS opts to spend $1.24 million dollars on security research, by funding a university and two commercial companies. One of the commercial companies does research into open source software, and creates a report detailing their findings. To get a copy of this report, you must give the private/commercial company your first name, last name, company name, city, state, telephone, how you heard about them, email address, and a password for their site (you can optionally give them your title, and describe your project).

Excuse me, but it should be a CRIME for them to require that kind of personal information for a study that I helped fund via my tax dollars. Given this is a study of open source software, requiring registration and giving up that kind of personal information is doubly insulting. Coverity, you should be ashamed at using extortion to share information/research that should be free.

Even worse, your form does not accept RFC compliant e-mail addresses (RFC 822, RFC 2142 (section 4) and RFC 2821). Now I have to add your company to my "no plus" web page for not even understanding and following 24-year-old RFC standards. HOW CAN WE TRUST ANYTHING YOU PUBLISH?!

Oh, if you don't want to go through all of that hassle, you can grab a copy of the PDF report anyway.

http://osvdb.org/ref/blog/open_source_quality_report.pdf

From isn at c4i.org Wed Mar 15 03:22:50 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Mar 2006 02:22:50 -0600 (CST)
Subject: [ISN] Computer hacker pleads guilty
Message-ID:

http://www.nctimes.com/articles/2006/03/14/news/sandiego/19_49_343_13_06.txt

By: North County Times News Service
March 13, 2006

SAN DIEGO - A young man who was 17 when he hacked into the computer network at San Diego State University and compromised operations pleaded guilty Monday to federal charges.

The defendant, who was not identified because he was a juvenile at the time of the offense, was immediately sentenced by U.S. District Judge Napoleon Jones Jr. to three years' probation and ordered to pay $20,735 in restitution.

"This young man has now learned the hard way that the Internet does not give anyone immunity from criminal prosecution and conviction," said U.S. Attorney Carol Lam.

The defendant admitted knowingly and intentionally accessing various legally protected computers in the SDSU network and recklessly causing damage to those computers.

Assistant U.S. Attorney Mitch Dembin said the defendant admitted that on Dec. 24, 2003, he scanned the university network looking for vulnerable computers and happened upon one in the Drama Department. He uploaded a variety of software tools and utilities to that computer for use in ferreting out other vulnerable computers within the SDSU network, cracking passwords and obtaining administrative privileges, Dembin said.

Over the next several hours, the defendant located and compromised at least seven additional computers, including the Financial Services and Housing Department systems, according to Dembin.

In mid-January 2004, the defendant uploaded a program to the Financial Services and Housing Department computers that would allow him to store, share and distribute music and software, including pirated video games, Dembin said.

He said the computer breach was discovered on Feb. 24, 2004, when complaints were received from individuals who were getting unsolicited electronic mail originating from the Financial Services computer. That led to a full investigation by SDSU that revealed the larger scope of the hacker's work, according to Dembin.

He said SDSU spent more than $20,000 investigating the extent of the compromise and repairing and restoring the damaged computers. The university also had to notify individuals whose personal information was located on the Financial Services computer that their data may have been accessed. The prosecutor said there is no evidence, however, that any data stored on the Financial Services computer was downloaded or used for identity theft.

Steve Harshaw, an SDSU police detective, was involved in the case.

"Without the assistance from San Diego State's Information Security Office, it would have been extremely difficult to track down this criminal," he said. "We're very happy that an arrest was made, especially in light of how difficult investigations into this type of crime can be."

From isn at c4i.org Wed Mar 15 03:23:02 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Mar 2006 02:23:02 -0600 (CST)
Subject: [ISN] Hacker gains access to Bisons fans' Web data
Message-ID:

http://www.buffalonews.com/editorial/20060314/1033934.asp

By STEPHEN T. WATSON
News Staff Reporter
3/14/2006

A computer hacker recently gained access to sensitive financial information - including credit card numbers - on the Buffalo Bisons' Web site, the team is warning its customers.

The Secret Service, with the assistance of the FBI, is investigating the security breach, which occurred last month. So far, the Bisons say they have no indication that the intruder has misused any of the ill-gotten data.

The team has set up a toll-free number for people to call for more information and has notified the four credit card companies that are involved.

"We apologize for any inconvenience this situation has caused any of our fans," the team said in a statement.

Choice One Online, which hosted the Bisons' Web site at the time of the breach, said that it has hired the VeriSign global Internet security firm to conduct its own investigation into the security breach.

"VeriSign did confirm that we caught it early enough that damage, if any, will be next to nothing," said Keith Radford Jr., director of Choice One Online.

Employees of the Bisons and Choice One noticed the breach about Feb. 13, according to the team and Radford.
An intruder got into the Choice One system and uploaded a program that gave this person access to names, passwords, financial data and other information collected from customers who ordered items through Bisons.com, the Bisons said in a letter to customers.

The intruder accessed the information on the Bisons' Web site, the Bisons said, but so far, there is no evidence that this information was misused in any way. The Bisons are cooperating in the investigation by the federal agencies and by VeriSign, according to the team's statement.

The Bisons mailed out the letters to any potentially affected Web customers shortly after learning of the breach, said Mike Buczkowski, the team's general manager. He would not say how many customers might have been affected.

The Bisons and Choice One changed their passwords and shut down the computer servers that were infiltrated, and the team notified American Express, Discover, MasterCard and Visa about the breach.

The Bisons are warning their Internet customers to monitor statements from their financial institutions and notify their credit card or debit card companies that their accounts might have been compromised. The toll-free number the team set up for customers is (800) 380-1447.

Choice One, a Buffalo Internet services company, said the VeriSign investigation will show the full extent of the damage caused by the breach, which Radford described as "minimal." The company is beefing up its security measures in response to the incident, he said.

Choice One and the Bisons no longer are working together, a move that Buczkowski said is not related to the security breach. The team last July began talking with Major League Baseball Advanced Media about hosting the Bisons' Web site, he said, and the switch went into effect last month.

From isn at c4i.org Wed Mar 15 03:23:41 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 15 Mar 2006 02:23:41 -0600 (CST)
Subject: [ISN] REVIEW: "The CISM Prep Guide", Ronald L. Krutz/Russell Dean Vines
Message-ID:

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

BKCISMPG.RVW   20051204

"The CISM Prep Guide", Ronald L. Krutz/Russell Dean Vines, 2003, 0-471-45598-9, U$60.00/C$92.95/UK#41,95
%A   Ronald L. Krutz
%A   Russell Dean Vines
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2003
%G   0-471-45598-9
%I   John Wiley & Sons, Inc.
%O   U$60.00/C$92.95/UK#41,95 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0471455989/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0471455989/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471455989/robsladesin03-20
%O   Audience i Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   433 p. + CD-ROM
%T   "The CISM Prep Guide"

The CISM (Certified Information Systems Manager) is ISACA's (Information Systems Audit and Control Association) extension to its more widely known CISA (Certified Information Systems Auditor) (cf. BKCISAPG.RVW) designation. It basically covers the material addressed in the CISSP (Certified Information Systems Security Professional) security management domain, with additional material on incident response.

The chapters in this book follow the five domains of the CISM. Chapter one deals with information security governance, also passing quickly over some of the areas of technical security controls. Risk management is addressed in chapter two, with a concentration on the NIST (US National Institute of Standards and Technology) risk assessment framework: an indication of the concentration on US standards in this work and certification. Information security program management, in chapter three, includes topics such as formal models, project management, and the system development life cycle. (There is a lack of clarity in some of the explanations of specific models that may lead readers into error.) Information security management, in chapter four, is even more of a grab bag, looking at US regulations, contracts, auditing, and security reviews. Chapter five covers incident response, disaster recovery, and forensics.

The book also contains a set of questions. They are quite vague, and, if representative of the CISM itself, that certification is only looking for familiarity with topics.

copyright Robert M. Slade, 2005   BKCISMPG.RVW   20051204

======================  (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca  slade at victoria.tc.ca  rslade at sun.soci.niu.edu
In a real dark night of the soul it is always three o'clock in the morning, day after day. - F. Scott Fitzgerald
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

From isn at c4i.org Thu Mar 16 05:03:04 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Mar 2006 04:03:04 -0600 (CST)
Subject: [ISN] NIST sets FISMA standards for federal IT systems
Message-ID:

http://www.gcn.com/online/vol1_no1/40127-1.html

By William Jackson
GCN Staff
03/15/06

The National Institute of Standards and Technology has released the final standard for securing agency computer systems under the Federal Information Security Management Act.

Federal Information Processing Standard 200 [1] sets minimum security requirements for federal systems in 17 security areas. It is the third of three publications required from NIST under FISMA, which requires executive branch agencies to establish consistent, manageable IT security programs for non-national security systems.

The intent of FISMA is to implement risk-based processes for selecting and implementing security controls. FIPS 199 [2], released two years ago, establishes standards for categorizing IT systems as low, moderate or high-impact, depending on the effect of a breach of confidentiality, integrity or availability of the system. Special Publication 800-53 [3] - "Recommended Security Controls for Federal Information Systems" - lays out the tools to be used under FIPS 200 to secure IT systems.

Agencies must be in compliance with FIPS 200 by March 2007. Requirements are spelled out for:

* Access control
* Awareness and training
* Audit and accountability
* Certification, accreditation and security assessments
* Configuration management
* Contingency planning
* Identification and authentication
* Incident response
* Maintenance
* Media protection
* Physical and environmental protection
* Planning
* Personnel security
* Risk assessment
* System and services acquisition
* System and communications protection
* System and information integrity.

Agencies must employ on each system the proper security controls in each of these areas depending on whether it is a low, moderate or high-impact system.

NIST also is updating its standards for digital signatures. A draft of FIPS 186-3 [4], which would replace the current FIPS 186-2, has been released for comment. The original digital signature standard was released in 1994 and has been updated twice, in 1998 and 1999. The current version authorizes the use of key sizes of 512 and 1024 bits with approved algorithms. Key sizes of 1024 bits now are considered the minimum acceptable level for security of digital signatures.

"With advances in technology, it is prudent to consider larger key sizes," NIST said. "Draft FIPS 186-3 allows the use of 1024, 2048 and 3072-bit keys."

Comments on the proposed standard should be made by June 12 to elaine.barker at nist.gov, or mailed to the Chief, Computer Security Division, Information Technology Laboratory, Attention: Comments on Draft FIPS 186-3, 100 Bureau Drive, Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930.

[1] http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
[2] http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
[3] http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
[4] http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-186-3%20_March2006.pdf

From isn at c4i.org Thu Mar 16 05:03:20 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Mar 2006 04:03:20 -0600 (CST)
Subject: [ISN] FrSIRT Puts Exploits up for Sale
Message-ID:

http://www.eweek.com/article2/0,1895,1938511,00.asp

By Ryan Naraine
March 15, 2006

Independent security research outfit FrSIRT.com is putting its database of security exploits behind the paid curtain.

FrSIRT, previously known as K-Otik, has shut down the public exploits section of its Web site and announced that all exploits and proof-of-concept code will be sold through its subscription-based VNS (Vulnerability Notification Service).

The 3-year-old company, which operates out of Montpellier, France, is considered the go-to place for finding exploit code for known software vulnerabilities and has been a thorn in the side of many vendors, including Microsoft.

FrSIRT describes itself as the trusted center for the collection and dissemination of information related to network threats, vulnerabilities, exploits and incidents, but critics say the company's open approach to releasing harmful exploit code borders on "irresponsible disclosure."

The new FrSIRT VNS offers round-the-clock monitoring of new vulnerabilities and threats, and promises real-time access to a Web-based security alerting service. The alerts are delivered through a Web portal, XML feeds and e-mail subscriptions.

Subscribers will also get an online vulnerability scanner and scheduler with which to run security scans on a regular basis to check for security vulnerabilities.
FrSIRT said pricing for the service will vary based on the number of users that will be licensed to receive the alerts and access the exploit code samples. The new service is part of a growing trend among third-party researchers to profit from code auditing work. Companies like iDefense and Tipping Point have found a lucrative business in purchasing the rights to information on vulnerabilities. Dutch security firm Frame4 Security Systems is also getting into the malware-for-sale market, launching a project called MD:Pro that offers access to thousands of downloadable malware samples. From isn at c4i.org Thu Mar 16 05:03:53 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 16 Mar 2006 04:03:53 -0600 (CST) Subject: [ISN] Trojan spy couple are expected to be jailed Message-ID: http://www.computerweekly.com/Articles/2006/03/15/214829/Trojanspycoupleareexpectedtobejailed.htm By Antony Savvas 15 March 2006 A British-based Israeli couple are expected to be jailed in Israel for their part in an industrial espionage scandal involving the use of a Trojan data-tracking bug. Ruth Brier-Haephrati, 28, and her 44-year-old husband Michael Haephrati, have entered a plea bargain to be sentenced to four and two years in jail respectively, after confessing their involvement in the Trojan horse case. The plea, entered in a Tel Aviv court, also proposes that they should each have to pay one million New Israeli Shekels (?121,400) in compensation. The couple were extradited to Israel from Britain earlier this year. According to the court, the couple were managers of the firm Target-Eya. Michael Haephrati is said to have developed the spyware Trojan horse, while his wife, Ruth, marketed it to several private investigators who bought the code and installed it onto the computers of their clients' rivals. 
Graham Cluley, senior technology consultant at internet security software firm Sophos, said, "The Israeli authorities should be congratulated for bringing these cyber-criminals to justice - it sends a strong message that this kind of activity will not be tolerated."

He added, "It remains to be seen however if the private investigators who deployed the Trojan horses on the computers of innocent businesses, and potentially made more money than this couple in the process, will also be officially held to account."

The Haephratis' Trojan horse is said to have been used by private investigators to spy on both a PR agency, whose clients include Israel's second biggest mobile phone operator, Partner Communication, and a cable television station. Another alleged victim was Champion Motors, which imports Audi and Volkswagen motor vehicles.

The Tel Aviv court will announce whether it accepts the Haephratis' plea bargain on 27 March.

© 2006 Reed Business Information Limited. All Rights Reserved.

From isn at c4i.org Thu Mar 16 05:02:49 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Mar 2006 04:02:49 -0600 (CST)
Subject: [ISN] Stop blaming Winny, fix the real problem
Message-ID:

http://www.yomiuri.co.jp/dy/editorial/20060315TDY04006.htm

The Yomiuri Shimbun
Mar. 15, 2006

Should all the blame fall on the Winny file-sharing software? Not quite. Anyone dealing with sensitive information has an extremely heavy obligation in this regard.

A number of cases of large amounts of government secrets and personal information being accidentally disclosed on the Internet have come to light in recent weeks, and Winny has been singled out for criticism in all these incidents.

Winny was created to enable computer users to exchange music and video files over the Internet. However, the development of the software has been followed by the emergence of computer viruses that can infect Winny, making it act in ways not intended.
If infected, Winny can upload data from computers on which it is installed onto the Internet without the knowledge of users. In all the information disclosures reported, the victims had stored important data on personal computers that were running copies of Winny that had been infected with viruses. This has prompted many people to point a finger at the file-sharing software.

The recent spate of Winny-related incidents includes the disclosure of information about investigations by the Okayama and Ehime prefectural police. The tendency to single Winny out for criticism can be seen in remarks made by senior officials at the National Police Agency, an organ charged with supervising prefectural police authorities.

"Police personnel who use Winny on their personal computers have no awareness of their professional duties," NPA Commissioner General Iwao Uruma said.

=== Lax security true culprit

But blaming Winny alone means blinkering oneself to the true culprit, and one needs to look further. It is disturbing to see that the organizations affected by the incidents were extremely lackadaisical in protecting information and secrets.

Questions should be raised about why those responsible for the disclosures were able to copy sensitive information from their office computers onto their own computers, and take it home without permission from their superiors. The ease with which this was done means no measures had been taken to protect the confidentiality of information held by these offices.

What if such massive amounts of information had been stored on paper, not computers, and disclosed? The spate of disclosures would be considered highly abnormal.

We all have good reason to raise questions about how the organizations affected by the disclosures protect their secrets and data. Are personnel at their offices allowed to duplicate important documents and take them outside? Are they permitted to take such documents home?
Are the central and local governments properly equipped to manage the many secrets and personal information entrusted to them? The government and other pertinent organizations must thoroughly reexamine their information-control systems.

=== Govt must accept responsibility

The Defense Agency intends to buy all its personnel new computers to help them carry out their duties. The decision came after the agency had second thoughts about its standing practice of allowing employees to use their own computers for work.

But this purchase must be complemented by efforts to ensure information stored on these computers is properly controlled. If agency officials are allowed to copy data from their office computers onto their personal computers and take them out, the agency will remain susceptible to the disclosure of secrets and data. Winny is not the only software that can be perverted to disclose data stored on computers; there are others.

The Defense Agency must ban personnel from using the newly supplied computers for personal use. No government employee should be allowed to take data outside the workplace.

Government information and data must be encoded if taken out from the office. Doing so would prevent the data from being understood if disclosed to an outsider.

Thorough measures should be implemented to educate government employees about how to properly control data they handle. Furthermore, periodic inspections are needed to ensure these safeguards are being followed.

Any organization that has a bitter experience of having secrets and data disclosed has already taken such measures. Government organizations must learn what it means to protect the confidentiality of their information and data.
(From The Yomiuri Shimbun, March 15)

From isn at c4i.org Thu Mar 16 05:04:11 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Mar 2006 04:04:11 -0600 (CST)
Subject: [ISN] DHS Gets Another F in Computer Security
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/03/15/AR2006031501589.html

By Brian Krebs
washingtonpost.com Staff Writer
March 15, 2006

Most federal agencies that play key roles in the war on terror are doing a dismal job of protecting their computers and information networks from hackers and viruses, according to portions of a report to be released by a key congressional oversight committee Thursday.

The Department of Homeland Security, which is charged with setting the government's cyber security agenda, earned a grade of F for the third straight year from the House Government Reform Committee. Other agencies whose failing marks went unchanged from 2004 include the departments of Agriculture, Defense, Energy, State, Health and Human Services, Transportation, and Veterans Affairs.

The House Government Reform Committee is expected to award the federal government an overall grade of D-plus for computer security in 2005, a score that remains virtually unchanged from 2004.

Several agencies saw a considerable drop in their scores. The Department of Justice went from a B-minus in 2004 to a "D" in 2005, while Interior earned failing marks after getting a C-plus in 2004.

The scores are "unacceptably low," committee Chairman Tom Davis (R-Va.) said in a statement. "DHS must have its house in order and should become a security leader among agencies. What's holding them up?"

The annual report bases the grades on the agencies' internal assessments and information they are required to submit annually to the White House Office of Management and Budget. The letter grades depended on how well agencies met the requirements set out in the Federal Information Security Management Act (FISMA).
FISMA requires agencies to meet a wide variety of computer security standards, ranging from operational details -- such as ensuring proper password management by workers and restricting employee access to sensitive networks and documents -- to creating procedures for reporting security problems.

As online attacks against consumers and businesses have skyrocketed, so have assaults against government information systems. Alan Paller, director of research for the SANS Institute, a group in Bethesda, Md., that trains and certifies computer security professionals, said a number of federal computer systems have been badly penetrated by hackers and viruses over the past several years, in part because many agencies do not adequately monitor their systems or apply software security updates in a timely manner.

But Paller argues that the yearly FISMA grades force agencies to apply scarce funding and employee time toward the wrong priorities.

"It turns out that the vast bulk of the federal information security money is spent on documenting these systems, not on securing or testing them against attacks," Paller said. "Most [agencies] are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified."

Davis said he is interested in examining ways to ensure that FISMA compliance does not become a paperwork exercise where agencies comply with the letter, but not the spirit, of the law.

"We don't want them filling out forms to simply fill out forms, but in my experience, when it comes to information security, it is still difficult to get people -- even members of Congress -- engaged in the issue," Davis said. "An attack could originate anywhere at any time, and FISMA is the best tool we have to ensure that agencies are proactively securing themselves."

While a number of agencies performed worse last year than in 2004, many showed marked improvement in meeting federal computer security requirements.
The National Science Foundation and the General Services Administration each saw their scores rise from a C-plus in 2004 to an A last year. The Environmental Protection Agency and the Department of Labor earned A-plus grades in 2005, up from B and B-minus respectively.

© 2006 Washingtonpost.Newsweek Interactive

From isn at c4i.org Thu Mar 16 05:04:34 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Mar 2006 04:04:34 -0600 (CST)
Subject: [ISN] Study Says Chips in ID Tags Are Vulnerable to Viruses
Message-ID:

http://www.nytimes.com/2006/03/15/technology/15tag.html

By JOHN MARKOFF
March 15, 2006

A group of European computer researchers have demonstrated that it is possible to insert a software virus into radio frequency identification tags, part of a microchip-based tracking technology in growing use in commercial and security applications.

In a paper to be presented today at an academic computing conference in Pisa, Italy, the researchers plan to demonstrate how it is possible to infect a tiny portion of memory in the chip, which can hold as little as 128 characters of information.

Until now, most computer security experts have discounted the possibility of using such tags, known as RFID chips, to spread a computer virus because of the tiny amount of memory on the chips.

The tracking systems are intended to improve the accuracy and lower the cost of tracking goods in supply chains, warehouses and stores. Radio tags store far more data about a product than bar codes and can be read more quickly. They have even been injected into pets and livestock for identification.

The chips have already prompted debate over privacy and surveillance, given their tracking ability. Now the researchers have added a series of worrisome prospects, including the ability of terrorists and smugglers to evade airport luggage scanning systems that will use RFID tags in the future.
In the researchers' paper, "Is Your Cat Infected With a Computer Virus?," the group, affiliated with the computer science department at Vrije Universiteit in Amsterdam, also describes how the vulnerability could be used to undermine a variety of tracking systems.

The researchers said they realized that there are risks associated with publishing security vulnerabilities in computerized systems. To head off some of the possible attacks they described, they have also published a set of steps to help protect RFID chips from such attacks.

The group, led by Andrew S. Tanenbaum, an American computer scientist, will make the presentation at the annual Pervasive Computing and Communications Conference sponsored by the Institute of Electrical and Electronic Engineers.

The researchers asserted that the RFID demonstration had not used the commercial software that collects and organizes information from RFID readers. Rather, it used software that they designed to replicate those systems.

"We have not found specific flaws" in the commercial RFID software, Mr. Tanenbaum said, but "experience shows that software written by large companies has errors in it."

The researchers have posted their paper and related materials on security issues related to RFID systems at www.rfidvirus.org.

The researchers acknowledged that inside information would be required in many cases to plant a hostile program. But they asserted that the commercial software developed for RFID applications had the same potential vulnerabilities that have been exploited by viruses and other malicious software, or malware, in the rest of the computer industry.

One such standard industry problem is a software coding error referred to as a buffer overflow. Such errors occur when programmers set aside memory to receive data temporarily, but fail to require a check on the size of the value that is moved to the allocated space.
A larger-than-expected value can cause the program to break and trick the computer operating system into executing a malicious program.

"You should check all of your input all of the time, but experience shows this isn't the case," Mr. Tanenbaum said.

Independent computer security specialists also said RFID systems were potential problem areas.

"It shouldn't surprise you that a system that is designed to be manufactured as cheaply as possible is designed with no security constraints whatsoever," said Peter Neumann, a computer scientist at SRI International, a research firm in Menlo Park, Calif.

Mr. Neumann is the co-author of an article to be published in the May issue of the Communications of the Association for Computing Machinery on the risks of RFID systems. He said existing RFID systems were a computer security disaster waiting to happen. He cited inadequate identification for users, the potential for counterfeiting or disabling tags, and the problem of weak encryption in a passport-tracking system being developed in the United States. But he said he had not previously considered the possibility of viruses and other malicious software programs.

An industry executive acknowledged that the companies that make computerized tracking systems faced potential security problems.

"We are very actively looking at the different ways the technology is used," said the executive, Daniel P. Mullen, president of the Association for Automatic Identification and Mobility, an industry trade group. "It's an ongoing dialogue about protecting information on the tag and in the database."

The association has a working group of experts assessing both security and privacy challenges, he said.

There are many types of RFID tag, and some of the sophisticated versions include security features like encryption of the identifying number carried by the chip.
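The unchecked-size error the article describes above, shown beside its checked form as an added example written for this page (not code from the researchers' paper or from any RFID product). The reader-side record, the 128-character tag size taken from the article, and the tag payloads are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed reader-side record holding the payload read from one tag.
   The article says tags may hold as little as 128 characters, so that is
   the size set aside here. */
#define TAG_PAYLOAD_MAX 128

struct tag_record {
    char payload[TAG_PAYLOAD_MAX];
    size_t len;
};

/* The coding error the article describes: memory is set aside for the
   payload, but the size of the incoming data is never checked before it
   is copied. A response longer than TAG_PAYLOAD_MAX - 1 bytes writes past
   the end of payload[] into whatever lies next to it. */
void store_tag_unchecked(struct tag_record *rec, const char *data)
{
    strcpy(rec->payload, data);      /* no bound on the copy */
    rec->len = strlen(rec->payload);
}

/* Checked form: the caller passes the number of bytes actually received
   and the function refuses anything that does not fit together with the
   terminating NUL. Nothing is written before the check passes.
   Returns true when stored, false when the response was rejected. */
bool store_tag_checked(struct tag_record *rec, const char *data, size_t data_len)
{
    if (rec == NULL || data == NULL)
        return false;
    if (data_len >= TAG_PAYLOAD_MAX)  /* leave room for the NUL */
        return false;
    memcpy(rec->payload, data, data_len);
    rec->payload[data_len] = '\0';
    rec->len = data_len;
    return true;
}

/* Demonstration helper: fill buf with a constructed over-long tag response
   of n bytes (all 'A'); buf must have room for n + 1 bytes. */
void make_oversized_response(char *buf, size_t n)
{
    memset(buf, 'A', n);
    buf[n] = '\0';
}

int main(void)
{
    struct tag_record rec;
    char response[512];

    /* A constructed, normally sized payload is accepted. */
    const char *normal = "CONSTRUCTED-TAG-0001";
    if (store_tag_checked(&rec, normal, strlen(normal)))
        printf("accepted %zu bytes: %s\n", rec.len, rec.payload);

    /* A 300-byte response is rejected instead of overwriting memory. */
    make_oversized_response(response, 300);
    if (!store_tag_checked(&rec, response, strlen(response)))
        printf("rejected %zu-byte response (limit %d bytes)\n",
               strlen(response), TAG_PAYLOAD_MAX - 1);

    /* store_tag_unchecked(&rec, response) would copy all 300 bytes into a
       128-byte field; it is defined above only for contrast and not run. */
    return 0;
}
```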
But the Dutch research group warned that in a variety of situations it is possible for attackers to alter the information in an RFID tag to subvert its purpose.

"RFID malware is a Pandora's box that has been gathering dust in the corners of our 'smart' warehouses and homes," they write in their paper.

In one example they offered, a virus from an infected tag on luggage passing through an airport could be picked up when it is scanned by the luggage-handling control systems and then spread to tags attached to other pieces of luggage. Such an attack, they suggest, might spread luggage contamination to other airports. It might also be used by a smuggler to cause a piece of luggage to avoid security systems.

They also described situations of counterfeit RFID tags possibly being used to subvert pricing and other aspects of commercial sales systems, or a virus could be inserted into RFID tags used to identify pets.

Copyright 2006 The New York Times Company

From isn at c4i.org Thu Mar 16 05:05:06 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 16 Mar 2006 04:05:06 -0600 (CST)
Subject: [ISN] Handheld Security Admin
Message-ID:

====================
This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

GuardianEdge Technologies
http://list.windowsitpro.com/t?ctl=23D89:4FB69

Scalable Software
http://list.windowsitpro.com/t?ctl=23D87:4FB69
====================

1. In Focus: Handheld Security Admin

2. Security News and Features
- Recent Security Vulnerabilities
- Cisco Moving into Physical Security Arena
- Firefox 2.0 to Gain Security Improvements
- Crank Up Security with MBSA 2.0

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- Share Your Security Tips

4. New and Improved
- Better Security Event Reporting

====================

==== Sponsor: GuardianEdge Technologies ====

Encrypt and Manage Data on Any Platform

Sensitive data is everywhere: in email and on hard drives, removable storage devices, and PDAs. Encryption is the only way to protect that data from criminals and competitors while complying with regulators. But encrypting data on all those devices and managing them efficiently is a major challenge. Encryption Anywhere solves the problem with a single management tool that plugs directly into Microsoft Active Directory, letting you distribute and manage encrypted Microsoft clients without changing your current processes. Click here to find out how you can protect corporate data and prevent identity theft.
http://list.windowsitpro.com/t?ctl=23D89:4FB69

====================

==== 1. In Focus: Handheld Security Admin ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Laptops are great tools. They've allowed security administrators to take their tools on the road and freed them from relying on access to a storage server. For some security consultants, it might be nearly impossible to get any work done without a laptop.

One downside of laptops is that sometimes they can be bulky to carry around. Plus when you need to use a laptop, you must take it out of the bag, find a place to set it (on your lap if necessary), and start it up. Then when you're done, you must reverse the whole process. A task that will take you 5 minutes on the computer winds up taking 10 minutes overall.

Now, new mobile devices are poised to improve our situation once again. New handheld devices are powerful, flexible, and relatively easy to use. They can run a full-blown OS (as opposed to a scaled-down, limited version), provide plenty of storage, are lightweight, and are ready to use almost instantly nearly any time and any place. New devices are coming to market.
One that you might have already heard about is Microsoft's Ultra-Mobile PC (UMPC), code-named The Origami Project. UMPC runs Windows XP Tablet PC Edition, has a 7-inch display with a minimum of 800 x 480 dpi resolution, includes network connectivity, has a 40GB hard drive, and weighs about 2 pounds. UMPC won't fit in your pocket, but it would fit in some purses, and you'll be able to hold it in your hand to get work done when necessary. Microsoft's UMPC will cost under $1000.
http://list.windowsitpro.com/t?ctl=23D99:4FB69

Some might think that UMPC is just another tablet PC. While that might be true in the most basic sense, tablet PCs have significant advantages over laptops, most notably the ease of use. One thing missing from UMPC is a keyboard. I must have a keyboard, even though I like handhelds' touch screens. A demo at Intel's site (first URL below) shows an ultra-mobile device that does have a keyboard (second URL below). I want this one!
http://list.windowsitpro.com/t?ctl=23D8C:4FB69
http://list.windowsitpro.com/t?ctl=23D91:4FB69

Another new device is the DualCor cPC. This device weighs only 1.1 pounds and features two processors and two OSs: Windows XP Tablet PC Edition and Windows Mobile. The device also has a 40GB hard drive and 5-inch display with 800 x 480 dpi resolution. The price is $1500 retail, with discounts for volume purchases.
http://list.windowsitpro.com/t?ctl=23D9E:4FB69

Another handheld computer comes from OQO. The OQO model 01+ has a 30GB drive, weighs only 14 ounces, and is small enough to put in your pocket. The screen size is 5 inches. The model 01+ has a mini-keyboard that slides out from under the display. Hold on to your hats for the price: the Windows Tablet PC Edition sells for $2099 retail!
http://list.windowsitpro.com/t?ctl=23D9C:4FB69

For a decent comparison of several handheld computers, including some that I didn't have room to mention here and some that don't run Windows Tablet PC Edition, visit the handtops.com Web site at the URL below.
http://list.windowsitpro.com/t?ctl=23D9A:4FB69

====================

==== Sponsor: Scalable Software ====

How much are you spending on IT compliance? Streamline and automate the compliance life cycle with this FREE white paper, and reduce your costs today!
http://list.windowsitpro.com/t?ctl=23D87:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=23D8B:4FB69

Cisco Moving into Physical Security Arena
With its latest acquisition, Cisco aims to bring its customers IP-enabled physical security. The company announced an agreement to acquire privately held SyPixx Networks, a company founded in 2002 to deliver video surveillance systems.
http://list.windowsitpro.com/t?ctl=23D92:4FB69

Firefox 2.0 to Gain Security Improvements
An alpha release of Firefox 2.0 is due out in the next few days, according to meeting minutes posted at Mozilla Foundation. A few important new security features will be included in the 2.0 version. Read about them in this news story.
http://list.windowsitpro.com/t?ctl=23D93:4FB69

Crank Up Security with MBSA 2.0
The latest version of Microsoft's popular no-cost MBSA tool is more than a simple update; it includes new features and has been designed to integrate seamlessly with other update tools such as Windows Server Update Services (WSUS) and the Systems Management Server (SMS) Inventory Tool for Microsoft Updates (ITMU).
Get the details at
http://list.windowsitpro.com/t?ctl=23D94:4FB69

====================

==== Resources and Events ====

Windows Connections Conference, April 9-12, 2006
Don't miss the essential Windows technology conference.
http://list.windowsitpro.com/t?ctl=23D9D:4FB69

When disaster strikes your servers, whether they are dedicated to Windows, SQL, or Exchange, you need answers. Make sure that if an emergency occurs, you're prepared. Get the full eBook and get started on your recovery plan today!
http://list.windowsitpro.com/t?ctl=23D86:4FB69

Learn to gather evidence of compliance across multiple systems and link the data to regulatory and framework control objectives. On-demand Web seminar.
http://list.windowsitpro.com/t?ctl=23D83:4FB69

Make sure your email server is secure. Learn everything from basic techniques to defense-in-depth strategies, including network-level access control lists, Web authentication, firewall protocol inspection, and perimeter filtering. Live Web seminar Thursday, March 23.
http://list.windowsitpro.com/t?ctl=23D84:4FB69

Use Windows Server 2003 R2 as a platform for SQL Server 2005 to support large-database requirements, including clustering and multiple processors. Register for this free Web seminar today!
http://list.windowsitpro.com/t?ctl=23D85:4FB69

====================

==== Featured White Paper ====

Use scripted deployments to ensure that all your Exchange servers are configured and deployed with exactly the same options and to maintain a record of your installation configurations. Learn how today!
http://list.windowsitpro.com/t?ctl=23D8A:4FB69

====================

==== Hot Spot ====

Symantec Corporation
A multi-tier approach to email security prevents unauthorized access and can stop spam, viruses, and phishing attacks. Learn to implement one today, and protect your network security and business systems!
http://list.windowsitpro.com/t?ctl=23D88:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: L0phtcrack Retired
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=23D98:4FB69

After years as a password-cracking staple, L0phtcrack is apparently being put out to pasture--discontinued. However, there are alternatives, including Cain & Abel, LCP, Ophcrack 2, and the Openwall Project's John the Ripper. Find links to these alternatives in this blog article.
http://list.windowsitpro.com/t?ctl=23D95:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=23D97:4FB69

Q: Can you use the Microsoft File Server Migration Toolkit (FSMT) to migrate shares between servers in different forests?

Find the answer at
http://list.windowsitpro.com/t?ctl=23D96:4FB69

Security Forum Featured Thread: Audit Tools
Know of any good tools to audit a Windows Server 2003 domain environment, including password reports? If so, join the discussion at
http://list.windowsitpro.com/t?ctl=23D82:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Windows IT Pro Magazine Article Library--access available
Sign up for a Monthly Online Pass and get INSTANT access to all articles, tools, and helpful resources published on WindowsITPro.com, including exclusive subscriber-only content. You'll get 24/7 access to the full Windows IT article library (which includes more than 9,000 articles) as well as the latest digital issue of Windows IT Pro delivered right to your inbox. Sign up now:
http://list.windowsitpro.com/t?ctl=23D8E:4FB69

Windows IT Pro Magazine--SAVE 58%
Windows IT Pro is a must-have in 2006!
Subscribe now and plug into the largest independent Windows IT community in the world. Along with loads of how-to articles, time-saving advice, and expert tips and solutions, you'll gain exclusive access to the entire online Windows IT Pro article library FREE. This is a limited-time offer, so order now:
http://list.windowsitpro.com/t?ctl=23D8D:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Better Security Event Reporting
Astaro released Astaro Report Manager 4.2, which lets you collect and report on data from Astaro Security Gateway appliances and security gateways from other vendors such as Check Point and Cisco. New features include a Java-based console that provides information about critical security events in real time, a new forensics analysis tool that helps you search log data on multiple devices, and new reports designed to meet federal regulatory requirements. Pricing starts at $295 for systems running Astaro Security Gateway Software and at $395 for Astaro Security Gateway appliances. For more information, go to
http://list.windowsitpro.com/t?ctl=23D9F:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com.
====================

==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=23D9B:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=23D90:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

From isn at c4i.org Fri Mar 17 03:34:10 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Mar 2006 02:34:10 -0600 (CST)
Subject: [ISN] State seizes newspaper's hard drives in leak probe
Message-ID:

http://www.yorkdispatch.com/pennsylvania/ci_3608667

MARYCLAIRE DALE
The Associated Press
03/16/2006

PHILADELPHIA -- The Pennsylvania Attorney General's Office has seized four newsroom hard drives as part of a probe into alleged leaks by a county coroner, after the state Supreme Court denied the newspaper's challenge to the search.

The attorney general's office, which is conducting a grand jury probe, rebuffed offers from the Intelligencer Journal of Lancaster to provide the information sought through less intrusive means or to search the computers in the newsroom, newspaper officials said.

Harold E. Miller Jr., the president and chief executive of parent Lancaster Newspapers Inc., said the ruling dismayed his reporters and could have a chilling effect on newsgathering.
"You get to the point where sources have confidence that we'll do the right thing and that our industry's protected. They'll talk to us," Miller said yesterday. "Without that confidence, we lose our ability to do our job."

Kevin Harley, a spokesman for state Attorney General Tom Corbett, declined to comment, citing grand jury rules.

The state Supreme Court, upholding a lower court ruling, last week rejected the paper's effort to quash the subpoena for the hard drives. The newspaper has not filed an appeal to the U.S. Supreme Court, in part because they were told the search would start the next morning, lawyer George C. Werner Jr. said.

Under terms of the lower court's ruling, the newspaper had given the hard drives conditionally to the attorney general's office before the Supreme Court ruling.

The attorney general's office is investigating whether Lancaster Coroner G. Gary Kirchner gave reporters his password to a secure law-enforcement Web site, according to a brief filed in the case. Kirchner has denied doing so.

The attorney general's office has pledged to limit its search to usage related to the Web site in question, which is run by the Lancaster County-Wide Communications' Computer Assisted Dispatch Web site.

"Once you turn your hard drives over to a government entity and they have your computers, they essentially have access to the newsroom," said Lucy Dalglish, executive director of the Reporters Committee for Freedom of the Press in Washington.

"It's not like it was in the days when we were all typing out on manual typewriters. It's like going into the brain of the newsroom and dissecting it. I find that horrifying," she said.

© 2005 Copyright The York Dispatch

From isn at c4i.org Fri Mar 17 03:34:30 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Mar 2006 02:34:30 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-11
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-03-09 - 2006-03-16

This week : 56 advisories

========================================================================

Table of Contents:

1. Word From Secunia
2. This Week In Brief
3. This Week's Top Ten Most Read Advisories
4. Vulnerabilities Summary Listing
5. Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Again this week Apple has released a security update, which fixes multiple vulnerabilities.
However, the "Extremely Critical" vulnerability released on the 21st of February 2006 remains only partially fixed, due to the fact that it is still possible to trick users into opening malicious shell scripts (masqueraded as a safe file type) in ZIP archives. You can test whether or not your system is affected by this vulnerability here: http://secunia.com/mac_os_x_command_execution_vulnerability_test/ For additional details about the other vulnerabilities fixed please refer to SA19129, the first of the referenced Secunia advisories below. Details about the partially fixed vulnerability may be found in SA18963. References: http://secunia.com/SA19129 http://secunia.com/SA18963 -- Microsoft has released 2 security bulletins as part of their monthly patch release cycle. All users are advised to visit Windows Update and apply available patches. For additional details about the issues corrected, please refer to the referenced Secunia advisories below. References: http://secunia.com/SA19138 http://secunia.com/SA18756 -- Some vulnerabilities have been reported in Flash Player, which can be exploited by malicious people to compromise a user's system. See referenced Secunia advisory for a list of affected products as well as links to updated versions. Reference: http://secunia.com/SA19218 VIRUS ALERTS: Secunia has not issued any virus alerts during the week. ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA19218] Flash Player Unspecified Code Execution Vulnerabilities 2. [SA19129] Mac OS X Security Update Fixes Multiple Vulnerabilities 3. [SA19138] Microsoft Office Multiple Code Execution Vulnerabilities 4. [SA19118] AVG Anti-Virus Updated Files Insecure File Permissions 5. [SA18963] Mac OS X File Association Meta Data Shell Script Execution 6. [SA19173] GnuPG Unsigned Data Injection Detection Vulnerability 7. [SA19175] Gallery "stepOrder[]" Local File Inclusion Vulnerability 8.
[SA19189] Red Hat update for python 9. [SA19064] Mac OS X Security Update Fixes Multiple Vulnerabilities 10. [SA19150] Kerio MailServer IMAP LOGIN Denial of Service Vulnerability ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA19247] ASP Portal Cross-Site Scripting and SQL Injection Vulnerabilities [SA19191] Hosting Controller "search" Forum SQL Injection [SA19229] Adobe Document/Graphics Server File URI Resource Access [SA19238] Avaya Modular Messaging Windows Privilege Escalation Security Issues [SA19217] AntiVir PersonalEdition Update Report Privilege Escalation UNIX/Linux: [SA19237] CrossFire "SetUp()" Buffer Overflow Vulnerability [SA19230] SGI Advanced Linux Environment Multiple Updates [SA19226] Debian update for metamail [SA19210] Debian update for bomberclone [SA19199] Gentoo cube Buffer Overflow and Denial of Service [SA19244] Fedora update for gnupg [SA19241] Apache Log4net Denial of Service Vulnerability [SA19236] Gentoo update for tar [SA19234] Debian update for gnupg [SA19232] Gentoo update for gnupg [SA19228] Gentoo update for flex [SA19227] Debian update for freeciv [SA19203] Slackware update for gnupg [SA19197] SUSE update for gpg [SA19196] Trustix update for mailman [SA19194] Debian update for crossfire [SA19193] SCO OpenServer Updates for Multiple Packages [SA19192] Debian update for ffmpeg [SA19190] Red Hat update for kdegraphics [SA19189] Red Hat update for python [SA19240] Debian update for webcalendar [SA19225] sa-exim "greylistclean.cron" File Deletion Vulnerability [SA19221] glFTPd IP Address Check Bypass Vulnerability [SA19211] CGI::Session Insecure Default Session File Permissions [SA19205] Gentoo update for squirrelmail [SA19187] Debian update for libcrypt-cbc-perl [SA19239] Apache mod_python FileSession Handling Vulnerability [SA19235] AIX "mklvcopy" Command Unspecified Vulnerability [SA19220] Ubuntu update for kernel [SA19200] Ubuntu Installer Log Files Exposure of 
User Credentials Other: [SA19233] Funkwerk X2300 ISAKMP IKE Message Processing Vulnerabilities Cross Platform: [SA19218] Flash Player Unspecified Code Execution Vulnerabilities [SA19246] Horde "url" Disclosure of Sensitive Information Vulnerability [SA19245] Drupal Multiple Vulnerabilities [SA19224] @1 File Store Script Insertion and SQL Injection [SA19222] GuppY "pg" Arbitrary File Overwrite Vulnerability [SA19219] Vegas Forum "postid" SQL Injection Vulnerability [SA19215] Jupiter Content Manager "image" BBcode Script Insertion [SA19214] Zeroboard Multiple Script Insertion Vulnerabilities [SA19209] DSPoll "pollid" SQL Injection Vulnerability [SA19208] ENet Library Two Denial of Service Vulnerabilities [SA19207] DSNewsletter "email" SQL Injection Vulnerability [SA19206] DSCounter "X-Forwarded-For" SQL Injection Vulnerability [SA19202] DSDownload Multiple SQL Injection Vulnerabilities [SA19201] DSLogin Multiple SQL Injection Vulnerabilities [SA19195] PHP SimpleNEWS "admin" Authentication Bypass [SA19216] vCard Cross-Site Scripting Vulnerabilities [SA19212] GGZ Gaming Zone XML Handling Denial of Service [SA19204] WMNews Cross-Site Scripting Vulnerabilities [SA19188] UnrealIRCd Server Link TKL Command Denial of Service [SA19186] DokuWiki Mediamanager EXIF Data Cross-Site Scripting Vulnerability ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA19247] ASP Portal Cross-Site Scripting and SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-03-15 CodeScan Labs have reported some vulnerabilities in ASP Portal, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/19247/ -- [SA19191] Hosting Controller "search" Forum SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-10 "nope" has discovered a vulnerability in Hosting Controller, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19191/ -- [SA19229] Adobe Document/Graphics Server File URI Resource Access Critical: Moderately critical Where: From local network Impact: Manipulation of data, Exposure of sensitive information, System access Released: 2006-03-15 Secunia Research has discovered a vulnerability in Adobe Document Server and Adobe Graphics Server, which can be exploited by malicious people to gain knowledge of potentially sensitive information, overwrite arbitrary files, or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19229/ -- [SA19238] Avaya Modular Messaging Windows Privilege Escalation Security Issues Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-03-15 Avaya has acknowledged some security issues in Avaya Modular Messaging, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/19238/ -- [SA19217] AntiVir PersonalEdition Update Report Privilege Escalation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-03-13 Ramon 'ports' Kukla has discovered a vulnerability in AntiVir PersonalEdition Classic, which can be exploited by malicious, local users to gain escalated privileges. 
Full Advisory: http://secunia.com/advisories/19217/ UNIX/Linux:-- [SA19237] CrossFire "SetUp()" Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-03-14 landser has discovered a vulnerability in CrossFire, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19237/ -- [SA19230] SGI Advanced Linux Environment Multiple Updates Critical: Highly critical Where: From remote Impact: Cross Site Scripting, DoS, System access Released: 2006-03-14 SGI has issued a patch for SGI Advanced Linux Environment. This fixes some vulnerabilities and a weakness, which can be exploited by malicious people to cause a DoS (Denial of Service), conduct cross-site scripting attacks, and potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/19230/ -- [SA19226] Debian update for metamail Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-03-13 Debian has issued an update for metamail. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19226/ -- [SA19210] Debian update for bomberclone Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-03-14 Debian has issued an update for bomberclone. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19210/ -- [SA19199] Gentoo cube Buffer Overflow and Denial of Service Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-03-13 Gentoo has acknowledged some vulnerabilities in cube, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/19199/ -- [SA19244] Fedora update for gnupg Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-03-14 Fedora has issued an update for gnupg. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19244/ -- [SA19241] Apache Log4net Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-14 Sebastian Krahmer has reported a vulnerability in Log4net, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19241/ -- [SA19236] Gentoo update for tar Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-13 Gentoo has issued an update for tar. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's system. Full Advisory: http://secunia.com/advisories/19236/ -- [SA19234] Debian update for gnupg Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-03-13 Debian has issued an update for gnupg. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19234/ -- [SA19232] Gentoo update for gnupg Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-03-13 Gentoo has issued an update for gnupg. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19232/ -- [SA19228] Gentoo update for flex Critical: Moderately critical Where: From remote Impact: System access Released: 2006-03-13 Gentoo has issued an update for flex. 
This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19228/ -- [SA19227] Debian update for freeciv Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-13 Debian has issued an update for freeciv. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19227/ -- [SA19203] Slackware update for gnupg Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-03-14 Slackware has issued an update for gnupg. This fixes a vulnerability and a security issue, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19203/ -- [SA19197] SUSE update for gpg Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-03-13 SUSE has issued an update for gpg. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19197/ -- [SA19196] Trustix update for mailman Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-10 Trustix has issued an update for mailman. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19196/ -- [SA19194] Debian update for crossfire Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-15 Debian has issued an update for crossfire. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/19194/ -- [SA19193] SCO OpenServer Updates for Multiple Packages Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-15 SCO has issued updates for multiple packages. These fix various vulnerabilities, which can be exploited by malicious people to potentially cause a DoS (Denial of Service) and to compromise a user's system or vulnerable system. Full Advisory: http://secunia.com/advisories/19193/ -- [SA19192] Debian update for ffmpeg Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-13 Debian has issued an update for ffmpeg. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/19192/ -- [SA19190] Red Hat update for kdegraphics Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-10 Red Hat has issued an update for kdegraphics. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/19190/ -- [SA19189] Red Hat update for python Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-10 Red Hat has issued an update for python. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19189/ -- [SA19240] Debian update for webcalendar Critical: Less critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-03-15 Debian has issued an update for webcalendar. 
This fixes some vulnerabilities, which can be exploited by malicious users to manipulate certain information and conduct SQL injection attacks, and by malicious people to conduct HTTP response splitting attacks. Full Advisory: http://secunia.com/advisories/19240/ -- [SA19225] sa-exim "greylistclean.cron" File Deletion Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-03-13 Chris Morris has reported a vulnerability in sa-exim, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19225/ -- [SA19221] glFTPd IP Address Check Bypass Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-03-15 A vulnerability has been reported in glFTPd, which potentially can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19221/ -- [SA19211] CGI::Session Insecure Default Session File Permissions Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2006-03-13 Joey Hess has reported some security issues in CGI::Session, which potentially can be exploited by malicious, local users and by malicious people to disclose certain sensitive information. Full Advisory: http://secunia.com/advisories/19211/ -- [SA19205] Gentoo update for squirrelmail Critical: Less critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-03-13 Gentoo has issued an update for squirrelmail. This fixes some vulnerabilities, which can be exploited by malicious users to manipulate certain information and by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19205/ -- [SA19187] Debian update for libcrypt-cbc-perl Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-03-13 Debian has issued an update for libcrypt-cbc-perl. 
This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19187/ -- [SA19239] Apache mod_python FileSession Handling Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-03-14 A vulnerability has been reported in mod_python, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/19239/ -- [SA19235] AIX "mklvcopy" Command Unspecified Vulnerability Critical: Less critical Where: Local system Impact: Unknown Released: 2006-03-15 A vulnerability has been reported in IBM AIX, which has an unknown impact. Full Advisory: http://secunia.com/advisories/19235/ -- [SA19220] Ubuntu update for kernel Critical: Less critical Where: Local system Impact: Exposure of sensitive information, DoS Released: 2006-03-13 Ubuntu has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and gain knowledge of potentially sensitive information. Full Advisory: http://secunia.com/advisories/19220/ -- [SA19200] Ubuntu Installer Log Files Exposure of User Credentials Critical: Less critical Where: Local system Impact: Exposure of sensitive information Released: 2006-03-13 Karl Øie has reported a security issue in Ubuntu, which can be exploited by malicious, local users to disclose sensitive information. Full Advisory: http://secunia.com/advisories/19200/ Other:-- [SA19233] Funkwerk X2300 ISAKMP IKE Message Processing Vulnerabilities Critical: Moderately critical Where: From remote Impact: Unknown, DoS Released: 2006-03-15 Some vulnerabilities have been reported in Funkwerk X2300, which potentially can be exploited by malicious people to cause a DoS (Denial of Service), and with an unknown impact.
Full Advisory: http://secunia.com/advisories/19233/ Cross Platform:-- [SA19218] Flash Player Unspecified Code Execution Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-15 Some vulnerabilities have been reported in Flash Player, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19218/ -- [SA19246] Horde "url" Disclosure of Sensitive Information Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2006-03-15 Paul Craig has discovered a vulnerability in Horde, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/19246/ -- [SA19245] Drupal Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Hijacking, Security Bypass, Cross Site Scripting, Manipulation of data Released: 2006-03-14 Some vulnerabilities have been reported in Drupal, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and session fixation attacks, and manipulate outgoing mails. Full Advisory: http://secunia.com/advisories/19245/ -- [SA19224] @1 File Store Script Insertion and SQL Injection Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-03-13 Aliaksandr Hartsuyeu has reported some vulnerabilities in @1 File Store, which can be exploited by malicious people to conduct script insertion and SQL injection attacks. Full Advisory: http://secunia.com/advisories/19224/ -- [SA19222] GuppY "pg" Arbitrary File Overwrite Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-13 trueend5 has reported a vulnerability in GuppY, which can be exploited by malicious people to manipulate certain information. 
Full Advisory: http://secunia.com/advisories/19222/ -- [SA19219] Vegas Forum "postid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-14 Aliaksandr Hartsuyeu has reported a vulnerability in Vegas Forum, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19219/ -- [SA19215] Jupiter Content Manager "image" BBcode Script Insertion Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-13 Nomenumbra/[0x4F4C] has discovered a vulnerability in Jupiter Content Manager, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/19215/ -- [SA19214] Zeroboard Multiple Script Insertion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-13 dong-houn yoU has reported some vulnerabilities in Zeroboard, which can be exploited by malicious people to conduct script-insertion attacks. Full Advisory: http://secunia.com/advisories/19214/ -- [SA19209] DSPoll "pollid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-13 Aliaksandr Hartsuyeu has reported a vulnerability in DSPoll, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19209/ -- [SA19208] ENet Library Two Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-13 Luigi Auriemma has reported two vulnerabilities in ENet Library, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/19208/ -- [SA19207] DSNewsletter "email" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-13 Aliaksandr Hartsuyeu has reported a vulnerability in DSNewsletter, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19207/ -- [SA19206] DSCounter "X-Forwarded-For" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-13 Aliaksandr Hartsuyeu has reported a vulnerability in DSCounter, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19206/ -- [SA19202] DSDownload Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-13 Aliaksandr Hartsuyeu has discovered some vulnerabilities in DSDownload, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19202/ -- [SA19201] DSLogin Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-14 Aliaksandr Hartsuyeu has discovered multiple vulnerabilities in DSLogin, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19201/ -- [SA19195] PHP SimpleNEWS "admin" Authentication Bypass Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-03-10 Aliaksandr Hartsuyeu has reported a vulnerability in PHP SimpleNEWS and PHP SimpleNEWS MySQL, which can be exploited by malicious people to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/19195/ -- [SA19216] vCard Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-13 Linux_Drox has reported some vulnerabilities in vCard, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19216/ -- [SA19212] GGZ Gaming Zone XML Handling Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2006-03-13 Luigi Auriemma has reported a vulnerability in GGZ Gaming Zone, which can be exploited by malicious people to cause a DoS. Full Advisory: http://secunia.com/advisories/19212/ -- [SA19204] WMNews Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-13 R00T3RR0R has reported some vulnerabilities in WMNews, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19204/ -- [SA19188] UnrealIRCd Server Link TKL Command Denial of Service Critical: Less critical Where: From remote Impact: DoS Released: 2006-03-10 A vulnerability has been reported in UnrealIRCd, which can be exploited by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19188/ -- [SA19186] DokuWiki Mediamanager EXIF Data Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-10 A vulnerability has been reported in DokuWiki, which potentially can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19186/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. 
Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Subscribe: http://secunia.com/secunia_weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support at secunia.com Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 From isn at c4i.org Fri Mar 17 03:34:45 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 17 Mar 2006 02:34:45 -0600 (CST) Subject: [ISN] Security Experts Warn of Devastating Web Attack Message-ID: http://www.foxnews.com/story/0,2933,188102,00.html Paul Wagenseil Fox News March 16, 2006 WASHINGTON - A powerful new twist on the most common kind of Internet attack could overwhelm even the most popular and well-fortified Web sites and disrupt e-mail traffic by enlisting the network infrastructure servers that manage Internet traffic worldwide, security experts warn. First detected as early as 2002, the assault, known as a distributed reflected denial-of-service (DRDoS) attack, bombards targeted Web servers with such massive amounts of spurious data that even flagship technology companies would not be able to cope. In one case examined, an unknown assailant used an Internet domain-name server in South Africa to unknowingly bombard targeted computers with overwhelming floods of amplified data. Domain-name servers are specialized computers that help direct Internet traffic. Computers see Web addresses as a string of numbers called an IP address; a domain-name server translates a user's request for, say, "www.yahoo.com" into the IP address "68.142.226.34." Experts traced at least 1,500 attacks that briefly shut down commercial Web sites, large Internet providers and leading Internet infrastructure companies during a period of weeks beginning late last year. The attacks were so targeted that most Internet users did not notice widespread effects. 
Like a standard "denial-of-service" (DoS) attack, a DRDoS attack exploits the standard TCP/IP "three-way handshake" between a client and server machine. Typically, a "client" PC looking up a Web site sends a request for acknowledgement, including its own return IP address, to the Web site's server. The server acknowledges the request, and in turn asks the client for a confirmation that the request was made. The client sends its own acknowledgement, and data then flows freely between the two machines. In a standard DoS attack, a malicious machine takes down a Web site by flooding it with requests containing false IP return addresses, which the server will acknowledge. But since the acknowledgement goes to a non-existent IP address, the server will get no reply, and will keep trying again and again. Enough false requests will overload a server and make a Web site unavailable. In the case of a distributed denial-of-service (DDoS) attack, a hacker, having secretly taken command of hundreds or thousands of "zombiefied" ordinary PCs by infecting them with computer viruses, enlists them all in bombarding the targeted Web server. A DRDoS attack takes the concept to a new level. The malicious requests, again coming from countless "zombie" machines, contain a legitimate return IP address, in this case the IP address of the server being targeted. The requests go not to the target, but to hundreds of intermediate infrastructure servers, often owned by large technology companies, which help direct Web traffic. The infrastructure servers, which are innocently doing their jobs and can easily handle huge numbers of requests, "return" the acknowledgements to the target machine, which is quickly overwhelmed. Ken Silva, chief security officer for VeriSign Inc., compared the scale of a possible DRDoS attack to the damage caused in October 2002 when nine of the 13 computer "root" servers that make up the core of the Internet were crippled by a powerful straight-on DDoS attack.
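The paragraph above describes the reflection from the victim's side. From the side of the domain-name server being abused, the same attack has a recognisable signature in its query log: a burst of identical queries for record types with large answers (ANY, TXT and the like), all carrying the victim's spoofed address as their source, often from a single fixed source port. The following Python is an added example, not code from the article or from VeriSign or US-CERT; it assumes a BIND 9 style query-log line layout (timestamp, client ip#port, name, class, type, flags) and uses constructed log lines, and the thresholds are illustrative.

```python
"""Spot DNS reflection/amplification abuse in a resolver's query log (added example)."""
import re
from collections import Counter, defaultdict

# Assumed BIND 9 querylog layout (constructed for this example, not taken from the article):
#   <date> <time> client <ip>#<port>: query: <name> IN <type> <flags>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+) (?P<flags>\S+)"
)

# Record types whose answers are large relative to the ~60-byte query. Reflection
# attacks ask for these because the amplification is what floods the victim.
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def _constructed_log():
    """Build a constructed log: one reflection burst plus a few ordinary clients."""
    lines = []
    # 40 identical ANY queries in one second, all "from" 192.0.2.10 port 53. To the
    # resolver the victim's spoofed address looks like the client.
    for i in range(40):
        lines.append(f"15-Mar-2006 10:00:01.{i:03d} client 192.0.2.10#53: query: isc.org IN ANY +")
    # Ordinary recursive clients: varied names and types, ephemeral source ports.
    normal = [("198.51.100.7", 4132, "www.yahoo.com", "A"),
              ("198.51.100.7", 4133, "mail.example.net", "MX"),
              ("203.0.113.9", 51002, "www.foxnews.com", "A"),
              ("203.0.113.9", 51003, "example.org", "ANY")]
    for ip, port, name, qtype in normal:
        lines.append(f"15-Mar-2006 10:00:02.000 client {ip}#{port}: query: {name} IN {qtype} +")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _constructed_log()


def parse_querylog(text):
    """Yield one dict per well-formed query line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_reflection_sources(text, min_queries=20, min_amplifying_share=0.8, max_distinct_names=2):
    """Return {ip: stats} for source addresses whose query mix looks like reflection abuse.

    The flagged address is the spoofed *victim*, not the attacker, so the right response
    is to rate-limit or stop answering the amplifying queries, not to blacklist the ip.
    """
    per_ip = defaultdict(lambda: {"queries": 0, "amplifying": 0,
                                  "names": Counter(), "ports": Counter()})
    for q in parse_querylog(text):
        s = per_ip[q["ip"]]
        s["queries"] += 1
        if q["qtype"] in AMPLIFYING_TYPES:
            s["amplifying"] += 1
        s["names"][q["name"]] += 1
        s["ports"][q["port"]] += 1

    flagged = {}
    for ip, s in per_ip.items():
        if s["queries"] < min_queries:
            continue
        share = s["amplifying"] / s["queries"]
        if share >= min_amplifying_share and len(s["names"]) <= max_distinct_names:
            flagged[ip] = {
                "queries": s["queries"],
                "amplifying_share": round(share, 2),
                "names": sorted(s["names"]),
                # A single fixed source port (typically 53) is another tell: real
                # stub resolvers use changing ephemeral ports.
                "fixed_source_port": len(s["ports"]) == 1,
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_reflection_sources(SAMPLE_LOG).items():
        print(f"reflection target suspected: {ip} {stats}")
```

Run against the constructed log, only 192.0.2.10 is flagged: forty queries, all ANY, one name, one source port. The two ordinary clients fall under the query threshold and mix record types. Note the direction of the finding: the flagged address is where the resolver's answers are going, i.e. the victim. Blocking it at the resolver would finish the attacker's job; the useful fixes are on the server side, restricting recursion to your own clients and rate-limiting responses.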
VeriSign operates two of the 13 root server computers, but its machines were unaffected. "This is significantly larger than what we saw in 2002, by an order of magnitude," Silva said. Silva said the attacks earlier this year used only about 6 percent of the more than 1 million domain-name and other infrastructure servers across the Internet to flood victims' servers. Still, the attacks in some cases exceeded 8 gigabits per second, indicating a remarkably powerful electronic assault. "This would be the Katrina of Internet storms," Silva said. The U.S. Computer Emergency Readiness Team, part of the Homeland Security Department, warned network engineers in December to properly configure their domain-name servers to prevent hackers from using them in attacks. It called the attacks "troublesome" because domain-name servers must operate to help direct Internet traffic. FOXNews.com's Paul Wagenseil and The Associated Press contributed to this report. From isn at c4i.org Fri Mar 17 03:35:09 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 17 Mar 2006 02:35:09 -0600 (CST) Subject: [ISN] Lost Ernst & Young laptop exposes IBM staff Message-ID: http://www.theregister.co.uk/2006/03/15/ernstyoung_ibm_laptop/ By Ashlee Vance in Mountain View 15th March 2006 Exclusive - Ernst & Young has lost another laptop containing the social security numbers and other personal information of its clients' employees. This time, the incident puts thousands of IBM workers at risk. Ex-IBM employees are also affected. The Register has learned that the laptop was stolen from an Ernst & Young employee's car in January. The employee handled some of the tax functions Ernst & Young does for IBM workers who have been stationed overseas at one time or another during their careers. As a result of the theft, the names, dates of birth, genders, family sizes, SSNs and tax identifiers for IBM employees have been exposed. 
The husband of one IBM employee has provided The Register with an exclusive copy of the letter Ernst & Young mailed out to the affected parties. This particular letter did not arrive until 8 March - two months after the theft. Neither IBM nor Ernst & Young have returned calls seeking comment.

Last month, The Register revealed that another Ernst & Young laptop theft had exposed the social security number and other personal information of Sun Microsystems CEO Scott McNealy and an unknown number of other people. Since our story ran, a Cisco employee informed us that his data was on the same laptop as the one containing McNealy's information.

The loss of the IBM data outraged Jeff Moran, the husband of the IBM worker told of the data breach.

"Ernst & Young has a policy that this type of information is not supposed to be on a laptop," Moran said. "Yet, these guys download the data because it's convenient for them."

"All of our information is out there, and they didn't bother to tell us until March. By that time, the thief would have already used the information. This is an outrage, but until Congress starts punishing these guys, nothing will happen."

The letter from Ernst & Young states that the company does tax work for current and former overseas workers of IBM. In this role, the auditing firm needs information such as an employee's address, family size, US social security number and tax identification number. It then holds onto this information for at least seven years.

"The employee whose laptop was stolen is part of a group in our tax practice that works regularly with historical data files, assisting our Global Mobility and other tax professionals with data conversion, formatting and analysis," Ernst and Young wrote in the letter. "In connection with his job, the employee ran reports, which result in files being created on the laptop.

"We have determined that the laptop contained various personal information for a select number of IBM employees.
Among the items of information included for some or all of these employees were name, address, US social security number, email address, and country where stationed."

Nothing short of a nirvana for an identity thief.

Ernst & Young has offered those affected a free, 12 month credit monitoring service provided by Experian. The service includes a hotline that IBM employees can call. Moran made such a call and found the staffer to be most unhelpful.

"I left my name and number and no one called me back for ages," he said. "Then the guy says that this will never happen again in the future. So, I pointed out that they had lost McNealy's information after our thing happened. He didn't have a response to that."

We called the Ernst and Young hotline for IBM employees and asked if it was the right place to ask about the IBM workers who had their data exposed via the laptop theft. The employee responded with a curt, "yes" but would provide no other information.

Following the Sun/Cisco incident, Ernst & Young filed a police report in Miami, noting that it had lost four more laptops. Its employees left the systems in a conference room when they went out for lunch. A security camera at the conference center showed that it took all of about five minutes for two people to steal the laptops.

Ernst & Young maintains that the laptops are password protected and do not pose a significant security risk. But such statements have not impressed security experts following the story.

"For a big four firm consisting of auditors and compliance professionals to say such a thing is very revealing of their lack of understanding and ignorance of security controls (and how to defeat them)," wrote one Register reader.

"I work for an information security consulting company and we routinely demonstrate to our customers how simple it is to circumvent/bypass/subvert security controls in order to gain access to personal computing devices - even those that are deemed to be secure as a result of the implemented security - BIOS password, hard drive password, OS password, strong authentication, etc."

Other readers backed up this sentiment, saying that their experience with the big four accounting firms shows that the companies rarely encrypt data on laptops or use sophisticated security measures.

Ernst & Young continues to avoid copping to these incidents in public, preferring for us and police blotters to expose the details. It's unclear how many more laptops have gone missing and have not been reported, and the company's security measures seem disconcerting to say the least for a company that specialises in accounting and auditing. Ernst & Young often gets paid to assess how well clients are complying with government policies around data protection and how forthcoming these clients are with discussing data breaches.

Ernst & Young has yet to return our calls seeking information about what is being done to prevent future losses, whether this data should have been on laptops in the first place and if anyone has been held accountable for the string of breaches.

From isn at c4i.org Fri Mar 17 03:33:01 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Mar 2006 02:33:01 -0600 (CST)
Subject: [ISN] No security in security stocks?
Message-ID:

http://money.cnn.com/2006/03/15/technology/security_stocks/index.htm

By Amanda Cantrell
CNNMoney.com
March 15, 2006

NEW YORK (CNNMoney.com) - The rise in online scams such as identity theft and phishing is bad news for consumers -- but is it good news for investors in companies who make products designed to stop these attacks? Not necessarily.
Some security stocks such as Symantec, Cogent and McAfee have gotten nicked this year, owing to both company-specific issues and to the fact that Microsoft announced it is entering the consumer security space, which spooked some investors.

Also, some markets within the security sector have matured and no longer offer the attractive growth opportunities they once did -- such as the market for firewall products that protect corporate networks. And companies such as Cisco and Juniper have also announced new or improved offerings in the space, posing a longer-term threat to so-called "pure play" security companies. Finally, some companies have experienced phenomenal growth in their share prices, leading investors to take some of their winnings off the table.

These factors have caused some investors, such as Sunil Reddy, senior portfolio manager at Cincinnati-based Fifth Third Asset Management, to steer clear of the space altogether for now.

But theft of consumer and corporate data for profit continues to increase, which is why some investors and analysts still think security stocks will pay off in the long run. These investors and analysts feel that companies that make "authentification" products designed to verify a user's identity as well as encrypt data have enjoyed growth in recent months and still have potential to do so.

"The security industry as a whole is talking about hackers that are motivated by profit," said Horacio Zambrano, a securities analyst with Wedbush Morgan Securities. "Enterprises are putting a higher attention on identity (verification) products."

Here's a look at how some players in the security sector have fared in recent weeks:

Cogent Systems (up $0.17 to $19.26, Research)

Shares of Cogent, which makes fingerprint ID systems, took a nasty 17 percent dive and suffered a slew of analyst downgrades when the company reported its fiscal fourth quarter earnings Feb. 28.
That's because, despite doubling earnings and recording a 46 percent sales increase, the company revealed it isn't sure when it will be able to book revenue on certain contracts. If there's one thing investors don't like, it's a lack of transparency where sales are concerned, and the stock hasn't recovered since.

Ken Allen, investment analyst with T. Rowe Price, said because the contracts Cogent signs are so large, the stock price moves based on announcements of those deals. Wall Street analysts had been expecting a better sales outlook for 2006 given the announcement that the company has won some important contracts in recent months from rivals such as Motorola. But on the bright side, the company will likely have a bigger 2007 than expected, if it books revenue for some of those contracts then instead of this year. Allen's firm owns shares of Cogent in some of its funds.

Joel Fishbein, an analyst with Janney Montgomery Scott, said he thinks companies will increasingly want to monitor who has access to what in their networks and added that he thinks Cogent is well-positioned to take advantage of this.

RSA Security (down $0.05 to $17.71, Research)

Shares of RSA, which makes authentication software and hardware, such as the "SecurID" system log-in tokens that corporate and government workers use, have had a remarkable run, appreciating 58 percent this year. That rise alone has led some investors to take their winnings off the table.

Gary McDaniel, an equity analyst at Standard & Poor's, said his firm recently downgraded the stock from a buy to a hold because of concerns the share price has topped out for the near term.

Allen of T. Rowe Price said a series of negative events in December, including the abrupt departure of the company's CFO, caused an unduly big drop in the stock. But strong fourth-quarter earnings, followed by the strategic acquisition of software maker Cyota to boost RSA's position in the consumer market, led to the recovery.
Allen, whose firm owns shares of RSA, thinks the shares have more to gain, as 2006 should be a strong year for the renewal of SecurID contracts from corporate customers. But Zambrano of Wedbush Morgan said RSA has been his top pick. He still likes the stock, given its position as a market leader in the authentication area, but he acknowledges that the company needs to position itself to sell higher-cost data protection solutions to corporate customers. Internet Security Systems (up $0.04 to $23.87, Research) Shares of Internet Security Systems have enjoyed a solid 2006 to date, with shares rising 14 percent this year. The company makes products that protect corporate networks from attacks and has primarily specialized in devices that detect and prevent attacks. McDaniel of Standard & Poor's said the company is poised to gain market share from its competitors, in part because it's coming out with complete platforms that are easy for corporate customers to configure. He expects the company to grow revenues 13 percent this year and net income about 15 over the next five years. Zambrano agrees, saying that larger vendors such as ISS are able to offer "one-stop shop" solutions that will allow IT managers to work with fewer vendors and get more done with less. Of course, no discussion of security stocks would be complete without mentioning Symantec (down $0.28 to $15.79, Research) and McAfee (up $0.41 to $24.73, Research), two of the biggest makers of anti-virus software for consumers. Shares of those companies have depreciated eight and 10 percent, respectively, since the start of the year. McAfee shares slid in January after the company pre-announced disappointing results for its December quarter, and investors and analysts had also expressed some concern about Symantec's acquisition of storage firm Veritas. 
Going forward, both face increased competition from Microsoft, which recently announced it will formally launch its Windows Live OneCare service, which it bills as an all-in-one "PC health service" for consumers to help them detect and prevent viruses and spyware, among other functions. The service will cost $49.95 per year for up to three PCs and will be available from retailers in June in the U.S. That product will be available in beta form for free later this year, and customers who sign up now qualify for discounts later.

But both Symantec and McAfee have fans in the analyst community despite this threat. Rick Summer, equity analyst at Morningstar, acknowledged that his endorsement of Symantec is a "contrarian play" in the current environment, but said he thinks Symantec has the best sales and distribution of its competitors and is still "the best horse to bet on in the consumer space."

Fishbein of Janney Montgomery Scott said that while he currently rates McAfee a hold, he's becoming more encouraged about the company's prospects due to a combination of factors, including the fact that he thinks viruses and malware will proliferate on mobile devices in the future, and he believes McAfee is best equipped to handle those problems.

From isn at c4i.org Fri Mar 17 03:35:26 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Mar 2006 02:35:26 -0600 (CST)
Subject: [ISN] Security flaws could cripple missile defense network
Message-ID:

http://www.fcw.com/article92640-03-16-06-Web

By Bob Brewin
Mar. 16, 2006

The network that stitches together radars, missile launch sites and command control centers for the Missile Defense Agency (MDA) ground-based defense system has such serious security flaws that the agency and its contractor, Boeing, may not be able to prevent misuse of the system, according to a Defense Department Inspector General's report.
The report [1], released late last month, said MDA and Boeing allowed the use of group passwords on the unencrypted portion of MDA's Ground-based Midcourse Defense (GMD) communications network. The report said that neither MDA nor Boeing officials saw the need to install a system to conduct automated log audits on unencrypted communications and monitoring systems. Even though current DOD policies require such automated network monitoring, such a requirement "was not in the contract."

The network, which was also developed to conform to more than 20-year-old DOD security policies rather than more recent guidelines, lacks a comprehensive user account management process, the report said. Neither MDA nor Boeing conducted required Information Assurance (IA) training for users before they were granted access to the network, the report stated.

Because of this poor information security, the DOD IG report said, MDA and Boeing officials "may not be able to reduce the risk and magnitude of harm resulting from misuse or unauthorized access or modification of information [on the network] and ensure the continuity of the system in the event of an interruption."

David Wright, a senior scientist with the Union of Concerned Scientists, said he was surprised by the network flaws outlined in the report. It "sounds like the kind of stuff routinely done with this kind of network," he said. "It's hard to imagine they would design one without it."

Stephen Young, an MDA analyst at UCS, said the security flaws could affect operation of the entire GMDS project. "The network is absolutely essential to GMD; without it, the system can't work."
President Bush directed DOD in 2002 to develop GMD to counter missile threats from countries such as North Korea as well as terrorists, and Boeing on its Web site describes the project as "the first missile defense program deployed operationally to defend the homeland against ballistic missile attacks conducted by terrorists or rogue states."

GMD consists of missile interceptors based in underground silos at Fort Greely, Alaska and Vandenberg Air Force Base, Calif., and high-powered sea- and land-based radars to track incoming missiles, a Boeing fact sheet said.

Spokesmen for MDA, Boeing and Northrop Grumman, contractor for the unencrypted portion of GCN, all declined to answer questions from Federal Computer Week on the security flaws in the GMD network. Boeing and Northrop Grumman deferred to MDA, and an MDA spokesman said his agency would not answer any press questions until it responds to the IG report on March 24.

Harris Corp., a GCN subcontractor, described the network on its Web site as "the largest synchronous optical networking ring in the world that includes more than 20,000 miles of fiber crossing 30 states and will connect all GMD sites."

MDA budget documents describe the GCN as a fiber-optic network interconnected with military satellites. These budget documents said the GCN connects the two missile silo sites with control and communications nodes at Fort Greely and Schriever Air Force Base and the Cheyenne Mountain Operations Center, both in Colorado, as well as radars in Alaska and a test bed in Huntsville, Ala.

[1] http://www.dodig.mil/audit/reports/FY06/06-053.pdf

From isn at c4i.org Fri Mar 17 03:35:39 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 17 Mar 2006 02:35:39 -0600 (CST)
Subject: [ISN] Microsoft goes public with Blue Hat hacker conference
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,109606,00.html

By Robert McMillan
MARCH 16, 2006
IDG NEWS SERVICE

Microsoft Corp. is going public with some of the hacking information discussed at its Blue Hat Security Briefings event. Just days after the end of its third Blue Hat conference, the software vendor today posted the first blog entries at a new Web site. Microsoft is also promising to publish more details on the secretive invitation-only event.

The Web site will include Microsoft staffers' "reflections on BlueHat 3" as well as photos, podcasts and video interviews with some of the presenters, said Security Program Manager Kymberlee Price in a blog posting. "We sincerely hope that our BlueHat 3 speakers (and BlueHat 1 & 2 speakers) will post their comments to the site as well and share their BlueHat experience," she wrote.

Presentations given during the latest conference, held last week on Microsoft's campus in Redmond, Wash., covered topics such as "exploiting Web applications" and "breaking into database systems," according to the Web site.

Microsoft started the Blue Hat briefings a year ago to begin a dialogue between the company's security team and external security researchers, many of whom have been critical of the company's approach to security. A handful of outside security researchers spent a few days at Blue Hat discussing Microsoft's security vulnerabilities with several hundred of the company's engineers and executives. There were more than 650 attendees at Blue Hat 3, which was also broadcast to Microsoft employees worldwide, according to Alexander Kornbrust, a business director at Red-Database-Security GmbH in Neunkirchen, Germany, who attended the event.

One Microsoft blogger praised the open dialogue at the event. "Everything was fair game," wrote SQL Server engineer Brad Sarsfield in a blog posting. "Hearing senior executives say things like, 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view for the event."
The Blue Hat name is a play on the Black Hat conferences, which have occasionally been criticized by IT vendors. The "blue" part comes from the color of badges that Microsoft staffers wear on campus.

Last year, Black Hat organizers were sued by Cisco Systems Inc. after a conference presenter disclosed vulnerabilities in the company's Internetworking Operating System router software. That lawsuit was eventually settled with Black Hat agreeing not to further disseminate the presentation.

Microsoft's site will not have the kind of controversial material that has popped up at Black Hat. "All researchers at the BlueHat are responsible," Kornbrust said.

From isn at c4i.org Mon Mar 20 03:46:03 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Mar 2006 02:46:03 -0600 (CST)
Subject: [ISN] Experts refute RFID virus claims
Message-ID:

http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=183700485

John Walko
EE Times
03/17/2006

LONDON - The trade association for automatic identification and mobility, AIM Global, attempted to refute key findings of an IEEE conference paper presented this week that suggested RFID tags could be used to corrupt databases and even spread computer viruses.

The paper, by Melanie Rieback, a third-year PhD student at Amsterdam's Vrije University, was presented at the IEEE conference in Pisa, Italy, on Wednesday (March 15) and sent shock waves through the RFID industry. Titled "Is Your Cat Infected with a Computer Virus?" the paper suggested computer viruses could spread from RFID tags through readers into poorly written middleware applications and backend systems and databases.

"Many of the basic assumptions in the paper overlook a number of fundamental design features necessary in automatic data collection systems and good database design," asserted AIM Global President Dan Mullen.

Mullen suggested that researchers built a system with a weakness and then proceeded to show how the weakness could be exploited.

"Not surprisingly, poor system design, whether capturing RFID tag information, bar code information or keyboard-entered data, will create vulnerabilities."

The association said it recognizes that the efforts of university researchers are designed to highlight RFID security issues. "But the methodology of this particular research is questionable," added Mullen.

Responding to the paper, RFID experts and International Organization for Standardization scientists, meeting this week in Kyoto, Japan, to debate RFID standards, emphasized that fixed data RFID tags, such as those used to identify pets, cannot be changed and therefore are immune to infection by a virus. They skirted the issue of whether other types of tags, such as those where data can be changed, are prone to attacks.

The experts did note that specific attributes in RFID systems can protect the overall system. For instance, they stressed that most RFID applications, including EPC Gen2, look for specific kinds of data. Poor reader design might allow detection of a "rogue" tag, but a secure system will verify data against predefined parameters, as do current bar code systems.

The ability to insert a virus implies that a tag contains executable code that is recognized by software. This, they assured, is impossible with most RFID applications since specific kinds of data are sought and systems will either flag or reject anything that doesn't fit the data template.

Other industry reaction to the paper was mixed, but many agree it presented a wake-up call.

"With respect to the students involved, the paper as presented is rather weak," said Kevin Ashton, ThingMagic Inc. vice president, and co-founder of the Massachusetts Institute of Technology (MIT) Auto-ID Center. "The 'real' virus they claim to demonstrate in the paper is not a virus, just a self-replicating piece of SQL code."
The paper, however, does call attention to an obvious problem the software industry has faced for years, suggested Julie England, vice president at Texas Instruments. "Companies need to provide multilevel security and take responsibility for testing before releasing applications to the market," said England.

Last month, cryptographers reported weaknesses in the underlying RFID chips and hashing algorithms. In a panel discussion during the RSA Conference, Adi Shamir, professor of computer science at the Weizmann Institute, disclosed that he had recently applied power analysis techniques to crack passwords for the most popular brand of RFID tags. At the same panel, Ron Rivest, who co-developed the RSA algorithms with Shamir, called for an industry effort to create a next-generation hashing algorithm to replace SHA-1, which is used broadly for computer security.

From isn at c4i.org Mon Mar 20 03:46:15 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Mar 2006 02:46:15 -0600 (CST)
Subject: [ISN] Beware The Wardriver at Your Next Conference
Message-ID:

http://www.internetnews.com/wireless/article.php/3592361

By Sean Michael Kerner
March 17, 2006

Every tech conference put on today is swimming in Wi-Fi signals. Some are meant to provide public Internet access to attendees, and some are meant to be private for exhibitors connecting to corporate networks. According to research conducted by Russian security firm Kaspersky Lab, most of those Wi-Fi signals are wide open.

Kaspersky conducted its "wardriving" research at the recent CeBIT show in Hanover, Germany, that bills itself as the world's largest IT trade fair. Wardriving is the act of scanning Wi-Fi signals to access open bandwidth that isn't necessarily supposed to be open.

Kaspersky Senior Virus Analyst Alexander Gostev and Senior Research Engineer Roel Schouwenberg discovered at the show nearly 300 access points, which they collected data on.
According to Kaspersky, "the researchers did not attempt to intercept or decrypt any traffic." They did, however, discover a number of interesting things about the nature of Wi-Fi networks.

More than half (approximately 56 percent) of the detected access points offered no WEP protection. Alex Gostev, senior virus analyst at Kaspersky, wasn't surprised by the finding.

"We expected that access points without traffic encryption will be less than in global statistics," Gostev told internetnews.com in a translated e-mail. "And it was as expected, 56 percent against 70 percent in other countries. Although we expected less unprotected networks, 20 to 30 percent."

CeBIT access points for the most part were apparently not left in their default modes, either. SSIDs, which stand for Service Set Identifier, were in most cases changed from their factory settings, which typically are a combination of the manufacturer's name and/or device model number. A factory default SSID is an indication that the administrator has not changed the default setting and may well not have changed the default username/password, either.

The Kaspersky researchers detected only two access points out of their scan of 300 that still had the factory default SSID configuration.

"The fact that there were only two access points with default SSIDs was very good to see," Schouwenberg told internetnews.com. "We expected that number to be quite a bit higher."

SSIDs are also typically set to broadcast their availability, which more easily enables users, both legitimate and malicious, to locate the access point. By disabling SSID broadcasting, the idea is that it is harder for malicious users to discover an access point and attempt to infiltrate it. Kaspersky's CeBIT research found that only 8 percent had disabled SSIDs and of those, 89 percent had enabled WEP encryption.
Schouwenberg advised that for WLANs that need to be treated as private, tradeshow participants should disable SSID and use the best encryption.

"If you want to be really secure, you should use authentication to prevent unauthorized access to the access point," Schouwenberg said. "And use a tunnel (VPN for instance) to make sure others can't intercept/decrypt traffic."

Gostev warns of another threat that could potentially affect conference-goers: mobile viruses.

"Creation and implementation of automatic traps of the viruses combined with Bluetooth scanners seems to me expedient," Gostev said. He suggests that the mobile equivalent of airport metal detectors is needed to help prevent mobile virus transmission. That way, he said, it will be possible to discover infected phones the minute they enter the building.

From isn at c4i.org Mon Mar 20 03:46:26 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Mar 2006 02:46:26 -0600 (CST)
Subject: [ISN] DHS Gets Another F in Computer Security
Message-ID:

Forwarded from: security curmudgeon

: http://www.washingtonpost.com/wp-dyn/content/article/2006/03/15/AR2006031501589.html
:
: By Brian Krebs
: washingtonpost.com Staff Writer
: March 15, 2006
:
: Most federal agencies that play key roles in the war on terror are doing
: a dismal job of protecting their computers and information networks from
: hackers and viruses, according to portions of a report to be released by
: a key congressional oversight committee Thursday.

Taken from another list I am on. We have all seen these A - F type grades for various agencies over the years. I'm surprised there hasn't been a big public article tracking the grades year to year with commentary.
Federal Computer Security Grades, 2001-2005

Agency                                          2005  2004  2003  2002  2001
------------------------------------------------------------------------------
Department of Agriculture                       F     F     F     F     F
Agency for International Development            A+    A+    C-    F     F
Department of Commerce                          D+    F     C-    D+    F
Department of Defense                           F     D     D     F     F
Department of Education                         C-    C     C+    D     F
Department of Energy                            F     F     F     F     F
Environmental Protection Agency                 A+    B     C     D-    D+
General Services Administration                 A-    C+    D     D     D
Department of Health and Human Services         F     F     F     D-    F
Department of Homeland Security                 F     F     F
Department of Housing and Urban Development     D+    F     F     F     D
Department of the Interior                      F     C+    F     F     F
Department of Justice                           F     B-    F     F     F
Department of Labor                             A+    B-    B     C+    F
National Aeronautics and Space Administration   B-    D-    D-    D+    C-
Nuclear Regulatory Commission                   D-    B+    A     C     F
National Science Foundation                     A     C+    A-    D-    B+
Office of Personnel Management                  A+    C-    D-    F     F
Small Business Administration                   C+    D-    C-    F     F
Social Security Administration                  A+    B     B+    B-    C+
Department of State                             F     D+    F     F     D+
Department of Transportation                    C-    A-    D+    F     F
Department of the Treasury                      D-    D+    D     F     F
Department of Veterans Affairs                  F     F     C     F     F
------------------------------------------------------------------------------
All Agencies                                    D+    D+    D     F     F

From isn at c4i.org Mon Mar 20 03:45:48 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Mar 2006 02:45:48 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - March 17th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  March 17th 2006                              Volume 7, Number 12a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave at linuxsecurity.com       ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
This week, advisories were released for zoph, bluez-hcidump, curl, zoo, ffmpeg, GnuPG, freeciv, metamail, CBC, bomberclone, libextractor, lurker, crossfire, webcalendar, xpvm, vlc, net-tools, tcsh, shadow-utils, db, tar, flex, squirrelmail, zoo, php, python, kdegraphics, squid, vixie-cron, and the Red Hat kernel. Distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.

----

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

----

Preventing DDoS Attacks
By: Blessen Cherian

Introduction

In this article I am trying to explain what DDOS is and how it can be prevented. DDOS happens due to lack of security awareness of the network/server owners. On a daily basis we hear that a particular machine is under DDOS attack or NOC has unplugged the machine due to DDOS attack. So DDOS has become one of the common issues in this electronics world. DDOS is like a disease which doesn't have an anti-viral developed. So we should be careful while dealing with it. Never take it lightly. In this article I am trying to explain the steps/measures which will help us defend from DDOS attack, up to a certain extent.

What is a DDOS attack?

Simply said, DDOS is an advanced version of DOS attack.
Like DOS, DDOS also tries to deny the important services running on a server by broadcasting packets to the destination server in a way that the destination server cannot handle it. The speciality of the DDOS is that it relays attacks not from a single network/host like DOS. The DDOS attack will be launched from different dynamic networks which have already been compromised.

Normally, DDOS consists of 3 parts. One is the Master, the other the Slave, and at last the Victim. The Master is the attack launcher, i.e. the person/machine behind all this (sounds COOL, right?). The Slave is the network which has been compromised by the Master, and the Victim is the target site/server. The Master informs the compromised machines, the so-called slaves, to launch an attack on the Victim's site/machine. Hence it's also called a co-ordinated attack. In my terms, the Master is the master brain, the Slave is the launch pad for the attack and the Victim is the target.

How do they do it?

DDOS is done in 2 phases. In the first phase they try to compromise weak machines in different networks around the world. This phase is called the Intrusion Phase. It's in the next phase that they install DDOS tools and start attacking the victims' machines/sites. This phase is called the Distributed DoS attack phase.

Read Full Paper
http://www.linuxsecurity.com/content/view/121960/49/

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations.
A full explanation of Unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

* Debian: New zoph packages fix SQL injection
  9th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121857

* Debian: New bluez-hcidump packages fix denial of service
  10th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121875

* Debian: New curl packages fix potential security problem
  10th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121876

* Debian: New zoo packages fix arbitrary code execution
  10th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121877

* Debian: New ffmpeg packages fix arbitrary code execution
  10th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121878

* Debian: New GnuPG packages fix broken signature check
  10th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121891

* Debian: New freeciv packages fix denial of service
  13th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121898

* Debian: New metamail packages fix arbitrary code execution
  13th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121899

* Debian: New Crypt::CBC packages fix cryptographic weakness
  13th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121900

* Debian: New GnuPG packages fix broken signature check
  13th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121903

* Debian: New bomberclone packages fix arbitrary code execution
  13th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121910

* Debian: New libextractor packages fix several vulnerabilities
  14th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121912

* Debian: New lurker packages fix several vulnerabilities
  14th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121914

* Debian: New Apache2::Request packages fix denial of service
  14th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121915

* Debian: New crossfire packages fix arbitrary code execution
  14th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121916

* Debian: New webcalendar packages fix several vulnerabilities
  15th, March, 2006
  Several security related problems have been discovered in webcalendar, a PHP based multi-user calendar. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities.
  http://www.linuxsecurity.com/content/view/121926

* Debian: New xpvm packages fix insecure temporary file
  16th, March, 2006
  Eric Romang discovered that xpvm, a graphical console and monitor for PVM, creates a temporary file that allows local attackers to create or overwrite arbitrary files with the privileges of the user running xpvm.
  http://www.linuxsecurity.com/content/view/121949

* Debian: New vlc packages fix arbitrary code execution
  16th, March, 2006
  Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code. The vlc media player links statically against libavcodec.
  http://www.linuxsecurity.com/content/view/121951

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: net-tools-1.60-52.fc4.2
  10th, March, 2006
  The update adds two new options for netstat: T stops trimming remote and local addresses, and Z shows the SELinux context. It also fixes a double-free bug in route and netstat.
  http://www.linuxsecurity.com/content/view/121882

* Fedora Core 4 Update: tcsh-6.14-1.fc4.2
  11th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121894

* Fedora Core 4 Update: shadow-utils-4.0.12-8.FC4
  13th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121909

* Fedora Core 4 Update: gnupg-1.4.2.2-1
  13th, March, 2006
  Tavis Ormandy discovered a flaw in the way GnuPG verifies cryptographically signed data with inline signatures. It is possible for an attacker to add unsigned text to a signed message in such a way that when the signed text is extracted, the unsigned text is extracted as well, appearing as if it had been signed. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0049 to this issue.
  http://www.linuxsecurity.com/content/view/121911

* Fedora Core 4 Update: db4-4.3.27-5.fc4
  14th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121922

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

* Gentoo: GNU tar Buffer overflow
  10th, March, 2006
  A malicious tar archive could trigger a buffer overflow in GNU tar, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121884

* Gentoo: flex Potential insecure code generation
  10th, March, 2006
  flex might generate code with a buffer overflow, making applications using such scanners vulnerable to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/121892

* Gentoo: GnuPG Incorrect signature verification
  10th, March, 2006
  GnuPG may erroneously report that a modified or unsigned message has a valid digital signature.
  http://www.linuxsecurity.com/content/view/121893

* Gentoo: SquirrelMail Cross-site scripting and IMAP command injection
  12th, March, 2006
  SquirrelMail is vulnerable to several cross-site scripting vulnerabilities and IMAP command injection.
  http://www.linuxsecurity.com/content/view/121895

* Gentoo: Cube Multiple vulnerabilities
  12th, March, 2006
  Cube is vulnerable to a buffer overflow, invalid memory access and remote client crashes, possibly leading to a Denial of Service or remote code execution.
  http://www.linuxsecurity.com/content/view/121897

* Gentoo: Freeciv Denial of Service
  16th, March, 2006
  A memory allocation bug in Freeciv allows a remote attacker to perform a Denial of Service attack.
  http://www.linuxsecurity.com/content/view/121944

* Gentoo: zoo Buffer overflow
  16th, March, 2006
  A buffer overflow in zoo may be exploited to execute arbitrary code when creating archives of specially crafted directories and files.
  http://www.linuxsecurity.com/content/view/121945

+---------------------------------+
| Distribution: Mandriva          | ----------------------------//
+---------------------------------+

* Mandriva: Updated php packages fix vulnerability
  9th, March, 2006
  A flaw in the PHP gd extension in versions prior to 4.4.1 could allow a remote attacker to bypass safe_mode and open_basedir restrictions via unknown attack vectors.
  http://www.linuxsecurity.com/content/view/121871

* Mandriva: Updated gnupg packages fix signature file verification vulnerability
  14th, March, 2006
  Another vulnerability, different from that fixed in MDKSA-2006:043 (CVE-2006-0455), was discovered in gnupg in the handling of signature files.
  http://www.linuxsecurity.com/content/view/121913

+---------------------------------+
| Distribution: Red Hat           | ----------------------------//
+---------------------------------+

* RedHat: Moderate: python security update
  9th, March, 2006
  Updated Python packages are now available to correct a security issue. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121869

* RedHat: Important: kdegraphics security update
  9th, March, 2006
  Updated kdegraphics packages that fully resolve a security issue in kpdf are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121870

* RedHat: Moderate: initscripts security update
  15th, March, 2006
  Updated initscripts packages that fix a privilege escalation issue and several bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121930

* RedHat: Moderate: squid security update
  15th, March, 2006
  Updated squid packages that fix a security vulnerability as well as several bugs are now available.
  This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121931

* RedHat: Low: vixie-cron security update
  15th, March, 2006
  An updated vixie-cron package that fixes a bug and security issue is now available. This update has been rated as having low security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121932

* RedHat: Updated kernel packages available for Red Hat
  15th, March, 2006
  Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the seventh regular update. This security advisory has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121933

* RedHat: Important: gnupg security update
  15th, March, 2006
  An updated GnuPG package that fixes signature verification flaws as well as minor bugs is now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121934

* RedHat: Critical: flash-plugin security update
  15th, March, 2006
  An updated Macromedia Flash Player package that fixes a security issue is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/121943

+---------------------------------+
| Distribution: SuSE              | ----------------------------//
+---------------------------------+

* SuSE: gpg signature checking problems
  10th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/121883

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Mar 20 03:46:38 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Mar 2006 02:46:38 -0600 (CST)
Subject: [ISN] Muslim Hacker Attack Feared on War Anniversary
Message-ID:

http://times.hankooki.com/lpage/200603/kt2006031917321610220.htm

By Kim Tae-gyu
Staff Reporter
03-19-2006

Korean firms run the risk of being attacked by Muslim extremist hackers on the occasion of the third anniversary of the U.S.-led invasion of Iraq, which falls on Monday, police said Sunday.

The National Police Agency issued a warning about politically motivated cyber attacks against Korea, which is regarded as one of the main enemies by some Muslim crackers due to the nation's dispatch of forces to Iraq.

``Among countries that sent troops to Iraq, Korea is thought of as one of the few countries, along with the United States, which do not consider pulling out their soldiers,'' said an official at the law enforcement agency.

At the request of Washington, Seoul dispatched up to 3,600 troops to Iraq in August 2004, representing the third largest foreign force after the U.S. with 155,500 and Britain with 8,500.

Korea looks to cut the number substantially to just over 2,000. But the country is not considering pulling all soldiers, mainly construction and medical staff, out of war-torn Iraq.

``That appears to encourage some Muslim extremists to vandalize Korean companies' Web sites as a measure of revenge. We have intelligence regarding that,'' he said.

AhnLab, Korea's foremost online security company, cautions that ``defacement,'' which means replacing the normal content of a site with a specific political or social message or erasing the content entirely, might happen Monday.

``A defacement attack is not difficult technology.
Korean outfits are required to prepare for any potential (defacement) vandalizing attempts, timed with the third anniversary of the Iraqi war,'' AhnLab chief executive Kim Chul-soo said.

Microsoft Korea, an affiliate here of the world's biggest producer of software, said a more severe threat of denial-of-service (DoS) attacks might be looming. DoS attackers attempt to bring corporate networks to their knees by flooding them with useless traffic, thus shutting down the networks.

``There is a possibility that viruses are lurking in cyber space, which are programmed to activate DoS attacks on Korean sites, on the war anniversary,'' Microsoft Korea chief security officer Cho Won-young said.

``We are keeping a tab on things. In (an) emergency, our task force team will immediately convene,'' he continued.

Cho worried that those who do not patch their security holes periodically are in constant danger of being victimized by DoS attacks.

``Big corporations are well prepared by paying much attention to security woes but small-sized ones are not. That causes concerns,'' Cho added.

From isn at c4i.org Mon Mar 20 03:46:56 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 20 Mar 2006 02:46:56 -0600 (CST)
Subject: [ISN] Visa warns software may store customer data
Message-ID:

http://news.com.com/Visa+warns+software+may+store+customer+data/2100-1029_3-6051261.html

By Greg Sandoval
Staff Writer, CNET News.com
March 17, 2006

A popular software package that retailers use to control debit-card transactions may inadvertently store sensitive customer information, including PIN codes, says Visa.

Two versions of cash-register software made by Fujitsu Transaction Solutions are under scrutiny, according to a warning Visa issued to the companies that process card transactions for some of the nation's largest retailers. A Visa representative confirmed that the warning was sent.
Some of Fujitsu's retail customers include Best Buy, Staples and OfficeMax, but it is not known which companies use the software Visa claims is flawed. Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts. Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months and have told customers that thieves obtained vital debit-card information as a result of a security breach at a large merchant. One commonality among the fraud victims, according to law enforcement and banking officials, is that most had shopped at one of Fujitsu's clients: OfficeMax. The office-supply retailer has said that it has found no indication that it suffered an illegal intrusion. Fujitsu, which did not return repeated phone calls from CNET News.com on Friday, denied that its software has had anything to do with any alleged security breach. A representative for the company told the Journal that customer data, such as PIN codes, could not be stored using just its software. Other software tools would have to be added. Major credit-card companies have banned the storing of customer data and can fine merchants who do store such data. The fear is that customer information may be a sitting duck for hackers should it be left in a company's computer system. What may be more worrisome for consumers is that it's not uncommon for merchants to accidentally stockpile their customers' data, says Branden Williams, a principal consultant at computer-infrastructure firm VeriSign. One of VeriSign's offerings is that it will assess a company's computer systems to ensure they meet security standards required by the big credit-card firms. 
During his white-glove inspections, Williams said, he has often found software that would trap customer data, including PIN information, without the retailer's knowledge. Big companies working with complex systems are more prone to such slipups, he said.

"You could totally understand how they could forget to turn off some switch," he said.

But Williams said there's no reason for the problem to go unchecked. Not only are there companies like VeriSign that will monitor system security, but Visa also offers a list of software products proven not to store data.

Neither of the Fujitsu products, RAFT and GlobalStore, is among the products approved by the major credit card companies. This doesn't mean that the software doesn't meet industry standards. It only means that the software hasn't undergone the review process needed for sanctioning by the group, according to a note on Visa's site.

"It's really the responsibility of a company doing business to protect their customers," said Williams. "Especially when you consider what's at stake: identity theft, bad public relations and potential fines. Software vendors should also have their applications checked for any vulnerabilities that could lead to a security breach."

From isn at c4i.org Tue Mar 21 04:11:28 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:11:28 -0600 (CST)
Subject: [ISN] Recon 2006: Guest speakers announcement. Call for papers and early registration ending in less than 2 weeks.
Message-ID:

Forwarded from: Hugo Fortier

Recon 2006 - 16th 17th 18th June 2006 - Plaza Hotel, Montreal - http://recon.cx

------------------------------------------------------------------------

We are pleased to announce the guest speakers of Recon 2006:

Anthony de Almeida Lopes: Multi-cavity NOP-infection Operating System-Independent x86 Virus

David Hulton (h1kari): Breaking Wi-Fi... Faster!
(with FPGA)

Joe Stewart: OllyBone - Semi-Automatic Unpacking on IA-32

Spoon: IDARub (IDARub is an IDA plugin that wraps the IDA SDK for access from the Ruby programming language)

Early registration ends in less than two weeks, so if you want a cheap ticket register now! Visit http://recon.cx/en/reg.html for more details.

------------------------------------------------------------------------

The Call For Papers deadline is the 31st of March, 2006, so if you want to present at Recon 2006 you have less than two weeks left to submit your paper. For more details on the CFP please visit http://recon.cx/en/cfp.html.

------------------------------------------------------------------------

Recon 2005 videos: http://2005.recon.cx/recon2005/papers/

------------------------------------------------------------------------

We are offering three training courses this year.

* Advanced Reverse Engineering
  Learn how to unpack Packers and Protectors, and how to analyse Polymorphic viruses
  Instructor: Nicolas Brulez
  Dates: 13-15 June 2006
  Availability: 18 seats

* Introduction to Reverse Engineering
  Learn how you can reverse engineer programs to understand their inner workings
  Instructor: Nicolas Brulez
  Dates: 19-21 June 2006
  Availability: 18 seats

* Packet Mastering the Monkey Way
  Learn how to write scanners, sniffers and packet flooders using libpcap, libdnet, and libevent.
  Instructor: Jose Nazario and Marius Eriksen
  Dates: 14-15 June 2006
  Availability: 18 seats

For more details on the trainings go to http://recon.cx/en/training.html

------------------------------------------------------------------------

From isn at c4i.org Tue Mar 21 04:10:42 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:10:42 -0600 (CST)
Subject: [ISN] Police data on 4,400 uploaded via Winny
Message-ID:

http://www.yomiuri.co.jp/dy/national/20060321TDY02008.htm

The Yomiuri Shimbun
Mar. 21, 2006

Ehime prefectural police have announced that confidential personal information on 4,400 people was included in files accidentally uploaded to the Internet via Winny file-sharing software.

The investigation data was leaked through the computer of a 42-year-old police inspector of the criminal investigation department and included information on crime suspects, victims and investigation informants, as well as statements from suspects.

The announcement was the first by the police on how much data had been compromised. The police, however, had not publicized details about the data in an effort to protect the people concerned.

According to the Ehime police, the oldest bit of leaked data dated back to 1984.

The police began searching for the data on the Internet after they were notified of the leak on March 5. After recently obtaining the leaked files, they confirmed the contents were identical to material the police inspector had transferred from his personal computer to several compact discs.

The police will apologize to people whose personal information was leaked and launch a free telephone consultation service concerning the incident in a few days.

The police are requesting that providers and managers of Internet bulletin boards delete the leaked data if it is uploaded onto their Web sites.

In a similar case that surfaced earlier this month, Okayama prefectural police investigation data, including personal information of about 1,500 crime victims and suspects, was leaked through the software.

From isn at c4i.org Tue Mar 21 04:11:02 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:11:02 -0600 (CST)
Subject: [ISN] Forgotten password clues create hacker risk
Message-ID:

http://www.theregister.co.uk/2006/03/20/forgotten_password_security_risk/

By John Leyden
20th March 2006

Security flaws in the "forgotten password" feature of ecommerce websites leave half the UK's online retailers open to attack, according to security consultancy SecureTest.
It warns that the log-in process of many transactional websites can be subverted by a "brute force" or enumeration attack. In a survey of 107 popular online retail websites in the UK, SecureTest found that 54 of the sites (or 50.5 per cent) are potentially vulnerable to this type of hack attack.

Differences in the responses applications give when valid and invalid user account names are entered can give clues to hackers and form the basis of enumeration attacks. If a valid user name (or registered email address) is entered on a "forgotten password" page, a web application might respond stating that a password will be sent to the user by email. If an invalid user name is entered, the application could respond with "invalid account name".

Using this information, a script can be written to try numerous account names, exploiting these differences in response. While this is a time-consuming process, it does provide a means to build a list of valid user names. Armed with this list, a hacker might apply a similar brute force attack to target the application and crack account passwords. Once sets of user names and passwords are established, a hacker would be able to log into an account, make purchases or extract confidential data, such as a user's postal addresses and credit card details.

"We test web applications daily and repeatedly find that enumeration is possible. This problem is not limited to retail. Most websites with a password reminder function are vulnerable to enumeration attacks," SecureTest managing director Ken Munro said.

A self-confessed ecommerce user, Munro said he looked into the issue after becoming concerned about the way sites he used handled users with forgotten passwords.

Hack attacks targeting the forgotten passwords of ecommerce websites are something neither Munro nor we can cite examples of. However, Munro maintains that the risk is real and worth considering, especially because defending against enumeration attacks on passwords is a simple coding exercise.
Some etailers have implemented a "lock out" feature that restricts access to accounts after a fixed number of failed password attempts. SecureTest reckons this approach, while it might appear to be a good idea, leaves open other forms of abuse, such as the risk that an attacker will bombard valid accounts with bad passwords, thus locking out the retailers' customers. In effect this creates a Denial of Service (DoS) attack, with the application blocking bona fide users through its own aggressive lock-out policy. SecureTest advises retailers to consult their application developer about alternative countermeasures.

The security consultancy has developed a list of recommendations that can be taken to help prevent brute force attacks against ecommerce sites:

* Instigate a 'time out' feature on the log-in form. This will slow down a brute force attack to such an extent that it will render it ineffective.

* Avoid applying a permanent lock-out on the log-in form: an attacker could deliberately lock out valid users by trying bad passwords on their accounts.

* Make sure the error message on the log-in form is generic; don't distinguish between a valid/invalid username and valid/invalid password. "Incorrect credentials entered" is a suitable response.

* Consider implementing a second authentication factor on the forgotten password feature, e.g. a memorable date.

* Ensure you are logging HTTP POST requests from the log-in form and forgotten password feature, as this may not be enabled by default.

* Inspect logs to monitor attacks on particular accounts and take appropriate action if any such hacking attack is identified.
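The following is an added example, not code from The Register article or from SecureTest. It puts the enumeration problem described above next to a handler that follows the recommendations in the list: the vulnerable `forgot_password_vulnerable` answers differently for known and unknown accounts, while `AuthHandler` returns one generic message for both, applies an escalating time-out keyed by the requesting source (so it expires and cannot be used to lock a victim's account), does the same password-hashing work whether or not the account exists, and logs every POST. The account store, salt, iteration count and the `outbox` stand-in for the mail system are all constructed for the example.

```python
import hashlib
import hmac
import logging
import time
from collections import defaultdict
from typing import Dict, Tuple

log = logging.getLogger("auth")


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is a constructed value for this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample account store (not real accounts): username -> (salt, hash).
_SALT = b"constructed-salt-for-the-example"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, hash_password("correct horse battery staple", _SALT)),
    "bob": (_SALT, hash_password("hunter2", _SALT)),
}
# Hash of a password nobody has, so a request for an unknown user costs the same work.
_DUMMY_HASH = hash_password("no-such-password", _SALT)


def forgot_password_vulnerable(username: str) -> str:
    """The pattern the article describes: the reply itself reveals whether the account exists."""
    if username in USERS:
        return "A password reminder has been sent to your e-mail address."
    return "Invalid account name."


class AuthHandler:
    """Log-in and forgotten-password handlers following the SecureTest recommendations."""

    GENERIC_RESET = "If that account exists, a password reset e-mail has been sent."
    GENERIC_LOGIN = "Incorrect credentials entered"

    def __init__(self, users=USERS, base_delay: float = 2.0, clock=time.monotonic):
        self.users = users
        self.base_delay = base_delay               # seconds of time-out added per attempt
        self.clock = clock                         # injectable so the behaviour can be tested
        self.attempts = defaultdict(int)           # source -> consecutive failed attempts
        self.blocked_until: Dict[str, float] = {}  # source -> time; expires, never permanent
        self.outbox = []                           # constructed stand-in for the mail system

    def _throttled(self, source: str) -> bool:
        return self.clock() < self.blocked_until.get(source, 0.0)

    def _record_attempt(self, source: str) -> None:
        # Escalating time-out keyed by the requesting source, not by the target account,
        # so guessing at a victim's user name cannot lock the victim out.
        self.attempts[source] += 1
        self.blocked_until[source] = self.clock() + self.base_delay * self.attempts[source]

    def forgot_password(self, source: str, username: str) -> Tuple[int, str]:
        log.info("POST /forgot-password src=%s user=%r", source, username)  # log every POST
        if self._throttled(source):
            return 429, self.GENERIC_RESET
        if username in self.users:
            self.outbox.append((username, "reset-link"))
        # Same status and body whether or not the account exists: nothing to enumerate.
        self._record_attempt(source)
        return 200, self.GENERIC_RESET

    def login(self, source: str, username: str, password: str) -> Tuple[int, str]:
        log.info("POST /login src=%s user=%r", source, username)
        if self._throttled(source):
            return 429, self.GENERIC_LOGIN
        salt, stored = self.users.get(username, (_SALT, _DUMMY_HASH))
        # Always hash and compare, so an unknown user takes as long as a known one.
        ok = hmac.compare_digest(hash_password(password, salt), stored) and username in self.users
        if ok:
            self.attempts.pop(source, None)
            self.blocked_until.pop(source, None)
            return 200, "Welcome"
        self._record_attempt(source)
        return 401, self.GENERIC_LOGIN
```

Two caveats a reviewer would raise: the generic message only closes the channel if the response is identical in every respect (status code, body, headers and timing), which is why the handler hashes a dummy password for unknown users; and a per-source time-out does nothing against guesses spread over many sources, which is where the last recommendation (inspecting the logged POSTs for attempts concentrated on particular accounts) takes over.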
From isn at c4i.org Tue Mar 21 04:11:43 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:11:43 -0600 (CST)
Subject: [ISN] Internet untouchable for FBI agents in city
Message-ID:

http://www.nydailynews.com/front/story/401323p-339883c.html

BY TRACY CONNOR
DAILY NEWS STAFF WRITER
March 20, 2006

It seems as if every Manhattan prep schooler has one, but many of New York's FBI agents are fighting crime and terrorists without an Internet-ready phone or even an e-mail account, the Daily News has learned.

Mark Mershon, the assistant director in charge of the FBI's 2,000-employee city office, blamed the technology gap on Washington budget constraints. He said there's a cost attached to assigning an agent or analyst an e-mail address with the official domain name - ic.fbi.gov.

"And as ridiculous as this might sound, we have real money issues right now, and the government is reluctant to give all agents and analysts dot-gov accounts," he said when asked about the gap at a News editorial board meeting. "We just don't have the money, and that is an endless stream of complaints that come from the field."

Mershon also revealed that only about 100 agents in New York have BlackBerry devices, which allow users to send and receive e-mail and access the Internet from their phone.

And just a few weeks ago, the New York office was notified that funding for its BlackBerry pilot program - designed to help the FBI better communicate with city, state and federal law enforcement - was being cut.

"I, with the help of others, raised a stink," Mershon said, adding that BlackBerry funding has been restored.

Sen. Chuck Schumer (D-N.Y.) decried the penny-pinching.

"The FBI should have the tools it needs to fight terrorism and crime in the 21st century, most of all in New York City, and one of the most effective means of communications is e-mail and the Internet," he said. "FBI agents not having e-mail or Internet access is much too much a pre-9/11 mentality."
FBI officials in Washington, however, insisted that agents are not at a disadvantage because of cost-cutting.

Spokeswoman Cathy Milhoan said about half the FBI employees don't have official accounts because e-mail addresses are still being assigned. By the end of the year, the entire bureau should have dot-gov mailboxes, she said.

As for the BlackBerry devices, she conceded funding for the pilot program was put in jeopardy because a lawsuit over the technology had threatened to make the machines obsolete. Now that the issue has been resolved, the FBI intends to keep the 100 wireless gizmos in the budget - though there are no plans to issue them to more agents.

Those who don't have them can use their regular cell phones, pagers and secure radios to communicate internally and with other agencies.

"BlackBerrys do cost money," she said. "It's the newest high-tech gadget, but it's not the only way to communicate."

From isn at c4i.org Tue Mar 21 04:11:59 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:11:59 -0600 (CST)
Subject: [ISN] Users of SELinux now have a choice on security
Message-ID:

http://www.gcn.com/print/25_6/40117-1.html

By Joab Jackson
GCN Staff
03/20/06

The release of a new open-source security package has sparked debate over how many Mandatory Access Control applications Linux really needs, and whether more than one would just dilute volunteer efforts.

Novell Inc. of Provo, Utah, recently released the source code for its newly acquired Linux security application, AppArmor. It also set up a project site in hopes of attracting outside developers to further refine the program.

MAC software tackles the growing problem of applications executing malicious tasks on their host systems. It keeps profiles of routine actions that each application on a computer usually takes. When a program starts behaving in an unusual fashion, the MAC software can call on the operating system to halt that errant operation.
Novell has stressed that AppArmor is easier to use than SELinux, another MAC program first developed by the National Security Agency. Novell admits that SELinux tackles mandatory access control with more rigor than AppArmor, but questions whether most users really need that degree of protection.

"There needs to be a better way to deploy [MAC] so that the average systems administrator doesn't need to go through three weeks of training," said Frank Rego, products manager for Novell.

Some observers fear that the AppArmor project will fracture the open-source development community around the demanding science of MAC. SELinux has a vibrant user community, with input from companies such as Red Hat Inc. of Raleigh, N.C., Mitre Corp. of Bedford, Mass., and Tresys Technology LLC of Columbia, Md., as well as support from NSA itself.

"In my opinion, Novell wants to split the market," said Dan Walsh, the principal software engineer of Red Hat. Both Red Hat and Novell offer enterprise-class Linux distributions. "Rather than working with the open-source community [on SELinux], Novell has thrown out its own competing version."

Novell acquired AppArmor last May when it purchased Immunix Inc. The chief component of AppArmor is a module that must be added to the Linux kernel. Those who don't want to recompile the kernel can install Novell's SuSE Linux 10 desktop distribution, as well as SuSE Linux Enterprise Server 9 Service Pack 3, both of which have AppArmor preinstalled.

"The biggest difference between AppArmor and SELinux is in the ease of deployment," Rego said. NSA designed SELinux to address highly classified documents for sensitive environments, according to Rego. And while it executes this job well, it may be too powerful for most everyday deployments. In fact, Rego speculated, SELinux's complexity may have been an obstacle to wider deployment. Administrators may turn off security privileges in an effort to facilitate smooth operations.
"Is this the beginning of the Unix wars all over again?" Walsh asked on a blog he created to express his views on the subject. In the late 1980s and early 1990s, different Unix vendors developed tools and applications that would only work with their own versions of Unix. By introducing a second MAC application into the open-source landscape, Novell is splintering the development community, Walsh charged.

On his blog, Walsh also cast aspersions on the viability of AppArmor itself, pointing out that the program is easier to use because it doesn't control as many low-level aspects of system operation as SELinux does - aspects that are necessary to consider when setting up a secure environment.

At a recent SELinux Symposium held in Baltimore, many participants disparaged the AppArmor announcement. Still, several of the conference's presentations were of applications designed to ease the deployment of SELinux.

In most implementations, SELinux must be configured from the command line, which involves changing attributes in a configuration file over 70,000 lines long. Although the latest version of Red Hat's own enterprise Linux distribution, as well as its volunteer-led Fedora offshoot, lets users enable SELinux for the prepackaged applications, they must write policies for new applications - or make changes to any existing application policies - by hand.

Tresys Technology's Chad Sellers said the security company was working on a higher-level policy language for SELinux that should be easier to understand, as well as a related compiler and an Eclipse-based graphical user interface called Slide.

Even SELinux adherents admit it can be a tough program to work with. "There is a steep learning curve," Sellers said. "Once you have that higher-level language, you could reach new users."
From isn at c4i.org Tue Mar 21 04:12:14 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:12:14 -0600 (CST)
Subject: [ISN] DOD removes missile defense system report from Web site
Message-ID:

http://www.fcw.com/article92668-03-20-06-Web

By Bob Brewin
Mar. 20, 2006

The Defense Department has removed from the DOD inspector general's Web site a critical report that states that the network that links radar systems, missile sites and command centers for the Missile Defense Agency's (MDA) ground-based defense system has serious flaws in the security technologies, policies and procedures needed to protect the integrity, availability and confidentiality of information on the network.

Federal Computer Week published a Web article [1] March 16 and a follow-up print article [2] today about the report, which states that MDA and Boeing, the prime contractor for the Ground-based Midcourse Defense (GMD) system and the GMD Communications Network (GCN), have allowed the use of group passwords on the unencrypted portion of the GCN rather than requiring individual passwords. The report also faults MDA and Boeing for the lack of automated audit trails -- essential to catch inside or outside threats -- on the network.

The report, "Select Controls for the Information Security of the Ground-based Midcourse Defense Communications Network," vanished from the DOD IG audit report this past weekend.

A DOD spokesman said he was working on getting an explanation from the IG office on why the report was removed from the Web site, but he said he was not optimistic about getting back to FCW today. An MDA spokesman did not return calls from FCW asking for an explanation.

MDA is holding its annual conference today in Washington, D.C., at the Ronald Reagan Building and International Trade Center, named after the president who first advocated a missile defense system nicknamed "Star Wars" to counter perceived missile threats from the now-defunct Soviet Union.
FCW saved a digital version of the DOD IG report [1] on the security flaws in the GCN system and posted the report on its Web site.

[1] http://www.fcw.com/article92640-03-16-06-Web
[2] http://www.fcw.com/article92665-03-20-06-Print
[3] http://www.fcw.com/images/st_images/MDADODIGReport.pdf

From isn at c4i.org Tue Mar 21 04:12:53 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:12:53 -0600 (CST)
Subject: [ISN] Linux Security Week - March 20th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  March 20th, 2006                             Volume 7, Number 12n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas       ben at linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "An introduction to Elliptic Curve Cryptography," "The 7 myths about protecting your web applications," and "Wi-Fi Security's Personal Problems."

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Community 3.0.5 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121879/65/

---

pgp Key Signing Observations: Overlooked Social and Technical Considerations
By: Atom Smasher

While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

http://www.linuxsecurity.com/content/view/121645/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Cryptography in the Database: The Last Line of Defense
  14th, March, 2006

Excerpt: This chapter discusses how cryptography can address the concerns raised in the previous chapter.
After explaining what cryptography is and providing a general idea of how it works, we dig into the various types of cryptographic algorithms and see where the strengths and weaknesses of each lie.

http://www.linuxsecurity.com/content/view/121920

* Philip Zimmermann releases Zfone for Linux
  15th, March, 2006

Phil Zimmermann thinks Zfone is better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or the key management complexity that bedevils the email encryption world.

http://www.linuxsecurity.com/content/view/121925

* An introduction to Elliptic Curve Cryptography
  17th, March, 2006

Elliptic Curve Cryptography (ECC) has been gaining momentum as a replacement for RSA public key cryptography largely based on its efficiency, but also because the US National Security Agency (NSA) included it in its Suite B cryptography recommendations while excluding RSA. Suite B is a set of algorithms that the NSA recommends for use in protecting both classified and unclassified US government information and systems. Public key cryptography is the basis for tools like ssh as well as Secure Sockets Layer (SSL) for encrypting web traffic. For readers who would like more information, a nice introduction to public key cryptography and the RSA algorithm can be found on Wikipedia.

http://www.linuxsecurity.com/content/view/121963

* Linux Dictionary
  19th, March, 2006

(SWP) Sun Wah-PearL Linux Training and Development Centre has an ambitious aim to promote the use of Linux and related Open Source Software (OSS) and Standards. The vendor independent positioning of SWP has been very well received by the market. Throughout the last couple of years, SWP has become the top leading OSS training and service provider in Hong Kong. And in fact we are leading the market direction in some ways.
http://www.linuxsecurity.com/content/view/121977

* February's Security Streams
  11th, March, 2006

It's about time I summarize all my February's Security Streams; you can of course go through my January's Security Streams as well, in case you're interested in what was inspiring me to blog during January.

http://www.linuxsecurity.com/content/view/121888

* SC Magazine CSO of the Year: Thomas Dunbar, Global Chief Security Officer, XL Capital
  15th, March, 2006

As the global chief security officer at a leading multinational insurance company, Thomas Dunbar has a lot of data to protect, a range of regulations with which to comply and a huge number of employees whose access to corporate IT assets he must manage. The efforts he undertakes on a daily basis to achieve these and other mandates are the primary reasons why the SC Magazine Awards U.S. for 2006 saw him walk away with the title of CSO of the Year.

http://www.linuxsecurity.com/content/view/121939

* 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery)
  16th, March, 2006

The newest contender on the block of course is BackTrack, which we have spoken about previously. An innovative merge between WHax and Auditor (WHax formerly WHoppix). BackTrack is the result of the merging of two innovative penetration testing live Linux distributions, Whax and Auditor, combining the best features from both distributions and paying special attention to small details; this is probably the best version of either distribution to ever come out.

http://www.linuxsecurity.com/content/view/121946

* US Government Studies Open Source Quality
  17th, March, 2006

"US Government Studies Open Source Quality" reads the SlashDot thread, and it certainly sounds interesting. Reading deeper, it links to an article by the Reg titled "Homeland Security report tracks down rogue open source code". The author of the article, Gavin Clarke, doesn't link to the company who performed the study (Coverity) or the report itself.
A quick Google search finds the Coverity home page.

http://www.linuxsecurity.com/content/view/121967

* FrSIRT Puts Exploits up for Sale
  17th, March, 2006

Independent security research outfit FrSIRT.com is putting its database of security exploits behind the paid curtain. FrSIRT, previously known as K-Otik, has shut down the public exploits section of its Web site and announced that all exploits and proof-of-concept code will be sold through its subscription-based VNS (Vulnerability Notification Service).

http://www.linuxsecurity.com/content/view/121969

* Social Engineering Reloaded
  15th, March, 2006

The purpose of this article is to go beyond the basics and explore how social engineering, employed as technology, has evolved over the past few years. A case study of a typical Fortune 1000 company will be discussed, putting emphasis on the importance of education about social engineering for every corporate security program.

http://www.linuxsecurity.com/content/view/121941

* Anti Phishing Toolbars - Can You Trust Them?
  12th, March, 2006

A lot of recent phishing events occurred, and what should be mentioned is their constant ambition towards increasing the number of trust points between end users and the mirror version of the original site. The use of SSL and the ease of obtaining a valid certificate for a to-be fraudulent domain is a fairly simple practice. Phishing is so much more than this, and it even has to do with buying 0day vulnerabilities to keep itself competitive. How should phishing be fought? Educating the end user not to trust that he/she's on Amazon.com, when he just typed it, or enforcing a technological solution to the problem of digital social engineering and trust building?
http://www.linuxsecurity.com/content/view/121890 * VM Rootkits: The Next Big Threat 13th, March, 2006 Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation. http://www.linuxsecurity.com/content/view/121906 * Useful Firefox Security Extensions 18th, March, 2006 Mozilla's Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here's a roundup of some of the more useful ones I've found. http://www.linuxsecurity.com/content/view/121975 * Kids Learn About Cyber Security 13th, March, 2006 A group of students at Rome Catholic School are learning how to become the future defenders of cyberspace through a pilot program that officials say is the first of its kind in the country. The program teaches students about data protection, computer network protocols and vulnerabilities, security, firewalls and forensics, data hiding, and infrastructure and wireless security. Most importantly, officials said, teachers discuss ethical and legal considerations in cyber security. http://www.linuxsecurity.com/content/view/121907 * Skype Branded Danger To Enterprise IT Security 16th, March, 2006 Although cost savings and improved communications are luring enterprises to Skype, the popular voice over IP service may violate security policies, industry experts have warned. Burton Group recommended enterprises assess the risks vs. rewards of Skype as the simplest solution for evaluating its use. 
http://www.linuxsecurity.com/content/view/121942 * The Enemy Within The Firewall 16th, March, 2006 Employees are now regarded as a greater danger to workplace cyber security than the gangs of hackers and virus writers launching targeted attacks from outside the firewall. That is the perception of 75 per cent of Australian information technology managers who took part in an international IBM security survey. http://www.linuxsecurity.com/content/view/121958 * How to Create RFID Access for Your Front Door 17th, March, 2006 There are many uses for RFID such as supply chain management, but access control is one of the most relevant applications for personal use. Many people use RFID access cards to get into buildings, use elevators, or even open the doors to those special penthouse type hotel suites. Setting up your own front door (or any door for that matter) with an RFID enabled access mechanism is pretty easy. http://www.linuxsecurity.com/content/view/121974 * Digital Forensics and Hacking Investigations 13th, March, 2006 We discuss network forensics and misuse investigations; different types of devices that may hold suspect data or evidence; introduction to the 7-layer OSI model; network forensics and the role of sniffers and protocol analysis software; the function of network interface cards and layer-2 content inspection; overview of how a NIC works; overview of how a sniffer works; introduction to promiscuous mode; the 4 ways to capture traffic for network forensics; introduction to spanning and mirroring switch ports; introduction to buffered and unbuffered network taps; layer-2 transparent bridging concepts. http://www.linuxsecurity.com/content/view/121901 * Security Podcasts Roundup 13th, March, 2006 We at PaulDotCom security weekly listen to many podcasts in an attempt to assimilate as much information as possible. Each podcast we listen to has its own strengths, and there are few on this list that I would dismiss altogether, but I'll let you be the judge. 
There have been a few other blog postings related to security podcasts.

http://www.linuxsecurity.com/content/view/121902

* Photoshop Concepts For Law Enforcement
  13th, March, 2006

With its comprehensive suite of powerful digital imaging products, Adobe software provides the solutions law enforcement agencies need to conduct enhanced forensic investigations. With its unmatched set of image management tools, Adobe Photoshop software is widely used by law enforcement agencies to make digital photos of suspects and crime scenes clearer for positive identification.

http://www.linuxsecurity.com/content/view/121904

* Married Couple Indicted for Corporate Espionage
  14th, March, 2006

An Israeli couple has been charged with corporate espionage after the two were discovered engineering and distributing a Trojan horse application found to be responsible for several cases of data theft. The Tel Aviv District Attorney filed the 65-page indictment Sunday and announced that prosecutors had entered into a plea bargain agreement with the two defendants. The couple, formerly residents of London, were extradited to Israel. Prosecutors consider Ruth Haephrati, 29, the ringleader and principal party responsible for the couple's criminal enterprise. According to the indictment, Haephrati was the one who sought out new clients to increase business.

http://www.linuxsecurity.com/content/view/121917

* 'Security pro' - an oxymoron?
  14th, March, 2006

The term 'infosec professional' is almost a contradiction in terms, according to analyst group Gartner, which warns the field of IT security is still finding its feet. The analyst house said there is little agreement on what constitutes professionalism. This means hiring decisions are complicated by a lack of consensus on the skills needed and, as a result, many security problems will remain unsolved until specialists pool their knowledge and experience, Gartner said in a briefing note.
http://www.linuxsecurity.com/content/view/121919

* The 7 myths about protecting your web applications
  15th, March, 2006

Web applications are currently proving to be one of the most powerful communication and business tools. But they also come with weaknesses and potential risks that network security devices are simply not designed to protect against.

http://www.linuxsecurity.com/content/view/121923

* Basketball Social Engineering
  15th, March, 2006

On March 4, University of California Berkeley (Cal) played a basketball game against the University of Southern California (USC). With Cal in contention for the PAC-10 title and the NCAA tournament at stake, the game was a must-win. Enter "Victoria." Victoria was a hoax UCLA co-ed, created by Cal's Rally Committee. For the previous week, "she" had been chatting with Gabe Pruitt, USC's starting guard, over AOL Instant Messenger. It got serious. Pruitt and several of his teammates made plans to go to Westwood after the game so that they could party with Victoria and her friends.

http://www.linuxsecurity.com/content/view/121927

* Study Says RFID Tags Are Vulnerable To Viruses
  15th, March, 2006

A group of European computer researchers have demonstrated that it is possible to insert a software virus into radio frequency identification tags, part of a microchip-based tracking technology in growing use in commercial and security applications. In a paper to be presented Wednesday at an academic computing conference in Pisa, Italy, the researchers plan to demonstrate how it is possible to infect a tiny portion of memory in the chip, which can hold as little as 128 characters of information.

http://www.linuxsecurity.com/content/view/121938

* LAMP lights the way in open-source security
  16th, March, 2006

The most popular open-source software is also the most free of bugs, according to the first results of a U.S. government-sponsored effort to help make such software as secure as possible.
The so-called LAMP stack of open-source software has a lower bug density--the number of bugs per thousand lines of code--than a baseline of 32 open-source projects analyzed, Coverity, a maker of code analysis tools, announced Monday. http://www.linuxsecurity.com/content/view/121947 * Top 50 malicious code samples reveals secrets 16th, March, 2006 While past attacks were designed to destroy data, today's attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence, the company said. In its previous report, Symantec cautioned that malicious code for profit was on the rise, and this trend continued during the second half of 2005. http://www.linuxsecurity.com/content/view/121948 * BS7799 Ver 3 Security Standard Published 17th, March, 2006 The new security standard from BSI, BS7799 3, has been published today. This is titled "Guidelines for Information Security Risk Management", and supports the more general security management standard, ISO27001, which was published last year. http://www.linuxsecurity.com/content/view/121962 * Report: 80 percent of emails out to manipulate 14th, March, 2006 Four out of five inbound emails are designed to deceive the recipient, according to a new report studying the scope of abusive online messages. The Messaging Anti-Abuse Working Group's (MAAWG) Email Metric Report, which analyzed data from more than 127 million mailboxes during last year's fourth quarter, found that more than 142 billion emails either were tagged or blocked before they reached the end user. Another 61.3 billion emails were the victims of dropped connections, the study showed. Nearly 37 billion emails were unaltered before reaching their destination. http://www.linuxsecurity.com/content/view/121918 * Human Rights and Wrongs Online 14th, March, 2006 A government's position on censorship used to protect its citizenry is dictated by who they are. 
The well-popularized censorship of Internet content in China by Google and other big players, and criticism of this by the U.S. government, is really just the tip of the iceberg. On February 15, the United States Congress held hearings on the role of U.S. Internet companies like Google, Microsoft, Yahoo and Cisco in suppressing free expression and therefore encouraging repressive tactics by countries like China. The hearings explored the role and the responsibility of these companies for deliberately filtering communications, assisting in the interception of citizens' communications, and using technology to restrict access by citizens to information.

http://www.linuxsecurity.com/content/view/121921

* Search firms surveyed on privacy
  15th, March, 2006

We asked the same seven questions of each company. Their answers are reproduced below, with the responses sorted by the companies' names in alphabetical order. What information do you record about searches? Do you store IP addresses linked to search terms and types of searches (image vs. Web)? Weinstein: Any time a search is done on the AOL service or AOL.com, the left rail on the results page offers a list of the most recent searches conducted by that user.

http://www.linuxsecurity.com/content/view/121928

* Federal Budget For 2007 To Boost Cybersecurity
  11th, March, 2006

Although President Bush's proposed budget for fiscal 2007 (starting Oct. 1, 2006) increases spending for key cybersecurity programs, it is not clear how that money would be spent, raising concerns in the information security industry. One of the biggest security-related boosts would be a $35 million infusion to the "critical infrastructure outreach and partnerships" initiative within the Department of Homeland Security. The goal of that effort is to increase cooperation and information sharing among DHS, state and local governments and infrastructure providers.
Thirty million dollars of that allocation would go toward implementing partnership plans for private industry verticals like information technology, finance and electrical utilities. http://www.linuxsecurity.com/content/view/121887 * How To Legislate Against Hackers 16th, March, 2006 Everyone is in favour of sending hackers to prison for longer, but technology commentator Bill Thompson wonders if our MPs are competent to make good cyber-laws. If all goes to plan and the fuss over ID cards and school governance does not derail the parliamentary timetable, then we will soon have a new Police and Justice Act. http://www.linuxsecurity.com/content/view/121952 * NIST sets FISMA Standards For Federal IT Systems 17th, March, 2006 The National Institute of Standards and Technology has released the final standard for securing agency computer systems under the Federal Information Security Management Act. Federal Information Processing Standard 200 [1] sets minimum security requirements for federal systems in 17 security areas. It is the third of three publications required from NIST under FISMA, which requires executive branch agencies to establish consistent, manageable IT security programs for non-national security systems. The intent of FISMA is to implement risk-based processes for selecting and implementing security controls. http://www.linuxsecurity.com/content/view/121968 * Linux Zero IP ID Vulnerability? 15th, March, 2006 I've recently stumbled upon an interesting behaviour of some Linux kernels that may be exploited by a remote attacker to abuse the ID field of IP packets, effectively bypassing the zero IP ID in DF packets countermeasure implemented since 2.4.8 (IIRC). http://www.linuxsecurity.com/content/view/121940 * Trojan Cryzip Extorts Decryption Fee 18th, March, 2006 A Trojan making the rounds encrypts victims' files and demands a $300 payment to have them decrypted and unlocked, according to a report by security firm Lurhq Threat Intelligence Group. 
This so-called "ransomware" Trojan, dubbed Cryzip, is the second of its type to emerge in the past 10 months, following the PGPcoder Trojan. It also is the third such Trojan to appear since 1989. http://www.linuxsecurity.com/content/view/121976 * Wi-Fi Security's Personal Problems 13th, March, 2006 With security such an important concern for wireless networks, most new Wi-Fi gear has long supported Wi-Fi Protected Access 2 (WPA2), the latest standard for encrypting data sent over the air. As of this month, all Wi-Fi gear will, as the Wi-Fi Alliance is making WPA2 compatibility a mandatory part of its interoperability tests. But there are two kinds of WPA2, and most Wi-Fi phones and many other gadgets support only the lesser version, which was originally designed for home networks. http://www.linuxsecurity.com/content/view/121908 * ISO Rejects China's WAPI Wireless Security Protocol 16th, March, 2006 The International Standards Organization (ISO) last week rejected a security protocol that was backed by some Chinese representatives as an amendment to the group's wireless LAN standard. The ISO turned down the Chinese technology, called the WLAN Authentication and Privacy Infrastructure (WAPI), in voting to adopt the IEEE 802.11i security specification that was developed by the Institute of Electrical and Electronics Engineers Inc., according to a member of the IEEE 802.11 Working Group who asked not to be named because of working group rules. http://www.linuxsecurity.com/content/view/121953 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message. 
------------------------------------------------------------------------

From isn at c4i.org Tue Mar 21 04:13:31 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:13:31 -0600 (CST)
Subject: [ISN] Security Experts Warn of Devastating Web Attack
Message-ID:

Forwarded from: security curmudgeon

: http://www.foxnews.com/story/0,2933,188102,00.html
:
: Paul Wagenseil
: Fox News
: March 16, 2006
:
: WASHINGTON - A powerful new twist on the most common kind of Internet
: attack could overwhelm even the most popular and well-fortified Web
: sites and disrupt e-mail traffic by enlisting the network infrastructure
: servers that manage Internet traffic worldwide, security experts warn.
:
: First detected as early as 2002, the assault, known as a distributed
: reflected denial-of-service (DRDoS) attack, bombards targeted Web
: servers with such massive amounts of spurious data that even flagship
: technology companies would not be able to cope.

The following comments are courtesy of Dave Dittrich, reworded a bit here with his permission:

There are some news stories starting to break in which VeriSign claims to have "discovered" a "new DDoS" attack (two below, at least two more on the way).

http://software.silicon.com/security/0,39024655,39157301,00.htm
http://www.theinquirer.net/?article=30361

If anyone wants to set the record straight on all of this, the first public mention of these kinds of attacks was Vern Paxson in 2001. The first public mention of a distributed reflected DDoS attack involving DNS was against futuresite.register.com in 2001. The Honeynet Project "Reverse Challenge" binary turned out to be a DDoS agent, and it implemented several DNS related attacks *including* a distributed reflected DNS attack. That was in 2002. Dittrich and his co-authors mentioned reflection attacks (including the above) in their book "Internet Denial of Service: Attack and Defense Mechanisms", which was published just over a year ago.

So if 5 years old is "new"..
Dittrich just updated his DDoS web page to include references to the above information, as well as other references, history and more:

http://staff.washington.edu/dittrich/misc/ddos/

From isn at c4i.org Tue Mar 21 04:13:50 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 21 Mar 2006 03:13:50 -0600 (CST)
Subject: [ISN] AT&T spotlights disaster recovery
Message-ID:

http://telephonyonline.com/telecomnext/news/ATT_TelecomNext_NDR_031706/

By Carol Wilson
Mar 17, 2006

AT&T doesn't normally train for disasters when "it's 75 degrees and sunny outside," according to Ken Smith, team lead of AT&T's Network Disaster Recovery unit. But next week, the unit will make an exception, putting its 16 years of disaster recovery experience on exhibit as part of the TelecomNext trade show in Las Vegas.

The company will have 20 of the 150 self-contained trailers it uses in real-life disaster recovery on display at the trade show and will run a demonstration that shows part of what goes on behind the scenes at AT&T four times a year, when the company does its real disaster recovery training.

Begun in the early '90s, AT&T's disaster recovery training program is unique in the industry, Smith said, because of the resources it devotes to preparing on a national scale for almost any type of disaster, manmade or natural. The company houses the 150 trailers and other NDR vehicles as well as another 250 trailers that provide backup and logistical support in four undisclosed locations around the country, ready to mobilize at a moment's notice, as they did in the fall of 2005 for Hurricanes Katrina and Rita.

The main trailers are designed to provide full Central Office functionality with everything from Class 5 switching to digital cross-connect, ATM and frame relay gear and electrical power equipment. More importantly, however, the response effort can be configured to provide exactly the capability of the specific CO affected by the disaster, Smith said.
"We have proprietary software developed by our labs that contains information about every one of our AT&T COs," he said. "For example, for Jacksonville, Fla., [our team] can tell me what is in the office, what trailers I would need, the closest trailers stored, and all of the cabling needed to recover that office. That allows me to show up at a site and recover an office, regardless of the size, within seven days or less."

After the September 11, 2001 attacks on the World Trade Center, AT&T had its NDR trailers up and running in New Jersey within 48 hours to replace the switch it lost under the collapsing towers, Smith said.

AT&T also has emergency communications vehicles that it supplies to local emergency services personnel to help them maintain their communications. In response to Hurricane Katrina, the company provided five such vehicles - its maximum - for the first time ever, Smith said.

"Normally, when we see a situation developing, like Katrina, we will have two vehicles in position ready to deploy - one for us and one for emergency services," he said. "For Katrina, we deployed all five for the first time."

Among other services provided was the capability for local law enforcement to check on the prior records of individuals arrested while looting, to determine if they had previous criminal histories and should be held.

AT&T puts its NDR capabilities to use for its corporate customers as well, doing disaster recovery assessments for them, to determine how prepared they are in case of major problems.

In Las Vegas, AT&T will have a total of 29 trailers, including its command center, a Lucent 5ESS class 5 switch, digital cross connect capability, other technology trailers and those providing power and other support. The company will be conducting tours and demonstrations of its disaster recovery capability.
"My hope is that they walk away understanding that AT&T takes reliability very seriously and has probably the best disaster recovering program in the industry," Smith said. "Whether they are an AT&T customer or they are not, they can ask themselves about their company's disaster recovery program. Individual customers need to ask themselves about their own plan. We have seen the devastation that can happen."

AT&T's NDR includes both full-time workers and other AT&T employees who have other jobs in addition to disaster recovery. While the program is a major financial investment, Smith considers it to be insurance.

"You either pay it up front and then you recover, or if you don't pay it up front, you wind up paying later," he said.

From isn at c4i.org Wed Mar 22 02:37:38 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 22 Mar 2006 01:37:38 -0600 (CST)
Subject: [ISN] Book Review: High-Tech Crimes Revealed
Message-ID:

Forwarded from: security curmudgeon

http://attrition.org/~jericho/works/security/review/book_review.high-tech_crimes_revealed.html

High-Tech Crimes Revealed
Cyberwar Stories from the Digital Front
Steven Branigan
ISBN: 0-321-21873-6
Addison-Wesley, Copyright 2005

I found this book just after Christmas (Dec 2005) and grabbed it hoping for a decent read about computer crimes and sociology, backed by real world experience and first hand tales from the 'digital front'. Instead, I got the worst collection of naive and inexperienced crap I have read in a long time. After paying money for this book, I feel as if I have fallen victim to a lame phishing scam.

It is important to note that this book is copyright 2005, and says the first printing was in August 2004. It puts the entire book into perspective and quickly makes you question the author's credentials.
In fact, if this book wasn't written in the mid to late 90's, shelved for almost ten years, and eventually printed, then Branigan should never claim any affiliation with the computer security industry/community.

[..]

From isn at c4i.org Wed Mar 22 02:37:58 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 22 Mar 2006 01:37:58 -0600 (CST)
Subject: [ISN] Arrest over 'high profile hacking'
Message-ID:

http://finance.news.com.au/story/0,10166,18562649-31037,00.html

AAP
March 22, 2006

A VICTORIAN man has been charged over a series of high profile international internet hacking attacks.

The 22-year-old was arrested in Melbourne early today after a joint state and federal investigation into the sophisticated attacks on internet relay chat (IRC) servers in Australia in 2005, the federal police said.

The Belgian Federal Computer Crime unit tipped Australian authorities off to the attacks, which used remotely controlled computer networks known as botnets. The US, Singapore and Austria also were affected by the hacking attacks on Australian IRC servers.

Botnets are made up of bots, which spread by taking advantage of common vulnerabilities on unprotected computers, and can attack servers in their tens of thousands. Once on a host computer, most often a personal home machine, they lie dormant and wait for a remote command.

NSW, Victorian and Australian Federal Police, as well as the Australian High Tech Crime Centre (AHTCC), carried out the investigation.

The man was charged with using a telecommunications network with intention to commit a serious offence, which carries a maximum penalty of 10 years in prison. He will face Melbourne Magistrate's Court on Friday.

AHTCC director Kevin Zuccato said botnets had been linked to unlawful activity.

"Bots and bot networks continue to be of concern and are linked ... to a range of other malicious activity including identity theft and spam," Mr Zuccato said.
He urged people to safeguard their computers with anti-virus software and firewalls.

From isn at c4i.org Wed Mar 22 02:38:33 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 22 Mar 2006 01:38:33 -0600 (CST)
Subject: [ISN] It's raining IT security surveys
Message-ID:

http://www.techworld.com/security/features/index.cfm?FeatureID=2350

By Cara Garretson and Ellen Messmer
Network World
March 20, 2006

If it feels like you're getting bombarded with surveys about network security threats, that's because you are. Leading security vendors, looking to scare up interest in their products, pumped out more than twice as many of these surveys last year as in 2004, and this year are on an even more aggressive pace.

Such surveys have shown that 25 percent of corporate e-mail users send personal messages, that there were 2.9 million phishing attacks in February and that 65 percent of ISPs consider distributed denial-of-service (DoS) attacks a main concern. The factoids go on and on and on.

According to our informal review of 20 leading security vendors, they made public 34 such surveys last year, most of which were conducted by third parties on behalf of the vendors. In addition, the vast majority of them issued reports - some as frequently as monthly - derived from information that their products collect regarding distributed DoS attempts, spam blasts, phishing attacks and the like.

While vendors say these surveys and reports are meant to alert IT professionals to growing security threats and to help vendors determine what sorts of products customers need, in fact they're creating a thick layer of fear, uncertainty and doubt, or FUD, that helps sell products in a market that IDC says totalled US$32.6 billion last year and is headed toward $38.4 billion this year.
For example, a survey of 603 consumers conducted last October by Momentum Research Group on behalf of RSA Security showed the French are more fearful than Germans about the possibility of fraudulent access to personal information at banking sites. But when it comes to fear of identity theft, no one beats Americans; nine out of 10 have heard of it, as compared with only one in three in France and Germany.

RSA, which provides products and services for authentication and anti-phishing, says in its press release about the survey: "The key to online confidence lies at the door of the business community - meaning that it is imperative for online vendors to be seen taking appropriate measures to protect their customers' interests."

"There's always a self-serving aspect to anything a vendor releases," says Keith Crosley, director of market development with messaging security vendor Proofpoint, which does a few surveys per year. "But we really are trying to educate markets and share interesting data that helps people make really intelligent decisions about their technology investments."

It's not surprising that vendors use survey results to help sell their products, often paying tens of thousands of dollars per survey with the hopes the results will support the need for their offerings. (Those that contracted professional firms said they did so because the size and quality of each sample would be superior to what the vendor itself could come up with, and therefore produce more accurate results that would be less likely to be perceived as biased.)

But security vendors seem to be particularly fond of publicizing surveys these days, perhaps because there are very few ways to gauge just how secure a PC or network is - the FUD created by survey results sends the message that you're never secure enough.
IBM, which offers a number of hosted security services, this week released results of a survey it sponsored, conducted by Braun Research, that shows 84 percent of the 600 IT managers surveyed said they believe organized criminal groups with technical sophistication are replacing lone hackers as the main threat from the outside. But the press release describing the survey questions respondents' ability to protect themselves. According to IBM, 83 percent of respondents "boast that they have adequate safeguards in place to combat organized cybercrime." The message? You're not as secure as you think you are.

Be afraid

One security company recently attempted to quantify just how worried IT managers should be. Antimalware vendor WebSense's sixth annual Web at Work survey, conducted by Harris Interactive and released last May, revealed that "one-quarter of IT decision-makers feel that the test of protecting their company against malicious Internet security threats is more stressful than a minor car accident."

It's difficult to ignore the steady stream of magazine and newspaper headlines announcing these survey findings, Network World not excluded. Some publications, including ours, conduct their own surveys as well to gauge readers' opinions and actions regarding security.

This flood of security headlines has led some to discount many surveys as marketing material. Bill Boni, vice president and chief information security officer at Motorola, says he will pay some attention to surveys if they appear to show validated data from responsible sources.

No one expects a vendor to issue a press release touting a survey that negates the need for its product, but this selective practice underscores the requirement to consider the source.

"Surveys are one of the only benchmarks you can use to make decisions . . . you'd be foolish if you didn't at least read them," says Jim Hite, supervisor of network services and central operations with Virginia's Prince William County schools.
"But you have to consider that the manufacturer wants you to buy their product, so you have to weigh that."

If a vendor sponsors a survey that contradicts its own product plans, it's unlikely we'll ever know about it. Vericept, a small company with products focused on preventing internal threats, last December commissioned its first-ever survey, conducted by Enterprise Management Associates. The survey asked how concerned corporations are about internal threats; 74 percent said the risk of sensitive corporate information leakage because of internal personnel is moderate to very high. And so, the company publicised its findings.

"If we found people said 'internal risk is never a problem,' or that 'it will go away in six months,' then we may not have published it," says Brett Schklar, vice president of marketing with Vericept.

Decisions, decisions

Some IT managers use these surveys to help open the company purse strings to fund new security projects.

"Reluctantly, I support the points many of these surveys are making, even though some of them make you cringe," because they're so blatantly oriented toward selling products, says Michael Dean, director of IT security for the 200 K-12 schools in the Palm Beach County School District in Florida, which support a high-speed network of 50,000 computers for 175,000 students and teaching staff.

Surveys are designed to help the sponsoring vendors make decisions, too. In 2004, Proofpoint considered bringing to market an outbound e-mail compliance product. But first the company sponsored a survey conducted by Forrester Research that showed 43 percent of companies sampled used employees to scan outbound e-mail for confidentiality breaches or intellectual property leaks. Imagine the time and cost savings of automating this process. A few months later, Proofpoint released an outbound compliance product.

"The volume of response to the survey showed us there was a great deal of interest," Crosley says.
"If there was no interest in outbound e-mail compliance, we would have definitely changed our plans with respect to how quickly we created the product."

Sometimes surveys show that security threats persist despite the widespread use of preventive products. For example, ICSA Labs conducts an annual survey of 300 companies and government agencies to find out how much antivirus software they use on desktops and servers, and how many "virus disasters" they experienced over the course of the year. Every year, as in last year's 10th Annual Virus Prevalence Survey, the costs of cleaning up after a virus disaster seem to rise - last year showed a 23 percent increase over the year before to $130,000 per disaster - while companies keep buying more antivirus software.

Some companies have gone to extremes to show how badly users need their products. Last October RSA Security sent a half-dozen employees out to Central Park in New York wearing "I Love N.Y." T-shirts to see if passers-by would fall for an in-person phishing scam to get their personal information. In the guise of conducting a tourism survey, the RSA employees spent a few days handing out paper questionnaires. More than 103 people filled out the questionnaires listing their name, address, number of children, place of birth, mother's maiden name, date of birth and other information, says RSA's public relations manager, Matt Buckley. "We left out the Social Security number."

The purpose of the survey exercise was to show how easily people fall for phishing scams. "It shows that even though there are a lot of stories about phishing, you can't rely on education. You need a technology process," as a safeguard, Buckley says.

Ironically, cybercriminals are finding surveys help them, too.
A recent phishing scam masquerades as a $20 credit offer from Chase Manhattan Bank if the recipient fills out an online survey about customer satisfaction, followed by requests for personal information such as Social Security number and mother's maiden name.

© 2005 : All rights reserved

From isn at c4i.org Wed Mar 22 02:38:48 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 22 Mar 2006 01:38:48 -0600 (CST)
Subject: [ISN] Oreck cleans up after Katrina
Message-ID:

http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,109752,00.html

By Stephanie Overby
MARCH 21, 2006
CIO

Just before Hurricane Katrina made landfall last Aug. 29, Tom Oreck, CEO of vacuum manufacturing company Oreck Corp., took off from New Orleans on a plane bound for Houston with his wife, his three young children, his dog and his company's backup tapes. When he touched down, he FedExed the tapes to the company's backup data center in Boulder, Colo., and began piecing his company back together.

Oreck's headquarters are in New Orleans, and the company also has a 375,000-square-foot manufacturing plant and call center based in Long Beach on the Mississippi Gulf Coast. Though the company was back in operation 10 days after the hurricane (and now, more than six months later, has resumed normal operations), its disaster recovery plan was severely tested by the storm.

In a Q&A [1] with CIO, Oreck said he was surprised by how important communications was to a disaster recovery plan and how even cell phone systems have a fundamental design flaw -- that each call is routed through your original area code, where towers may be down.

The experience taught Tom Oreck some critical lessons about the role of IT in business continuity. First, in today's networked environment, when one IT system breaks down, they're all down, for all intents and purposes. Second, the public telecommunications system can't be counted on.
And although a good business-continuity plan is essential, recovery from a disaster depends on what Oreck calls "aggressive improvisation" by employees.

The company owes its existence to improvisation. When Oreck's father David first tried to sell his lightweight, heavy-duty vacuum cleaner in the 1960s, he had trouble marketing the product through department stores, which were the traditional channel of distribution. So the elder Oreck went straight to the consumer, turning the fledgling Oreck Corp. into a direct marketing company.

Back then, Oreck's systems consisted of a few telephones, typewriters and invoices to be filled out in triplicate. Four decades later, with estimated annual revenue of $190 million (Oreck doesn't publish its revenue), the company has 450 retail stores and an expanded product line that includes cleaning and air-purification products. And its IT needs are complex. The direct marketing side of the business lives or dies by its data. Manufacturing depends on supply chain and logistics systems. Customer service requires its call centers.

Oreck and his chief financial officer approve all major IT investments. Nevertheless, Oreck is hard-pressed to name the applications that keep the company running smoothly (aside from that expensive ERP system he recently approved). He is less interested in the systems themselves than in the business results they deliver -- or don't.

"Our business is about three things. It is about marketing. It is about controlled, aligned distribution. And it is about quality, both in the product and in customer service," says Oreck. "IT's role is to support those three things. And as we continue to develop, IT's job is to make sure that the information that's needed is in the form it's needed in, and in the location it needs to be in, for people to be able to accomplish their jobs."
[1] http://www.computerworld.com/hardwaretopics/storage/story/0,10801,109753,00.html

From isn at c4i.org Wed Mar 22 02:39:08 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 22 Mar 2006 01:39:08 -0600 (CST)
Subject: [ISN] Bringing Botnets Out of the Shadows
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/03/21/AR2006032100279.html

By Brian Krebs
washingtonpost.com Staff Writer
March 21, 2006

Nicholas Albright's first foray into some of the darkest alleys of the Internet came in November 2004, shortly after his father committed suicide.

About a month following his father's death, Albright discovered that online criminals had broken into his dad's personal computer and programmed it to serve as part of a worldwide, distributed network for storing pirated software and movies. Albright managed to get the network shuttered with a call to the company providing the Internet access the criminals were using to control it.

From that day forward, Albright poured all of his free time and pent-up anger over his father's death into assembling "Shadowserver," a group of individuals dedicated to battling large, remote-controlled herds of hacked personal PCs, also known as "botnets."

Now 27, Albright supports his wife and two children as a dispatcher for a health care company just outside of Boulder, Colo. When he is not busy fielding calls, Albright is chatting online with fellow Shadowserver members, trading intelligence on the most active and elusive botnets. Each "bot" is a computer on which the controlling hacker has installed specialized software that allows him to commandeer many of its functions. Hackers use bots to further their online schemes or as collection points for users' personal and financial information.

"I take my [handheld computer] everywhere so I can keep tabs on the botnets when I'm not at home," Albright said in a recent online chat with a washingtonpost.com reporter. "I spend at least 16 hours a day monitoring and updating."
On a Sunday afternoon in late February, Albright was lurking in an online channel that a bot herder uses to control a network of more than 1,400 hacked computers running Microsoft Windows software. The hacker controlling this botnet was seeding infected machines with "keyloggers," programs that can record whatever the victim types into online login screens or other data-entry forms.

Albright had already intercepted and dissected a copy of the computer worm that the attacker uses to seize control of computers -- an operation that yielded the user name and password the hacker uses to run the control channel. By pretending to be just another freshly hacked bot reporting for duty, Albright passively monitors what the hackers are doing with their botnets and collects information that an Internet service provider would need to get the channel shut down.

Albright spied one infected PC reporting data about the online activities of its oblivious owner -- from the detailed information flowing across the wire, it was clear that one of the infected computers belongs to a physician in Michigan.

"The botnet is running a keylogger, and I see patient data," Albright said. The mere fact that the doctor's PC was infected with a keylogger is a violation of the Health Insurance Portability and Accountability Act (HIPAA), which requires physicians to take specific security precautions to protect the integrity and confidentiality of patient data. "The police need to be notified ASAP to get that machine off the network."

A little more than an hour and a few phone calls later, the doctor's Internet service provider had disconnected the infected PC from its network and alerted the physician. Albright sent an e-mail to the FBI including all the evidence he collected about the attack, but he wasn't terribly sanguine that the feds would do anything with it.

"Anything you submit to law enforcement may help later if an investigation occurs," he said.
"Chances are, though, it will just be filed away in a database."

A Spreading Menace

Botnets are the workhorses of most online criminal enterprises today, allowing hackers to ply their trade anonymously -- sending spam, sowing infected PCs with adware from companies that pay for each installation, or hosting fraudulent e-commerce and banking Web sites.

As the profit motive for creating botnets has grown, so has the number of bot-infected PCs. David Dagon, a Ph.D. student at Georgia Tech who has spent several years charting the global spread of botnets, estimates that in the 13-month period ending in January, more than 13 million PCs around the world were infected with malicious code that turned them into bots.

Botnets typically consist of Microsoft Windows machines that belong to small-business or home-computer users who failed to secure their PCs against hackers and viruses. Their machines are typically infected when the user opens an infected e-mail attachment. While firewall and anti-virus programs can help block such attacks, online criminals are increasingly developing programs that evade detection or even disable security software.

"What I've seen from my work with Shadowserver has blown me away," said André M. Di Mino, 40, a private technology consultant from Bergen County, N.J. Di Mino teamed up with the group in October after he left a job as a chief information officer at a business-services company.

"I know many users within my former organization who felt that anti-virus and spyware scanning would save them," Di Mino said. "However, now I see how many malicious files tied to major botnets remain undetected" by the most popular anti-virus programs.

Catching Viruses With Honey

When he's not manning the deli counter at a supermarket in Liverpool, England, 20-year-old Shadowserver member Dave Andrews is usually poring over new computer virus specimens. (Unlike Andrews, the vast majority of the volunteers are located in the United States.)
Like most other members, he began fiddling with computers and programming at an early age. Four months ago, Andrews was on track to become a computer-systems engineer in the British military, but he said he was honorably discharged on account of a recurring physical injury. Most of the Shadowserver crew have backgrounds in computer security, and they are all volunteers who spend most of their free time on the project.

Andrews's virus specimens were collected by an automated software tool designed to catch new pieces of computer code that criminals use to infect PCs and turn them into bots. Shadowserver locates bot networks by deploying a series of "honeynets" -- sensors that mimic computers with known security flaws -- in an effort to lure attackers, allowing the group to capture samples of new bot programs.

Most bots spread by instructing new victims to download the attacker's control program from a specific set of Web sites. By stripping out those links, Shadowserver members can begin to build a map of the attacker's network, information which is then shared with several other botnet hunting groups, security volunteer groups, federal law enforcement, and any affected ISPs or Web site hosts.

Each unique piece of intercepted bot code is run through nearly two dozen anti-virus programs to determine if the code has already been identified by security vendors. Shadowserver submits any new or undetected specimens to the major anti-virus companies. Andrews said he is constantly surprised by the sheer number of bot programs that do not get flagged as malicious by any of the programs.

"Generally, one or two [correct identifications] is considered good, but there are hundreds of bot programs that each anti-virus program doesn't catch on their own," Andrews said.
In Andrews's experience, by far the most common reason criminals create botnets these days -- other than perhaps to sell or rent them to other criminals -- is to install online ad-serving software that earns the attacker a few pennies per install.

"The majority of these [botmasters] are hardcore users who repeat over and over, because it can earn them money by the installation of adware," he said.

A Thankless Job

Even after the Shadowserver crew has convinced an ISP to shut down a botmaster's command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker's control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.

"The botnets we've already shut down have a real possibility of popping back up again tomorrow," Albright said.

Such constant attacks and setbacks can take an emotional toll on volunteers who spend countless hours not only hunting down bot herders but in many cases notifying the individuals or institutions whose networks and systems the hackers have commandeered. This is largely a thankless job, because in most cases the victims never even respond.

David Taylor, a senior information security specialist at the University of Pennsylvania, knows all too well what botnet-hunting burnout feels like. Taylor was invited to join Albright and the Shadowserver crew following a story at washingtonpost.com detailing his conversations with a botmaster named "Diabl0." The hacker bragged about making money with his botnet through adware installations. (Diabl0 -- an 18-year-old Moroccan national named Farid Essebar -- was eventually arrested on suspicion of authoring the "Zotob" worm that infected hundreds of companies in a high-profile attack last fall.)
A few months ago, Taylor became obsessed with tracking a rather unusual botnet consisting of computers running Mac OS X and Linux operating systems. Working a week straight, Taylor located nearly all of the infected machines and had some success notifying the owners of those systems, but the Taiwanese ISP the hackers used to host their control center repeatedly ignored his requests to shutter the site.

Since that incident, Taylor has distanced himself from bot hunting -- if only, he says, to make time for other interests. These days he spends most of his spare hours doing something far less stressful -- painting.

"Bot hunting can really take over your personal life, because to do this right you really have to stay on top of it -- it can't just be something you do on the weekends," he said. "I guess it takes a special type of person to be able to sustain botnet hunting. ... I don't know anyone who pays people to do this kind of work."

Recent media attention to the Shadowserver project has generated interest among a new crop of volunteers eager to deploy honeynet sensors and contribute to the effort. Albright says he'll take all the help he can get, but he worries that the next few years will bring even more numerous and stealthy botnets.

"Even with all the sensors we have in place now, we're still catching around 20 new unknown [bot programs] per week," he said. "Once we get more sensors that number will probably double."

Albright said that while federal law enforcement has recently made concerted efforts to reach out to groups like Shadowserver in hopes of building a more effective partnership, they don't have the bodies, the technology, or the legal leeway to act directly on the information the groups provide.

"Our data can't be used to gather a warrant," Albright said. "Law enforcement has to view the traffic first hand, and they are limited on what and when they can view."

"It's going to get a lot worse in the next two years.
We need a taskforce or law enforcement agency to handle these types of intrusions ... and that needs to be all they do," Albright said. "Sadly, without more law enforcement support this will remain a chase-your-tail type game, because we won't ever really shut these networks down until the bot master goes to jail, and his drones are cleaned."

© 2006 Washingtonpost.Newsweek Interactive

From isn at c4i.org Wed Mar 22 02:39:26 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 22 Mar 2006 01:39:26 -0600 (CST)
Subject: [ISN] School district investigating illegal grade changes
Message-ID:

Forwarded from: William Knowles

http://www.palmbeachpost.com/pbccentral/content/local_news/epaper/2006/03/22/s1a_SKGRADES_0322.html

By Nirvi Shah
Palm Beach Post Staff Writer
March 22, 2006

Someone used a school district employee's computer access to change grades and possibly other confidential records that may have affected students' college applications.

The Palm Beach County School District recently sent letters to colleges and universities - they would not say how many - informing them that some of the records they received could be wrong.

Since December, school police have been investigating one or more instances in which someone altered grades without hacking into the computer system, school district spokesman Nat Harrington said. Whoever did this got to the records using the identity of someone authorized to access student records.

The school district has beefed up security to prevent breaches from the outside, Harrington said. They repel attempts to break into the network from the outside all the time. But it's harder to determine when someone who is authorized to use the district's computer network is doing something improper.

"The system is built on the basis that everyone has a certain level of clearance," he said. "With a higher level password, you can go pretty much anywhere in the system."
The computer intruder could have gotten the information by simply looking over someone's shoulder, he said.

"We don't have any indication that the person is an employee," Harrington said.

School district employees are now stuck trying to figure out exactly what was changed and fix the grades and other records so they are accurate.

Parents and students districtwide haven't been told that student records may have been viewed, Harrington said. "We'll cross that bridge when we get to the end of the investigation," he said.

When the district's investigation is finished, those responsible face serious consequences. "Once we have more information, we intend to pursue criminal charges," Harrington said.

Last year, an Inlet Grove High senior was arrested for allegedly hacking into the district's system from home at least nine times, although he wasn't accused of changing any records. In that case, a school district technician noticed the network had been hacked after former student Ryan Duncan uploaded several programs onto the network in January 2004. It turned out later that those programs would have allowed him to control computers throughout the district from his home.

Since then, Duncan has made a video on the consequences of hacking that has been shown at schools all over the district and on its TV station, Adelphia Cable Channel 19.

Harrington refused to say which schools were involved in the latest incident. However, a parent at Dreyfoos School of the Arts said the school recently created an integrity committee to prevent situations like this in the future.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Mar 22 02:39:39 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 22 Mar 2006 01:39:39 -0600 (CST)
Subject: [ISN] FBI ripped for IT upgrade costs
Message-ID:

http://news.com.com/FBI+ripped+for+IT+upgrade+costs/2100-1028_3-6052326.html

[You have to wonder how far $52,000 would go in issuing basic e-mail addresses for the NYC FBI intelligence analysts and agents? [1] - WK]

By Anne Broache
Staff Writer, CNET News.com
March 21, 2006

The FBI squandered $10.1 million on "questionable contractor costs"--including custom-made ink pens and highlighters--and another $7.6 million on missing equipment while upgrading its computer systems, government auditors reported.

Since mid-2001, the FBI has been undertaking a massive project called Trilogy, aimed at ushering its computer systems into the 21st century, and the agency has already reached $500 million in reported costs. One stage of the project--building a new infrastructure--was completed in April 2004. But work on a revamped electronic case-management software system has stalled, though the FBI said last week that it had awarded its main contract for the system, known as Sentinel, to defense tech giant Lockheed Martin. The agency expects that endeavor to cost $425 million over the next six years.

An 87-page report [2] released Monday by the Government Accountability Office faults the FBI for a number of "weaknesses" in its financial dealings with contractors, including incorrect billings for overtime hours worked, potentially inflated wages, excessive and first-class airfare costs, and other invoice anomalies.

For example, Computer Sciences Corporation (CSC), one of the FBI's subcontractors, charged the agency $456,211 for services described only as "other direct costs."
When the GAO probed the company for more information, it landed on an e-mail exchange hinting that CSC probably didn't have enough information to approve the charge but did so anyway.

Some more explicitly identified expenses also raised questions for government auditors. For instance, CACI, a subcontractor hired to do training for the project, billed the FBI for more than $50,000 to cover the cost of custom-made highlighters and pens.

The GAO faulted the FBI at length for its travel spending. According to federal regulations, all travelers reimbursed by the government must fly coach or economy class unless first-class travel is properly authorized and justified. Auditors determined that no documentation provided by the FBI or CSC could justify 19 first-class tickets, costing more than $20,000, 75 "unusually expensive" coach-class tickets, totaling more than $100,000, and other pricey fares.

The FBI was also unable to locate 1,200 pieces of equipment, including desktop and laptop computers, printers and servers, the auditors reported. In general, the agency has failed for years to keep adequate records of the gadgets it purchases, leaving the devices prone to being "lost or stolen without detection," the report charged.

Overreliance on contractors to keep tabs on equipment and other records was largely to blame for the mishaps, the auditors suggested. They recommended 27 courses of action, including more careful vetting of expenses, closer documentation of contractor charges, and revising agency policies to track equipment with a greater level of detail.

FBI representatives did not respond to requests for comment Tuesday. In its written response to the GAO, the agency said it had "accounted for" more than 1,000 of the missing or improperly documented items as of January 2006. It also said it agreed with GAO's recommendations and was committed to making improvements in its management processes.

[1] http://attrition.org/pipermail/isn/2006-March/002768.html
[2] http://www.gao.gov/new.items/d06306.pdf

From isn at c4i.org Thu Mar 23 04:48:35 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Mar 2006 03:48:35 -0600 (CST)
Subject: [ISN] Two Held for Offering Key Technology to Kazakhstan
Message-ID:

http://english.chosun.com/w21data/html/news/200603/200603220030.html

Mar. 22, 2006

The National Intelligence Service and prosecutors have uncovered a plot to leak cutting-edge mobile phone technology to Kazakhstan. It was the first major case of industrial espionage on behalf of a Central Asian country. So far, China and Taiwan have been the main destinations for purloined core technology.

Seoul District Prosecutors Office on Wednesday arrested a Samsung Electronics researcher identified as Lee (34) and an accomplice identified as Chang (also 34) on charges of stealing blueprints for Samsung's two latest mobile phones and trying to sell them to a major telecommunications firm in Kazakhstan.

Prosecutors say Lee downloaded and printed 15 pages of diagrams related to a mobile phone with built-in antenna and a cutting-edge slim phone in November last year. Lee allegedly showed the drawings to two officials with the Kazakh company who were visiting Korea, and together with Chang proposed a technology partnership.

Prosecutors said Chang drafted a contract for technology consulting services and faxed it to the Kazakh firm on Nov. 27, demanding a US$2 million fee. When the company did not respond, Chang on Dec. 16 gave another two pages of diagrams to a Kazakh living in Korea who acted as a middleman and asked him to deliver them to the firm.

Lee, who has been working with Samsung Electronics for four years, stole the blueprints to pay off debts of W100 million (US$100,000), the prosecution said. During the investigation, Lee denied the charges, telling prosecutors he was merely exploring new sources of income and work opportunities overseas.
Samsung Electronics said the attempt could have caused losses of W1.3 trillion (US$1.3 billion).

The NIS and prosecutors say industrial espionage on behalf of overseas firms is on the rise. In high-profile cases, an attempt to leak Hynix Semiconductor technology to China was foiled in July last year and another attempt to leak Samsung Electronics GSM mobile phone technology to China in November. The NIS said technology subject to attempted theft was valued at W13 trillion in 2003, rising to W35 trillion in 2005.

From isn at c4i.org Thu Mar 23 04:48:49 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Mar 2006 03:48:49 -0600 (CST)
Subject: [ISN] Apple Gets Security Lecture from Microsoft
Message-ID:

http://www.eweek.com/article2/0,1895,1941316,00.asp

By Ryan Naraine
March 22, 2006

Apple is getting a lecture on its security response process from the unlikeliest of places.

In a classic flipping of the script, a Microsoft program manager who regularly serves as the public face of the software maker's security response process rapped Apple for the way it handles security guidance to customers.

In a series of entries on his personal blog at Stepto.com, Microsoft program manager Stephen Toulouse called on the Cupertino, Calif.-based Apple to hire a security czar and revamp the way information is released when Mac OS X updates are shipped.

"Look, the only way you can tackle security issues is by getting out ahead of them and clearly communicating to your users the threat, and the clear guidance on how to be safe," Toulouse declared in a reaction to what he described as the "recent trials and tribulations of Apple in the security space."

"Here's the reality, for the next couple of years the Mac OS will experience increasing security threats and mark my words, the company will have to seek outside expertise in the form of a head of security communications in the next 12 months," Toulouse added.

He said Apple needs a person "steeped in security issues, true technical analysis, and can lead a good security team to get good guidance out there."

Toulouse's statements, which were posted on his own blog and reflected only his personal opinions, echo a growing sentiment - in and outside Redmond - that Microsoft is now the standard by which other vendors are judged when it comes to dealing with security crises.

In the aftermath of the Blaster and Slammer worm attacks, Microsoft has made significant changes to the way it fesses up to security vulnerabilities and communicates with hackers in the private research community.

Toulouse said the company certainly learned from its own problems. "A lot of the attacks Apple is experiencing today are just like the most prevalent threats on Windows: Attacks that require the user to take an action first. We've learned the lesson of getting out there fast and providing clear prescriptive guidance," he added.

In response to an Apple spokesman who was quoted in a BusinessWeek article as saying the company does not need a security figurehead because the entire Apple staff cares about security, Toulouse said: "That's a little like saying the White House shouldn't have a Department of Homeland Security because, DUH, everyone in the government cares about security!"

A separate entry on Toulouse's blog also takes issue with statements from Apple that the content in its security advisories is similar to that released by Microsoft.

"[I] went to their most recent security update documentation. I note no mitigating factors in Apple's security communication for customers to assess their risk. I note no frequently asked questions in Apple's security communication to cover what an attacker could and could not do or any other information customers might ask about. I note no workarounds in Apple's security communication for people who cannot immediately deploy the update," Toulouse declared.

"I note no deployment information for enterprises in Apple's security communication. I note no severity rating for any of the issues again so customers can assess their risk since updating can be disruptive sometimes. I note no file manifests in Apple's security information for customers to check to make sure updates are applied properly if they wish. I note no caveats in Apple's security communication in case changes made in the update cause known application compatibility issues or support issues are discovered," he added.

"I note no free support number for trouble with updates in Apple's security information in case customers need help applying the update," Toulouse countered.

He stressed that Microsoft's prepatch security alerts and subsequent security bulletins contain all that information because that's what customers demand.

When Apple was forced to re-release a security patch because of problems caused by the original update, Toulouse posted a third blog entry with another call for Apple to implement better internal security coordination and highlighted several weaknesses in the way Apple announced the patched patch.

"In the original advisory, they note that a new version is available, so that's good. But, there's no RSS feed around it. You can get an RSS feed for ALL support articles, but not just for the ones that apply to security updates. Apple does have a security announce mailing list. But it doesn't seem to cover when there are new versions available when a bug is introduced by the update," he noted.

"One might argue that you don't need those things if you are using the built-in auto-update functionality of OS X, but I would argue back that the fact there was an update to the update might mean people turn that off to test updates before deployment because of problems like this. Oh well," Toulouse declared.
From isn at c4i.org Thu Mar 23 04:49:02 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Mar 2006 03:49:02 -0600 (CST)
Subject: [ISN] Sun Grid hit by network attack
Message-ID:

http://news.com.com/Sun+Grid+hit+by+network+attack/2100-7349_3-6052968.html

By Stephen Shankland
Staff Writer, CNET News.com
March 22, 2006

Sun Microsystems' Grid, a publicly available computing service, was hit by a denial-of-service network attack on its inaugural day, the company said Wednesday.

To let people try out the Sun Grid, the company made a text-to-speech translation service publicly accessible for, for example, turning blog entries into podcasts. "It became the focus of a denial-of-service attack," Aisling MacRunnels, Sun's senior director of utility computing, said in an interview Wednesday.

In denial-of-service attacks, numerous computers--often groups of compromised PCs called botnets--simultaneously attack a target on the network. In this case, the attack took down the text-to-speech service.

Dealing with the issue was relatively easy: Sun moved the service to be within the regular Sun Grid, which requires authorization to use. "We had to defend against a bunch. There were too many coming against us, so we moved it inside," MacRunnels said.

The attacks didn't disturb the regular grid, Sun said. "There was no degradation to performance for users inside the Sun Grid," spokesman Brett Smith said.

The Sun Grid is one of several visionary ideas that the Santa Clara, Calif.-based company hopes will restore status and revenue that tapered away after the dot-com bubble burst and its own hardware and software lost much of its cachet.

The Sun Grid authorization process requires a person to agree to legal terms and export control terms, and users must share their addresses. Payment requires PayPal or another Sun-approved mechanism, and PayPal users must be verified, MacRunnels added.

"That gives us a level of knowledge about the user. They have to have a bank account on file with PayPal and a home address. Those make us feel more comfortable," MacRunnels said.

That position dovetails with one long held by Sun Chief Executive Scott McNealy. "Absolute anonymity breeds irresponsibility," he said in a 2003 interview. "Audit trails and authentication provide a much more civil society."

From isn at c4i.org Thu Mar 23 04:48:23 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Mar 2006 03:48:23 -0600 (CST)
Subject: [ISN] Symantec pulls Backup Exec patches
Message-ID:

http://www.techworld.com/security/news/index.cfm?NewsID=5621

By Matthew Broersma
Techworld
22 March 2006

Companies using Symantec's Veritas Backup Exec are facing a dilemma after Symantec warned of security flaws in the software, but pulled some of the patches due to quality issues.

Symantec warned that flaws in the Backup Exec Remote Agent could allow attackers to cause memory access violations or use up all system resources, causing the system to crash and lose backup capability.

While only moderately serious in itself, the bug could be a big problem due to the way Backup Exec is typically used, according to the SANS Institute's Internet Storm Center (ISC). "Considering that this is typically used for backups of critical data, the severity could be pretty high," wrote handler Bojan Zdrnja on the ISC website. "It's easy to imagine a scenario when you need business critical data that was supposed to be backed up yesterday, but it wasn't due to the Backup Exec crashing."

Affected versions include Backup Exec 10.x and 9.x and Backup Exec Remote Agent 10.x and 9.x for Windows Servers (RAWS).

Ordinarily, companies could solve the problem just by applying Symantec's patch. In this case, though, there are two problems: one is that some users have experienced problems with some of the patches, according to the ISC. The other is that some of the patches are no longer available, having been withdrawn by Symantec.

The company withdrew two RAWS patches, affecting different versions of Remote Agent for Windows Servers, and said in an advisory that they would be re-released "shortly". Patches for Remote Agent for Linux and Unix Servers (RALUS) are all available.

Symantec also warned of a low-risk bug in the Job Engine service, which can only be exploited under particular conditions.

From isn at c4i.org Thu Mar 23 04:49:32 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Mar 2006 03:49:32 -0600 (CST)
Subject: [ISN] International body adopts network security standard
Message-ID:

http://www.fcw.com/article92696-03-22-06-Web

By Dibya Sarkar
Mar. 22, 2006

The International Organization for Standardization (ISO) approved last month a comprehensive model that identifies critical requirements to ensure end-to-end network security.

Specifically, the global standards group formally adopted ISO/IEC 18028-2, which defines a standard security architecture and provides a systematic approach to support the planning, design and implementation of information technology networks. The standard is based on X.805, a framework Bell Labs created several years ago. The International Telecommunication Union (ITU), another standards body, adopted it before ISO.

Rati Thanawala, vice president of Bell Labs' network planning, performance and economic analysis division, said the new ISO standard provides a consistent methodology for assessing end-to-end network security. She said it also provides a common language among IT network managers, administrators, engineers and security officers to address security with the emergence of new technologies and convergence of networks.

The standard also allows government and private-sector officials to perform cost-benefit analyses and better business continuity planning, Thanawala said. "If you did have a disaster in communications, what is the impact of that?" she asked. "What is going to happen?
It's coming at a good time right now because right now is a very critical time for looking at security of communications networks."

Bell Labs created the X.805 standard to ensure end-to-end interoperability and security for communications networks. Previously, it was an area driven by implementing devices, such as firewalls, here and there rather than looking at the issue holistically. Thanawala said a working group was established about four years ago within ITU to address that issue, and it was then that Bell Labs created the X.805 architecture framework.

For example, she said, there are not an infinite number of threats in a communications network, but only five. "The five threats are how you can destroy information, corrupt information, remove information, disclose information or interrupt information," she said. "There isn't a sixth threat. Prior to taking a systemic approach to this, people thought there were an infinite number of threats to networks. But when you really get good subject-matter experts to sit down and start thinking about it, they said there are only five threats."

Similarly, Thanawala said, there are only eight dimensions of security that must be addressed to prevent the exploitation of vulnerabilities. They include privacy, availability, integrity, communications flow, confidentiality, nonrepudiation, authentication and access control.

There are three security layers - infrastructure, services and applications - and three security planes - management, control and end-user - that represent the types of activities that take place on a network.

"So, basically there are five threats, eight dimensions, three security layers and three planes, and that's a 72-cell matrix," Thanawala said. "And that is the entire way of looking at security of any communications network. It could be the Internet. It could be the enterprise system. It could be a sole operator."
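The practical use of the X.805 matrix described above is gap analysis: an inventory of controls is mapped onto the cells, and any cell no control touches is a place where one of the five threats has no countermeasure. The script below is an added example, not code from the article, Bell Labs or ISO; it builds the matrix from the eight dimensions, three layers and three planes named in the article (the 72 cells are 8 x 3 x 3, the nine layer/plane modules crossed with the dimensions, and the five threats are what each cell's dimension defends against) and runs a constructed, hypothetical control inventory through it to list uncovered cells. The control records, their field names and the "*" wildcard meaning "every layer" or "every plane" are this example's own conventions, not part of the standard.

```python
"""Gap analysis against the 72-cell X.805 / ISO/IEC 18028-2 matrix.

Added example, not the article's or the standard's own code. The 72 cells
are the 8 security dimensions crossed with the 9 modules formed by
3 layers x 3 planes; the 5 threats are listed for reference.
"""
from itertools import product
from typing import Dict, Iterable, List, Set, Tuple

# The five threats named in the article; each cell's dimension counters some of them.
THREATS = ("destruction", "corruption", "removal", "disclosure", "interruption")

# Eight security dimensions, three layers, three planes, as listed in the article.
DIMENSIONS = (
    "privacy", "availability", "integrity", "communications flow",
    "confidentiality", "nonrepudiation", "authentication", "access control",
)
LAYERS = ("infrastructure", "services", "applications")
PLANES = ("management", "control", "end-user")

Cell = Tuple[str, str, str]    # (layer, plane, dimension)
Module = Tuple[str, str]       # (layer, plane)


def build_cells() -> List[Cell]:
    """All 3 x 3 x 8 = 72 cells of the matrix, in a fixed order."""
    return list(product(LAYERS, PLANES, DIMENSIONS))


def cells_for_control(control: Dict) -> Set[Cell]:
    """Expand one control record into the cells it covers.

    A control is a dict with 'name', 'layer', 'plane' (a name or '*' meaning
    every layer/plane, this example's own convention) and 'dimensions'.
    Unknown names raise ValueError so a typo in the inventory cannot
    silently inflate the coverage figure.
    """
    layers = LAYERS if control["layer"] == "*" else (control["layer"],)
    planes = PLANES if control["plane"] == "*" else (control["plane"],)
    for layer in layers:
        if layer not in LAYERS:
            raise ValueError(f"unknown layer {layer!r} in {control['name']!r}")
    for plane in planes:
        if plane not in PLANES:
            raise ValueError(f"unknown plane {plane!r} in {control['name']!r}")
    for dim in control["dimensions"]:
        if dim not in DIMENSIONS:
            raise ValueError(f"unknown dimension {dim!r} in {control['name']!r}")
    return set(product(layers, planes, control["dimensions"]))


def covered_cells(controls: Iterable[Dict]) -> Set[Cell]:
    """Union of the cells covered by every control in the inventory."""
    covered: Set[Cell] = set()
    for control in controls:
        covered |= cells_for_control(control)
    return covered


def coverage_gaps(controls: Iterable[Dict]) -> List[Cell]:
    """Cells that no control touches, in matrix order."""
    covered = covered_cells(controls)
    return [cell for cell in build_cells() if cell not in covered]


def coverage_by_module(controls: Iterable[Dict]) -> Dict[Module, int]:
    """How many of the 8 dimensions are covered in each of the 9 modules."""
    counts: Dict[Module, int] = {(lay, pl): 0 for lay in LAYERS for pl in PLANES}
    for layer, plane, _dim in covered_cells(controls):
        counts[(layer, plane)] += 1
    return counts


# Constructed sample inventory (hypothetical controls, not from the article).
SAMPLE_CONTROLS = [
    {"name": "TLS on customer web portal", "layer": "applications",
     "plane": "end-user",
     "dimensions": ["confidentiality", "integrity", "authentication"]},
    {"name": "SSH with key auth for router management", "layer": "infrastructure",
     "plane": "management",
     "dimensions": ["confidentiality", "integrity", "authentication", "access control"]},
    {"name": "Syslog to write-once audit store", "layer": "infrastructure",
     "plane": "management", "dimensions": ["nonrepudiation"]},
    {"name": "Redundant DNS resolvers", "layer": "services",
     "plane": "control", "dimensions": ["availability"]},
    {"name": "Identity provider with MFA for staff", "layer": "*",
     "plane": "management", "dimensions": ["authentication"]},
]

if __name__ == "__main__":
    gaps = coverage_gaps(SAMPLE_CONTROLS)
    print(f"{len(gaps)} of {len(build_cells())} cells have no control")
    for module, n in sorted(coverage_by_module(SAMPLE_CONTROLS).items()):
        print(f"  {module[0]:>14} / {module[1]:<10} {n}/{len(DIMENSIONS)} dimensions covered")
```

Running the script on the constructed inventory reports 61 uncovered cells: the only module approaching completeness is infrastructure/management, and the end-user plane of the services layer has nothing at all, which is exactly the kind of blind spot the matrix is meant to expose. Strictness on unknown names matters because a misspelled dimension would otherwise drop out of the count and make coverage look better than it is.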
She said the standard is critical because communications is vital to many other infrastructures, such as banking and finance, transportation, and power.

From isn at c4i.org Thu Mar 23 04:49:18 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Mar 2006 03:49:18 -0600 (CST)
Subject: [ISN] Laptop with Hewlett-Packard employees' ID stolen
Message-ID:

http://www.mercurynews.com/mld/mercurynews/business/14162732.htm

By Nicole C. Wong
Mercury News
Mar. 22, 2006

A Fidelity Investments laptop that contained the names, addresses, Social Security numbers, birth dates, compensation and other information for 196,000 current and former Hewlett-Packard employees participating in the company-sponsored retirement plan was stolen a week ago, the two companies confirmed Wednesday.

Fidelity sent e-mails and letters overnight to the retirement plan participants notifying them of the security breach. The Boston-based financial services company, which administers HP's defined benefit pension plan and 401k retirement plan, has subsequently stepped up monitoring of its HP accounts and added more authentication measures so people must provide extra personal information to access their accounts.

``We have no indication that any of the information's been misused,'' Anne Crowley, a Fidelity spokeswoman, said Wednesday evening. ``We went back and monitored activity in accounts since the theft, and we find nothing to indicate there's any unusual or suspicious activity.''

Fidelity would not say how or where its laptop was stolen on the evening of March 15 because a local law enforcement agency is investigating the case.
But Crowley noted, ``the law enforcement agency did tell us there have been other laptop thefts in that area recently and they've largely appeared to be related to property theft, as opposed to someone setting out for data theft.''

From isn at c4i.org Thu Mar 23 04:49:44 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 23 Mar 2006 03:49:44 -0600 (CST)
Subject: [ISN] Is Your DR Plan Vulnerable to an Attack?
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,109795,00.html

Opinion by John Webster
MARCH 22, 2006
COMPUTERWORLD

Sorry, I have to do this. I have to rant. Here's what I have to get off my chest.

News item: "DHS Scores F on Cybersecurity Report Card."

Last week, a congressional oversight committee gave the U.S. Department of Homeland Security a failing grade on its annual cybersecurity report card. Congress says that when it comes to protecting the country's data infrastructure -- an entity that in itself has become critical to the continued functioning of the U.S. economy -- the DHS is a D-U-N-C-E. Appalling.

Shortly after 9/11, I published an article at SNWonline.com that stated that an aggressive and well thought-out attack on our financial information systems could be economically devastating. Furthermore, I wrote that the attacker didn't have to strike by exploding a dirty bomb or hijacking a plane. In fact, the attack could be executed without taking a single life. An attacker using electronic means could even be smart and resourceful enough to disable disaster recovery (DR) capabilities just before launching an attack.

To be sure, I didn't expect Washington to hear this particular warning because at the time, there were many more audible voices saying the same thing. But the very sad truth is that the current administration wasn't listening to them either. In fact, the DHS has been handed the cybersecurity dunce cap three years running.

The rest of us knew that Al Gore was just joking when he claimed to be the creator of cyberspace. The DHS must have taken the joke seriously because they behave like cyberspace is a place where only liberals live.

If you are an IT professional, I think it is safe to assume that the DHS doesn't get it and won't -- that it's not even interested in locking the door at night. I think that means that you, the IT professional, have to double-down on security measures. This would include scrutiny of firewalls and adding storage-based security. And, here's another thought I have in that regard: Is your DR plan vulnerable to an attack? Said another way, could an attacker disable your DR capability prior to launching an attack? In essence, does your DR plan have a DR plan?

We now live in a society in which very powerful -- and potentially harmful -- information technologies can be had at a cost of something between cheap and free. As an attacker, all you really need to add to the mix is brain power. In fact, I personally think that all it will take is one devastating cyberattacker to prove to us that bombs are obsolete.

So I ask again. Is your DR plan safe from attack?

-=-

John Webster is senior analyst and founder of research firm Data Mobility Group LLC. He is also the author of numerous articles and white papers on a wide range of topics and is the co-author of the book Inescapable Data: Harnessing the Power of Convergence (IBM Press, 2005) [1]. Webster can be reached at jwebster at datamobilitygroup.com.

[1] http://www.amazon.com/exec/obidos/ASIN/0131852159/c4iorg

From isn at c4i.org Fri Mar 24 03:40:19 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Mar 2006 02:40:19 -0600 (CST)
Subject: [ISN] Man fined $250 in first area case of Internet piracy
Message-ID:

http://rrstar.com/apps/pbcs.dll/article?AID=/20060323/NEWS0107/103230036/1011

By Chris Green
ROCKFORD REGISTER STAR
March 23, 2006

ROCKFORD - Just as pirating your neighbor's cable service to watch premium movie channels is against the law, so too is surfing the Web using someone else's wireless Internet access.

David M. Kauchak, 32, a former Machesney Park resident, is the first person in Winnebago County to be charged with remotely accessing another computer system without the owner's approval. He pleaded guilty Tuesday to the charge and was fined $250 and sentenced to one year of court supervision.

"We just want to get the word out that it is a crime. We are prosecuting it, and people need to take precautions," Assistant State's Attorney Tom Wartowski said.

Kauchak was arrested in January in Loves Park when local authorities learned he was accessing the Internet through a nonprofit agency's computer. Wartowski said a Loves Park police officer was on patrol in the wee hours of the morning when he saw Kauchak sitting in a car with a computer.

"He slowed down, took a look and saw he had a laptop in his lap. He talked to him and put it all together," Wartowski said.

In a prepared statement, Winnebago County State's Attorney Paul Logli said, "With the increasing use of wireless computer equipment, the people of Winnebago County need to know that their computer systems are at risk. They need to use encryption or what are known as firewalls to protect their data, much the same way locks protect their homes.

"Likewise, our residents need to know that it is a crime, punishable by up to a year in jail, to access someone else's computer, wireless system or Internet connection without that person's approval."
From isn at c4i.org Fri Mar 24 03:40:35 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Mar 2006 02:40:35 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-12
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-03-16 - 2006-03-23

This week : 96 advisories

========================================================================

Table of Contents:

1. Word From Secunia
2. This Week In Brief
3. This Week's Top Ten Most Read Advisories
4. Vulnerabilities Summary Listing
5. Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Secunia Research has discovered a critical vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.

While Secunia was coordinating disclosure with Microsoft, a third party also discovered this vulnerability; however, the third party chose to immediately disclose it to various public mailing lists.

Secunia then quickly issued a Highly Critical Secunia advisory regarding this to enable our customers and readers to take the appropriate actions.

Currently, no solution is available from the vendor. Please read the referenced Secunia advisory for additional details.

Reference:
http://secunia.com/SA18680

--

ISS X-Force has reported a vulnerability in Sendmail, which can be exploited by malicious people to compromise a vulnerable system.

All users are advised to update or apply available patches. Additional details can be found in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA19342

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA19218] Flash Player Unspecified Code Execution Vulnerabilities
2. [SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
3. [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
4. [SA19138] Microsoft Office Multiple Code Execution Vulnerabilities
5. [SA19269] Internet Explorer Multiple Event Handlers Denial of Service Weakness
6. [SA18963] Mac OS X File Association Meta Data Shell Script Execution
7. [SA19261] OpenOffice cURL/libcURL URL Parsing Off-By-One Vulnerability
8. [SA19277] phpMyAdmin "set_theme" Cross-Site Scripting
9. [SA19265] Novell NetWare NWFTPD Potential Denial of Service Vulnerability
10. [SA19330] Linux Kernel Buffer Overflow Vulnerabilities

========================================================================

4) Vulnerabilities Summary Listing

Windows:

[SA19288] MailEnable Webmail and POP3 Buffer Overflow Vulnerabilities
[SA19267] Mercur Messaging IMAP Service Buffer Overflow Vulnerability
[SA19292] betaparticle blog SQL Injection Vulnerabilities
[SA19286] ASPPortal "downloadid" SQL Injection Vulnerability
[SA19297] VPMi Enterprise "Request_Name_Display" Cross-Site Scripting
[SA19296] WinHKI Multiple Archive Directory Traversal Vulnerability
[SA19313] Nortel Centrex IP Client Manager Windows Privilege Escalation
[SA19284] avast! Antivirus Insecure Default File Permissions
[SA19282] PC-cillin Internet Security Insecure Default Directory Permissions
[SA19338] Baby FTP Server File Enumeration Weakness
[SA19269] Internet Explorer Multiple Event Handlers Denial of Service Weakness

UNIX/Linux:

[SA19368] Slackware update for sendmail
[SA19367] Debian update for sendmail
[SA19363] Gentoo update for sendmail
[SA19362] Red Hat update for realplayer
[SA19361] SUSE update for sendmail
[SA19360] Sun Solaris Sendmail Signal Handling Memory Corruption
[SA19356] Fedora update for sendmail
[SA19349] AIX sendmail Signal Handling Memory Corruption Vulnerability
[SA19346] Red Hat update for sendmail
[SA19345] FreeBSD update for sendmail
[SA19342] Sendmail Signal Handling Memory Corruption Vulnerability
[SA19328] Gentoo update for netscape-flash
[SA19304] Gentoo update for metamail
[SA19291] Gentoo update for peercast
[SA19276] Debian update for crossfire
[SA19366] FreeBSD IPsec Sequence Number Verification Bypass
[SA19354] KisMAC Cisco Vendor Tag SSID Parsing Buffer Overflow
[SA19344] Gentoo update for curl
[SA19335] Fedora update for curl
[SA19334] Gentoo update for pngcrush
[SA19301] Gentoo update for PEAR-Auth
[SA19287] Trustix update for gnupg
[SA19281] jabberd SASL Negotiation Denial of Service Vulnerability
[SA19279] Debian update for xine-lib
[SA19272] Debian update for vlc
[SA19271] cURL/libcURL TFTP Protocol URL Parsing Buffer Overflow
[SA19266] Debian update for ilohamail
[SA19264] Debian update for kdegraphics
[SA19262] QmailAdmin "PATH_INFO" Handling Buffer Overflow
[SA19350] Debian update for firebird2
[SA19355] Gentoo update for php
[SA19347] FreeBSD OPIE opiepasswd User Verification Vulnerability
[SA19317] HP VirtualVault Apache HTTP Request Smuggling Vulnerability
[SA19303] Gentoo update for crypt-cbc
[SA19302] Gentoo update for heimdal
[SA19300] FreeRADIUS EAP-MSCHAPv2 Authentication Bypass Vulnerability
[SA19339] Debian update for kernel-patch-vserver / util-vserver
[SA19336] Fedora update for beagle
[SA19333] util-vserver Unknown Capabilities Handling Security Issue
[SA19330] Linux Kernel Netfilter Weakness and RNDIS Buffer Overflow
[SA19323] RunIt "chpst" Multiple Groups Handling Security Issue
[SA19318] Debian update for snmptrapfmt
[SA19316] Fedora update for xorg-x11-server
[SA19311] Sun Solaris update for Xorg X Server
[SA19307] X.Org X11 User Privilege Checking Security Bypass
[SA19305] HP-UX usermod Recursive Ownership Change Security Issue
[SA19278] Beagle "beagle-status" Command Execution Vulnerability
[SA19357] Linux Kernel IPv4 "sockaddr_in.sin_zero" Information Disclosure
[SA19280] Gnome Screensaver Password Bypass Vulnerability

Other:

[SA19337] Firepass 4100 SSL VPN "s" Cross-Site Scripting Vulnerability
[SA19324] Novell NetWare NILE.NLM SSL Negotiation Vulnerabilities
[SA19319] Motorola Cellular Phones Security Dialog Spoofing Vulnerability
[SA19265] Novell NetWare NWFTPD Potential Denial of Service Vulnerability

Cross Platform:

[SA19358] RealNetworks Products Multiple Buffer Overflow Vulnerabilities
[SA19353] XHP CMS "FileManager" File Upload Vulnerability
[SA19352] vBulletin ImpEx Module "systempath" File Inclusion Vulnerability
[SA19343] FreeWPS "ImageManager" File Upload Vulnerability
[SA19320] Free Articles Directory "page" File Inclusion Vulnerability
[SA19298] KnowledgebasePublisher "dir" File Inclusion Vulnerability
[SA19285] PHP iCalendar File Inclusion and Calendar Upload Vulnerabilities
[SA19359] AnyPortal(php) "F" Directory Traversal Vulnerability
[SA19329] 1WebCalendar Multiple SQL Injection Vulnerabilities
[SA19322] gCards Multiple Vulnerabilities
[SA19315] phpWebsite "sid" Parameter SQL Injection
[SA19314] Skull-Splitter's Download Counter for Wallpapers SQL Injection
[SA19310] BEA WebLogic Server/Express Two Vulnerabilities
[SA19309] webcheck Website Content Script Insertion Vulnerability
[SA19290] OSWiki Username Script Insertion Vulnerability
[SA19289] CuteNews "archive" Disclosure of Sensitive Information Vulnerability
[SA19283] SoftBB "mail" SQL Injection Vulnerability
[SA19275] Maian Support SQL Injection Vulnerabilities
[SA19274] Maian Events Multiple SQL Injection Vulnerabilities
[SA19273] Maian Weblog Multiple SQL Injection Vulnerabilities
[SA19270] Simple PHP Blog "blog_language" Local File Inclusion
[SA19263] Streber Unspecified Script Insertion Vulnerability
[SA19351] AdMan "transactions_offset" SQL Injection Vulnerability
[SA19340] PHP Live!
"base_url" Cross-Site Scripting Vulnerability [SA19332] IBM Tivoli Business Systems Manager Cross-Site Scripting [SA19321] ExtCalendar calendar.php Cross-Site Scripting Vulnerabilities [SA19308] BEA WebLogic Portal JSR-168 Portlets Rendering Security Issue [SA19299] Invision Power Board PM Unspecified Cross-Site Scripting [SA19294] Contrexx CMS Cross-Site Scripting Vulnerability [SA19293] Woltlab Burning Board "class_db_mysql.php" Cross-Site Scripting [SA19277] phpMyAdmin "set_theme" Cross-Site Scripting [SA19268] Skull-Splitter's PHP Guestbook Cross-Site Scripting Vulnerability ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA19288] MailEnable Webmail and POP3 Buffer Overflow Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-03-20 Two vulnerabilities have been reported in MailEnable, which can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19288/ -- [SA19267] Mercur Messaging IMAP Service Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-03-17 Tim Taylor has discovered a vulnerability in Mercur Messaging 2005, which can be exploited by malicious people and by malicious users to cause a DoS (Denial of Service) or to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19267/ -- [SA19292] betaparticle blog SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-20 Mustafa Can Bjorn has reported two vulnerabilities in betaparticle blog, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/19292/ -- [SA19286] ASPPortal "downloadid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-21 nukedx has discovered a vulnerability in ASPPortal, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19286/ -- [SA19297] VPMi Enterprise "Request_Name_Display" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-21 Steven M. Christey has reported a vulnerability in VPMi Enterprise, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/19297/ -- [SA19296] WinHKI Multiple Archive Directory Traversal Vulnerability Critical: Less critical Where: From remote Impact: System access Released: 2006-03-20 Hamid Ebadi has discovered a vulnerability in WinHKI, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19296/ -- [SA19313] Nortel Centrex IP Client Manager Windows Privilege Escalation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-03-20 Nortel Networks has acknowledged some security issues in Centrex IP Client Manager, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/19313/ -- [SA19284] avast! Antivirus Insecure Default File Permissions Critical: Less critical Where: Local system Impact: Security Bypass, Manipulation of data, Privilege escalation Released: 2006-03-20 A security issue has been reported in avast! Antivirus, which can be exploited by malicious, local users to bypass certain security restrictions or gain escalated privileges. 
Full Advisory: http://secunia.com/advisories/19284/ -- [SA19282] PC-cillin Internet Security Insecure Default Directory Permissions Critical: Less critical Where: Local system Impact: Manipulation of data, Privilege escalation Released: 2006-03-22 Dominique GREGOIRE has discovered a security issue in PC-cillin Internet Security, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/19282/ -- [SA19338] Baby FTP Server File Enumeration Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2006-03-23 Ziv Kamir has discovered a weakness in Baby FTP Server, which can be exploited by malicious people to enumerate files on an affected system. Full Advisory: http://secunia.com/advisories/19338/ -- [SA19269] Internet Explorer Multiple Event Handlers Denial of Service Weakness Critical: Not critical Where: From remote Impact: DoS Released: 2006-03-20 Michal Zalewski has discovered a weakness in Internet Explorer, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19269/ UNIX/Linux:-- [SA19368] Slackware update for sendmail Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 Slackware has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19368/ -- [SA19367] Debian update for sendmail Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 Debian has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/19367/ -- [SA19363] Gentoo update for sendmail Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 Gentoo has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19363/ -- [SA19362] Red Hat update for realplayer Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 Red Hat has issued an update for RealPlayer. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19362/ -- [SA19361] SUSE update for sendmail Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 SUSE has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19361/ -- [SA19360] Sun Solaris Sendmail Signal Handling Memory Corruption Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 Sun has acknowledged a vulnerability in Solaris, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19360/ -- [SA19356] Fedora update for sendmail Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 Fedora has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19356/ -- [SA19349] AIX sendmail Signal Handling Memory Corruption Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 IBM has acknowledged a vulnerability in sendmail in AIX, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/19349/ -- [SA19346] Red Hat update for sendmail Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 Red Hat has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19346/ -- [SA19345] FreeBSD update for sendmail Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 FreeBSD has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19345/ -- [SA19342] Sendmail Signal Handling Memory Corruption Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 ISS X-Force has reported a vulnerability in Sendmail, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19342/ -- [SA19328] Gentoo update for netscape-flash Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-22 Gentoo has issued an update for netscape-flash. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19328/ -- [SA19304] Gentoo update for metamail Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-03-20 Gentoo has issued an update for metamail. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19304/ -- [SA19291] Gentoo update for peercast Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-21 Gentoo has issued an update for peercast. 
This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19291/ -- [SA19276] Debian update for crossfire Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-03-20 Debian has issued an update for crossfire. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19276/ -- [SA19366] FreeBSD IPsec Sequence Number Verification Bypass Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-03-23 A security issue has been reported in FreeBSD, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19366/ -- [SA19354] KisMAC Cisco Vendor Tag SSID Parsing Buffer Overflow Critical: Moderately critical Where: From remote Impact: System access Released: 2006-03-23 Stefan Esser has reported a vulnerability in KisMAC, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19354/ -- [SA19344] Gentoo update for curl Critical: Moderately critical Where: From remote Impact: System access Released: 2006-03-22 Gentoo has issued an update for curl. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19344/ -- [SA19335] Fedora update for curl Critical: Moderately critical Where: From remote Impact: System access Released: 2006-03-22 Fedora has issued an update for curl. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. 
Full Advisory: http://secunia.com/advisories/19335/ -- [SA19334] Gentoo update for pngcrush Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-22 Gentoo has issued an update for pngcrush. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19334/ -- [SA19301] Gentoo update for PEAR-Auth Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2006-03-20 Gentoo has issued an update for PEAR-Auth. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19301/ -- [SA19287] Trustix update for gnupg Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-03-20 Trustix has issued an update for gnupg. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19287/ -- [SA19281] jabberd SASL Negotiation Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-20 A vulnerability has been reported in jabberd, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19281/ -- [SA19279] Debian update for xine-lib Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-17 Debian has issued an update for xine-lib. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/19279/ -- [SA19272] Debian update for vlc Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-17 Debian has issued an update for vlc. 
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/19272/ -- [SA19271] cURL/libcURL TFTP Protocol URL Parsing Buffer Overflow Critical: Moderately critical Where: From remote Impact: System access Released: 2006-03-20 Ulf Harnhammar has reported a vulnerability in cURL/libcURL, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19271/ -- [SA19266] Debian update for ilohamail Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-20 Debian has issued an update for ilohamail. This fixes some vulnerabilities, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/19266/ -- [SA19264] Debian update for kdegraphics Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-03-20 Debian has issued an update for kdegraphics. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/19264/ -- [SA19262] QmailAdmin "PATH_INFO" Handling Buffer Overflow Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-03-17 A vulnerability has been reported in QmailAdmin, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19262/ -- [SA19350] Debian update for firebird2 Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2006-03-23 Debian has issued an update for firebird2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/19350/ -- [SA19355] Gentoo update for php Critical: Less critical Where: From remote Impact: Cross Site Scripting, System access Released: 2006-03-23 Gentoo has issued an update for php. This fixes a vulnerability, which can be exploited by malicious people to conduct HTTP response splitting attacks, potentially conduct cross-site scripting attacks, and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19355/ -- [SA19347] FreeBSD OPIE opiepasswd User Verification Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass, Privilege escalation Released: 2006-03-23 A vulnerability has been reported in FreeBSD, which can be exploited by malicious, local users to gain escalated privileges or by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19347/ -- [SA19317] HP VirtualVault Apache HTTP Request Smuggling Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data Released: 2006-03-21 HP has acknowledged a vulnerability in Virtualvault, which can be exploited by malicious people to conduct HTTP request smuggling attacks. Full Advisory: http://secunia.com/advisories/19317/ -- [SA19303] Gentoo update for crypt-cbc Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-03-20 Gentoo has issued an update for crypt-cbc. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19303/ -- [SA19302] Gentoo update for heimdal Critical: Less critical Where: From local network Impact: Privilege escalation Released: 2006-03-20 Gentoo has issued an update for heimdal. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. 
Full Advisory: http://secunia.com/advisories/19302/ -- [SA19300] FreeRADIUS EAP-MSCHAPv2 Authentication Bypass Vulnerability Critical: Less critical Where: From local network Impact: DoS, Security Bypass Released: 2006-03-21 A vulnerability has been reported in FreeRADIUS, which can be exploited by malicious people to cause a DoS (Denial of Service) and to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19300/ -- [SA19339] Debian update for kernel-patch-vserver / util-vserver Critical: Less critical Where: Local system Impact: Security Bypass Released: 2006-03-22 Debian has issued updates for kernel-patch-vserver and util-vserver. This fixes two security issues, which can be exploited by malicious programs to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19339/ -- [SA19336] Fedora update for beagle Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-03-22 Fedora has issued an update for beagle. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/19336/ -- [SA19333] util-vserver Unknown Capabilities Handling Security Issue Critical: Less critical Where: Local system Impact: Security Bypass Released: 2006-03-22 A security issue has been reported in util-vserver, which potentially can be exploited by malicious programs to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19333/ -- [SA19330] Linux Kernel Netfilter Weakness and RNDIS Buffer Overflow Critical: Less critical Where: Local system Impact: Unknown Released: 2006-03-22 A weakness and a vulnerability have been reported in the Linux Kernel, which have unknown impacts. 
Full Advisory: http://secunia.com/advisories/19330/ -- [SA19323] RunIt "chpst" Multiple Groups Handling Security Issue Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-03-22 Tino Keitel has reported a security issue in RunIt, which potentially can cause a process to run with escalated group privileges. Full Advisory: http://secunia.com/advisories/19323/ -- [SA19318] Debian update for snmptrapfmt Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-03-22 Debian has issued an update for snmptrapfmt. This fixes a vulnerability, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/19318/ -- [SA19316] Fedora update for xorg-x11-server Critical: Less critical Where: Local system Impact: Security Bypass Released: 2006-03-21 Fedora has issued an update for xorg-x11-server. This fixes a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19316/ -- [SA19311] Sun Solaris update for Xorg X Server Critical: Less critical Where: Local system Impact: Security Bypass Released: 2006-03-21 Sun has issued an update for Xorg X Server. This fixes a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19311/ -- [SA19307] X.Org X11 User Privilege Checking Security Bypass Critical: Less critical Where: Local system Impact: Security Bypass Released: 2006-03-21 A vulnerability has been reported in X11, which can be exploited by malicious, local users to bypass certain security restrictions. 
Full Advisory: http://secunia.com/advisories/19307/ -- [SA19305] HP-UX usermod Recursive Ownership Change Security Issue Critical: Less critical Where: Local system Impact: Security Bypass Released: 2006-03-20 A security issue has been reported in HP-UX, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19305/ -- [SA19278] Beagle "beagle-status" Command Execution Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-03-17 James McCaw has discovered a vulnerability in Beagle, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. Full Advisory: http://secunia.com/advisories/19278/ -- [SA19357] Linux Kernel IPv4 "sockaddr_in.sin_zero" Information Disclosure Critical: Not critical Where: Local system Impact: Exposure of sensitive information Released: 2006-03-23 Pavel Kankovsky has reported a weakness in the Linux kernel, which can be exploited by malicious, local users to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/19357/ -- [SA19280] Gnome Screensaver Password Bypass Vulnerability Critical: Not critical Where: Local system Impact: Security Bypass Released: 2006-03-20 Sam Morris has reported a vulnerability in gnome-screensaver, which can be exploited by a malicious person with physical access to a system to bypass the password protected screensaver. Full Advisory: http://secunia.com/advisories/19280/ Other:-- [SA19337] Firepass 4100 SSL VPN "s" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-22 ILION Research Labs has reported a vulnerability in Firepass 4100 SSL VPN, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/19337/ -- [SA19324] Novell NetWare NILE.NLM SSL Negotiation Vulnerabilities Critical: Less critical Where: From remote Impact: Security Bypass Released: 2006-03-22 Some vulnerabilities have been reported in Novell NetWare / Open Enterprise Server, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/19324/ -- [SA19319] Motorola Cellular Phones Security Dialog Spoofing Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass, Spoofing, Exposure of sensitive information Released: 2006-03-22 Kevin Finisterre has reported a vulnerability in Motorola PEBL U6 and Motorola V600, which can be exploited by malicious people to trick users into accepting certain security dialogs. Full Advisory: http://secunia.com/advisories/19319/ -- [SA19265] Novell NetWare NWFTPD Potential Denial of Service Vulnerability Critical: Less critical Where: From remote Impact: DoS Released: 2006-03-17 A vulnerability has been reported in NetWare, which potentially can be exploited by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19265/ Cross Platform:-- [SA19358] RealNetworks Products Multiple Buffer Overflow Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 Some vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19358/ -- [SA19353] XHP CMS "FileManager" File Upload Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 rgod has discovered a vulnerability in XHP CMS, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/19353/ -- [SA19352] vBulletin ImpEx Module "systempath" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-23 ReZEN has reported a vulnerability in the ImpEx module for vBulletin, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19352/ -- [SA19343] FreeWPS "ImageManager" File Upload Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-22 alexander wilhelm has discovered a vulnerability in FreeWPS, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19343/ -- [SA19320] Free Articles Directory "page" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-22 Botan has discovered a vulnerability in Free Articles Directory, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19320/ -- [SA19298] KnowledgebasePublisher "dir" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-03-21 uid0 has reported a vulnerability in KnowledgebasePublisher, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19298/ -- [SA19285] PHP iCalendar File Inclusion and Calendar Upload Vulnerabilities Critical: Highly critical Where: From remote Impact: Exposure of sensitive information, System access Released: 2006-03-21 rgod has discovered two vulnerabilities in PHP iCalendar, which can be exploited by malicious people to disclose potentially sensitive information and to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/19285/ -- [SA19359] AnyPortal(php) "F" Directory Traversal Vulnerability Critical: Moderately critical Where: From remote Impact: System access, Exposure of sensitive information, Manipulation of data Released: 2006-03-23 Nuno Justo has discovered a vulnerability in AnyPortal(php), which can be exploited by malicious users to disclose and manipulate sensitive information, and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19359/ -- [SA19329] 1WebCalendar Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-22 r0t has discovered some vulnerabilities in 1WebCalendar, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19329/ -- [SA19322] gCards Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information Released: 2006-03-21 rgod has discovered multiple vulnerabilities in gcards, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, and conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19322/ -- [SA19315] phpWebsite "sid" Parameter SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-22 DaBDouB-MoSiKaR has discovered a vulnerability in phpWebsite, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/19315/ -- [SA19314] Skull-Splitter's Download Counter for Wallpapers SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-03-20 Aliaksandr Hartsuyeu has reported some vulnerabilities in Download Counter for Wallpapers, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/19314/ -- [SA19310] BEA WebLogic Server/Express Two Vulnerabilities Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, DoS Released: 2006-03-21 Two vulnerabilities have been reported in WebLogic Server / Express, which can be exploited by malicious people to disclose potentially sensitive information and to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/19310/ -- [SA19309] webcheck Website Content Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-23 A vulnerability has been reported in webcheck, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/19309/ -- [SA19290] OSWiki Username Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2006-03-22 A vulnerability has been reported in OSWiki, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/19290/ -- [SA19289] CuteNews "archive" Disclosure of Sensitive Information Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2006-03-20 Hamid Ebadi has discovered a vulnerability in CuteNews, which can be exploited by malicious people to disclose sensitive information. 
Full Advisory: http://secunia.com/advisories/19289/

--

[SA19283] SoftBB "mail" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-20

A vulnerability has been discovered in SoftBB, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19283/

--

[SA19275] Maian Support SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-03-17

Aliaksandr Hartsuyeu has reported two vulnerabilities in Maian Support, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19275/

--

[SA19274] Maian Events Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-17

Aliaksandr Hartsuyeu has discovered multiple vulnerabilities in Maian Events, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19274/

--

[SA19273] Maian Weblog Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-17

Aliaksandr Hartsuyeu has discovered multiple vulnerabilities in Maian Weblog, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19273/

--

[SA19270] Simple PHP Blog "blog_language" Local File Inclusion
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-03-20

rgod has discovered a security issue in Simple PHP Blog, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/19270/

--

[SA19263] Streber Unspecified Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-20

A vulnerability has been reported in Streber, which potentially can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/19263/

--

[SA19351] AdMan "transactions_offset" SQL Injection Vulnerability
Critical: Less critical
Where: From remote
Impact: Manipulation of data, Exposure of system information
Released: 2006-03-23

r0t has reported a vulnerability in AdMan, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19351/

--

[SA19340] PHP Live! "base_url" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-23

K-sPecial has reported a vulnerability in PHP Live!, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19340/

--

[SA19332] IBM Tivoli Business Systems Manager Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-23

A vulnerability has been reported in IBM Tivoli Business Systems Manager, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19332/

--

[SA19321] ExtCalendar calendar.php Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-21

Soot has discovered some vulnerabilities in ExtCalendar, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19321/

--

[SA19308] BEA WebLogic Portal JSR-168 Portlets Rendering Security Issue
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-03-21

A security issue has been reported in WebLogic Portal, which can be exploited by malicious users to disclose potentially sensitive information.

Full Advisory: http://secunia.com/advisories/19308/

--

[SA19299] Invision Power Board PM Unspecified Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-22

A vulnerability has been reported in Invision Power Board, which potentially can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19299/

--

[SA19294] Contrexx CMS Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-21

Soot has discovered a vulnerability in Contrexx CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19294/

--

[SA19293] Woltlab Burning Board "class_db_mysql.php" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-20

r57shell has reported a vulnerability in Burning Board and Burning Board Lite, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19293/

--

[SA19277] phpMyAdmin "set_theme" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-17

A vulnerability has been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19277/

--

[SA19268] Skull-Splitter's PHP Guestbook Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-17

Aliaksandr Hartsuyeu has discovered a vulnerability in Skull-Splitter's PHP Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19268/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Mar 24 03:40:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Mar 2006 02:40:56 -0600 (CST)
Subject: [ISN] ITL Bulletin for March 2006
Message-ID:

Forwarded from: Elizabeth Lennon

MINIMUM SECURITY REQUIREMENTS FOR FEDERAL INFORMATION AND INFORMATION SYSTEMS: FEDERAL INFORMATION PROCESSING STANDARD (FIPS) 200 APPROVED BY THE SECRETARY OF COMMERCE

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

The Secretary of Commerce, Carlos M. Gutierrez, has approved a new Federal Information Processing Standard (FIPS) to improve the security of government information and information systems.
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, which was approved on March 9, 2006, assists federal agencies in conducting effective information security programs and in meeting the requirements of the Federal Information Security Management Act (FISMA) of 2002.

FISMA requires all federal agencies to develop, document, and implement agency-wide information security programs and to provide information security for the information and information systems that support the operations and assets of the agency, including those systems provided or managed by another agency, contractor, or other source. To help agencies carry out these policies, FISMA called for NIST to develop federal standards for the security categorization of federal information and information systems according to risk levels, and for minimum security requirements for information and information systems in each security category.

FIPS 199, Standards for the Security Categorization of Federal Information and Information Systems, issued in February 2004, was the first standard that was specified by FISMA. FIPS 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability.

FIPS 200, which is the second standard that was specified by FISMA, is an integral part of the risk management framework that NIST has developed to assist federal agencies in providing appropriate levels of information security based on levels of risk. In applying the provisions of FIPS 200, agencies will categorize their systems as required by FIPS 199, and then select an appropriate set of security controls from NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, to satisfy their minimum security requirements.
Security controls are the management, operational and technical safeguards and countermeasures needed to protect the confidentiality, integrity, and availability of a computer system and its information. Management safeguards range from risk assessments to security planning. Operational safeguards include factors such as personnel security and basic hardware/software maintenance. Technical safeguards include items such as audit trails and communications protection.

Applicability of FIPS 200

FIPS 200 is applicable to:

* all information within the federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and

* all federal information systems other than those information systems designated as national security systems as defined in 44 US Code Section 3542(b)(2).

FIPS 200 was broadly developed from a technical perspective to complement similar standards for national security systems. In addition to the agencies of the federal government, state, local, and tribal governments and private sector organizations that compose the critical infrastructure of the United States are encouraged to consider the use of the standard.

Using FIPS 200

In applying FIPS 200, federal agencies must first categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. A low-impact system is an information system in which all three of the security objectives for confidentiality, integrity, and availability are low.
A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. A high-impact system is an information system in which at least one security objective is high. This determination of information system impact levels must be accomplished prior to the consideration of minimum security requirements and the selection of appropriate security controls for those information systems.

Specifying Minimum Security Requirements

FIPS 200 specifies minimum security requirements for federal information and information systems in seventeen security-related areas that represent a broad-based, balanced information security program. The seventeen security-related areas encompass the management, operational, and technical aspects of protecting federal information and information systems, and include the following:

* Access control: limiting information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems), and to types of transactions and functions that authorized users are permitted to exercise.

* Audit and accountability: creating, protecting, and retaining information system audit records that are needed for the monitoring, analysis, investigation, and reporting of unlawful, unauthorized or inappropriate information system activity, and ensuring that the actions of individual users can be traced so that the individual users can be held accountable for their actions.

* Awareness and training: ensuring that managers and users of information systems are made aware of the security risks associated with their activities and of applicable laws, policies, and procedures related to security, and ensuring that personnel are trained to carry out their assigned information security-related duties.

* Certification, accreditation, and security assessments: assessing security controls for effectiveness, implementing plans to correct deficiencies and to reduce vulnerabilities, authorizing the operation of information systems and system connections, and monitoring system security controls.

* Configuration management: establishing baseline configurations and inventories of systems, enforcing security configuration settings for products, and monitoring and controlling changes to baseline configurations and to components of systems throughout their system development life cycles.

* Contingency planning: establishing and implementing plans for emergency response, backup operations, and post-disaster recovery of information systems.

* Identification and authentication: identifying and authenticating the identities of users, processes, or devices that require access to information systems.

* Incident response: establishing operational incident handling capabilities for information systems, and tracking, documenting, and reporting incidents to appropriate officials.

* Maintenance: performing periodic and timely maintenance of systems, and providing effective controls on the tools, techniques, mechanisms, and personnel that perform system maintenance.

* Media protection: protecting information in printed form or on digital media, limiting access to information to authorized users, and sanitizing or destroying digital media before disposal or reuse.

* Personnel security: ensuring that individuals in positions of authority are trustworthy and meet security criteria, ensuring that information and information systems are protected during personnel actions, and employing formal sanctions for personnel failing to comply with security policies and procedures.

* Physical and environmental protection: limiting physical access to systems and to equipment to authorized individuals, protecting the physical plant and support infrastructure for systems, providing supporting utilities for systems, protecting systems against environmental hazards, and providing environmental controls in facilities that contain systems.

* Planning: developing, documenting, updating, and implementing security plans for systems.

* Risk assessment: assessing the risk to organizational operations, assets, and individuals resulting from the operation of information systems, and the processing, storage, or transmission of information.

* Systems and services acquisition: allocating resources to protect systems, employing system development life cycle processes, employing software usage and installation restrictions, and ensuring that third-party providers employ adequate security measures to protect outsourced information, applications, or services.

* System and communications protection: monitoring, controlling and protecting communications at external and internal boundaries of information systems, and employing architectural designs, software development techniques, and systems engineering principles to promote effective security.

* System and information integrity: identifying, reporting, and correcting information and system flaws in a timely manner, providing protection from malicious code, and monitoring system security alerts and advisories.

Selection of Security Controls

Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements that are described in SP 800-53, Recommended Security Controls for Federal Information Systems. This publication was originally issued in February 2005 and was updated through June 2005. To keep the security controls discussed in the publication up to date with current practices, NIST conducts an annual review and update process.
The purpose of the annual review is to ensure that the security controls listed in the control catalog and the specified minimum security controls represent the current state of the practice in safeguards and countermeasures for information systems. In March 2006, NIST announced that it had revised SP 800-53 and made it available for public review and comment as Draft SP 800-53, Revision 1, Recommended Security Controls for Federal Information Systems. During the year after the original publication of SP 800-53, NIST received many thoughtful comments about the format, structure, and content of the publication. The revision reflects customer experience gained from employing the security controls and security control baselines, changing security requirements within organizations, and new technologies that are available for information security.

FIPS 200 and its supporting publication SP 800-53 establish conditions to enable organizations to be flexible in tailoring their security control baselines. Agencies may, for example, apply appropriate scoping guidance, taking into consideration the issues related to the specific technologies employed by the agency, the common security controls employed, requirements for public access to information systems, specific physical conditions, the size and complexity of systems, and the risks involved. Guidance is provided on how to assess these considerations in implementing agency security controls. SP 800-53 also provides guidance on the use of compensating security controls that may be employed by an organization in lieu of the prescribed controls in the low, moderate, or high security control baselines. Other areas of flexibility for agencies include defining selected portions of the controls to support organization-unique requirements or objectives, and supplementing the security control baselines with additional controls that may be needed.
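The categorize-then-select-then-tailor procedure the bulletin describes, as an added worked example in Python; it is not part of the bulletin and not NIST's code. The impact rule (low only when all three objectives are low, high when any objective is high, moderate otherwise) is the FIPS 200 rule quoted above; computing each objective as the highest value across the information types a system handles is the FIPS 199 aggregation rule, applied here in the general multi-information-type case rather than the single system the text discusses. The control identifiers in BASELINES are a constructed excerpt that reuses real SP 800-53 family prefixes (AC, AU, IA, IR, SC) but is not the published baseline allocation; the sample information types, tailoring decisions and the compensating control name are hypothetical.

```python
"""FIPS 199 categorization, FIPS 200 impact level and SP 800-53 baseline
selection with tailoring. Added illustration; not NIST's code."""
from enum import IntEnum
from typing import Dict, Iterable, List, Mapping, Set, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types: Iterable[Mapping[str, Impact]]) -> Dict[str, Impact]:
    """FIPS 199 security category of a system: for each objective, the highest
    impact across every information type the system stores, processes or
    transmits. A system with no information types defaults to low."""
    category = {o: Impact.LOW for o in OBJECTIVES}
    for info_type in info_types:
        for o in OBJECTIVES:
            category[o] = max(category[o], Impact(info_type[o]))
    return category


def system_impact_level(category: Mapping[str, Impact]) -> Impact:
    """FIPS 200 impact level: LOW only if all three objectives are low, HIGH if
    any objective is high, MODERATE otherwise. With ordered values that is the
    maximum over the three objectives."""
    return max(Impact(category[o]) for o in OBJECTIVES)


# Constructed excerpt of the low/moderate/high baselines. The family prefixes
# (AC, AU, IA, IR, SC) are real SP 800-53 families, but this hand-picked
# allocation is NOT the published baseline; it only gives tailor() input.
BASELINES: Dict[Impact, Set[str]] = {
    Impact.LOW: {"AC-2", "AC-3", "AU-2", "IA-2", "IR-4", "SC-7"},
    Impact.MODERATE: {"AC-2", "AC-2(1)", "AC-3", "AU-2", "AU-6", "IA-2",
                      "IA-2(1)", "IR-4", "SC-7", "SC-8"},
    Impact.HIGH: {"AC-2", "AC-2(1)", "AC-2(2)", "AC-3", "AU-2", "AU-6", "IA-2",
                  "IA-2(1)", "IR-4", "IR-4(1)", "SC-7", "SC-8", "SC-8(1)"},
}


def tailor(baseline: Set[str],
           scoped_out: Mapping[str, str],
           compensating: Mapping[str, Tuple[str, str]],
           supplements: Mapping[str, str]) -> Tuple[Set[str], List[str]]:
    """Apply the three tailoring moves the bulletin names (scoping, compensating
    controls, supplementation) and return the final control set plus an audit
    trail. A baseline control may only be dropped or replaced with a written
    rationale; an undocumented departure is refused rather than silently kept."""
    controls = set(baseline)
    trail: List[str] = []
    for ctl, why in scoped_out.items():
        if ctl not in controls:
            raise ValueError(f"{ctl} is not in the baseline; nothing to scope out")
        if not why.strip():
            raise ValueError(f"scoping out {ctl} requires a documented rationale")
        controls.remove(ctl)
        trail.append(f"scoped out {ctl}: {why}")
    for ctl, (replacement, why) in compensating.items():
        if ctl not in controls:
            raise ValueError(f"{ctl} is not in the baseline; nothing to compensate")
        if not why.strip():
            raise ValueError(f"compensating for {ctl} requires a documented rationale")
        controls.remove(ctl)
        controls.add(replacement)
        trail.append(f"{replacement} in lieu of {ctl}: {why}")
    for ctl, why in supplements.items():
        controls.add(ctl)
        trail.append(f"added {ctl}: {why}")
    return controls, trail


# Constructed input: a claims system handling two information types whose
# impact values are invented for this example.
EXAMPLE_INFO_TYPES = [
    {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    {"confidentiality": Impact.LOW, "integrity": Impact.HIGH, "availability": Impact.LOW},
]


def example_plan() -> Dict[str, object]:
    """Full pipeline on the constructed input; the tailoring decisions and the
    compensating control name are hypothetical."""
    category = categorize_system(EXAMPLE_INFO_TYPES)
    level = system_impact_level(category)
    controls, trail = tailor(
        BASELINES[level],
        scoped_out={"SC-8(1)": "system has no external transmission path"},
        compensating={"AC-2(1)": ("AC-2 manual quarterly review",
                                  "no automated account management tooling")},
        supplements={"AU-6(1)": "agency policy requires automated log review"},
    )
    return {"category": category, "level": level, "controls": controls, "trail": trail}


if __name__ == "__main__":
    plan = example_plan()
    print(plan["category"], plan["level"].name)
    for line in plan["trail"]:
        print(" -", line)
```

Two design points worth noting. Because a single high-impact information type drives the whole system to the high baseline, the aggregation step is where most categorization disputes happen in practice, so it is kept separate from the level computation and its inputs are returned for review. And tailor() refuses any scoped-out or compensated control that lacks a rationale, since an assessor checking a system against its baseline will ask about exactly those departures first.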
Other Guidance Supporting the Implementation of FIPS 199 and FIPS 200

NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, assists organizations in developing security plans that summarize the security requirements for each information system, and the security controls in place or planned for meeting the requirements. The publication relates the security planning processes that agencies should employ to the requirements of FIPS 199 and FIPS 200.

NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, is being revised to be consistent with NIST SP 800-53, Recommended Security Controls for Federal Information Systems. The revision will add information about FIPS 199, compensating controls, common controls, SP 800-53 and SP 800-53A, and agency security program-level assessments (including a program-level questionnaire). The system-level questionnaire will be used as a reporting form for the seventeen security-related areas that are listed above.

NIST SP 800-30, Risk Management Guide for Information Technology Systems, provides guidance to organizations in identifying the risks to their information systems, assessing the risks, and taking steps to reduce the risks to an acceptable level. The risk management process enables organizations to protect the information systems that store, process, and transmit organizational information, to make well-informed risk management decisions, and to apply system authorization and accreditation processes.

NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, provides guidance for the security certification and accreditation of information systems. Security certification and accreditation are important activities that support a risk management process, and are essential to an organization's information security program.
Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Security certification, which supports the accreditation process, is a comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system.

NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, assists federal agencies in identifying information types and information systems and assigning impact levels for confidentiality, integrity, and availability. The impact levels are based on the security categorization definitions in FIPS 199 and are included in two volumes. Volume I of SP 800-60 provides guidelines for identifying impact levels by type and suggests impact levels for administrative and support information common to multiple agencies. Volume II includes the rationale for information type and impact level recommendations and examples of recommendations for agency-specific, mission-related information.

Other publications, directives, and policies that support compliance with FISMA are available from the FISMA Implementation Project website listed below.

Schedule for Implementation of FIPS 200

FIPS 200 is effective immediately, and agencies are expected to be in compliance within one year. Agencies will have one year to implement the security controls included in SP 800-53 after the current review period has been completed, and the publication has been issued in final form. However, agencies are encouraged to initiate compliance activities immediately.
For More Information

Information about the FISMA Implementation Project, including references, contacts, and information about upcoming conferences and workshops, is available on the NIST website: http://csrc.nist.gov/sec-cert.

FIPS 199 and FIPS 200 are available on the NIST website http://csrc.nist.gov/publications/fips/index.html.

NIST Special Publications are available on the NIST website http://csrc.nist.gov/publications/nistpubs/index.html.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378

From isn at c4i.org Fri Mar 24 03:40:08 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Mar 2006 02:40:08 -0600 (CST)
Subject: [ISN] Whistleblower Says FBI E-Mail Flap Overblown
Message-ID:

http://www.ecommercetimes.com/story/X6PjYfzs2xLwfq/Whistleblower-Says-FBI-E-Mail-Flap-Overblown.xhtml

By John P. Mello Jr.
www.TechNewsWorld.com
Part of the ECT News Network
03/23/06

Concern that a dearth of external e-mail accounts at the FBI will affect the agency's ability to fight crime and terrorism is "overblown," according to Coleen Rowley.
Rowley is a former principal legal advisor with the bureau known for blowing the whistle on oversights it made prior to the World Trade Center attacks on Sept. 11, 2001.

"Trying to tie this in with terrorism is a little overblown because you can't communicate that kind of information over a non-secured system that goes outside the FBI anyway," Rowley, who is now running for a Congressional seat in Minnesota, told TechNewsWorld.

Alarms over the FBI's external e-mail situation were raised this week in the New York media when the head of the bureau's office in the Big Apple, Mark Mershon, reportedly told members of the Daily News editorial board: "As ridiculous as this might sound, we have real money issues right now, and the government is reluctant to give all agents and analysts dot-gov accounts.

"We just don't have the money, and that is an endless stream of complaints that come from the field."

New Sentinel

Ironically, Mershon's remarks were made just seven days after it was reported that the FBI plans to spend US$500 million to upgrade technology at the bureau. The upgrade is part of the bureau's efforts to resurrect its Virtual Case File (VCF) system. After spending $170 million on that system, the agency had to scrap it last year because it was obsolete and riddled with problems. The first contract for the new system, dubbed Sentinel, is expected to be awarded in April.

National Shortage

Although everyone in the bureau has access to internal e-mail and some have access to a law-enforcement intranet called LEO (Law Enforcement Online), there appears to be a shortage of external accounts nationwide.

"Currently, over half of all FBI employees have a non-classified e-mail account," Cathy Milhoan, a spokesperson in the bureau's Washington, D.C. headquarters, told TechNewsWorld. Jim Margolin, a spokesperson in the FBI's New York City office, told TechNewsWorld that 80 percent of the 2000 employees in that office have external e-mail accounts.
Milhoan noted, however, that by the end of the year, external accounts will be available to all 30,000 FBI employees nationwide.

Doesn't Impair Performance

She attributed the current shortage of external e-mail accounts to the termination a year ago of a contract with AT&T (NYSE: T). "Their servers were compromised so we discontinued the old fbi-dot-gov account," she explained. She said that the new external e-mail system runs on FBI servers and its accounts have the designation ic-dot-fbi-dot-gov.

Asked if the unavailability of an external e-mail account impairs an agent's ability to perform their duties in any way, Milhoan declared, "Absolutely not."

Drop A Dime

Rowley added, "When you're working in the FBI, most of your communication is internal.

"Most people who see something happening and think it's imperative to get the information to the FBI would not e-mail it," she contended. "They would probably pick up the phone and call.

"If you're working on any matter involving terrorism or counter intelligence, you can't be e-mailing any of that outside the FBI anyway," she observed.

Shortfalls Not New

Rowley maintained that the FBI's New York office has always been chronically plagued with resource shortfalls. "The New York office, because it has the largest number of agents and personnel in the FBI, was always disadvantaged in terms of resources," she said.

Today the shortfall is in e-mail accounts; when she served in the New York office in the 1980s, it was automobiles. "We were driving real clunkers back in the '80s," she recalled. "Some of the cars we were driving were demolition derby models."

From isn at c4i.org Fri Mar 24 03:41:08 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Mar 2006 02:41:08 -0600 (CST)
Subject: [ISN] HHS rebuts GAO's security assessment
Message-ID:

http://govhealthit.com/article92719-03-23-06-Web

By Nancy Ferris
Mar. 23, 2006

The Department of Health and Human Services and the Government Accountability Office are at odds over a GAO report [1] that describes HHS' information systems as vulnerable to hackers, identity thieves and privacy breaches. The report states that sensitive Medicare records could be lost or stolen because of numerous information security flaws. But the department's official response, sent by Inspector General Daniel Levinson, brags about HHS' progress, denies that the flaws are significant and states that GAO based its conclusions on outdated reports.

The 46-page GAO report, requested by Sen. Charles Grassley (R-Iowa), chairman of the Senate Finance Committee, states that "significant weaknesses in information security controls at HHS and at [HHS' Centers for Medicare and Medicaid Services] in particular put at risk the confidentiality, integrity and availability of their sensitive information and information systems."

Grassley issued a statement saying that "instead of firewalls to safeguard sensitive data, we have Swiss cheese. These agencies have to once and for all implement their data protection programs and put the security back into information security."

To prepare the report, GAO investigators reviewed reports issued in 2004 and 2005 by Levinson's office and outside auditors. But HHS responded that the auditors omitted a 2005 IG report showing the department had made substantial progress.

"The frequent use of the word 'significant' to describe control weaknesses documented throughout this GAO assessment evokes a negative connotation that is not reflective of the progress or current state of HHS' information security program," according to the HHS response. "HHS is proud of its information security program and the progress it has made over the last fiscal year," the response adds.
The GAO report cites deficiencies in almost every aspect of information security at HHS, including firewalls, intrusion-detection systems, security policies, training and passwords. Many of its criticisms are leveled at the contractors that process Medicare claims for CMS. For example, it says five of the contractors had no intrusion-detection systems in place. CMS is reducing the number of Medicare claims processing contractors and data centers, partly to improve controls and data security.

But HHS did not escape criticism. In one case, an HHS agency used router and firewall logs for troubleshooting instead of for intrusion detection, the report states.

The report called on HHS to implement a departmentwide information security program, in accordance with the Federal Information Security Management Act. HHS said that implementation is well under way.

[1] http://www.gao.gov/new.items/d06267.pdf

From isn at c4i.org Fri Mar 24 03:41:19 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Mar 2006 02:41:19 -0600 (CST)
Subject: [ISN] 40,000 BP workers exposed in Ernst & Young laptop loss
Message-ID:

http://www.theregister.co.uk/2006/03/23/ey_bp_laptop/

By Ashlee Vance in Mountain View
23rd March 2006

Exclusive - Like sands through the hourglass, these are The Days of Ernst & Young laptop loss. Yes, friends, The Register can confirm that BP has been added to the list of Ernst & Young customers whose personal data has been exposed after a laptop theft. BP joins Sun Microsystems, Cisco and IBM in this not so exclusive club.

Ernst & Young has sent out a letter to all 38,000 BP employees in the US, telling them that a laptop theft had exposed their names and social security numbers. To keep the BP staff's mind at ease, Ernst & Young said that the file name containing their info did not indicate what type of information was on the laptop, and the laptop was password protected. Phew!
Ernst & Young confirmed that this is the very same laptop that held data on the Sun, Cisco and IBM workers. All of these data losses were revealed by us in a set of exclusive stories. Ernst & Young also recently lost four more laptops in Miami, although it has not said which customers were affected in those incidents.

Oddly, the Ernst & Young saga has gone untouched by other media outlets. That's somewhat surprising given the vigor with which security reporters chased down our initial confirmation yesterday that a Fidelity Investments laptop loss had exposed the personal information of 200,000 HP employees.

Ernst & Young continues to maintain a code of silence around the laptop thefts, saying only that the BP/Sun/IBM/Cisco machine was password protected. This speak no evil policy has resulted in a string of stories as Ernst & Young customers are told one by one about the theft.

It's difficult to obtain an exact figure on how many people have been affected by Ernst & Young's security lapse given that it won't say anything on the subject. We do, however, know that the IBM data breach exposed all current and former employees who have worked overseas at some point in their career. So, we're likely talking well over 100,000 people in that one incident.

You have to wonder how long these thefts can continue before the financial services companies start explaining why key customer data was sitting on laptops and why workers felt it okay to leave these laptops in their cars or in conference rooms. The lack of action on their part will no doubt encourage legislators to step in at some point. Keep your letters coming.

From isn at c4i.org Fri Mar 24 03:41:33 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 24 Mar 2006 02:41:33 -0600 (CST)
Subject: [ISN] Israeli Software Firm Abandons U.S. Deal
Message-ID:

http://www.guardian.co.uk/worldlatest/story/0,,-5707949,00.html

By TED BRIDIS
Associated Press Writer
March 24, 2006

WASHINGTON (AP) - A leading Israeli software company failed to resolve security objections by the Bush administration over its plans to buy a smaller U.S. technology rival and abruptly abandoned the $225 million deal.

Check Point Software Technologies Ltd. of Ramat Gan, Israel, withdrew its plans Thursday near the conclusion of a rare, full-blown investigation by a U.S. review panel over the company's plans to buy Sourcefire Inc. Check Point had been told U.S. officials feared the transaction could endanger some of the government's most sensitive computer systems.

Lawyers for the companies offered to attach conditions to the sale that executives believed were onerous but were intended to satisfy the concerns expressed by the review panel, said one person familiar with the process. But no agreement could be reached.

The Treasury Department, which oversees the Committee on Foreign Investment in the United States, formally accepted Check Point's request to withdraw from the review process.

The objections by the FBI and Pentagon were partly over specialized intrusion detection software known as ``Snort,'' which guards some classified U.S. military and intelligence computers. Snort's author is a senior executive at Sourcefire, based in Columbia, Md., near the ultra-secret National Security Agency.

The investigation was carried out by the same U.S. review panel that approved the now-abandoned ports deal involving Dubai-owned DP World.

Sourcefire said in a statement it was prepared to continue operating independently as a booming software security company. One financial analyst said Sourcefire may limit future transactions to U.S.-based companies to avoid another security review. ``Given the CFIUS concerns, they may have to limit their potential partners,'' said Peter Kuper of Morgan Stanley. ``A U.S. acquirer would be a lot simpler and cleaner.''

In private meetings between the panel and Check Point, FBI and Pentagon officials objected forcefully to letting any foreign company acquire some sensitive Sourcefire technology for preventing hacker break-ins and monitoring data traffic, an executive familiar with the discussions previously told The Associated Press. This executive spoke on condition of anonymity because government negotiations are supposed to remain confidential.

Under the sale, publicly announced Oct. 6, Check Point would have owned all Sourcefire's patents, source-code blueprints for its software and the expertise of employees.

The review panel privately notified Check Point on Feb. 6 it intended to fully investigate the transaction's security risks, the executive said. That was days before the furor erupted over the Dubai ports deal. Check Point disclosed the news to investors Feb. 13, but the announcement drew little attention despite escalating scrutiny and interest in Washington over such reviews.

The U.S. committee has concluded only 25 full-blown investigations in more than 1,600 business transactions it has reviewed since 1988. In roughly half the investigations, companies pulled out of the deal rather than face imminent rejection.

From isn at c4i.org Mon Mar 27 04:18:42 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 27 Mar 2006 03:18:42 -0600 (CST)
Subject: [ISN] Terrorist 007, Exposed
Message-ID:

Forwarded from: William Knowles

http://www.washingtonpost.com/wp-dyn/content/article/2006/03/25/AR2006032500020.html

By Rita Katz and Michael Kern
March 26, 2006

For almost two years, intelligence services around the world tried to uncover the identity of an Internet hacker who had become a key conduit for al-Qaeda. The savvy, English-speaking, presumably young webmaster taunted his pursuers, calling himself Irhabi -- Terrorist -- 007.
He hacked into American university computers, propagandized for the Iraq insurgents led by Abu Musab al-Zarqawi and taught other online jihadists how to wield their computers for the cause. Suddenly last fall, Irhabi 007 disappeared from the message boards. The postings ended after Scotland Yard arrested a 22-year-old West Londoner, Younis Tsouli, suspected of participating in an alleged bomb plot. In November, British authorities brought a range of charges against him related to that plot. Only later, according to our sources familiar with the British probe, was Tsouli's other suspected identity revealed. British investigators eventually confirmed to us that they believe he is Irhabi 007. The unwitting end of the hunt comes at a time when al-Qaeda sympathizers like Irhabi 007 are making explosive new use of the Internet. Countless Web sites and password-protected forums -- most of which have sprung up in the last several years -- now cater to would-be jihadists like Irhabi 007. The terrorists who congregate in those cybercommunities are rapidly becoming skilled in hacking, programming, executing online attacks and mastering digital and media design -- and Irhabi was a master of all those arts. But the manner of his arrest demonstrates how challenging it is to combat such online activities and to prevent others from following Irhabi's example: After pursuing an investigation into a European terrorism suspect, British investigators raided Tsouli's house, where they found stolen credit card information, according to an American source familiar with the probe. Looking further, they found that the cards were used to pay American Internet providers on whose servers he had posted jihadi propaganda. Only then did investigators come to believe that they had netted the infamous hacker. And that element of luck is a problem. The Internet has presented investigators with an extraordinary challenge. 
But our future security is going to depend increasingly on identifying and catching the shadowy figures who exist primarily in the elusive online world. The short career of Irhabi 007 offers a case study in the evolving nature of the threat that we at the SITE Institute track every day by monitoring and then joining the password-protected forums and communicating with the online jihadi community.

Celebrated for his computer expertise, Irhabi 007 had propelled the jihadists into a 21st-century offensive through his ability to covertly and securely disseminate manuals of weaponry, videos of insurgent feats such as beheadings and other inflammatory material. It is by analyzing the trail of information left by such postings that we are able to distinguish the patterns of communication used by individual terrorists.

Irhabi's success stemmed from a combination of skill and timing. In early 2004, he joined the password-protected message forum known as Muntada al-Ansar al-Islami (Islam Supporters Forum) and, soon after, al-Ekhlas (Sincerity) -- two of the password-protected forums with thousands of members that al-Qaeda had been using for military instructions, propaganda and recruitment. (These two forums have since been taken down.) This was around the time that Zarqawi began using the Internet as his primary means of disseminating propaganda for his insurgency in Iraq. Zarqawi needed computer-savvy associates, and Irhabi proved to be a standout among the volunteers, many of whom were based in Europe.

Irhabi's central role became apparent to outsiders in April of that year, when Zarqawi's group, later renamed al-Qaeda in Iraq, began releasing its communiqués through its official spokesman, Abu Maysara al-Iraqi, on the Ansar forum.
In his first posting, al-Iraqi wrote in Arabic about "the good news" that "a group of proud and brave men" intended to "strike the economic interests of the countries of blasphemy and atheism, that came to raise the banner of the Cross in the country of the Muslims." At the time, some doubted that posting's authenticity, but Irhabi, who was the first to post a response, offered words of support. Before long, al-Iraqi answered in like fashion, establishing their relationship -- and Irhabi's central role. Over the following year and a half, Irhabi established himself as the top jihadi expert on all things Internet-related. He became a very active member of many jihadi forums in Arabic and English. He worked on both defeating and enhancing online security, linking to multimedia and providing online seminars on the use of the Internet. He seemed to be online night and day, ready to answer questions about how to post a video, for example -- and often willing to take over and do the posting himself. Irhabi focused on hacking into Web sites as well as educating Internet surfers in the secrets to anonymous browsing. In one instance, Irhabi posted a 20-page message titled "Seminar on Hacking Websites," to the Ekhlas forum. It provided detailed information on the art of hacking, listing dozens of vulnerable Web sites to which one could upload shared media. Irhabi used this strategy himself, uploading data to a Web site run by the state of Arkansas, and then to another run by George Washington University. This stunt led many experts to believe -- erroneously -- that Irhabi was based in the United States. Irhabi used countless other Web sites as free hosts for material that the jihadists needed to upload and share. In addition to these sites, Irhabi provided techniques for discovering server vulnerabilities, in the event that his suggested sites became secure. 
In this way, jihadists could use third-party hosts to disseminate propaganda so that they did not have to risk using their own web space and, more importantly, their own money. As he provided seemingly limitless space captured from vulnerable servers throughout the Internet, Irhabi was celebrated by his online followers. A mark of that appreciation was the following memorandum of praise offered by a member of Ansar in August 2004: "To Our Brother Irhabi 007. Our brother Irhabi 007, you have shown very good efforts in serving this message board, as I can see, and in serving jihad for the sake of God. By God, we do not like to hear what hurts you, so we ask God to keep you in his care. You are one of the top people who care about serving your brothers. May God add all of that on the side of your good work, and may you go careful and successful. We say carry on with God's blessing. Carry on, may God protect you. Carry on serving jihad and its supporters. And I ask the mighty, gracious and merciful God to keep for us everyone who wants to support his faith. Amen." Irhabi's hacking ability was useful not only in the exchange of media, but also in the distribution of large-scale al-Qaeda productions. In one instance, a film produced by Zarqawi's al-Qaeda, titled "All Is for Allah's Religion," was distributed from a page at www.alaflam.net/wdkl . The links, uploaded in June 2005, provided numerous outlets where visitors could find the video. In the event that one of the sites was disabled, many other sources were available as backups. Several were based on domains such as www.irhabi007.ca or www.irhabi007.tv , indicating a strong involvement by Irhabi himself. The film, a major release by al-Qaeda in Iraq, showed many of the insurgents' recent exploits compiled with footage of Osama bin Laden, commentary on the Abu Ghraib prison, and political statements about the rule of then-Iraqi Interim Prime Minister Ayad Allawi. 
Tsouli has been charged with eight offenses including conspiracy to murder, conspiracy to cause an explosion, conspiracy to cause a public nuisance, conspiracy to obtain money by deception and offences relating to the possession of articles for terrorist purposes and fundraising. So far there are no charges directly related to his alleged activities as Irhabi on the Internet, but given the charges already mounted against him, it will probably be a long time before the 22-year-old is able to go online again.

But Irhabi's absence from the Internet may not be as noticeable as many hope. Indeed, the hacker had anticipated his own disappearance. In the months beforehand, Irhabi released his will on the Internet. In it, he provided links to help visitors with their own Internet security and hacking skills in the event of his absence -- a rubric for jihadists seeking the means to continue to serve their nefarious ends. Irhabi may have been caught, but his online legacy may be the creation of many thousands of 007s.

feedback at siteinstitute.org

Rita Katz is the author of "Terrorist Hunter" [1] (HarperCollins) and the director of the SITE Institute, which is dedicated to the "search for international terrorist entities." Michael Kern is a senior analyst with the institute.

[1] http://www.amazon.com/exec/obidos/ASIN/0060528192/c4iorg

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Mon Mar 27 04:18:55 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 27 Mar 2006 03:18:55 -0600 (CST)
Subject: [ISN] Domain Registrar Joker Hit by DDoS
Message-ID:

http://news.netcraft.com/archives/2006/03/26/domain_registrar_joker_hit_by_ddos.html

By Rich Miller
March 26, 2006

Domain registrar Joker.com says its nameservers are under attack, causing outages for customers. More than 550,000 domains are registered with Joker, which is based in Germany. Any of those domains that use Joker's DNS servers are likely to be affected.

"Joker.com currently experiences massive distributed denial of service attacks against nameservers," the registrar says in an advisory on its home page. "This affects DNS resolution of Joker.com itself, and also domains which make use of Joker.com nameservers. We are very sorry for this issue, but we are working hard for a permanent solution."

Nameservers, which store the records that connect domain names with specific IP addresses, are attractive targets for hackers because they control the availability of large numbers of web sites. In 2002 the Internet's root nameserver system came under attack, with the DDoS causing network congestion but only minor performance problems for the DNS system, which a subsequent analysis noted is "massively overprovisioned to make it robust against attacks or network failures."

In the wake of that attack, most major registrars have robust infrastructure to defend against DDoS attacks. It's not immediately clear whether the problems at Joker.com are related to the specifics of its DDoS defenses or the sheer volume of the attack.

In recent weeks some Internet security groups have warned of the dangers posed by DNS recursion attacks, which can use the nameserver system to amplify a DDoS launched by a bot network.

From isn at c4i.org Mon Mar 27 04:19:08 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 27 Mar 2006 03:19:08 -0600 (CST)
Subject: [ISN] Cyber security an emphasis at OCCC
Message-ID:

http://www.okc.cc.ok.us/pioneer/Archives/March_27_2006/News8.html

By Matthew Caban
Staff Writer
March 27, 2006

The battle against cyberterrorism is being fought around the globe - and on OCCC campus.

As a part of President George W. Bush's plan to combat cyber terrorism a National Security Agency grant was used to find two national faculty development centers in June 2002 to train computer science instructors, said Al Heitkamper, Cyber Security Program director. One of the development centers is located at the University of Tulsa. A $3 million grant from the National Science Foundation in September 2004 helped further fund the program.

Heitkamper and another OCCC professor, Brett Weber, studied at TU as part of the program. Both received master's degrees in computer science with an emphasis in cyber security.

Weber said the cyber security field changes every month due to new threats or viruses. "There are hundreds of new viruses introduced each month and security professionals fight them."

The training allowed Weber and Heitkamper to start OCCC's cyber security program last fall. Weber said, currently, there are 75 cyber security majors at OCCC. "Enrollment is up and the program is growing," he said.

This semester marks the first time both professors are teaching cyber security classes full time. Weber said five classes are currently being offered in the cyber security field. The classes are principles of information security, security e-commerce, enterprise security management, network security and cyber forensics. "The classes should be taken in order as they build upon each other," he said.
The cyber security field includes network security and threat assessment, he said. "The field is growing and constantly changing," Weber said. Heitkamper said OCCC is part of the Computer Security Education Consortium. The CSEC also includes Tulsa Community College, Rose State College, Oklahoma State University-Okmulgee and the Oklahoma Career Tech system. Heitkamper said CSEC's goals are to train the workforce (including students), train professors and meet the needs of the industry. Weber said OCCC's program also should alert the public about the need for security awareness. "People need to be aware of what they should secure and how to do it." From isn at c4i.org Mon Mar 27 04:18:21 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 27 Mar 2006 03:18:21 -0600 (CST) Subject: [ISN] GAO: IRS security is weak Message-ID: http://www.fcw.com/article92737-03-24-06-Web By Matthew Weigelt Mar. 24, 2006 Taxpayers' financial and personal information remains at risk because the Internal Revenue Service has not yet strengthened its information security measures, according to a new Government Accountability Office report. The IRS fixed 41 of the 81 faults GAO discovered last year, the report states. Nevertheless, "GAO identified new information security control weaknesses that threaten the confidentiality, integrity and availability of IRS' financial information systems and the information they process," according to the report, which was released today. The IRS has not established effective electronic access controls related to network management, user accounts, file permissions and logging and monitoring of security-related events, the report states. The agency has also failed to install other controls to secure computers physically. 
"Collectively, these weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification or loss, possibly without detection, and place IRS operations at risk of disruption," the report states. GAO recommends that the IRS align policies related to password age and configuration settings with federal guidelines, review system security plans, give specialized training to contractors, and update emergency action plans. For emergency plans, the report suggests training non-IRS staff members to restore operations and updating disaster recovery plans. It also recommends installing UNIX-based hardware and equipment for processing applications and data at the IRS' disaster recovery hot site, an alternative processing place to use in an emergency. Until the agency acts on these recommendations, "it is at risk of not being able to appropriately recover in a timely manner," the report states. IRS Commissioner Mark Everson expressed agreement with GAO's assessment in a Feb. 27 letter to GAO's director of information technology, Gregory Wilshusen. "Because the IRS' solution extends beyond the specific findings and addresses the root cause of the weaknesses at an enterprisewide level, a majority of the weaknesses remain open," Everson wrote. "However, as a result of this agencywide approach and other initiatives we have under way, the IRS now has stronger controls to protect taxpayer data." He said IRS officials share the responsibility for IT security. From isn at c4i.org Mon Mar 27 04:19:23 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 27 Mar 2006 03:19:23 -0600 (CST) Subject: [ISN] VSC laptop theft creates security concerns Message-ID: http://www.timesargus.com/apps/pbcs.dll/article?AID=/20060324/NEWS/603240363/1002 By Darren M. 
Allen Vermont Press Bureau March 24, 2006 MONTPELIER - Thousands of Vermont State Colleges students, faculty and staff learned this week that a VSC laptop computer stolen from a car parked in Montreal on Feb. 28 could have given thieves access to their personal financial information, including Social Security numbers and payroll data. And while system administrators assured the thousands of potential identity-theft victims that they had all but eliminated access to the colleges' computer network from the laptop, some faculty and staff are furious that VSC took three weeks to warn them. "I can share with you that many, many people have come to me to express their anger," said Ernest Broadwater, an education professor at Lyndon State College and the president of the Vermont State Colleges Faculty Federation. The union has contacted an attorney to "learn what measures the VSC has taken to protect the information of our students, staff and faculty." College administrators on Thursday insisted that the threat of stolen identities was minimal, but nonetheless urged the system's 14,000 current students, teachers and staff to be vigilant about their bank and credit card accounts. They said they fear the stolen laptop may have contained information on people associated with the five-college system from as long ago as 2000. "Upon being notified, information technology staff took immediate steps to block network access from the laptop," said a system-wide e-mail that was distributed this week. "We have no evidence that any personal information has been accessed or used for illegal or malicious activities. However, the potential risks associated with identity theft are very serious matters." Karrin Wilks, VSC vice president for academic and strategic planning, said she has received "many" calls and e-mails since the warning went out Tuesday. "Although we notified everyone just this week, we took precautions immediately," she said. 
"We didn't know exactly what was on the machine. We had to spend time assessing the threat, and assessing our legal/moral responsibilities."

To Broadwater, those responsibilities would include more timely notification. "I'd be interested in hearing why it wasn't sooner," he said. "It seems that they were worried about their system but not the individuals who had their identity information compromised."

The laptop was stolen from an unidentified information technology officer's car while it was parked on a Montreal street Feb. 28. The woman, whose name was not released by the VSC, put her laptop under her seat and locked the car, Wilks said. However, she left a pair of skis in the back. Thieves broke a window, and took the skis, the laptop and other items of value, she said.

"Her vacation was ruined," Wilks said. The woman immediately contacted the VSC and also filed a report with the Montreal police.

The potential breach of thousands of people's private information was the second one for the state colleges in less than a year. In October, a former Vermont Technical College student discovered that his Social Security number was posted on the Internet. As it turned out, the college had mistakenly posted every student's Social Security number on the Web.

"We have taken swift steps to secure the information and to remove the data from the Vermont Tech server and from other sources," then-VTC President Allan Rodgers said in an e-mail to students and to alumni. According to an Associated Press report, he ordered more training on computer security.

Identity theft is a growing problem in the United States, and several states have begun passing laws to deal with it. Last year, Vermont consumers were given the ability to freeze their credit reports if they suspect that they are victims of identity theft.
In California, lawmakers passed a credit report freeze and another measure that compels companies or organizations that lose sensitive information to immediately notify potential victims. And Congress is grappling with national legislation that would also compel quicker disclosure.

Wilks said she understood people's frustration. "People do need to be more vigilant," she said. "People need to monitor their own debit and credit accounts for unusual activity."

From isn at c4i.org Mon Mar 27 04:20:02 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 27 Mar 2006 03:20:02 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - March 24th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  March 24th, 2006                             Volume 7, Number 13n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas       ben at linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week advisories were released for xpvm, vlc, xine-lib, wzdftpd, drupal, kpdf, libmail-audit-perl, ilohamail, kernel-patch-vserver, unzip, snmptrapfmt, firebird2, sendmail, evolution, kernel, xorg, avahi, beagle, curl, php-pear, xterm, scim-anthy, tzdata, logwatch, shadow-utils, cpio, libsepol, bind, Freeciv, zoo, bypass, rshd, metamail, cube, squirrelmail, flex, gnupg, pngcrush, libcurl, cairo, flash-player, and realplayer. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer.
EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

---

Linux Command Reference Manual: Linux File Structure
By: Suhas Desai

In the Linux file structure, files are grouped according to purpose, e.g. commands, data files, documentation. Parts of a Unix directory tree are listed below. All directories are grouped under the root entry "/"; that part of the directory tree is left out of the diagram below. See the FSSTND standard (Filesystem Standard).

root      - The home directory for the root user
home      - Contains the users' home directories along with directories for services
  ftp
  HTTP
  samba
bin       - Commands needed during bootup that might be needed by normal users
sbin      - Like bin, but the commands are not intended for normal users.

Commands run by LINUX:
----------------------
proc      - This filesystem is not on a disk. It is a virtual filesystem that exists in the kernel's imagination, which is memory.
usr       - Contains all commands, libraries, man pages, games and static files for normal operation
  bin       - Almost all user commands. Some commands are in /bin or /usr/local/bin.
  sbin      - System admin commands not needed on the root filesystem, e.g., most server programs.
  include   - Header files for the C programming language. Should be below /usr/lib for consistency.
  lib       - Unchanging data files for programs and subsystems
  local     - The place for locally installed software and other files.
  man       - Manual pages
  info      - Info documents
  doc       - Documentation
  tmp
  X11R6     - The X Window System files. There is a directory similar to /usr below this directory.
  X386      - Like X11R6 but for X11 release 5
boot      - Files used by the bootstrap loader, LILO. Kernel images are often kept here.
lib       - Shared libraries needed by the programs on the root filesystem
  modules   - Loadable kernel modules, especially those needed to boot the system after disasters.
dev       - Device files
etc       - Configuration files specific to the machine.
  sysconfig - Files that configure the Linux system for devices.
var       - Contains files that change: mail, news, printer and log files, man pages, temp files
  lib       - Files that change while the system is running normally
  local     - Variable data for programs installed in /usr/local.
  lock      - Lock files. Used by a program to indicate it is using a particular device or file.
  log       - Log files from programs such as login and syslog, which logs all logins and logouts.
  run       - Files that contain information about the system that is valid until the system is next booted.
  spool     - Directories for mail, printer spools, news and other spooled work.
  tmp       - Temporary files that are large or need to exist for longer than they should in /tmp.
mnt       - Mount points for temporary mounts by the system administrator.
tmp       - Temporary files. Programs running after bootup should use /var/tmp.

Read Full Paper
http://www.linuxsecurity.com/images/stories/commandref.pdf

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations.
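To make "far too liberal" concrete, here is an added shell example (it is not part of the newsletter or of the linked article) that audits a directory tree for the three permission mistakes an administrator most often means by that phrase: world-writable files, world-writable directories that lack the sticky bit (so any user can delete or rename other users' files in them), and setuid/setgid executables, each of which is a privilege boundary worth reviewing. The function names, the `--demo` switch and the sample tree built under `mktemp -d` are my own constructions so the script runs offline; point `audit_perms` at a real path such as `/srv` or `/opt` to use it for real.

```shell
#!/bin/sh
# Added example: audit a directory tree for over-liberal permissions.
# Everything here (function names, sample tree) is constructed for the
# demonstration and is not taken from the newsletter.

# Regular files anyone on the system may modify (other-write bit set).
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Directories anyone may write to that lack the sticky bit: unlike /tmp,
# any user can remove or rename another user's files inside them.
unsticky_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Files that run with the owner's or group's privileges regardless of
# who invokes them; each one deserves a justification.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Build a constructed sample tree with one acceptable and several
# questionable permission settings; prints the tree's path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/shared" "$d/dropbox" "$d/private"
    chmod 1777 "$d/shared"     # world-writable WITH sticky bit: acceptable
    chmod 0777 "$d/dropbox"    # world-writable, no sticky bit: mistake
    chmod 0750 "$d/private"
    : > "$d/private/config"
    chmod 0666 "$d/private/config"   # anyone can edit the config: mistake
    : > "$d/private/notes"
    chmod 0640 "$d/private/notes"    # owner rw, group r: fine
    : > "$d/shared/tool"
    chmod 4755 "$d/shared/tool"      # setuid executable: review it
    printf '%s\n' "$d"
}

# Print all three reports for a tree.
audit_perms() {
    echo "== world-writable files ==";                    world_writable_files "$1"
    echo "== world-writable directories without sticky bit =="; unsticky_world_writable_dirs "$1"
    echo "== setuid/setgid files ==";                     setid_files "$1"
}

# Usage: sh audit.sh --demo   (runs against the constructed sample tree)
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    audit_perms "$tree"
    rm -rf "$tree"
fi
```

On the sample tree only `private/config`, `dropbox` and `shared/tool` are reported; `shared` is world-writable but carries the sticky bit, which is the same arrangement `/tmp` relies on, so it is deliberately left out of the report.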
A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New xpvm packages fix insecure temporary file
  16th, March, 2006

  Eric Romang discovered that xpvm, a graphical console and monitor for PVM, creates a temporary file that allows local attackers to create or overwrite arbitrary files with the privileges of the user running xpvm.
  http://www.linuxsecurity.com/content/view/121949

* Debian: New vlc packages fix arbitrary code execution
  16th, March, 2006

  Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code. The vlc media player links statically against libavcodec.
  http://www.linuxsecurity.com/content/view/121951

* Debian: New xine-lib packages fix arbitrary code execution
  16th, March, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/121957

* Debian: New wzdftpd packages fix arbitrary shell command execution
  16th, March, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/121959

* Debian: New drupal packages fix several vulnerabilities
  17th, March, 2006

  The Drupal Security Team discovered several vulnerabilities in Drupal, a fully-featured content management and discussion engine. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-1225, CVE-2006-1226, CVE-2006-1227, CVE-2006-1228
  http://www.linuxsecurity.com/content/view/121964

* Debian: New kpdf packages fix arbitrary code execution
  17th, March, 2006

  Marcelo Ricardo Leitner noticed that the current patch in DSA 932 (CVE-2005-3627) for kpdf, the PDF viewer for KDE, does not fix all buffer overflows, still allowing an attacker to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/121966

* Debian: New libmail-audit-perl packages fix insecure temporary file use
  20th, March, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/121981

* Debian: New crossfire packages fix arbitrary code execution
  20th, March, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/121982

* Debian: New ilohamail packages fix cross-site scripting vulnerabilities
  20th, March, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/121983

* Debian: New kernel-patch-vserver packages fix root exploit
  21st, March, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/122004

* Debian: New unzip packages fix arbitrary code execution
  21st, March, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/122005

* Debian: New snmptrapfmt packages fix insecure temporary file
  22nd, March, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/122031

* Debian: New firebird2 packages fix denial of service
  23rd, March, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/122058

* Debian: New sendmail packages fix arbitrary code execution
  23rd, March, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/122059

* Debian: New evolution packages fix arbitrary code execution
  23rd, March, 2006
  Several format string vulnerabilities were found in Evolution, a free groupware suite, that could lead to crashes of the application or the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122065

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: GFS-kernel-2.6.11.8-20050601.152643.FC4.25
  16th, March, 2006
  Rebuilt against the latest kernel (2.6.15-1.1833_FC4).
  http://www.linuxsecurity.com/content/view/121954

* Fedora Core 5 Update: xorg-x11-server-1.0.1-9
  20th, March, 2006
  Coverity scanned the X.Org source code for problems and reported their findings to the X.Org development team. Upon analysis, Alan Coopersmith, a member of the X.Org development team, noticed a couple of serious security issues in the findings. In particular, the Xorg server can be exploited for root privilege escalation by passing a path to malicious modules using the -modulepath command line argument. Also, the Xorg server can be exploited to overwrite any root writable file on the filesystem with the -logfile command line argument.
  http://www.linuxsecurity.com/content/view/121985

* Fedora Core 5 Update: avahi-0.6.9-8.FC5
  20th, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122003

* Fedora Core 5 Update: beagle-0.2.3-4
  21st, March, 2006
  Some of the wrapper scripts (including beagle-status) looked in the current directory for files with a specific name and ran that instead of the binary in the path. All such cases have been fixed in this release.
  http://www.linuxsecurity.com/content/view/122022

* Fedora Core 5 Update: curl-7.15.1-3
  21st, March, 2006
  This curl update fixes security vulnerability CVE-2006-1061 - curl can overflow a heap-based memory buffer if a very long TFTP URL with a valid host name is passed to curl.
  This update fixes installation problems on multilib architectures, too.
  http://www.linuxsecurity.com/content/view/122023

* Fedora Core 5 Update: sendmail-8.13.6-0.FC5.1
  22nd, March, 2006
  A flaw in the handling of asynchronous signals. A remote attacker may be able to exploit a race condition to execute arbitrary code as root.
  http://www.linuxsecurity.com/content/view/122043

* Fedora Core 4 Update: sendmail-8.13.6-0.FC4.1
  22nd, March, 2006
  A flaw in the handling of asynchronous signals. A remote attacker may be able to exploit a race condition to execute arbitrary code as root.
  http://www.linuxsecurity.com/content/view/122044

* Fedora Core 5 Update: php-pear-1.4.6-2.1
  22nd, March, 2006
  This update includes the latest upstream version of the PEAR XML_RPC package (version 1.4.5), which fixes operation of the XML_RPC server component with PHP 5.1.2.
  http://www.linuxsecurity.com/content/view/122045

* Fedora Core 4 Update: xterm-208-4.FC4
  22nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122046

* Fedora Core 5 Update: scim-anthy-0.9.0-3.fc5
  22nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122047

* Fedora Core 4 Update: tzdata-2006b-2.fc4
  22nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122050

* Fedora Core 4 Update: logwatch-7.2.1-1.fc4
  22nd, March, 2006
  This new version of the logwatch package fixes problems with the --splithosts option and contains a lot of services updates.
  http://www.linuxsecurity.com/content/view/122051

* Fedora Core 5 Update: anthy-7500-1.fc5
  22nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122052

* Fedora Core 5 Update: shadow-utils-4.0.14-5.FC5
  22nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122053

* Fedora Core 5 Update: cpio-2.6-14.FC5
  22nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122054

* Fedora Core 5 Update: libsepol-1.12.1-1.fc5
  22nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122055

* Fedora Core 5 Update: bind-9.3.2-12.FC5
  22nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122056

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Freeciv Denial of Service
  16th, March, 2006
  A memory allocation bug in Freeciv allows a remote attacker to perform a Denial of Service attack.
  http://www.linuxsecurity.com/content/view/121944

* Gentoo: zoo Buffer overflow
  16th, March, 2006
  A buffer overflow in zoo may be exploited to execute arbitrary code when creating archives of specially crafted directories and files.
  http://www.linuxsecurity.com/content/view/121945

* Gentoo: PEAR-Auth Potential authentication bypass
  17th, March, 2006
  PEAR-Auth did not correctly verify data passed to the DB and LDAP containers, thus allowing attackers to inject false credentials to bypass the authentication.
  http://www.linuxsecurity.com/content/view/121970

* Gentoo: Heimdal rshd privilege escalation
  17th, March, 2006
  An error in the rshd daemon of Heimdal could allow authenticated users to elevate privileges.
  http://www.linuxsecurity.com/content/view/121971

* Gentoo: Crypt::CBC Insecure initialization vector
  17th, March, 2006
  Crypt::CBC uses an insecure initialization vector, potentially resulting in weaker encryption.
  http://www.linuxsecurity.com/content/view/121972

* Gentoo: Metamail Buffer overflow
  17th, March, 2006
  A buffer overflow in Metamail could possibly be exploited to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/121973

* Gentoo: Cube Multiple vulnerabilities
  21st, March, 2006
  Cube is vulnerable to a buffer overflow, invalid memory access and remote client crashes, possibly leading to a Denial of Service or remote code execution.
  http://www.linuxsecurity.com/content/view/122012

* Gentoo: SquirrelMail Cross-site scripting and IMAP command injection
  21st, March, 2006
  SquirrelMail is vulnerable to several cross-site scripting vulnerabilities and IMAP command injection.
  http://www.linuxsecurity.com/content/view/122013

* Gentoo: GNU tar Buffer overflow
  21st, March, 2006
  A malicious tar archive could trigger a buffer overflow in GNU tar, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122014

* Gentoo: flex Potential insecure code generation
  21st, March, 2006
  flex might generate code with a buffer overflow, making applications using such scanners vulnerable to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122015

* Gentoo: GnuPG Incorrect signature verification
  21st, March, 2006
  GnuPG may erroneously report that a modified or unsigned message has a valid digital signature.
  http://www.linuxsecurity.com/content/view/122016

* Gentoo: PeerCast Buffer overflow
  21st, March, 2006
  PeerCast is vulnerable to a buffer overflow that may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122017

* Gentoo: Pngcrush Buffer overflow
  21st, March, 2006
  Pngcrush is vulnerable to a buffer overflow which could potentially lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122018

* Gentoo: cURL/libcurl Buffer overflow in the handling
  21st, March, 2006
  libcurl is affected by a buffer overflow in the handling of URLs for the TFTP protocol, which could be exploited to compromise a user's system.
  http://www.linuxsecurity.com/content/view/122029

* Gentoo: Macromedia Flash Player Arbitrary code execution
  21st, March, 2006
  Multiple vulnerabilities have been identified that allow arbitrary code execution on a user's system via the handling of malicious SWF files.
  http://www.linuxsecurity.com/content/view/122030

* Gentoo: Sendmail Race condition in the handling of asynchronous signals
  22nd, March, 2006
  Sendmail is vulnerable to a race condition which could lead to the execution of arbitrary code with sendmail privileges.
  http://www.linuxsecurity.com/content/view/122041

* Gentoo: PHP Format string and XSS vulnerabilities
  22nd, March, 2006
  Multiple vulnerabilities in PHP allow remote attackers to inject arbitrary HTTP headers, perform cross site scripting or in some cases execute arbitrary code.
  http://www.linuxsecurity.com/content/view/122042

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated xorg-x11 packages to address local root vuln
  20th, March, 2006
  Versions of Xorg 6.9.0 and greater have a bug in xf86Init.c, which allows non-root users to use the -modulepath, -logfile and -configure options. This allows loading of arbitrary modules which will execute as the root user, as well as a local DoS by overwriting system files. Updated packages have been patched to correct these issues.
  http://www.linuxsecurity.com/content/view/122001

* Mandriva: Updated cairo packages to address Evolution DoS vulnerability
  20th, March, 2006
  GNOME Evolution allows remote attackers to cause a denial of service (persistent client crash) via an attached text file that contains "Content-Disposition: inline" in the header, and a very long line in the body, which causes the client to repeatedly crash until the e-mail message is manually removed, possibly due to a buffer overflow, as demonstrated using an XML attachment.
  http://www.linuxsecurity.com/content/view/122002

* Mandriva: Updated sendmail packages fix remote vulnerability
  22nd, March, 2006
  A race condition was reported in sendmail in how it handles asynchronous signals. This could allow a remote attacker to execute arbitrary code with the privileges of the user running sendmail.
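The sendmail advisories in this digest (Fedora above, Gentoo and Mandriva here, Red Hat and SuSE below) all describe one class of bug: a signal handler that does work which is not async-signal-safe, so a remote peer who can influence when the signal fires (by stalling a connection until a timeout elapses) races the handler against the main code path. The C below is an added example for this page, not sendmail's code or any vendor's patch. It contrasts a handler that performs its cleanup inline with the standard pattern of setting a volatile sig_atomic_t flag and doing the work later in normal context; the "connection" state and the use of SIGALRM as the timeout signal are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed per-connection state that the main loop manipulates. */
static char *line_buf = NULL;     /* heap buffer for the line being read */
static int   conn_open = 0;

/* Vulnerable pattern (illustrative; not installed below). The handler does
 * the timeout cleanup itself. If the signal lands while the main path is
 * in the middle of freeing or re-pointing line_buf, both run the same
 * non-reentrant code on the same state: double free, use of a freed
 * buffer, or stdio internals left half-updated. The peer picks the moment
 * by picking when the timeout expires. */
void on_timeout_unsafe(int sig)
{
    (void)sig;
    fprintf(stderr, "timeout: closing connection\n");  /* stdio: not async-signal-safe */
    free(line_buf);                                    /* malloc family: not safe either */
    line_buf = NULL;
    conn_open = 0;
}

/* Safe pattern: the handler only records that the signal happened.
 * volatile sig_atomic_t is the one type C guarantees can be written from
 * a handler and read from normal code without tearing. */
static volatile sig_atomic_t timeout_pending = 0;

void on_timeout_safe(int sig)
{
    (void)sig;
    timeout_pending = 1;
}

int install_timeout_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_timeout_safe;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;   /* no SA_RESTART: a blocked read() returns EINTR, so the loop gets to see the flag */
    return sigaction(SIGALRM, &sa, NULL);
}

/* Called from the main loop, in normal context, where free() and stdio
 * are fine. Returns 1 if a pending timeout was handled, 0 if nothing was
 * pending. */
int service_pending_timeout(void)
{
    if (!timeout_pending)
        return 0;
    timeout_pending = 0;
    free(line_buf);
    line_buf = NULL;
    conn_open = 0;
    return 1;
}

/* Simulates one connection timing out: set up state, deliver SIGALRM to
 * ourselves (standing in for alarm() firing), then service the flag.
 * Returns 1 when the handler touched nothing but the flag and the
 * cleanup ran afterwards in normal context; -1 on any other outcome. */
int simulate_timeout(void)
{
    if (install_timeout_handler() != 0)
        return -1;
    line_buf = strdup("partial line from the peer");   /* constructed state */
    conn_open = 1;
    timeout_pending = 0;
    if (raise(SIGALRM) != 0)
        return -1;
    if (!timeout_pending || !conn_open || line_buf == NULL)
        return -1;                 /* handler must not have done the cleanup itself */
    if (service_pending_timeout() != 1)
        return -1;
    return (conn_open == 0 && line_buf == NULL) ? 1 : -1;
}

int main(void)
{
    printf("flag-based timeout handling %s\n",
           simulate_timeout() == 1 ? "worked" : "failed");
    return 0;
}
```

When reviewing a daemon for this class of bug, the checklist is short: every function called from a handler must be on the async-signal-safe list, anything else moves behind a flag (or a self-pipe) and is serviced from the main loop, and blocking calls are written to tolerate EINTR so the loop actually reaches that service step.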
  http://www.linuxsecurity.com/content/view/122048

* Mandriva: Updated kernel packages fix multiple vulnerabilities
  22nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122049

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Critical: sendmail security update
  22nd, March, 2006
  Updated sendmail packages to fix a security issue are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122035

* RedHat: Critical: sendmail security update
  22nd, March, 2006
  Updated sendmail packages to fix a security issue are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122036

* RedHat: Critical: RealPlayer security update
  23rd, March, 2006
  An updated RealPlayer package that fixes a buffer overflow bug is now available for Red Hat Enterprise Linux Extras 3 and 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122057

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: flash-player buffer overflow
  21st, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122006

* SuSE: xorg-x11-server local privilege
  21st, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122007

* SuSE: sendmail remote code execution
  22nd, March, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122037

* SuSE: RealPlayer security problems
  23rd, March, 2006
  This update fixes the following security problems in Realplayer: CVE-2006-0323, CVE-2005-2922.
  http://www.linuxsecurity.com/content/view/122060

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Mar 27 04:20:42 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 27 Mar 2006 03:20:42 -0600 (CST)
Subject: [ISN] Inside Windows IT Security UPDATE
Message-ID:

=======================
This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows IT Security UPDATE.

Winternals
http://list.windowsitpro.com/t?ctl=24EFC:4FB69

SPI Dynamics
http://list.windowsitpro.com/t?ctl=24EEC:4FB69
=======================

1. What's New in the Latest Issue
   April 2006 Issue
   - Focus: Containing Your Wireless Network Signals
   - Feature: 3 Ways to Rein in Your Wireless Signals
   - Access Denied
   - Toolbox: Avoid Risky Rules with Netsh

==== Sponsor: Winternals ====
Winternals Protection Manager
How will you protect your enterprise from zero-day attacks? Protection Manager blocks unknown applications from running until you specifically authorize them. No need to wait for an update--you're already protected. Plus, Protection Manager enables a secure successful least privilege network without compromising legacy applications by decoupling privilege levels of applications from users, and promotes culturally acceptable PC lockdown with real-time approval or denial of user application requests.
Protection Manager forms a crucial layer of your defense-in-depth security strategy, helping enforce corporate technology policies, ensuring compliance with regulatory acts like HIPAA and Sarbanes-Oxley, and dramatically reducing the labor burden on IT. Download your 30-day evaluation copy of Protection Manager at:
http://list.windowsitpro.com/t?ctl=24EFC:4FB69

=======================
Windows IT Security is a monthly, paid, print newsletter loaded with news and tips to help you manage, optimize, and secure your Web-enabled enterprise. In addition to receiving the monthly print newsletter, subscribers can access all the newsletter content, including the most recent issue, at the Windows IT Security Web site.
http://list.windowsitpro.com/t?ctl=24EFB:4FB69

Subscribe today and access all the issues online!
http://list.windowsitpro.com/t?ctl=24EEF:4FB69
=======================

==== 1. What's New in the Latest Issue ====

April 2006 Issue

Focus: Containing Your Wireless Network Signals
Who knew that adding security to your wireless APs could be as simple as adding a reflector to their antennas? Learn about this low-cost safety mechanism, get instructions for configuring SSL/TLS, and find out about a new password-cracking tool.

The following article is available at no charge to nonsubscribers for a limited time:

3 Ways to Rein in Your Wireless Signals
You can use three basic methods to limit wireless network radio signals. Here's how they work.
--Mark Joseph Edwards
http://list.windowsitpro.com/t?ctl=24EEB:4FB69

Nonsubscribers now have access to the Access Denied and Toolbox columns:

Access Denied
--Randy Franklin Smith

Locating the User Causing Failures on a Folder
Examining event ID 560 and associated event IDs 528, 540, and 592 will give you the answers you need.
http://list.windowsitpro.com/t?ctl=24EF2:4FB69

Determining Who Enabled an Account
The answer might lie in the Security event log of your Windows DC.
http://list.windowsitpro.com/t?ctl=24EF1:4FB69

Distinguishing User Account Reenablements from Creations
User account creations create a telltale pattern in the Security log of event ID 624, followed by several instances of event ID 642 interspersed with event IDs 626 and 628.
http://list.windowsitpro.com/t?ctl=24EF3:4FB69

Viewing the Security Settings on a Computer
The GPMC Group Policy Results feature lets you obtain a report of all the effective Group Policy settings (including security settings) from a system.
http://list.windowsitpro.com/t?ctl=24EF4:4FB69

The Two "Generate Resultant Set of Policy" Permissions
Use the "Generate Resultant Set of Policy (Planning)" permission and report when you're testing what-if scenarios and the "Generate Resultant Set of Policy (Logging)" permission and report when you need to know the actual status of a computer or user.
http://list.windowsitpro.com/t?ctl=24EF0:4FB69

Toolbox: Avoid Risky Rules With Netsh
You can use Netsh's firewall context to audit Windows Firewall configurations on users' computers.
--Jeff Fellinge
http://list.windowsitpro.com/t?ctl=24EEA:4FB69

Subscribers have access to the entire contents of the April 2006 issue. For a list of the other articles available in this issue, go to
http://list.windowsitpro.com/t?ctl=24EED:4FB69

=======================

==== Sponsor SPI Dynamics ====
ALERT: PENETRATION TEST your Web Applications for FREE! WebInspect is a dynamic web application assessment tool that will automatically search for over 4,700 vulnerabilities and attack methods. Learn about the top web application Attack Methods and how to combat them with WebInspect. Run a FREE Test of your Web Apps via our FREE 15 Day Product Trial that delivers a comprehensive vulnerability report
http://list.windowsitpro.com/t?ctl=24EEC:4FB69

==== Events & Resources ====
(from Windows IT Pro and its partners)

Windows Connections Conference, April 9-12, 2006
Don't miss the essential Windows technology conference.
http://list.windowsitpro.com/t?ctl=24EFE:4FB69

When disaster strikes your servers, whether they are dedicated to Windows, SQL, or Exchange, you need answers. Make sure that if an emergency occurs, you're prepared. Get the full eBook and get started on your recovery plan today!
http://list.windowsitpro.com/t?ctl=24EE9:4FB69

Learn to gather evidence of compliance across multiple systems and link the data to regulatory and framework control objectives. On-demand Web seminar.
http://list.windowsitpro.com/t?ctl=24EE6:4FB69

Make sure your email server is secure. Learn everything from basic techniques to defense-in-depth strategies, including network-level access control lists, Web authentication, firewall protocol inspection, and perimeter filtering. Live Web seminar Thursday, March 23
http://list.windowsitpro.com/t?ctl=24EE7:4FB69

Use Windows Server 2003 R2 as a platform for SQL Server 2005 to support large-database requirements, including clustering and multiple processors. Register for this free Web seminar today!
http://list.windowsitpro.com/t?ctl=24EE8:4FB69

==== Featured White Paper ====
Use scripted deployments to ensure that all your Exchange servers are configured and deployed with exactly the same options and to maintain a record of your installation configurations. Learn how today!
http://list.windowsitpro.com/t?ctl=24EEE:4FB69

=======================

==== Hot Release ====
ALERT: PENETRATION TEST your Web Applications for FREE! WebInspect is a dynamic web application assessment tool that will automatically search for over 4,700 vulnerabilities and attack methods. Learn about the top web application attack methods and how to combat them. Test your Web Apps via our FREE 15 Day WebInspect Product Trial.
http://list.windowsitpro.com/t?ctl=24EFA:4FB69

=======================

==== Announcements ====
(brought to you by Windows IT Pro)

Windows IT Pro Magazine Article Library--access available
Sign up for a Monthly Online Pass and get INSTANT access to all articles, tools, and helpful resources published on WindowsITPro.com, including exclusive subscriber-only content. You'll get 24/7 access to the full Windows IT article library (which includes more than 9,000 articles) as well as the latest digital issue of Windows IT Pro delivered right to your inbox. Sign up now:
http://list.windowsitpro.com/t?ctl=24EF6:4FB69

Windows IT Pro Magazine--SAVE 58%
Windows IT Pro is a must-have in 2006! Subscribe now and plug into the largest independent Windows IT community in the world. Along with loads of how-to articles, time-saving advice, and expert tips and solutions, you'll gain exclusive access to the entire online Windows IT Pro article library FREE. This is a limited-time offer, so order now:
http://list.windowsitpro.com/t?ctl=24EF5:4FB69

==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=24EFD:4FB69
About product news -- products at windowsitpro.com
About your subscription -- securityupdate at windowsitpro.com
About sponsoring UPDATE -- salesopps at windowsitpro.com

=======================
Make sure your copy of Inside Windows IT Security UPDATE doesn't get mistakenly blocked by antispam software! Be sure to add Inside_WindowsITSecurity_Update at list.windowsitpro.com to your list of allowed senders and contacts.

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and internal users. Subscribe today!
http://list.windowsitpro.com/t?ctl=24EF8:4FB69

View the Windows IT Pro Privacy policy at
http://list.windowsitpro.com/t?ctl=24EF9:4FB69

Windows IT Pro is a division of Penton Media Inc.
221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All Rights Reserved.

From isn at c4i.org Tue Mar 28 01:18:22 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 28 Mar 2006 00:18:22 -0600 (CST)
Subject: [ISN] Linux Security Week - March 27th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  March 27th, 2006                             Volume 7, Number 13n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com  |
|                   Benjamin D. Thomas      ben at linuxsecurity.com   |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week perhaps the most interesting articles include "Encrypt filesystems with EncFS and Loop-AES," "Revealing the myths about network security," and "Enterprise Security Threats Increasingly Come from Within."

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.
http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Community 3.0.5 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.
http://www.linuxsecurity.com/content/view/121879/65/

---

pgp Key Signing Observations: Overlooked Social and Technical Considerations
By: Atom Smasher

While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.
http://www.linuxsecurity.com/content/view/121645/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
|  Security News:     | <<-----[ Articles This Week ]----------
+---------------------+

* Multiple Live CDs In One DVD
  24th, March, 2006
  Live CDs do a great job of advertising Linux distributions. In addition to general-purpose live CD distributions, there are lots of task-oriented live CDs. Wouldn't it be great if you could carry multiple live CDs on one DVD disc?
  Nautopia.net has put up a script that you can use to make a custom DVD to boot multiple live CDs.
  http://www.linuxsecurity.com/content/view/122084

* Tunnels in Hash Functions - MD5 Collisions Within a Minute
  20th, March, 2006
  In this paper we introduce a new idea of tunneling of hash functions. In some sense tunnels replace multi-message modification methods and exponentially accelerate collision search. We describe how to find MD5 collisions in one minute on a standard notebook PC (Intel Pentium 1.6 GHz). The method works for any initializing value. Tunneling is a general idea, which can be used for finding collisions of other hash functions, such as SHA-1,
  http://www.linuxsecurity.com/content/view/121996

* Encrypt filesystems with EncFS and Loop-AES
  21st, March, 2006
  Encrypted filesystems may be overkill for family photos or your resume, but they make sense for network-accessible servers that hold sensitive business documents, databases that contain credit-card information, offline backups, and laptops. EncFS and Loop-AES, which are both released under the GNU General Public License (GPL), are two approaches to encrypting Linux filesystems. I'll compare the two and then look at other alternatives.
  http://www.linuxsecurity.com/content/view/122011

* Linux Dictionary
  19th, March, 2006
  (SWP) Sun Wah-PearL Linux Training and Development Centre has an ambitious aim to promote the use of Linux and related Open Source Software (OSS) and Standards. The vendor independent positioning of SWP has been very well perceived by the market. Throughout the last couple of years, SWP has become the top leading OSS training and service provider in Hong Kong. And in fact we are leading the market direction in some ways.
  http://www.linuxsecurity.com/content/view/121977

* Useful Firefox Security Extensions
  21st, March, 2006
  Mozilla's Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions.
  Here's a roundup of some of the more useful ones I've found.
  http://www.linuxsecurity.com/content/view/122009

* Digital Forensics Wiki
  22nd, March, 2006
  This is the Forensics Wiki, devoted to information about digital forensics. We are just getting started, but still encourage you to browse the site and contribute whatever information you have available.
  http://www.linuxsecurity.com/content/view/122039

* Security Protocols: Google's FrSIRT Cache
  23rd, March, 2006
  As we previously reported, FrSIRT has decided that they want to start selling other security researchers' exploits. Thanks to Layne, here is a list of 626 exploits from Google cache which were published on the FrSIRT website. FrSIRT also always seemed to fail to give the proper credit to the researchers who would submit code and/or advisories.
  http://www.linuxsecurity.com/content/view/122068

* International Body Adopts Network Security Standard
  25th, March, 2006
  The International Organization for Standardization (ISO) approved last month a comprehensive model that identifies critical requirements to ensure end-to-end network security. Specifically, the global standards group formally adopted ISO/IEC 18028-2, which defines a standard security architecture and provides a systematic approach to support the planning, design and implementation of information technology networks.
  http://www.linuxsecurity.com/content/view/122087

* The Effective Response To Computer Crime
  23rd, March, 2006
  The attraction of computer-based crime is obvious. Twenty years ago corporate spies would find it difficult to steal the entire contents of a filing cabinet, but today they can take far more by slipping a disc into their pocket or e-mailing data to an online electronic swag bag.
  http://www.linuxsecurity.com/content/view/122067

* Useful Firefox Security Extensions
  18th, March, 2006
  Mozilla's Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here's a roundup of some of the more useful ones I've found.
  http://www.linuxsecurity.com/content/view/121975

* Old Physical Security Threats Still Working
  20th, March, 2006
  In "The Complete Windows Trojans Paper" that I released back in 2003 (you can also update yourself with some recent malware trends!) I briefly mentioned the following possibility as far as physical security and malware was concerned:
  http://www.linuxsecurity.com/content/view/122000

* Revealing the myths about network security
  20th, March, 2006
  Many people and businesses unknowingly leave their private information readily available to hackers because they subscribe to some common myths about computer and network security. But knowing the facts will help you to keep your systems secure. Here are some answers to these myths.
  http://www.linuxsecurity.com/content/view/121980

* Countering Cyber Terrorism
  20th, March, 2006
  Still using that tired and worn out password to log onto your PC? Is your mother's maiden name still the main prompt you use to log on and check your credit card statement? Worried that the PIN number you use to access your online banking is the same PIN you've given the children to access the Sky Digibox? You should be. The fact is that as individuals, we are not doing enough to guarantee user authentication. And if you think that's bad, the situation in organisations is even worse.
  http://www.linuxsecurity.com/content/view/121978

* Advances In Fingerprinting Could Bolster Network Security
  23rd, March, 2006
  New technology for matching fingerprints for security purposes is proving about as reliable as but much more efficient than traditional techniques, according to a new study by the National Institute of Standards and Technology. NIST studied the use of "minutiae templates," which are mathematical representations of full-blown fingerprint images that are seen as being much easier for vendors of biometric security systems to exchange with each other. The study involved use of a new standard for minutiae data that makes data exchange simpler than with proprietary techniques for converting fingerprint images to minutiae data.
  http://www.linuxsecurity.com/content/view/122069

* Digging Security Tunnels With Spoons
  24th, March, 2006
  One of the biggest complaints I hear about security is the associated operational overhead. IT personnel are constantly adjusting multiple technologies in an effort to provide access to the good guys while locking out the bad guys. If you want to see a metric of this behavior in action, look no further than your network Access Control List (ACL) rules.
  http://www.linuxsecurity.com/content/view/122083

* HLBR - Hogwash Light BR
  20th, March, 2006
  HLBR is a Brazilian project, started in November 2005, as a fork of the Hogwash project (started by Jason Larsen in 1996). This project is devoted to security in computer networks. HLBR is an IPS (Intrusion Prevention System) that can filter packets directly in layer 2 of the OSI model (so the machine doesn't even need an IP address).
  http://www.linuxsecurity.com/content/view/121995

* Detecting Botnets Using a Low Interaction Honeypot
  23rd, March, 2006
  This paper describes a simple honeypot using PHP and emulating several vulnerabilities in Mambo and Awstats. We show the mechanism used to 'compromise' the server and to download further malware.
This honeypot is 'fail-safe' in that when left unattended, the default action is to do nothing . though if the operator is present, exploitation attempts can be investigated. IP addresses and other details have been obfuscated in this version. http://www.linuxsecurity.com/content/view/122064 * SOURCEFIRE AND CHECK POINT ANNOUNCE MUTUAL WITHDRAWAL FROM THE CFIUS PROCESS 24th, March, 2006 Sourcefire, Inc., the world leader in intrusion prevention, today announced that, with the consent of the US government, Sourcefire and Check Point Software Technologies have opted to withdraw their merger filing with the Committee on Foreign Investment in the United States (CFIUS). Sourcefire will continue to operate as the industry's largest private Intrusion Prevention System (IPS) vendor. http://www.linuxsecurity.com/content/view/122082 * Detecting Botnets Using a Low Interaction Honeypot 26th, March, 2006 This paper describes a simple honeypot using PHP and emulating several vulnerabilities in Mambo and Awstats. We show the mechanism used to 'compromise' the server and to download further malware. This honeypot is 'fail-safe' in that when left unattended, the default action is to do nothing though if the operator is present, exploitation attempts can be investigated. IP addresses and other details have been obfuscated in this version. http://www.linuxsecurity.com/content/view/122088 * OS X Sudo vs. Root: The Real Story 22nd, March, 2006 What are you really gaining by using sudo in the default Mac OS X configuration? First, you gain some comfort that nobody can login as root, either locally or remotely via SSH or FTP and tamper with your machine. Second, you get a log entry in /var/log/system.log every time sudo is used showing you who used it and what command was executed. These appear good enough reasons to endure the slight inconvenience of using sudo. 
http://www.linuxsecurity.com/content/view/122033

* Many Data Centers Still Have No Risk Management Plan
22nd, March, 2006

Business technology managers are facing tough challenges as data centers grow larger and more complex. More than 75% of all companies have experienced a business disruption in the past five years, including 20% who say the disruption had a serious impact on the business, according to a recent survey of data center managers. Despite the critical nature of data center operations to business, nearly 17% reported they have no risk management plan, and less than 5% have plans that address viruses and security breaches.

http://www.linuxsecurity.com/content/view/122038

* Is Your DR Plan Vulnerable to an Attack?
24th, March, 2006

Sorry, I have to do this. I have to rant. Here's what I have to get off my chest. News item: "DHS Scores F on Cybersecurity Report Card." Last week, a congressional oversight committee gave the U.S. Department of Homeland Security a failing grade on its annual cybersecurity report card. Congress says that when it comes to protecting the country's data infrastructure -- an entity that in itself has become critical to the continued functioning of the U.S. economy -- the DHS is a D-U-N-C-E. Appalling.

http://www.linuxsecurity.com/content/view/122086

* Finding Security's Next 'American Idol'
21st, March, 2006

It's like an "American Idol" for security geeks. Students at the Georgia Institute of Technology prep, sweat and show their stuff while a panel of critics decides their fates. But unlike the popular "reality" TV show, judges aren't determining who can best carry a tune. Instead they weigh students' ideas for making information security more user-friendly, with $50,000 -- enough cash to fund a project for 12 months -- hanging in the balance.

http://www.linuxsecurity.com/content/view/122026

* Bringing Botnets Out of the Shadows
22nd, March, 2006

Nicholas Albright's first foray into some of the darkest alleys of the Internet came in November 2004, shortly after his father committed suicide. About a month following his father's death, Albright discovered that online criminals had broken into his dad's personal computer and programmed it to serve as part of a worldwide, distributed network for storing pirated software and movies.

http://www.linuxsecurity.com/content/view/122040

* Social engineering reloaded
22nd, March, 2006

The purpose of this article is to go beyond the basics and explore how social engineering, employed as technology, has evolved over the past few years. A case study of a typical Fortune 1000 company will be discussed, putting emphasis on the importance of education about social engineering for every corporate security program.

http://www.linuxsecurity.com/content/view/122032

* Forgotten password clues create hacker risk
23rd, March, 2006

Security flaws in the "forgotten password" feature of ecommerce websites leave half the UK's online retailers open to attack, according to security consultancy SecureTest. It warns that the log-in process of many transactional websites can be subverted by a "brute force" or enumeration attack. In a survey of 107 popular online retail websites in the UK, SecureTest found that 54 of the sites (or 50.5 per cent) are potentially vulnerable to this type of hack attack.

http://www.linuxsecurity.com/content/view/122061

* Opinion: What a year it's been for e-crime
23rd, March, 2006

Looking back at the past year, it seems the security threats to businesses are only becoming more pervasive and more costly, says Simon Moores. In two weeks' time, leaders of the global law-enforcement, finance and online business communities will assemble in London for the annual e-Crime Congress. In the 12 months since they were here last, we've seen the financial services industry under almost constant Trojan horse attack, denial of service attacks increase by 50 per cent and phishing and identity theft attempts approach eight million per day, according to security company Symantec.

http://www.linuxsecurity.com/content/view/122063

* Security Czar
23rd, March, 2006

In this column Scott Granneman takes the role of dictator of the security world and presents his ideas about mandatory reforms that would improve security for millions of people.

http://www.linuxsecurity.com/content/view/122066

* Enterprise Security Threats Increasingly Come from Within
24th, March, 2006

While protecting corporate networks from outside intrusion remains a huge challenge for enterprise IT professionals, some experts contend that efforts to better police internal behavior and manage security policies have become every bit as important. Enterprises searching for the answers to their security problems should increasingly take a closer look at their internal operations before blaming outside threats, according to experts participating in an online IT security conference.

http://www.linuxsecurity.com/content/view/122076

* IT Confidential: Choose Your Intrusion: Who's Your Friend?
20th, March, 2006

I'm as big a fan of government intrusion as the next person, but things may have gotten a little out of hand lately. Take last week's legal contretemps between the Justice Department and Google. Forget for a minute that Google really faces no downside by refusing the government's request to turn over search data. Even if Google loses the case and has to turn over some (truncated) amount of (very general) information about a (random) selection of searches, it still wins in the court of public opinion as a defender of personal privacy. As my colleague Chris Murphy put it, Google should take the court costs out of its marketing budget.
http://www.linuxsecurity.com/content/view/121984

* The Future of Privacy = Don't Over-empower The Watchers
20th, March, 2006

I blog a lot about privacy, anonymity and censorship, mainly because I feel not just concerned, but obliged to build awareness on the big picture the way I see it. Moreover, I find these interrelated and excluding any of these would result in missing the big picture, at least from my point of view.

http://www.linuxsecurity.com/content/view/121999

* Security: A Continuing Federal Challenge
21st, March, 2006

The latest FISMA scorecards are out, with the grades for different agencies' efforts in the computer security arena. Amazingly, the overall grade--for all 24 major agencies in the federal government--has moved not a notch. Last year's D+ remains intact. For those who may be new to FISMA Fun, it works more or less like this: the General Accounting Office (GAO) and the Office of Management and Budget (OMB) ask each major agency's Inspector General (IG) to submit an independent report about computer security based on numerous guidelines and scoring criteria.

http://www.linuxsecurity.com/content/view/122028

* US turns to tech to shore up its ports
23rd, March, 2006

Airport screeners are using new technology to find explosives instead of hunting for tweezers, Department of Homeland Security secretary Michael Chertoff said on Friday.

http://www.linuxsecurity.com/content/view/122062

* Trojan Cryzip Extorts Decryption Fee
18th, March, 2006

A Trojan making the rounds encrypts victims' files and demands a $300 payment to have them decrypted and unlocked, according to a report by security firm Lurhq Threat Intelligence Group. This so-called "ransomware" Trojan, dubbed Cryzip, is the second of its type to emerge in the past 10 months, following the PGPcoder Trojan. It also is the third such Trojan to appear since 1989.

http://www.linuxsecurity.com/content/view/121976

* The effective response to computer crime
21st, March, 2006

The attraction of computer-based crime is obvious. Twenty years ago corporate spies would find it difficult to steal the entire contents of a filing cabinet, but today they can take far more by slipping a disc into their pocket or e-mailing data to an online electronic swag bag. It is much easier to steal, leak, manipulate or destroy electronic data. But just as in the physical world, cyber-criminals leave their electronic fingerprints all over a digital crime scene.

http://www.linuxsecurity.com/content/view/122010

* Getting Paid For Getting Hacked
21st, March, 2006

In the middle of February, Time Magazine ran a great article on Cyberinsurance or "Shock Absorbers", and I feel this future trend deserves a couple of comments, from the article: "As companies grow more dependent on the Internet to conduct business, they have been driving the growing demand for cyber insurance. Written premiums have climbed from $100 million in 2003 to $200 million in 2005, according to Aon Financial Services Group.

http://www.linuxsecurity.com/content/view/122019

* Lost Ernst & Young laptop exposes IBM staff
22nd, March, 2006

Ernst & Young has lost another laptop containing the social security numbers and other personal information of its clients' employees. This time, the incident puts thousands of IBM workers at risk.

http://www.linuxsecurity.com/content/view/122034

* The effective response to computer crime
24th, March, 2006

The attraction of computer-based crime is obvious. Twenty years ago corporate spies would find it difficult to steal the entire contents of a filing cabinet, but today they can take far more by slipping a disc into their pocket or e-mailing data to an online electronic swag bag.

http://www.linuxsecurity.com/content/view/122075

* Are You Liable If Someone Does Something Illegal On Your WiFi?
21st, March, 2006

For years, whenever the press has written one of their fear-mongering stories about open WiFi, they almost always include some tidbit about how if someone uses your network to do something illegal, you can be arrested for it. It's one of the popular open WiFi horror stories -- but is it true? Well, of course, you can be arrested, but it's unlikely that there would be any legal grounds for the arrest.

http://www.linuxsecurity.com/content/view/122027

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Tue Mar 28 01:18:36 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 28 Mar 2006 00:18:36 -0600 (CST)
Subject: [ISN] S'kiddies get into spyware for just $15
Message-ID:

http://www.theregister.co.uk/2006/03/27/spyware_diy/

By John Leyden
27th March 2006

A Russian website is selling a DIY spyware kit, called WebAttacker, for around $15 a throw. The site, which proudly boasts of its creator's credentials in the scumware industry, also offers technical support to potential buyers.

The kits come in a script kiddie friendly form with code designed to make the task of infecting computers a breeze. All the buyers need do is send spam messages inviting potential marks to visit a compromised website.

Spam samples trapped by internet security firm Sophos use newsworthy topics to lure unwary users. One presents itself as a warning about the deadly H5N1 bird flu virus, providing links to the bogus website, purporting to offer health advice. Another plays on claims that Slobodan Milosevic was murdered.

Surfers visiting these websites will find themselves exposed to JavaScript code that attempts to take advantage of known web browser and Windows vulnerabilities to download malware.
The exploit downloads a program that attempts to turn off the firewall and install malware, generally a password stealer, keylogger or a banking Trojan [1].

"This type of behaviour is inviting the return of script-kiddies," said Carole Theriault, senior security consultant at Sophos. "By simplifying the task of the potential hacker for a mere tenner, sites like this one will attract opportunists who aren't necessarily very skilled and turn them into cyber-criminals."

[1] http://www.sophos.com/virusinfo/analyses/trojdloadradu.html

From isn at c4i.org Tue Mar 28 01:18:49 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 28 Mar 2006 00:18:49 -0600 (CST)
Subject: [ISN] Offshore outsourcing cited in Florida data leak
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,109938,00.html

By Robert McMillan
MARCH 26, 2006
IDG NEWS SERVICE

Florida state employees are being warned that their personal information may have been compromised after work on the state's People First payroll and human resources system was improperly subcontracted to a company in India.

Employees who worked for the state during the 18-month period between Jan. 1, 2003, and June 30, 2004, may be affected, according to an e-mail message sent to all state employees on March 16.

The state's Department of Management Services (DMS), which oversees the People First system, estimates that 108,000 current and former state employees may be affected by the data breach, although that estimate could change as the department's investigation into the matter continues.

The e-mail was sent after a subcontractor of outsourcing service provider Convergys Corp. improperly allowed subcontractors in India to index state personnel files, said DMS spokeswoman Tiffany Koenigkramer. The offshoring was done as part of Convergys's nine-year, $350 million contract to manage the state's personnel work.

Convergys had subcontracted the indexing work to GDXdata Inc., in Denver, which itself turned to a subcontractor in India, a violation of the GDXdata contract with Convergys, the DMS said. Convergys has since cancelled its contract with GDXdata, the agency said.

Convergys said the offshore work was done without its knowledge. "Convergys was misled by GDX, one of several subcontractors hired to perform work for the state of Florida," the company said in a statement.

The offshore work was made public in late December, when documents were unsealed in a "whistle-blower" lawsuit brought against GDXdata by two former employees.

The DMS is investigating the matter, but it has so far detected "no known cases of credit fraud or identity fraud that resulted from this work," Koenigkramer said.

"It is common today for businesses and even government to use offshore companies," the DMS March 16 e-mail states. "However, the use of offshore services in this case was inappropriate and unacceptable."

Convergys and the DMS expect to provide affected employees with a credit-protection plan this week, Koenigkramer said.

That is not enough for one of the state's public-employee unions, which is calling for an end to the Convergys deal and saying that the People First system has been mismanaged. "We want this thing killed," said Doug Martin, communications director at the American Federation of State, County and Municipal Employees, Council 79. "This is a joke, and the sad thing is, we're paying for it."

State Sen. Walter "Skip" Campbell, a Democrat who would also like to see the contract pulled, called the outsourcing a "critical security breach," in part because it inappropriately exposed sensitive information about the state's law enforcement agents. "We don't know how far the dissemination of this information has gone," he said.

Based in Cincinnati, Convergys is a provider of billing, customer service and human resources outsourcing services. It reported $2.5 billion in revenue last year, according to the company's Web site.

A spokeswoman for GDXdata declined to comment for this story.

From isn at c4i.org Tue Mar 28 01:17:40 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 28 Mar 2006 00:17:40 -0600 (CST)
Subject: [ISN] Radioactive matter gets into U.S. in test
Message-ID:

http://www.sacbee.com/24hour/politics/story/3242550p-11996962c.html

By LIZ SIDOTI
Associated Press Writer
March 27, 2006

WASHINGTON (AP) - Undercover investigators slipped radioactive material - enough to make two small "dirty bombs" - across U.S. borders in Texas and Washington state in a test last year of security at American points of entry.

Radiation alarms at the unidentified sites detected the small amounts of cesium-137, a nuclear material used in industrial gauges. But U.S. customs agents permitted the investigators to enter the United States because they were tricked with counterfeit documents.

The Bush administration said Monday that within 45 days it will give U.S. Customs and Border Protection agents the tools they need to verify such documents in the future.

The Government Accountability Office's report, the subject of a Senate hearing Tuesday, said detection equipment used by U.S. customs agents to screen people, vehicles and cargo for radioactive substances appeared to work as designed. But the investigation, carried out simultaneously at both border crossings in December 2005, also identified potential security holes terrorists might be able to exploit to sneak nuclear materials into the United States.

"This operation demonstrated that the Nuclear Regulatory Commission is stuck in a pre-9/11 mind-set in a post-9/11 world and must modernize its procedures," Sen. Norm Coleman, R-Minn., said Monday in a statement.

The NRC, in charge of overseeing nuclear reactor and nuclear substance safety, challenged that notion.
"Security has been of prime importance for us on the materials front and the power plant front since 9/11," commission spokesman David McIntyre said in an interview.

The head of the Homeland Security Department's Domestic Nuclear Detection Office, Vayl Oxford, said the substance could have been used in a radiological weapon with limited effects.

A Senate Homeland Security subcommittee, which Coleman leads, released details of the investigation and two GAO reports on radiation detectors and port security before hearings on the issues this week.

The GAO, the investigative arm of Congress, also found that installation of radiation detectors is taking too long and costing more money than the U.S. expected. It said the Homeland Security Department's goal of installing 3,034 detectors by September 2009 across the United States - at border crossings, seaports, airports and mail facilities - was "unlikely" to be met and said the government probably will spend $342 million more than it expects.

Between October 2000 and October 2005, the GAO said, the government spent about $286 million installing radiation monitors inside the United States.

To test security at U.S. borders with Mexico and Canada, GAO investigators represented themselves as employees of a fake company. When stopped, they presented counterfeit shipping papers and NRC documents that allegedly permitted them to receive, acquire, possess and transfer radioactive substances.

Investigators found that customs agents weren't able to check whether a person caught with radioactive materials was permitted to possess the materials under a government-issued license.

"Unless nuclear smugglers in possession of faked license documents raised suspicions in some other way, CBP officers could follow agency guidelines yet unwittingly allow them to enter the country with their illegal nuclear cargo," a report said. It described this problem as "a significant gap" in the nation's safety procedures.

Jayson Ahern, the assistant customs commissioner for field operations, said a system for customs agents to confirm the authenticity of government licenses will be in place within 45 days.

Ahern noted the radiation detectors had sounded alarms. "We're pleased when a test like this is able to demonstrate the efficacy of our technology," Ahern said.

False radiation alarms are common - sometimes occurring more than 100 times a day - although the GAO said inspectors generally do a good job distinguishing nuisance alarms from actual ones. False alarms can be caused by ceramics, fertilizers, bananas and even patients who have recently undergone some types of medical procedures.

At one port - which investigators did not identify - a director frustrated over false alarms was worried that backed-up trains might block the entrance to a nearby military base until an alarm was checked out. The director's solution: simply turn off the radiation detector.

Associated Press writer Ted Bridis contributed to this report.

--
On the Net:
Customs and Border Protection: http://www.cbp.gov/
Government Accountability Office: http://www.gao.gov/

From isn at c4i.org Tue Mar 28 01:19:02 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 28 Mar 2006 00:19:02 -0600 (CST)
Subject: [ISN] Palm Beach County schools learn tough lesson: Hackers can always break in
Message-ID:

http://www.sun-sentinel.com/news/local/palmbeach/sfl-pgrades27mar27,0,2175689.story?coll=sfla-news-palm

By Marc Freeman
South Florida Sun-Sentinel Education Writer
March 27 2006

Despite numerous measures to protect its computer network and prevent hacking, Palm Beach County schools appear to be a victim again.

A recent breach under police investigation -- possible grade changing by several students -- adds to a growing number of attacks on seemingly defenseless schools and colleges across Florida and the country.

The sobering reaction among national experts and educators: Students and employees who want to cheat or attack computer networks are likely to be successful, regardless of high-tech security features and repeated warnings to abide by the rules.

"It's going to happen more," warns Greg Lindner, director of technology for the 60,000-student Elk Grove Unified School District, near Sacramento, Calif.

During the past two years, Elk Grove high school students hacked into computers in three incidents, stealing personal information and changing grades of three-dozen other students. The violators used illegal hacking software and keystroke-recording devices.

"It captures [user] log-ins, their passwords, everything," said Lindner, who hopes recent network enhancements are more effective at blocking would-be hackers.

Palm Beach County School District administrators declined to discuss details about their ongoing inquiry, but last week, in response to a request under the state open-records law, released confidential reports outlining their computer-security programs and procedures.

"We don't go out and publicize what we do and what we don't do for obvious reasons," said Linda Mainord, district chief technology officer. "We are trying to use best practices as associated with a large computer installation."

In April, administrators produced a plan outlining investigative and other security procedures to use after an incident. The blueprint followed the case of a high school student from Palm Beach Gardens who hacked into the district's computer systems in December 2003 and January 2004.

Besides the incident-response guide, the district's Information Technology department oversees 19 ongoing computer-security projects, aimed at preventing attacks, documents show. In another proactive measure, the district requires all of its computer users to sign a form promising to avoid improper activity.
In the schools, character-building lessons and behavior programs are aimed at preventing abuses, which helps curtail cheating and possibly computer hacking, district spokesman Nat Harrington said.

"Everybody knows what the expectations are," he said. "Everybody knows what the consequences are. That has cut down on a lot of incidents."

The district's measures to prevent computer crimes appear to follow strict guidelines recommended by the International Society for Technology in Education, a Washington, D.C., nonprofit organization that advocates expanding technology in schools.

Leslie Conery, the group's deputy chief executive officer, said school systems must develop and promote policies regulating the acceptable use of computers. Second, the schools need to have an action plan for what steps to take after an incident, including how to conduct investigations and potential punishments for offenders.

In June, Palm Beach County prosecutors dismissed a computer-offense charge against Ryan Duncan, the former student from Palm Beach Gardens caught breaching the district's network. Officials said he avoided the prospect of jail time because he did not attempt to crash the system or change grades. As part of a plea deal, he agreed to produce a video touting the evils of hacking, pay $2,025 in restitution and write an apology letter.

While computer security is essential, it's also critical to convince cheaters they shouldn't cheat in the first place, said Timothy Dodd, executive director for The Center for Academic Integrity at Duke University in Durham, N.C.

"A kid with computer skills with a conscience is not going to hack into a transcript," said Dodd, whose organization helps college and secondary-school educators stop "academic dishonesty."

Dodd blames society for leading some students to hack away without fearing the consequences. There are "a terrible set of messages to students to do whatever it takes to get ahead," he said. "We want to fashion the mission that behavior with honesty matters."

Still, student computer hackers have been refining their illicit skills ever since the 1983 film War Games. The problem has intensified in recent years as teachers and administrators began using online software to enter student grades and test scores.

"It's a challenge we've dealt with forever," Palm Beach County Schools Superintendent Art Johnson said.

Copyright © 2006, South Florida Sun-Sentinel

From isn at c4i.org Tue Mar 28 01:19:14 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 28 Mar 2006 00:19:14 -0600 (CST)
Subject: [ISN] GAO: Security accreditation program a tough sell
Message-ID:

http://www.fcw.com/article92750-03-27-06-Web

By Michael Arnone
Mar. 27, 2006

The federal government's program for testing and accrediting the security of commercial technology has not been proven a success, according to a report by the Government Accountability Office.

The National Information Assurance Partnership (NIAP), which is sponsored by the National Security Agency and the National Institute of Standards and Technology, was created to make it easier for agencies to find products that meet basic industry standards for security.

NIAP officials are responsible for implementing the Common Criteria Evaluation and Validation Scheme, a rigorous set of security tests that adhere to international standards. Officials provide technical guidelines to commercial laboratories that conduct tests on the products vendors submit. Once approved, a product is listed on the NIAP Web site [1].

Unfortunately, agencies often find that the products they need are not on the list or that only older versions have been accredited, GAO's report states.

The program has other problems, auditors said. Nearly 10 years after NIAP debuted, vendors still don't know much about the evaluation process. And the number of qualified validating experts has dropped in the past year, which could lead to delays in evaluations.

On a more fundamental level, NIAP program managers have not established metrics by which to measure the program's effectiveness, GAO's report states. For example, they have not collected data on the findings, flaws and fixes that resulted from NIAP testing.

The NIAP accrediting process does provide some benefits to the organizations that use it, the report states. It can improve agencies' confidence that products will work as promised, and vendors can fix flaws identified during the independent testing and evaluation.

The process can also make life easier for vendors and agencies because it allows a broader range of international products, the report states. It can also improve the processes vendors follow when developing new products.

The report made two recommendations to help remedy existing problems. The first would have Defense Secretary Donald Rumsfeld order NSA and NIST to develop workshops for agencies and vendors participating in the NIAP program, the report states.

The Defense Department should also think about collecting, analyzing and reporting metrics on how effective NIAP tests and evaluations are, the report states. The metrics could include summaries of findings, flaws and fixes.

Priscilla Guthrie, DOD's deputy chief information officer, agreed only partially with the report's first recommendation. In a response letter to GAO, she agreed that improving awareness and training is important. However, she added that both NIST and DOD have cut support for NIAP to fund other priorities, making it impossible to allot extra money to such efforts.

DOD should instead direct partner vendors, evaluation laboratories and industry associations to create workshops using existing resources, Guthrie said. They should also bring in help from outside organizations, she added.

She agreed fully with the report's second recommendation.
She said NIAP has been collecting such metrics since 2004 and is developing a template for an end-of-evaluation report that will review all changes to products and vendor procedures throughout the evaluation process.

[1] http://niap.nist.gov/cc-scheme/vpl/vpl_type.html

From isn at c4i.org Wed Mar 29 03:35:29 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 29 Mar 2006 02:35:29 -0600 (CST)
Subject: [ISN] eEye issues workaround against unpatched IE flaw
Message-ID:

http://www.theregister.co.uk/2006/03/28/eeye_ie_workaround/

By John Leyden
28th March 2006

Security firm eEye Digital Security has released a temporary fix to protect Windows users against an unpatched vulnerability in Internet Explorer.

The critical vulnerability, which involves the way IE handles HTML Objects, affects even fully patched Windows XP systems. Exploits allow hackers to commandeer vulnerable machines by tricking surfers into visiting websites containing malicious code.

Users are advised to disable Active Scripting from within Internet Explorer as a workaround pending the arrival of a patch from Microsoft, expected on Tuesday, 11 April. Disabling Active Scripting might prove problematic in some environments, however, so eEye has stepped in to fill the breach with a temporary workaround.

"Users can protect themselves by manually making configuration changes, but eEye realises that not all organisations can take those steps. As a result, organisations should only install this patch if they are not able to disable Active Scripting as a means of mitigation," eEye cofounder and chief hacking officer Marc Maiffret said.

eEye stresses that its workaround shouldn't be seen as a substitute for a fully tested patch, but will provide "immediate protection in lieu of an available fix". "In fact, eEye has engineered the patch to automatically remove itself when Microsoft's official patch comes through," Maiffret added.

From isn at c4i.org Wed Mar 29 03:39:40 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 29 Mar 2006 02:39:40 -0600 (CST)
Subject: [ISN] Alleged expense violations by state official
Message-ID:

http://www.nevadaappeal.com/article/20060325/NEWS/103250082

Geoff Dornan
Appeal Capitol Bureau
March 25, 2006

The Department of Information Technology's chief of security is on administrative leave pending an investigation of a trip he took on state business to Denver, Colo.

Randy Potts has gone to a number of meetings to deal with cyber-security and homeland security issues in his position charged with protecting the security of state computer systems. The trip was authorized by Terry Savage, head of the department.

His reimbursement claim dated Dec. 27, 2005, states he was in Denver "for Homeland Security meeting" from Nov. 28 until Dec. 2, 2005. Potts requested $994.80 in expenses plus $762.39 for airfare - a total of $1,757.19. The payment was authorized by Savage on Jan. 31 this year.

But questions have been raised as to whether there was a homeland security meeting in Denver on those dates.

Potts submitted a two-page memo to Savage about the trip, citing his attendance at the Colorado Information Management Commission and meetings with Colorado's chief information security officer and other officials. The memo doesn't mention anything about a homeland security meeting and, according to the Colorado Information Management Commission's Web site, it meets the third Friday each month, which would have put its November meeting on Nov. 18, not Nov. 28.

Colorado homeland security department and information technology officials who could resolve the question were not available Friday. One spokesman there said he couldn't remember any such meeting offhand, but that if Colorado didn't sponsor a conference, it could have been held by the Multi-state Information Sharing and Analysis Center.

Officials at that organization didn't respond to an e-mail inquiry, but Potts made no mention of the organization in his report to Savage.

The issue was turned over to the Nevada Attorney General's Office because of allegations the meeting was fictitious. Investigators seized expense records from the information department last week and interviewed Potts in an attempt to resolve the case.

Attorney General George Chanos refused to confirm whether there was an investigation underway, saying his office doesn't comment even as to the existence of a probe.

Director Terry Savage said he, too, would be unable to comment as it would be a personnel matter. He confirmed, however, that Potts has been placed on administrative leave.

Savage said Potts has done "an excellent job" improving the security of Nevada's state computer systems and networks over the past three years.

Potts could not be reached for comment.

From isn at c4i.org Wed Mar 29 03:39:54 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 29 Mar 2006 02:39:54 -0600 (CST)
Subject: [ISN] Gov't pays ESU students $100K toward cyber security
Message-ID:

http://www.poconorecord.com/apps/pbcs.dll/article?AID=/20060328/NEWS/603280321/-1/NEWS

Dan Berrett
Pocono Record Writer
March 28, 2006

EAST STROUDSBURG - East Stroudsburg University is fortifying the line of defense that protects cyberspace.

ESU's computer science department, which launched the nation's first undergraduate major in computer security, announced earlier this month that five of its computer security students had received a total of $105,000 in scholarship money from the U.S. Department of Defense.

"We really have to grow talent by means of scholarships," said Richard Amori, chairman of the school's computer science department. "This was an opportunity to provide opportunities to students and fill a national need. We're very vulnerable as a society."
Cyber-security experts like Amori worry that terrorists will use computers to amplify the effects of their next attack. Here's an example: After terrorists flew airplanes into the World Trade Center on Sept. 11, 2001 and the media spread the news, what would have happened if the attackers used computers to shut off cell phones and other communications around New York City? "You would have seen absolute panic," said Glenn Watt, president and CEO of Backbone Security, a computer security firm in East Stroudsburg. After all, computer networks support every sector of the American economy: energy, transportation, finance, public health, emergency services, water, food and shipping, among others. And networks extend beyond cyberspace to control such terrorist targets as trains, pipelines, chemical vats and radar. Experts also worry that a few hackers can disrupt the lives of citizens, the transactions of companies and the affairs of whole sections of the government. "A small group of people can cause tremendous damage," said N. Paul Schembari, director of the school's computer security program. Watt has already experienced one hacker's effect on the government. As director of cyber-security for Langley Air Force Base in Virginia, Watt saw the base's servers disrupted for three days in 1998 by a hacker, based in Estonia, who was sending 60,000 spams per second. For those three days, the base couldn't order fuel or replacement parts. "There's a whole array of things we do on the Internet that just came to a screeching halt," said Watt. "I think it's a very interesting time to be doing this post-9/11," said Matt Davis, 22, of East Stroudsburg, one of the scholarship recipients. Davis and fellow seniors, Jess Meyer, 21, of Stroudsburg, Jason Goss, 21, of Marshalls Creek and Brian Diana of Pocono Mountain, received $20,000 per year. Joe Smith, 24, a graduate student from Bally, received $25,000. 
The money covers ESU's in-state tuition and expenses of about $11,200 per year, with money left over for a stipend so they can concentrate on school. For example, Goss said the money allowed him to pay off $8,000 in credit card bills and his student loans, and to stop working full time at a local office supply store. In exchange for each year's worth of scholarship money, the students must commit to working at the Department of Defense after they graduate. Some have already begun interning there. "A lot of us knew more than they did," said Smith, describing what he found as an intern. He said ESU's preparation in intrusion detection systems was particularly valuable. ESU's students cleared a field of 400 nationwide applicants for the scholarships. And, while many award recipients had to be certified by Defense, ESU's students were automatically cleared because of the school's high internal standards; ESU is one of 67 schools designated by Defense as a center of excellence. From isn at c4i.org Wed Mar 29 03:35:16 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 29 Mar 2006 02:35:16 -0600 (CST) Subject: [ISN] Lenovo rejects security concerns over U.S. gov't contract Message-ID: http://www.computerworld.com/mobiletopics/mobile/laptops/story/0,10801,109941,00.html By Sumner Lemon MARCH 26, 2006 IDG NEWS SERVICE Lenovo Group Ltd. today rejected an assertion that the use of its PCs by the U.S. State Department would be a threat to U.S. national security and said it welcomed an inquiry into the matter. Last week, members of the U.S. China Economic and Security Review Commission reportedly voiced concerns that Lenovo's involvement in the $13 million contract to upgrade the department's computers was a threat to national security and would allow the Chinese government to spy on the State Department. The concerns follow an uproar in the U.S. over the management of port operations in several major cities by a United Arab Emirates-owned company. 
That company eventually agreed to give up those operations. The State Department contract was awarded to CDW Government Inc., of Vernon Hills, Illinois. "Lenovo's participation in the CDW contract, its ownership, and the sourcing of the units were all disclosed and discussed with the State Department, and the national security implications of Lenovo's ownership of IBM's PC division were exhaustively reviewed last year," Lenovo said in an e-mail. "While we think another exhaustive investigation is unnecessary, we very much want to make sure the facts are understood," the company said. Lenovo disputed the assertion that its computers would make the State Department vulnerable to spying by the Chinese government. "Lenovo products sold to U.S. government customers all have been certified for security and integrity as required to qualify for government procurement," it said. CDW was awarded three contracts as part of the State Department's Global Information Technology Modernization program. The contracts include a deal to provide more than 15,000 Lenovo ThinkCentre M51 desktops and large-format LCD (liquid crystal display) monitors worth around $11.7 million. The company will also supply 1,000 ThinkCentre M51 mini-tower PCs with support for Gigabit Ethernet connections, high-performance removable hard drives, and LCD monitors worth around $1.4 million. These PCs are being delivered to the State Department over a period of six months, with around 500 systems arriving each week, CDW said.

From isn at c4i.org Wed Mar 29 03:40:10 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 29 Mar 2006 02:40:10 -0600 (CST) Subject: [ISN] Lundquist's Guide To Not Getting Fired for Losing Your Laptop Message-ID: http://www.eweek.com/article2/0,1895,1943208,00.asp By Eric Lundquist March 27, 2006

Opinion: Keeping your sensitive data off your laptop can help you keep your job. Follow these rules and guidelines to avoid becoming another in the long line of recent data theft victims.
How often do we have to read about someone losing a laptop with a bunch of client data? I've included some links to recent stories: Stolen Fidelity Laptop Exposes HP Workers and Lost Fidelity Laptop Stirs Fear of ID Theft. Stop and think for a second. You are a high-powered road warrior jetting around the world making lots of complex but incredibly lucrative financial deals. You lose your laptop with all that important information. You have to call your boss back at the home office. Your next job involves asking customers if they want the large or the super-jumbo Slurpee. What follows is my guide to keeping from being a professional Slurpee machine operator for the rest of your career. The most important rule: 1. You will get fired for losing your data, but you will not get fired for losing your laptop. Well, maybe you will get fired for losing your laptop; I don't know your company's policies. But I do know I have never heard about a company being forced to make a public announcement because an employee lost a laptop. I have read lots of stories about companies being forced to announce they lost customer data. In this age of endless regulation, this public shaming will only increase. You don't want to be the one stuck in the laptop pillory. Therefore, remember: If the customer data does not exist on your laptop, it cannot be stolen from your laptop. Most articles on laptop security start backward. Here's how you can encrypt your data and your files. Here's how to change your BIOS. Here's how to etch and chain your laptop to the leg of the table. Here's how you can dismantle your infrared port. Here's how to secure your USB ports. I'll get into all of those, but the safest way to keep you from being a Slurpee-lever puller is to not have the data on the laptop in the first place. If the data you are displaying or manipulating for your big-time financial deal really resides only at the corporate headquarters, then your laptop is in the clear. 
It is up to the IT security staff at HQ to figure out how to build a secure channel, provide user authentication and make sure the valuable data is being displayed but not downloaded. Not your problem. If you are the entire IT staff, then it is your problem, but, then again, you know who you are, which makes authentication a whole lot easier. Far greater minds than mine have worked at making thin clients fast, secure and reasonable in price. I think this year will see a big shift to this architecture based on security considerations alone. Citrix is a good place to start looking at and understanding thin-client computing. Also, Sun, with its Sunray strategy, and CA (in particular, its affiliation with Wyse Technologies) are committed to thin-client strategies. Microsoft is more conflicted in offering thin computing. This is a hot area of enterprise startups. On the hardware side, there are several diskless laptop offerings. The second most important rule: If you are not going to leave your data back at the company HQ, then divorce your data from your laptop. People used to do this with floppy disks. Now you can put your data with relative security on a USB drive that travels with you rather than traveling in your laptop. I'll answer the question, "What if my USB is stolen?" in a moment. But, first, a little divergence to talk about data and data storage. When people kept paper files in folders, they used to set up a hierarchy of storage. The files you used all the time but weren't confidential were readily available. The files you only used once in a while were shifted to some file cabinet in the storeroom. The files that were private but not super-confidential were kept in a locked cabinet. The files that really, really mattered and were confidential were kept locked away and had to be signed out and signed in and, often, read only in certain areas to keep you away from copy machines. Remember all those spy movies with the files and the tiny cameras? 
Laptop computers and the software that runs those machines often treated all files as one big heap of files that any user, once logged on, could peruse as their curiosity led them. This is changing, but it is still a hassle. The file might be secure, but the presentation made from the data might not be secure. The file might be secure, but the spreadsheet that links to the data might not be secure. This leads to the odd situation where the data might be secure, but the information created from the data is not secure. If the best answer (see rule number one) is to keep your data back at HQ, then the second-best answer is to keep your data divorced from your laptop. There are many ways to do this today, but most of them involve a storage device being attached to a laptop via a USB port. Those drives can be further protected by passwords and encryption. This is still a second-best answer, in my opinion. Passwords can be stolen and encryption can be defeated; although, at the point where someone is hacking your password and defeating your encryption, you are up against a professional data thief. But you are still way ahead of the game of leaving your data on your laptop. If you treat the USB drive as what it is: the only thing standing between riches and the Slurpee machine, you can lose the laptop and still keep the job. But all your private data and presentations, files and so on associated with that data all have to reside on that drive. You can always back up the data at HQ where backed-up data is supposed to reside. Get a special little case for your USB drive rather than keeping it in your pocket, and make sure the drive is in that case when it is not attached to your computer. The USB drive market may be the fastest changing tech business on the planet. You can get drives that require fingerprint authentication. You can get drives that shred the data after a certain number of password attempts. All those products are intriguing.
The better idea is to not lose the drive and to keep it separate from your laptop. Which gets us to the laptop. Your laptop is not secure and is an easy target for someone wanting to steal data or simply to steal your laptop. Your laptop isn't secure because it was never designed to be secure, and all the security features are bolt-ons added after the fact. That cool wireless connection always searching for the next Wi-Fi hot spot? Big hole. Those USB ports ready to accept all those nifty USB devices? They are ready to cough up your data. The password you always forget? The hackers are better guessers than you are and are more than ready to look over your shoulder. If you remember that your laptop is not designed to be secure, you will gain a lot more respect for rules 1 and 2. There is plenty you can do to make your laptop harder to hack, make your file folders more secure, make your files contain encrypted data and to shut down the easy access into your computer via all those nifty sockets. I'll go over those, but you should really read rules 1 and 2 again. A lost laptop is not a big deal if it doesn't have any confidential data on it. Try saying this, "Gee boss, somebody stole my laptop out of the hotel room while I was at dinner. What a bummer, but you should know first off that I made sure that all my data was (and here you can go off script) (1) safe back at the home office or (2) safe in the USB drive that I keep locked in the hotel safe." That is a far easier conversation to have. Here are some ways to secure your laptop: 1. Encrypt everything and make sure the encryption extends all the way back to before the system boots. I haven't tried it yet, but a product that intrigues me is from a company called WinMagic. The product is being incorporated into Toshiba notebooks in Japan. WinMagic is working with the Department of State on a Homeland Security project. 2. Make your Microsoft operating system password-protected and encrypted.
This is at least a minimum starting point. 3. Use password protection in general. You can have passwords for your BIOS (the stuff your computer needs to know before it starts), for your operating system, for your files and probably for just about any other part of your computer. If you rely on passwords for your sole source of protection, you might as well leave the system wide open. Passwords will deter the curious but will not deter the determined. Don't store your passwords on your computer. They are safer on a piece of paper in your wallet than in any electronic file. Don't assume a password that keeps you from starting up your computer also protects the data on a disk drive. You'd be surprised how easy it is to take a disk drive out of one computer, put it in another system and start reading files. 4. Lock up all those leaky ports. I think your first (and maybe your last) stop should be Safend. It was the first to bring to my attention over a year ago the vulnerabilities inherent in USB as well as Bluetooth wireless and all those other ports where data can flow. This company understands the problems associated with locking down the laptop.

From isn at c4i.org Wed Mar 29 03:40:21 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 29 Mar 2006 02:40:21 -0600 (CST) Subject: [ISN] Phishers Hack Bank Sites, Redirect Customers Message-ID: http://news.netcraft.com/archives/2006/03/27/phishers_hack_bank_sites_redirect_customers.html By Rich Miller March 27, 2006

Phishing scammers recently hacked the web sites of three Florida banks and redirected their customers to spoof pages, marking an apparent milestone in phishers' use of bank web sites to construct more credible frauds. Previous scams have managed to manipulate financial sites through cross-site scripting and cross-frame content injection, but didn't gain access to the server hosting the banks' site. Not so for the attack on Capital City Bank, Wakulla Bank and Premier Bank in northern Florida.
On March 14 hackers were able to break into the servers of ElectroNet, a Tallahassee, Fla. service provider which hosted the web sites for all three banks. The banks' main business URLs were redirected to identical spoof sites on offshore servers, which asked customers to provide their login details. The intrusion was detected about an hour after it started, ElectroNet CEO Allen Byington told the Tallahassee Democrat. Byington said that ElectroNet stores no confidential data on its computers and that the company was "working closely" with law enforcement agencies investigating the incident. The banks' sites were shut down for several days, and bank officials said the financial losses were "minimal," and that any customers who lost money were reimbursed by their respective banks. Since the attackers redirected bank customers to spoof sites hosted elsewhere, this type of attack could be detected by users of the Netcraft Toolbar, which displays the name and location of a site's hosting service.

From isn at c4i.org Wed Mar 29 03:40:43 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 29 Mar 2006 02:40:43 -0600 (CST) Subject: [ISN] Interview: Theo de Raadt of OpenBSD Message-ID: http://os.newsforge.com/os/06/03/20/2050223.shtml By: Manolis Tzanidakis March 28, 2006

Theo de Raadt is the project leader for OpenBSD, a Unix-like operating system. We spoke with Theo about the upcoming release of OpenBSD, 3.9, the financial state of the project, and about companies that profit from free software without contributing back. NewsForge: Hello Theo. Could you tell us a few things about yourself and your involvement in the OpenBSD project? Theo de Raadt: I have been the project leader for OpenBSD now for more than 10 years, and along the way I have had some good adventures with the developers in the group. We've developed some side projects as well, which are heavily used by everyone in the Unix world, such as OpenSSH.
NF: How many developers contribute to OpenBSD at the moment? TdR: Inside the project, the count has slowly grown. It was 40 in the early years, and now it is about 80. Of course, that is just counting internal developers. There are many more people on the outside who send us bug reports, fixes, or new code contributions. We also are able to take pieces of code from other sources if they are sufficiently free. But since internal developers have more responsibility -- they have really maintained the areas they are in -- the people on the outside really have an easier job, and should not envy the people on the inside. Instead, they should find a bug, write a fix, and send it in. When someone on the outside sends us many (good) bug fixes, we invite them to become a developer. NF: You regularly organize events called hackathons. What exactly is a hackathon? TdR: This is something we started many years ago. A bunch of us would fly to one location (typically before or after a conference) and we would sit down and code. These events really are about getting tasks done; there is very little chatter, as we already know basically what needs to be done. They are not meetings, no one presents talks, nor are they so-called summits. They are for taking action in the source tree, knowing that the guy you need to ask a question of really quickly is sitting at a table a meter away. NF: OpenBSD is considered one of the most secure operating systems currently available. What approaches do you take towards security? TdR: We've had 10 years of nearly fanatical devotion to anything which can make OpenBSD more secure. A very important part of that is that we have not been afraid to completely overhaul anything even if it breaks backward compatibility. Secondly, when we have found a flaw in any part of the system we have assumed that the same mistake was made elsewhere, and gone on a hunt to fix them all. 
Thirdly, we have developed and incorporated a collection of methods that make software flaws very difficult to attack. The important detail is that in all three of these areas we have not only been fanatical, but pretty much first. Other vendors are not treating their source code the way we treat ours -- with distrust, knowing that we should always actively churn it, so that it can slowly evolve into a better state. Someone on wikipedia has gone through a lot of effort to identify some of our security efforts, and there is the Exploit Mitigation Techniques paper which I have presented at a number of conferences. NF: Why should someone use OpenBSD instead of another operating system, besides security? TdR: I don't really take any position of advocacy. People should use what they want to, and I am not the right person to say anyone "should" do anything. But hey, if someone is adventurous, check it out. NF: A new stable version, 3.9, is about to be released on May 1. A complete changelog between 3.8 and 3.9 is available; would you comment on some of the new features of this release? Start with G5-based Mac support on macppc architecture. How well does it work at the moment? TdR: It works on some of the models. For some of the machines we have a strange bug in the Serverworks SATA chipset that we have not been able to fix yet. There is no documentation for that chipset, of course. NF: Hardware sensors support (ESM, IPMI, IIC) -- a useful feature, especially on servers. TdR: This has been a significant effort this release. These are three major subsystems that provide temperature, voltage, and fan sensor data. We have a unified system above that, that takes all this and makes it available to a daemon that can alert you when things go wrong. Regarding specifically the "i2c" subsystem: in the Linux world there is the lm-sensors package, which requires all sorts of hand-configuration for each specific machine.
In OpenBSD, we carefully probe for the devices, and it should just work, on every single PC, without any configuration. Thus, pretty much every OpenBSD 3.9 machine will have some sort of sensor now. We have more work to do now that 3.9 is released, since the sensor daemon is a bit weak for reporting events. We want to make it fantastic. NF: The new ftp-proxy -- why write a new FTP proxy daemon when the previous one worked fine? TdR: FTP is a nasty protocol to begin with, and trying to proxy it perfectly is a very difficult task. The new daemon just has a better design, and IPv6 works as well. NF: NFE, the Nvidia nForce MCP Ethernet adapter. How did you manage to write this driver? Is it reverse-engineered? TdR: Nvidia did not give anyone documentation. Instead, they expect people to load a gigantic blob of binary code into their kernel, and just be happy with that. Some Linux people in Germany reverse-engineered the driver years ago, but the rough story I heard is that Nvidia asked them to stop, and they did. This just astounds me! In any case, Jonathan Gray (who started this effort) asked for their help with a few problematic technical details, and they refused. I could not believe that, so I asked as well -- and they refused again. These are Linux developers, basically placing the community in a situation where they have to run a binary blob of unknown code from a vendor, instead of sticking to their guns about open source? I must admit, I just don't understand some people. They must have much more flexibility to their belief systems than I have. Damien Bergamini joined Jonathan toward the end and got all the bugs out of the driver. We are happy to say that it appears to be working better than the Nvidia binary blob. It is also significantly smaller, and it is very clean source code. 
NF: In the past there was a movement in the OpenBSD community to press hardware vendors to release documentation about their products (Ethernet and wireless network adapters, RAID controllers, etc.) so that drivers could be written for OpenBSD or other open source projects. Some vendors did release documentation, but others didn't. Why do you think vendors do that? They don't want their products to be supported on OpenBSD? TdR: There are always at least a few efforts in the project to get more documentation out of vendors. But some vendors are still incredibly resistant. We often run into vendors who have signed NDA agreements with Linux developers, who will then happily write a Linux driver filled with magic numbers, which only one developer in the world understands. Having signed the NDA ensured that Linux got a working driver, sure, but the internals are indistinguishable from magic. It cannot be fixed by anyone else, because it is full of secrets. It is a source code version of a blob. There are many reasons why vendors will not give information out. I believe that all their reasons are a lie to the customer. I can get nearly complete data books for the parts that are in my car, and I should be able to get them for the parts in my computer. Once in a while we hear from vendors out of the blue, and they offer us hardware and software without us having to ask. It is happening more -- mostly from Asian hardware manufacturers eager to have their hardware supported by all systems. On the other hand, American companies in particular are becoming increasingly insular, and sometimes we think twice before wasting our time trying to contact them. As a result, our support for a few high-end or very new American products is lagging, because there just isn't documentation available. That is a problem, but it should not be overstated, because 99% of the world is buying these Asian products. 
For instance, Asian 802.11 vendors accounted for perhaps 1% of the market five years ago, but within a year or two the market is likely to be split between Intel (because of how they tie their wireless chipset into their laptop Centrino brand) and the Asian vendors, such as RAlink and Zydas. NF: Now that OpenBSD's user base seems to have increased a bit, do you have more success convincing vendors to release documentation for hardware? TdR: We are having more success getting documentation, but I am not sure if it is due in any way to our user base size. Part of it might be that many more products are coming from Asia (where business sense still applies -- the customer gets the documentation he wants). I think that the Asian businesses are just being smarter about this. When it comes to documentation requests, an Asian company that says no is rare. An American company that says yes is rare. NF: I understand that OpenBSD is financed from CD sales and donations. Does this money pay for all the projects needs? TdR: Our income varies year to year. Donations rise and fall, and so do the sales of our products. Meanwhile, our FTP servers just keep getting busier. We have built up some savings to deal with a rainy day, but our basic operation is perhaps falling behind slowly, or at least slowing our growth. We want to hold more hackathons, since that is where many amazing developments come from. If we had more money, we would also want to pay the travel expenses of some of the poorer developers, since we have some smart developers who are students or live in poorer countries. But with the finances we have, it is difficult to justify these things now. I want us to do much more, but we are constrained. Donations make the most difference, since our project does not get taxed on them. 
We have investigated becoming a non-profit organization, but the margins and savings really do not make sense for our project, especially since most of our donations do not come from the country where we operate. Also, there are numerous other constraints and rules. So for now we are sticking to clear cash donations, without tax receipts.

NF: Lots of hardware vendors use OpenSSH. Have you got anything back from them?

TdR: If I add up everything we have ever gotten in exchange for our efforts with OpenSSH, it might amount to $1,000. This all came from individuals. For our work on OpenSSH, companies using OpenSSH have never given us a cent. What about companies that incorporate OpenSSH directly into their products, saving themselves millions of dollars? Companies such as Cisco, Sun, SGI, HP, IBM, Siemens, a raft of medium-sized firewall companies -- we have not received a cent. Or from Linux vendors? Not a cent. Of course we did not set out to create OpenSSH for the money -- we purposely made it completely free so that the "telnet infrastructure" of the 1980s would die. But it sure is sad that none of these companies return even a fraction of value in kind.

If you want to judge any entity particularly harshly, judge Sun. Yearly they hold interoperability events, for NFS and other protocols, and they include SSH implementation tests as well. Twice we asked them to cover the travel and accommodation costs for a developer to come to their event, and they refused. Considering that their SunSSH is directly based on our code, that is just flat out insulting. Shame on you Sun, shame, shame, shame. I will say it here -- if an OpenSSH hole is found that applies to SunSSH, Sun will not be informed. Or maybe that has happened already.

-=-

Links
1. "Theo de Raadt" - http://www.theos.com/deraadt/
2. "OpenBSD" - http://www.openbsd.org/
3. "3.9" - http://www.openbsd.org/39.html
4. "Someone on wikipedia" - http://en.wikipedia.org/wiki/OpenBSD_security_features
5. "Exploit Mitigation Techniques" - http://cvs.openbsd.org/papers/ven05-deraadt/index.html
6. "available" - http://www.openbsd.org/plus39.html

From isn at c4i.org Wed Mar 29 03:40:58 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 29 Mar 2006 02:40:58 -0600 (CST)
Subject: [ISN] State Computer Security: Did the Public Get the Full Story?
Message-ID:

http://www.nhpr.org/node/10492

By Jon Greenberg
March 29, 2006

In February, state officials issued a warning that a bit of malicious software on a state computer might have put peoples' credit card information at risk. A few days later, the Office of Information Technology suspended one of its employees. That employee has never been named - nor has he been charged with any crime. Now, he has come forward and he says that the state's problems with hackers were much greater than officials discussed. New Hampshire Public Radio's Jon Greenberg has more.

-=-

A rough transcript follows:

Before we meet the man who challenges the state's public position, let's go back to February 15th. Governor John Lynch, along with Rick Bailey, the state's chief information officer, held a hastily organized news conference.

The office of information technology discovered this morning that someone has breached one of the state's smaller servers with a program that could allow them to watch activity on that server.

At the press conference, the program was identified as something called Cain and Abel.

The truth, in my mind, is that the server on which Cain and Abel was found installed, I personally don't think it was hacked at all.

Doug Oliver is the employee who was suspended. He is quick to say, he was the person who used Cain and Abel on the state's computers. It is a program that can be used by hackers but can also have legitimate uses. More on that in a bit. Oliver says that press conference was notable not for what was said, but for what wasn't.
The most obvious security breach that caused the organization to respond quickly, intensely, wasn't even mentioned.

Six days before the press conference, a Liquor Commission computer that handles wholesale purchases, including ones using credit cards, was hacked. On this point, there is no dispute. Bailey, the state's chief information officer, confirms it. He also confirms that the hack put the department into high gear with a widespread effort to plug security holes on other computers. What happened next in early February is much more subject to debate. Using a new widget that tracks suspicious activity when computers talk to each other, Oliver says he saw evidence of a widespread infection by a completely different computer threat. Not from Cain and Abel but from a virus or worm called SQL Slammer.

There were events and incidences being reported by this device that I was seeing multiple network machines being touched by this worm. In addition, there were other signatures, other flags or events that this tool was firing at the same time that were strongly indicative of an attack against the network.

A network-wide assault by a worm is very different from finding something like Cain and Abel on one server. Now, several people in the office of information technology disagree that the network had been attacked by the worm SQL Slammer. Chief Information Officer Rick Bailey says the security tool that Oliver used is good, but not perfect.

In any of the security monitoring tools, there is always the possibility of false positives. Because it looks for signatures and patterns. And sometimes those patterns are inappropriate and sometimes those patterns are caused by legitimate traffic.

Bailey would not go into any more detail, saying the entire situation is under investigation. However, a security specialist contacted by NHPR says with this particular worm, a false positive is unlikely. Pete Lindstrom is the research director for Spire Security in Pennsylvania.
Lindstrom says SQL Slammer first appeared in 2003.

We think of this as the low hanging fruit. Any worm older than a few months, can reliably be detected. If it pops up on the screen, you can be fairly confident that it was in fact SQL Slammer, a system has been infected.

The age of the worm matters for another reason. Once a worm appears, software companies quickly come up with ways to block it. These are called patches and the Microsoft Corporation wrote a patch for SQL Slammer three years ago. One year ago, Bailey put Oliver on an ad hoc security team with the job of uncovering the weak points in the state's computer network. Oliver says, and Bailey confirms, that one of the team's recommendations was to get computers up to date on patches. For a variety of reasons, many of those patches were not installed. But now it's time to get back to that other piece of hacking software, Cain and Abel -- the program that led to the public warning about credit card safety. Oliver says his work on that ad hoc security team has a direct connection to Cain and Abel.

I who was the chief technical hacker you could say used Cain and Abel for the purpose of diagnosing problems with network vulnerability and to test the strength of certain passwords.

Oliver says several people around the department knew he was using Cain and Abel. He says he thought he had removed the program from every computer. He supposes he made a mistake. Whatever the full details are, Oliver's name was on the program that was found and it made him the prime suspect in the state's investigation. The office of information technology has not stood still since it found both the hack on the Liquor Commission's server and Cain and Abel on a different computer. Bailey says much has been done to patch old computers and to make sure that security is considered first.

Today, 5-6 weeks later, clearly our network is more secure than it was then. Next month it will be more secure than it is now.
And we've continued on the path of improving and mitigating any of the risks that we can identify.

Bailey says an overview of the state's computer network points to a fundamental problem. It is a network that was cobbled together over time.

If you've got 50 servers and you're trying to watch them for unusual activity. If they're all built the same way, then it's pretty easy to detect an anomaly. If they're built 50 different ways, then you're not sure. Is that just because the way it was built or is it really an anomaly. And you waste a lot of time chasing down the false positives that we were talking about earlier.

The challenges are large and Bailey says the resources are stretched thin. He is confident of the security of the system today. But he says it remains an ongoing effort. Proof of that came earlier this month. The same Liquor Commission server that was hacked in early February was hacked again. For NHPR News, I'm Jon Greenberg.

From isn at c4i.org Fri Mar 31 01:24:19 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 31 Mar 2006 00:24:19 -0600 (CST)
Subject: [ISN] Black Hat Call for Papers and Registration open
Message-ID:

Forwarded from: Jeff Moss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey ISN readers,

This is just a quick note to let you know that Black Hat USA 2006 registration and Call for Papers is now open. We expect another outstanding program, and with the addition of more floor space at Caesars Palace we are able to bring you more selection in training classes as well as presentations during the Briefings. Good news all around!

What is the Black Hat Briefings?

The Black Hat Briefings was created to fill the need for computer security professionals to better understand the security risks and potential threats to their information infrastructures and computer systems.
Black Hat accomplishes this by assembling a group of vendor-neutral security professionals and having them speak candidly about the problems businesses face and their solutions to those problems. No gimmicks -- just straight talk by people who make it their business to explore the ever-changing security space.

Black Hat USA Briefings 2006 takes place at Caesars Palace Las Vegas, Nevada, August 2-3. Register now to take advantage of our early bird rate.
http://www.blackhat.com/html/bh-registration/bh-registration.html#us

Black Hat USA Training takes place July 29-30 and July 31-August 1. We have ten new training offerings for 2006, including ROOTKIT: Advanced 2nd Generation Digital Weaponry by Greg Hoglund and Jamie Butler, Advanced Malware Deobfuscation by Jason Geffner & Scott Lambert. We have tailored the training to help avoid overlap in subject matter, providing you with the best of breed of classes by instructors who are leaders in their field.
http://www.blackhat.com/html/bh-usa-06/train-bh-usa-06-index.html

The Black Hat USA 2006 Call for Papers closes May 1. Don't hesitate to submit your presentation, as time is running out.
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-cfp.html

The Black Hat Europe 2006 Briefings was a success, with our largest European turnout to date. All presentations and tools from the event are available at
http://www.blackhat.com/html/bh-media-archives/bh-multi-media-archives.html#eu-06

Register for the Black Hat USA 2006 show. Our early bird rate closes May 15, so register now and save.
http://www.blackhat.com/html/bh-registration/bh-registration.html#us

Thanks for your support. I'll see you in Vegas!
Jeff Moss

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBRCyZHkqsDNqTZ/G1AQIQ2wgAqOTlomHgL+ytWErJ/+394C6h3hNUx78G
giAckat/XUh1XVUhm4IrRaoVo1natRYnYj0JuWaI5NcgI5pe5dBSsetlitgk9d51
P48fee/SneGQszgECaTeWkSFtoOLX7vVny8SABT+wYa0JgrKNx79WYgX7KkbWc59
ZgK/fyBr4GK2MCbT59e5BvGVV5pp/WsL/G2HdkhgL0RKzV1BuYCQxT/a0inhqOBr
a6k6zpprIhjT5N8rAMW09JPBWmG4MIueIyUHfBxZYl1xGPMkQdXJoXqJ9rh1GnBZ
FSFF9ywlXpjVRXGfKFbnakepG0Lx5Cns+ymJp984J3Uws+fpxxmVDA==
=V8IB
-----END PGP SIGNATURE-----

From isn at c4i.org Fri Mar 31 01:23:05 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 31 Mar 2006 00:23:05 -0600 (CST)
Subject: [ISN] Ex-NSA worker gets six years; kept papers
Message-ID:

http://seattlepi.nwsource.com/national/1110AP_NSA_Employee_Trial.html

By STEPHEN MANNING
ASSOCIATED PRESS WRITER
March 30, 2006

GREENBELT, Md. -- A former National Security Agency computer analyst was sentenced to six years in prison Thursday for taking home classified documents and storing them in boxes in his kitchen after he left his job.

The federal sentencing guidelines called for at least nine years behind bars for Kenneth Ford, Jr., 34. But U.S. District Judge Peter Messitte departed from the guidelines because prosecutors never claimed Ford was engaged in espionage. He cited similar cases in which defendants received light punishments, such as former National Security Adviser Sandy Berger, who was given community service and a fine for taking records from the National Archives. Messitte also noted instances in which defendants who pleaded guilty to passing documents to other countries received sentences far below the punishment Ford faced under the guidelines.

Federal agents arrested Ford in 2004 and found two boxes of computer records in his home. At the time, Ford acknowledged he took the records when he left his job at the super-secret intelligence agency, based at Fort Meade. He later claimed he was framed by an ex-girlfriend.
A jury convicted him in December on the document charge and on a count of making a false statement for not properly revealing the investigation on an application for a job with defense contractor Lockheed Martin Corp.

No clear motive was ever established in the case and prosecutors did not accuse Ford of trying to sell or distribute the documents. However, federal prosecutor David Salem said Thursday that the removal of the records from the NSA posed a grave security risk.

"The disclosure of information Mr. Ford had in his kitchen could have jeopardized millions of dollars worth of programs at the NSA," Salem said.

From isn at c4i.org Fri Mar 31 01:23:34 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 31 Mar 2006 00:23:34 -0600 (CST)
Subject: [ISN] Inside Botnets
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Winternals Software
http://list.windowsitpro.com/t?ctl=2548C:4FB69

Liquid Machines
http://list.windowsitpro.com/t?ctl=25477:4FB69

====================

1. In Focus: Inside Botnets

2. Security News and Features
- Recent Security Vulnerabilities
- Check Point and Sourcefire Cancel Merger
- MetaFisher Still Stealing Sensitive Data

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- Share Your Security Tips

4. New and Improved
- Security Test Web Apps as You Write Them

====================

==== Sponsor: Winternals Software ====

Winternals Protection Manager
How will you protect your enterprise from zero-day attacks? Protection Manager blocks unknown applications from running until you specifically authorize them. No need to wait for an update--you're already protected.
Plus, Protection Manager enables a secure successful least privilege network without compromising legacy applications by decoupling privilege levels of applications from users, and promotes culturally acceptable PC lockdown with real-time approval or denial of user application requests. Protection Manager forms a crucial layer of your defense-in-depth security strategy, helping enforce corporate technology policies, ensuring compliance with regulatory acts like HIPAA and Sarbanes-Oxley, and dramatically reducing the labor burden on IT. Download your 30-day evaluation copy of Protection Manager at:
http://list.windowsitpro.com/t?ctl=2548C:4FB69

====================

==== 1. In Focus: Inside Botnets ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

In the news recently was an interesting story about MetaFisher (also known as Spy-Agent), a Trojan horse program that steals personal financial information. What was particularly interesting about the news report that I received from iDefense was screenshots of the control interface used by the MetaFisher bot network (botnet) operators. The images give a good idea of what goes on behind the scenes of botnets. If you've already looked at the news story that I posted on our Web site and didn't see the images, be sure to check it again--I added the images on Monday. You can link to the story from the MetaFisher news story below.

Botnets are a huge problem. Understanding how bots work helps us understand how to defend against them and how to shut down botnets. Every antivirus vendor and many other types of security vendors hold a wealth of information about untold numbers of bots. However, when these companies publish alerts and advisories about bots, the reports rarely contain greatly detailed information that describes the inner workings and capabilities of the bots. So learning how a bot behaves is typically rough work. Even if you manage to capture a bot, you're left to reverse-engineer it on your own.
Paul Barford and Vinod Yegneswaran of the University of Wisconsin Computer Sciences Department wrote an excellent white paper, "An Inside Look at Botnets." The pair give detailed insight into four types of bots, including those based on Agobot, SDBot, GT Bot, and Spybot. If you read the white paper, you'll learn that although most bots today operate in conjunction with Internet Relay Chat (IRC) servers (which makes shutting down botnets somewhat less difficult), some bots are beginning to gain peer-to-peer functionality. This evolution of course means that shutting down botnets will become more difficult in many cases in the future.

What I found particularly interesting about the white paper is that Barford and Yegneswaran reveal the complete command sets of the bot variants they examined. The commands include those used by bots during interaction with IRC servers and those used by bots for interactivity with the local host on which the bot is installed. For example, some bots can scan the registry to obtain CD-ROM keys, AOL account information, PayPal account information, and so on. Some bots can also lock down a host to some extent by disabling services selectively as well as starting the bot operator's services of choice. These commands give botnet operators a huge amount of control over infected systems.

Other commands let the botnet operators perform exploits and attacks. For example, Agobot (which is among the most sophisticated of bots today) can scan for systems with vulnerabilities in DCOM, DameWare Development software, and Famtech International's RADMIN; scan for back doors left open by Bagle and MyDoom; and brute-force-crack NetBIOS and Microsoft SQL Server passwords. Agobot can also launch seven types of Distributed Denial of Service (DDoS) attacks. Adding to the danger level, Agobot is polymorphic to some extent, with four ways of obscuring its network communications.
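The column's point that IRC-based command and control is what makes these botnets visible, and therefore shut-down-able, suggests what a network defender can actually look for. The script below is an added example, not code from the newsletter or from the Barford and Yegneswaran paper, and it goes slightly beyond the column by adding a timing heuristic: it reads constructed connection-log lines and flags two patterns, several internal hosts rendezvousing at the same external IRC server, and a host reconnecting to that server at near-constant intervals (beaconing). The log format, the internal address ranges, the IRC port list and the thresholds are all assumptions made for the example.

```python
"""Flag hosts that look like IRC-controlled bots in connection logs.

Defender-side heuristics (added example, not from the newsletter):
  1. many internal hosts contacting one external IRC server, and
  2. per-host connections recurring at near-constant intervals.
The log lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample log, "timestamp src dst dport", for a small office net.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2006-03-27T10:00:00 10.1.1.5 203.0.113.9 6667
2006-03-27T10:05:00 10.1.1.5 203.0.113.9 6667
2006-03-27T10:10:00 10.1.1.5 203.0.113.9 6667
2006-03-27T10:15:00 10.1.1.5 203.0.113.9 6667
2006-03-27T10:01:00 10.1.1.7 203.0.113.9 6667
2006-03-27T10:06:00 10.1.1.7 203.0.113.9 6667
2006-03-27T10:11:00 10.1.1.7 203.0.113.9 6667
2006-03-27T10:02:00 10.1.1.9 203.0.113.9 6667
2006-03-27T10:07:00 10.1.1.9 203.0.113.9 6667
2006-03-27T10:12:00 10.1.1.9 203.0.113.9 6667
2006-03-27T09:30:00 10.1.1.20 198.51.100.4 6667
2006-03-27T11:47:00 10.1.1.20 198.51.100.4 6667
2006-03-27T10:00:30 10.1.1.5 198.51.100.80 80
2006-03-27T10:03:10 10.1.1.7 198.51.100.80 443
"""

# Assumed site layout and tuning knobs (adjust for a real network).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}
MIN_HOSTS = 3   # distinct internal clients sharing one IRC server
MIN_CONNS = 3   # connections needed before judging regularity
MAX_CV = 0.2    # stddev/mean of intervals at or below this is "regular"


def parse_log(text):
    """Parse 'ts src dst dport' lines into (datetime, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), ip_address(src),
                        ip_address(dst), int(port)))
    return records


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def irc_egress(records):
    """Keep only internal -> external connections on IRC ports."""
    return [r for r in records
            if is_internal(r[1]) and not is_internal(r[2]) and r[3] in IRC_PORTS]


def rendezvous_servers(records, min_hosts=MIN_HOSTS):
    """External IRC servers contacted by at least min_hosts internal hosts."""
    clients = defaultdict(set)
    for _, src, dst, _ in irc_egress(records):
        clients[dst].add(src)
    return {str(dst): sorted(str(s) for s in srcs)
            for dst, srcs in clients.items() if len(srcs) >= min_hosts}


def beaconing_pairs(records, min_conns=MIN_CONNS, max_cv=MAX_CV):
    """(src, dst) pairs whose IRC connections recur at near-constant intervals.

    Returns the rounded mean interval in seconds for each flagged pair.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in irc_egress(records):
        times[(src, dst)].append(ts)
    flagged = {}
    for (src, dst), stamps in times.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[(str(src), str(dst))] = round(avg)
    return flagged


def suspect_hosts(records):
    """Internal hosts implicated by either heuristic, with the reasons."""
    reasons = defaultdict(list)
    for server, hosts in rendezvous_servers(records).items():
        for host in hosts:
            reasons[host].append(
                f"shares IRC server {server} with {len(hosts) - 1} other hosts")
    for (src, dst), period in beaconing_pairs(records).items():
        reasons[src].append(f"reconnects to {dst} every ~{period}s")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(suspect_hosts(parse_log(SAMPLE_LOG)).items()):
        print(host, "->", "; ".join(why))
```

On the constructed log the three hosts talking to 203.0.113.9 every five minutes are flagged by both heuristics, while 10.1.1.20 (two irregular IRC connections, plausibly a person using IRC) and the web traffic are left alone. Either heuristic on its own produces false positives of the kind Bailey describes in the NHPR piece earlier in this issue; requiring both, or feeding the flagged server addresses to a second check, is the usual way to keep the alert volume manageable.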
This is just a brief summary of some of the information you'll learn by reading "An Inside Look at Botnets." The paper (available in PDF format at the URL below) is a real eye-opener, particularly if you don't have much knowledge of how bots operate. The information can help you think of ways to detect some of the related activity on your networks. It's definitely worth the read.
http://list.windowsitpro.com/t?ctl=2548A:4FB69

====================

==== Sponsor: Liquid Machines ====

Extend Microsoft Windows Rights Management Services (RMS) to support enterprise requirements for information protection, including proprietary business data.
http://list.windowsitpro.com/t?ctl=25477:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=2547F:4FB69

Check Point and Sourcefire Cancel Merger
We previously reported that Israeli-based Check Point Software and U.S.-based Sourcefire planned to merge pending review by the Committee on Foreign Investment in the United States. The merger has now been cancelled, with no official reason given.
http://list.windowsitpro.com/t?ctl=25486:4FB69

MetaFisher Still Stealing Sensitive Data
MetaFisher--a Trojan horse discovered over a month ago--is still wreaking havoc against unsuspecting users. Ken Dunham of iDefense provided screenshots (seen below) of the attacker's management interface for the bot network (botnet). Take a look!
http://list.windowsitpro.com/t?ctl=25487:4FB69

====================

==== Resources and Events ====

Learn to secure your IM traffic--don't let your critical business information be intercepted!
http://list.windowsitpro.com/t?ctl=2547C:4FB69

When disaster strikes your servers, whether they're dedicated to Windows, SQL, or Exchange, you need answers. Make sure that when an emergency occurs, you're prepared. Get the HA Solutions eBook and get started on your recovery plan today!
http://list.windowsitpro.com/t?ctl=25479:4FB69

Use Windows Server 2003 R2 as a platform for SQL Server 2005 to support large-database requirements, including clustering and multiple processors. Register for this free Web seminar today!
http://list.windowsitpro.com/t?ctl=25478:4FB69

Gain control of your messaging data with step-by-step instructions for complying with the law, ensuring your systems are working properly, and ultimately making your job easier.
http://list.windowsitpro.com/t?ctl=2547E:4FB69

How do you ensure that your email system isn't vulnerable to a messaging meltdown? In this Web seminar, Exchange guru Paul Robichaux tells you what you should do before you have an outage to increase your chances of coming out of it smelling like roses.
http://list.windowsitpro.com/t?ctl=2547B:4FB69

====================

==== Featured White Paper ====

Learn to identify the top 5 IM security risks and protect your networks and users.
http://list.windowsitpro.com/t?ctl=2547A:4FB69

====================

==== Hot Spot ====

LeftHand Networks
Explore how the standardization of storage hardware will change market dynamics, focusing on the growth of iSCSI SANs and "glue software."
http://list.windowsitpro.com/t?ctl=2547D:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Think IPsec
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2548B:4FB69
IPsec could help you improve security for your domains and servers. This blog article links you to resources that show you how.
http://list.windowsitpro.com/t?ctl=25488:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=25489:4FB69
Q: How can I use a script to list all subnets in a site?
Find the answer at http://list.windowsitpro.com/t?ctl=25485:4FB69

Security Forum Featured Thread:
Marcus has been trying to configure a Juniper Networks NetScreen 5GT firewall to pass PPTP traffic to a VPN on Windows Small Business Server (SBS) 2003. He can connect and is prompted for a username and password, but then the connection just hangs. The event log shows an error (event ID 20209) indicating that Generic Routing Encapsulation (GRE) packets were unable to pass through the firewall. Marcus says he found a way to create a custom service for GRE passthrough, but this still didn't resolve the issue. Any ideas? Join the discussion at
http://list.windowsitpro.com/t?ctl=25476:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Announcements ====
(from Windows IT Pro and its partners)

VIP Monthly Pass Subscribers have it all!
Become a VIP Monthly Pass subscriber and get continuous, inside access to ALL the online resources published in Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get the latest digital issue (just like the print edition, but delivered directly to your inbox) of Windows IT Pro each month. Subscribe now:
http://list.windowsitpro.com/t?ctl=25483:4FB69

Save 44% off Exchange & Outlook Administrator
For a limited time, order the Exchange & Outlook Administrator newsletter and SAVE up to $80 off the cover price. You'll discover endless tools and solutions you won't find anywhere else to help you migrate, optimize, administer, back up, recover, and secure Exchange and Outlook.
You'll also get FREE, unlimited access to the full online Exchange article library (more than 1,000 articles). Subscribe now:
http://list.windowsitpro.com/t?ctl=25481:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Security Test Web Apps as You Write Them
Compuware DevPartner SecurityChecker 2.0 identifies security vulnerabilities in Microsoft ASP.NET applications and pinpoints their location in source code. New features in DevPartner SecurityChecker 2.0 include full integration with Visual Studio 2005; improvements in creating and managing discovery maps; improvements in existing SQL injection and other vulnerability detection; and 30 new integrity rules, including rules for finding Google hacking vulnerabilities such as pages containing configuration information and hidden content. DevPartner SecurityChecker 2.0 is currently available for a U.S. list price of $12,000 per concurrent user. Volume discounts are available.
http://list.windowsitpro.com/t?ctl=25480:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com.
====================

==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2548D:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=25484:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

From isn at c4i.org Fri Mar 31 01:23:54 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 31 Mar 2006 00:23:54 -0600 (CST)
Subject: [ISN] N.H. computer specialist says superiors ignored security warnings
Message-ID:

http://www.boston.com/news/local/new_hampshire/articles/2006/03/29/nh_computer_specialist_says_superiors_ignored_security_warnings/

March 29, 2006

CONCORD, N.H. -- A state computer specialist who was put on leave two days after a security breach was announced says bosses ignored his warnings about more serious weaknesses in New Hampshire's computer network.

Doug Oliver of Tilton, 44, was suspended with pay last month after the announcement of the security breach affecting motor vehicle offices, the state veterans home in Tilton, the Liquor Commission and state liquor stores.

Oliver spoke to the Concord Monitor and New Hampshire Public Radio, saying he wants to clear his name. He said officials underreported the extent of the hacking.
And he said they knew as early as last summer that perhaps more than half the state's computer systems were at significant or severe risk of being attacked.

"I'm not looking to do any harm to anybody," Oliver told the Monitor. "I'm just looking to make sure that the debate and the right questions are getting asked, because I'm not convinced the right questions are getting asked."

Rick Bailey, New Hampshire's chief information officer and Oliver's boss, declined to comment on Oliver's allegations, citing personnel issues.

"It's a difficult situation," he said, declining to name the employee who was suspended. "An investigation was ongoing. The FBI and the Department of Justice recommended that this individual not be in the environment while the investigation ran its course, and we followed that direction. Administrative-leave scenarios are not intended to suggest guilt or innocence."

In February 2005, a hacker defaced the state's NH.gov Web site with internet graffiti. In response, Bailey compiled a three-person team, including Oliver, which was directed to act like hackers to test state computer security.

The testing, which concluded last summer, revealed that more than 60 percent of the sampled servers were at risk for "significant to severe" security breaches, Oliver said. One of the biggest problems the team identified was a failure to upgrade databases to protect them from a worm that caused widespread damage on the internet a few years ago. Microsoft has provided patches to protect against that worm since 2003, Oliver said, but they had not been applied.

"There were events and incidences being reported by this (security tool) that I was seeing multiple network machines being touched by this worm," Oliver told NHPR. "In addition, there were other signatures, other flags or events that this tool was firing at the same time that were strongly indicative of an attack against the network."
Bailey said the security tool Oliver used is good, but not perfect, raising the possibility of false alerts.

No reports of illegal activity were reported as a result of the security breach the state announced, but officials asked people who used credit cards in the previous six months to report any suspicious purchases to the state Consumer Protection Bureau.

State information technology experts became aware of the breach when they spotted software in the system that can allow a hacker to watch transactions, but not to recover earlier records, said Bailey. Oliver said the program also can be used as a security test, and that he installed it last year during the security checking. It was supposed to have been removed.

Oliver, who has worked for the state since 2002, was a technical support specialist who had written software and performed security checks on computer servers that handle credit card transactions. He says he was scanning state servers for hacker vulnerability on Feb. 16 when his supervisors asked him to speak with the FBI. Shortly after that interview, he said he was locked out of his network account, and told he was placed on leave. He was not given a specific reason.

"I feel that I'm coming under fire inappropriately," he said. "Perhaps (I'm) being scapegoated or retaliated against because of what I know."

In his last days on the job, he said, his supervisor accused him of "being chicken little, or being disgruntled somehow, and of being overzealous because of a new toy" -- an expensive security device the state had been testing.
From isn at c4i.org Fri Mar 31 01:24:34 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 31 Mar 2006 00:24:34 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-13
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-03-23 - 2006-03-30

This week : 89 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

The vulnerability in Microsoft Internet Explorer published last week has been upgraded to Extremely Critical since exploit code is now publicly available.

All users of Microsoft Internet Explorer are strongly advised to review the referenced Secunia advisory below for a temporary workaround.
Reference:
http://secunia.com/SA18680

Companies have the option of requesting a Secunia account for immediate notification when a patch is released by Microsoft.

Request Secunia Account:
https://ca.secunia.com/?page=requestaccount&s

--

Multiple vulnerabilities have been reported in Veritas NetBackup, which can be exploited by malicious people to compromise a vulnerable system.

The vendor has released patches. Please see the referenced Secunia advisory.

Reference:
http://secunia.com/SA19417

--

Various RealNetworks products, including the popular RealOne and RealPlayer, are affected by several vulnerabilities, which can be exploited by malicious people to compromise a user's system.

The complete list of vulnerable products may be found in the referenced Secunia advisory. All users of RealNetworks products are advised to check for available patches.

Reference:
http://secunia.com/SA19358

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
2.  [SA19342] Sendmail Signal Handling Memory Corruption Vulnerability
3.  [SA19118] AVG Anti-Virus Updated Files Insecure File Permissions
4.  [SA19358] RealNetworks Products Multiple Buffer Overflow Vulnerabilities
5.  [SA19378] Internet Explorer Unspecified Automatic .HTA Application Execution
6.  [SA18963] Mac OS X File Association Meta Data Shell Script Execution
7.  [SA19406] Microsoft .NET Framework SDK ildasm Buffer Overflow
8.  [SA19357] Linux Kernel IPv4 "sockaddr_in.sin_zero" Information Disclosure
9.  [SA19360] Sun Solaris Sendmail Signal Handling Memory Corruption
10. [SA19331] Debian Network Installation Insecure Default Directory Permissions

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA19378] Internet Explorer Unspecified Automatic .HTA Application Execution
[SA19441] EzASPSite "scheme" Parameter SQL Injection Vulnerability
[SA19415] Absolute Live Support XE Script Insertion Vulnerability
[SA19406] Microsoft .NET Framework SDK ildasm Buffer Overflow
[SA19385] Metisware Instructor Task Script Insertion Vulnerability
[SA19451] McAfee VirusScan DUNZIP32.dll Buffer Overflow Vulnerability
[SA19430] couponZONE Cross-Site Scripting Vulnerabilities
[SA19427] classifiedZONE "rtn" Cross-Site Scripting Vulnerability
[SA19416] Web Quiz Pro Multiple Cross-Site Scripting Vulnerabilities
[SA19401] Toast Forums Cross-Site Scripting Vulnerabilities
[SA19399] ssCMS "keywords" Cross-Site Scripting Vulnerability
[SA19398] dotNetBB "em" Cross-Site Scripting Vulnerability
[SA19397] uniForum "wbsecadmin.aspx" Cross-Site Scripting
[SA19396] Absolute FAQ Manager "question" Cross-Site Scripting
[SA19386] EZHomepagePro Cross-Site Scripting Vulnerabilities
[SA19381] E-School Management System "msg" Cross-Site Scripting
[SA19375] Helm Web Hosting Control Panel Cross-Site Scripting Vulnerabilities

UNIX/Linux:
[SA19466] NetBSD Sendmail Memory Corruption Vulnerability
[SA19450] F-Secure Messaging Security Gateway Sendmail Vulnerability
[SA19407] OpenBSD update for sendmail
[SA19404] Avaya Products Sendmail Signal Handling Memory Corruption
[SA19394] HP-UX update for sendmail
[SA19390] Gentoo update for realplayer
[SA19380] Debian update for evolution
[SA19463] NetBSD racoon IKE Message Processing Denial of Service
[SA19449] PHPCollab "Forgot password" SQL Injection Vulnerability
[SA19436] Debian update for netpbm-free
[SA19425] Sourceworkshop newsletter "email" SQL Injection Vulnerability
[SA19424] Debian update for flex
[SA19418] MPlayer AVI "indx" Chunk and ASF Handling Vulnerabilities
[SA19408] SUSE Updates for Multiple Packages
[SA19377] SCO OpenServer update for xpdf
[SA19374] Debian update for kernel-source-2.6.8
[SA19371] Trustix update for curl
[SA19369] Debian update for kernel-source-2.4.27
[SA19457] UnixWare update for curl
[SA19429] realestateZONE Cross-Site Scripting Vulnerabilities
[SA19387] BlankOL "bol.cgi" Cross-Site Scripting Vulnerability
[SA19405] SUSE update for freeradius
[SA19395] Avaya PDS HP-UX swagentd Denial of Service Vulnerability
[SA19373] HP-UX swagentd Denial of Service Vulnerability
[SA19465] NetBSD mail Insecure Record File Creation
[SA19464] NetBSD if_bridge Kernel Memory Disclosure Vulnerability
[SA19444] Sun Cluster SunPlex Manager File Disclosure Vulnerability
[SA19442] Gentoo bsd-games Privilege Escalation Vulnerability
[SA19433] Gentoo update for openoffice / openoffice-bin
[SA19426] Sun Solaris Process Environment Disclosure Security Issue
[SA19376] Gentoo nethack / falconseye / slashem Privilege Escalation
[SA19402] Linux Kernel IP ID Value Increment Weakness

Other:

Cross Platform:
[SA19438] Virtual War "vwar_root" File Inclusion Vulnerability
[SA19428] PHP Live Helper "abs_path" File Inclusion Vulnerability
[SA19389] csDoom Format String and Buffer Overflow Vulnerabilities
[SA19452] NetOffice "Forgot password" SQL Injection Vulnerability
[SA19448] VBook Multiple Vulnerabilities
[SA19447] Tilde CMS "id" SQL Injection Vulnerability
[SA19446] OneOrZero "id" SQL Injection Vulnerability
[SA19439] Cholod Mysql based message board Script Insertion and SQL Injection
[SA19435] VNews Multiple Vulnerabilities
[SA19422] vCounter "url" SQL Injection Vulnerability
[SA19421] Pixel Motion Blog SQL Injection Vulnerabilities
[SA19420] VSNS Lemon Multiple Vulnerabilities
[SA19414] G-Book "g_message" Script Insertion Vulnerability
[SA19413] Null news Multiple SQL Injection Vulnerabilities
[SA19410] TWiki Restricted Content Access and Denial of Service
[SA19403] Vihor Design Local File Disclosure Vulnerability
[SA19400] WEBalbum Local File Inclusion Vulnerability
[SA19392] Mambo AkoComment Module SQL Injection Vulnerabilities
[SA19391] phpNewsManager Multiple SQL Injection Vulnerabilities
[SA19388] Vavoom Two Denial of Service Vulnerabilities
[SA19384] phpPgAds / phpAdsNew Two Vulnerabilities
[SA19382] Nuked-Klan "m" SQL Injection Vulnerability
[SA19417] Veritas NetBackup Multiple Buffer Overflow Vulnerabilities
[SA19460] Explorer XP "chemin" Cross-Site Scripting and Directory Traversal
[SA19445] Arab Portal "title" Cross-Site Scripting Vulnerability
[SA19443] PHP Script Index "search" Cross-Site Scripting Vulnerability
[SA19440] PHP Classifieds "searchword" Cross-Site Scripting Vulnerability
[SA19434] Connect Daily Cross-Site Scripting Vulnerabilities
[SA19432] CONTROLzx HMS Multiple Cross-Site Scripting Vulnerabilities
[SA19431] ActiveCampaign SupportTrio "terms" Cross-Site Scripting
[SA19423] Greymatter gm-upload.cgi File Upload Vulnerability
[SA19419] phpCOIN "fs" Cross-Site Scripting Vulnerabilities
[SA19412] PHP Ticket "frm_search_in" SQL Injection Vulnerability
[SA19411] TFT Gallery "passwd" Exposure of User Credentials
[SA19409] phpmyfamily "name" Cross-Site Scripting Vulnerability
[SA19393] Calender Express Cross-Site Scripting Vulnerability
[SA19383] PHP "html_entity_decode()" Information Disclosure Vulnerability
[SA19379] CoMoblog "img.php" Cross-Site Scripting Vulnerability
[SA19372] Meeting Reserve Cross-Site Scripting Vulnerability
[SA19370] EasyMoblog "img.php" Cross-Site Scripting Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA19378] Internet Explorer Unspecified Automatic .HTA Application Execution

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-03-27

Jeffrey van der Stad has reported a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/19378/

--

[SA19441] EzASPSite "scheme" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-30

Mustafa Can Bjorn has discovered a vulnerability in EzASPSite, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19441/

--

[SA19415] Absolute Live Support XE Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

r0t has reported a vulnerability in Absolute Live Support XE, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19415/

--

[SA19406] Microsoft .NET Framework SDK ildasm Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-27

A vulnerability has been discovered in Microsoft .NET Framework SDK, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19406/

--

[SA19385] Metisware Instructor Task Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

r0t has reported a vulnerability in Metisware Instructor, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19385/

--

[SA19451] McAfee VirusScan DUNZIP32.dll Buffer Overflow Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-03-30

A vulnerability has been discovered in McAfee VirusScan, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/19451/

--

[SA19430] couponZONE Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-28

r0t has reported some vulnerabilities in couponZONE, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19430/

--

[SA19427] classifiedZONE "rtn" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-28

r0t has reported a vulnerability in classifiedZONE, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19427/

--

[SA19416] Web Quiz Pro Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

r0t has reported some vulnerabilities in Web Quiz Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19416/

--

[SA19401] Toast Forums Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

r0t has discovered some vulnerabilities in Toast Forums, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19401/

--

[SA19399] ssCMS "keywords" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

r0t has reported a vulnerability in ssCMS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19399/

--

[SA19398] dotNetBB "em" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

r0t has reported a vulnerability in dotNetBB, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19398/

--

[SA19397] uniForum "wbsecadmin.aspx" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

r0t has reported a vulnerability in uniForum, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19397/

--

[SA19396] Absolute FAQ Manager "question" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

r0t has reported a vulnerability in Absolute FAQ Manager, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19396/

--

[SA19386] EZHomepagePro Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

r0t has reported some vulnerabilities in EZHomepagePro, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19386/

--

[SA19381] E-School Management System "msg" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

r0t has reported a vulnerability in E-School Management System, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19381/

--

[SA19375] Helm Web Hosting Control Panel Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

r0t has discovered some vulnerabilities in Helm Web Hosting Control Panel, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19375/

UNIX/Linux:--

[SA19466] NetBSD Sendmail Memory Corruption Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-03-30

NetBSD has acknowledged a vulnerability in sendmail, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19466/

--

[SA19450] F-Secure Messaging Security Gateway Sendmail Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-03-29

F-Secure has acknowledged a vulnerability in F-Secure Messaging Security Gateway, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19450/

--

[SA19407] OpenBSD update for sendmail

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-03-27

OpenBSD has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19407/

--

[SA19404] Avaya Products Sendmail Signal Handling Memory Corruption

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-03-27

Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19404/

--

[SA19394] HP-UX update for sendmail

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-03-28

HP has issued an update for sendmail. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19394/

--

[SA19390] Gentoo update for realplayer

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-03-27

Gentoo has issued an update for realplayer. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19390/

--

[SA19380] Debian update for evolution

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-03-24

Debian has issued an update for evolution. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19380/

--

[SA19463] NetBSD racoon IKE Message Processing Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-03-30

NetBSD has acknowledged a vulnerability in racoon, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19463/

--

[SA19449] PHPCollab "Forgot password" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-29

rgod has discovered a vulnerability in PHPCollab, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19449/

--

[SA19436] Debian update for netpbm-free

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-03-29

Debian has issued an update for netpbm-free.
This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19436/

--

[SA19425] Sourceworkshop newsletter "email" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-29

Aliaksandr Hartsuyeu has discovered a vulnerability in Sourceworkshop newsletter, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19425/

--

[SA19424] Debian update for flex

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-03-28

Debian has issued an update for flex. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19424/

--

[SA19418] MPlayer AVI "indx" Chunk and ASF Handling Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-29

xfocus has reported some vulnerabilities in MPlayer, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19418/

--

[SA19408] SUSE Updates for Multiple Packages

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-27

SUSE has issued an update for multiple packages. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19408/

--

[SA19377] SCO OpenServer update for xpdf

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-24

SCO has issued an update for xpdf.
This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19377/

--

[SA19374] Debian update for kernel-source-2.6.8

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, Privilege escalation, DoS
Released:    2006-03-24

Debian has issued an update for kernel-source-2.6.8. This fixes some vulnerabilities, which can be exploited by malicious, local users to disclose potentially sensitive information, cause a DoS (Denial of Service), gain escalated privileges, and bypass certain security restrictions, or by malicious people to cause a DoS, bypass certain security restrictions, and disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/19374/

--

[SA19371] Trustix update for curl

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-03-24

Trustix has issued an update for curl. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19371/

--

[SA19369] Debian update for kernel-source-2.4.27

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, Privilege escalation, DoS
Released:    2006-03-24

Debian has issued an update for kernel-source-2.4.27. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information, cause a DoS (Denial of Service), and gain escalated privileges, or by malicious people to cause a DoS and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19369/

--

[SA19457] UnixWare update for curl

Critical:    Less critical
Where:       From remote
Impact:      Unknown
Released:    2006-03-30

SCO has issued an update for curl.
This fixes a vulnerability with an unknown impact.

Full Advisory:
http://secunia.com/advisories/19457/

--

[SA19429] realestateZONE Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-28

r0t has reported some vulnerabilities in realestateZONE, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19429/

--

[SA19387] BlankOL "bol.cgi" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

r0t has reported a vulnerability in BlankOL, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19387/

--

[SA19405] SUSE update for freeradius

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, DoS
Released:    2006-03-28

SUSE has issued an update for freeradius. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19405/

--

[SA19395] Avaya PDS HP-UX swagentd Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-03-27

Avaya has acknowledged a vulnerability in Avaya Predictive Dialing System (PDS), which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19395/

--

[SA19373] HP-UX swagentd Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-03-24

A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/19373/

--

[SA19465] NetBSD mail Insecure Record File Creation

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-03-30

A security issue has been reported in NetBSD, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19465/

--

[SA19464] NetBSD if_bridge Kernel Memory Disclosure Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-03-30

A vulnerability has been reported in NetBSD, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19464/

--

[SA19444] Sun Cluster SunPlex Manager File Disclosure Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-03-30

A vulnerability has been reported in Sun Cluster, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19444/

--

[SA19442] Gentoo bsd-games Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-03-30

Tavis Ormandy has reported some vulnerabilities in the bsd-games package, which potentially can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/19442/

--

[SA19433] Gentoo update for openoffice / openoffice-bin

Critical:    Less critical
Where:       Local system
Impact:      Unknown
Released:    2006-03-28

Gentoo has issued updates for openoffice / openoffice-bin. These fix a vulnerability, which has an unknown impact.
Full Advisory:
http://secunia.com/advisories/19433/

--

[SA19426] Sun Solaris Process Environment Disclosure Security Issue

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-03-28

A security issue has been reported in Solaris, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19426/

--

[SA19376] Gentoo nethack / falconseye / slashem Privilege Escalation

Critical:    Less critical
Where:       Local system
Impact:      Manipulation of data, Privilege escalation
Released:    2006-03-24

Gentoo has reported some vulnerabilities in the nethack / falconseye / slashem packages, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/19376/

--

[SA19402] Linux Kernel IP ID Value Increment Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information
Released:    2006-03-28

Marco Ivaldi has reported a weakness in the Linux kernel, which can be exploited by malicious people to disclose certain system information and potentially to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19402/

Other:

Cross Platform:--

[SA19438] Virtual War "vwar_root" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-03-29

[Oo] has discovered a vulnerability in Virtual War, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19438/

--

[SA19428] PHP Live Helper "abs_path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-03-28

rUnViRuS has reported a vulnerability in PHP Live Helper, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19428/

--

[SA19389] csDoom Format String and Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-27

Luigi Auriemma has reported some vulnerabilities in csDoom, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19389/

--

[SA19452] NetOffice "Forgot password" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-29

rgod has discovered a vulnerability in NetOffice, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19452/

--

[SA19448] VBook Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, System access
Released:    2006-03-30

Aliaksandr Hartsuyeu has discovered multiple vulnerabilities in VBook, which can be exploited by malicious people to conduct script insertion attacks and SQL injection attacks, and by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19448/

--

[SA19447] Tilde CMS "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-29

Preddy has reported a vulnerability in Tilde CMS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19447/

--

[SA19446] OneOrZero "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-29

Preddy has discovered a vulnerability in OneOrZero, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19446/

--

[SA19439] Cholod Mysql based message board Script Insertion and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-03-29

kspecial has discovered some vulnerabilities in Cholod Mysql based message board, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19439/

--

[SA19435] VNews Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, System access
Released:    2006-03-30

Aliaksandr Hartsuyeu has reported some vulnerabilities in VNews, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19435/

--

[SA19422] vCounter "url" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-29

Aliaksandr Hartsuyeu has discovered a vulnerability in vCounter, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19422/

--

[SA19421] Pixel Motion Blog SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-28

Morocco Security Team has discovered two vulnerabilities in Pixel Motion Blog, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19421/

--

[SA19420] VSNS Lemon Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-03-28

Aliaksandr Hartsuyeu has discovered multiple vulnerabilities in VSNS Lemon, which can be exploited by malicious people to conduct script insertion attacks, to bypass certain authentication, and to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19420/

--

[SA19414] G-Book "g_message" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

matrix_killer has discovered a vulnerability in G-Book, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19414/

--

[SA19413] Null news Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-29

Aliaksandr Hartsuyeu has discovered some vulnerabilities in Null news, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19413/

--

[SA19410] TWiki Restricted Content Access and Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2006-03-27

A vulnerability and a security issue have been reported in TWiki, which can be exploited by malicious people to cause a DoS (Denial of Service) and bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/19410/

--

[SA19403] Vihor Design Local File Disclosure Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2006-03-27

Patriotic Hackers has discovered a vulnerability in Vihor Design, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19403/

--

[SA19400] WEBalbum Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-03-27

rgod has discovered a vulnerability in WEBalbum, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19400/

--

[SA19392] Mambo AkoComment Module SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-28

Stefan Keller has reported two vulnerabilities in the AkoComment module for Mambo, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19392/

--

[SA19391] phpNewsManager Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-30

Aliaksandr Hartsuyeu has reported multiple vulnerabilities in phpNewsManager, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19391/

--

[SA19388] Vavoom Two Denial of Service Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-03-27

Luigi Auriemma has reported two vulnerabilities in Vavoom, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/19388/

--

[SA19384] phpPgAds / phpAdsNew Two Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-27

Two vulnerabilities have been reported in phpPgAds / phpAdsNew, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19384/

--

[SA19382] Nuked-Klan "m" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-28

Moroccan Security Team has discovered a vulnerability in Nuked-Klan, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19382/

--

[SA19417] Veritas NetBackup Multiple Buffer Overflow Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-03-28

Multiple vulnerabilities have been reported in Veritas NetBackup, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19417/

--

[SA19460] Explorer XP "chemin" Cross-Site Scripting and Directory Traversal

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-03-30

Silitix has discovered a vulnerability and a weakness in Fabien Gauharou Explorer XP, which can be exploited by malicious people to disclose system information and conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19460/

--

[SA19445] Arab Portal "title" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-29

stranger-killer has discovered a vulnerability in Arab Portal, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19445/

--

[SA19443] PHP Script Index "search" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-29

Preddy has reported a vulnerability in PHP Script Index, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19443/

--

[SA19440] PHP Classifieds "searchword" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-29

Preddy has discovered a vulnerability in PHP Classifieds, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19440/

--

[SA19434] Connect Daily Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-28

r0t has discovered some vulnerabilities in Connect Daily, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19434/

--

[SA19432] CONTROLzx HMS Multiple Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-28

r0t has reported multiple vulnerabilities in CONTROLzx HMS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19432/

--

[SA19431] ActiveCampaign SupportTrio "terms" Cross-Site Scripting

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2006-03-28

r0t has reported a vulnerability in ActiveCampaign SupportTrio, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19431/

--

[SA19423] Greymatter gm-upload.cgi File Upload Vulnerability

Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-03-28

syst3m_f4ult has discovered a vulnerability in Greymatter, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19423/

--

[SA19419] phpCOIN "fs" Cross-Site Scripting Vulnerabilities

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-28

r0t has discovered some vulnerabilities in phpCOIN, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19419/

--

[SA19412] PHP Ticket "frm_search_in" SQL Injection Vulnerability

Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-03-27

undefined1_ has discovered a vulnerability in PHP Ticket, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19412/

--

[SA19411] TFT Gallery "passwd" Exposure of User Credentials

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-03-27

undefined1_ has discovered a security issue in TFT Gallery, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/19411/

--

[SA19409] phpmyfamily "name" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2006-03-28

matrix_killer has discovered a vulnerability in phpmyfamily, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19409/

--

[SA19393] Calendar Express Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-27

Pratiksha Doshi has reported a vulnerability in Calendar Express, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19393/

--

[SA19383] PHP "html_entity_decode()" Information Disclosure Vulnerability

Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-03-29

A vulnerability has been discovered in PHP, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19383/

--

[SA19379] CoMoblog "img.php" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-24

FarhadKey has discovered a vulnerability in CoMoblog, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19379/

--

[SA19372] Meeting Reserve Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-27

Pratiksha Doshi has reported a vulnerability in Meeting Reserve, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19372/

--

[SA19370] EasyMoblog "img.php" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-03-24

FarhadKey has discovered a vulnerability in EasyMoblog, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19370/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri Mar 31 01:24:51 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 31 Mar 2006 00:24:51 -0600 (CST)
Subject: [ISN] Hacker hits Georgia state database via hole in security software
Message-ID:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,110094,00.html

By Jaikumar Vijayan
MARCH 30, 2006
COMPUTERWORLD

An unpatched flaw in a "widely used security program" was exploited by an unknown hacker to gain access to a Georgia Technology Authority (GTA) database containing confidential information on more than 570,000 members of the state's pension plans.

The intrusion occurred sometime between Feb. 21 and Feb. 23 and involved a hacker who used "sophisticated hacking tools" to break through several layers of security after accessing the server hosting the database via the software flaw, said Joyce Goldberg, a GTA spokeswoman.

Goldberg refused to name the security vendor whose software was exploited, citing an ongoing investigation. She added, however, that the vulnerability exploited by the hacker had already been publicly disclosed by the vendor. "We were in the midst of fixing the flaw that the software vendor had identified. But the hacker got in before we were able to do that," she said. "Shortly after the breach, we saw some unusual activity, and in looking at that, we discovered the breach."
Goldberg declined to elaborate on what that unusual activity was.

The breached server contained information on a total of eight pension plans administered by the state. The core database itself was managed by the state Employees Retirement System, though the server it was hosted on was administered by the GTA.

At this point, there is no evidence that confidential information, including names, Social Security numbers and bank-account details, has been misused, Goldberg said. Even so, the GTA is sending out letters to 180,000 affected employees for whom it has contact information, she said. The state does not have current addresses for the remaining 373,000 individuals affected and is relying on media reports and its own outreach efforts to inform them of the potential compromise of data, Goldberg said.

The Georgia Bureau of Investigation is investigating the incident. The GTA is also bringing in outside security advisers to do a security assessment, the agency said in a note posted on its site.

This is the second major breach involving the GTA in the past year. In April 2005, the GTA disclosed that a state employee had downloaded confidential information belonging to more than 450,000 members of the state's health benefit plan onto a home computer.

Since that breach, the GTA has implemented several measures to tighten security, including stricter password controls, more timely reviews of logs and alerts, more extensive employee background checks and stricter control of access to confidential data, according to the GTA's Web site.

Incidents such as this highlight the dangers companies face when the software they rely on to protect their data itself turns bad, said Lloyd Hession, vice president and chief technology officer at BT Radianz, a New York-based provider of telecommunications services to financial companies.
"The most important point to remember [from such incidents] is that you don't want to be overly dependent on a single vendor's product" for security, Hession said.

Earlier this month, a faulty antivirus update from McAfee Inc. mistakenly identified hundreds of legitimate programs as a Windows virus, resulting in the accidental deletion of significant amounts of data from company computers that had the faulty software installed on them.

Two years ago, the Witty worm, which was reported to have damaged 15,000 to 20,000 computers worldwide, took advantage of a flaw involving the BlackIce and RealSecure intrusion-prevention products from Atlanta-based Internet Security Systems Inc. The worm wrote random data onto the hard disks of vulnerable systems, causing the drives to fail and making it impossible for users to start up the systems.

Such incidents highlight quality lapses that sometimes occur when security vendors try to rush out products to keep up with security threats, Hession said. "Security vendors have to adapt very quickly to new threats," resulting in very short development and testing cycles, he said.

With security products, "the perception is that it should be more reliable than other software," which is not always the case, said Ken Dunham, director of the rapid response team at VeriSign Inc.'s iDefense Labs unit. IT managers need to remember that all software is susceptible to errors that pose security risks, he said.

From isn at c4i.org Fri Mar 31 01:25:02 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 31 Mar 2006 00:25:02 -0600 (CST)
Subject: [ISN] Packet-sniffing techie uncovers spousal infidelity
Message-ID:

http://www.theregister.co.uk/2006/03/30/ethereal_relationship_break-up/

By John Leyden
30th March 2006

Technology has been instrumental in ending yet another long-standing relationship. Hot on the heels of tales of a woman who blames a bug in Firefox for exposing the flaws in her relationship with a fiancé
and a man whose relationship was hit by the spam filtering shortcomings of Thunderbird, comes the story of a software programmer who unearthed evidence of his partner's infidelity using Ethereal, the packet sniffing software.

Len Holgate usually writes about Windows software development and programming in C++. But in a break from the norm he recently wrote about how he installed (with some difficulty) a packet sniffer on his network after becoming suspicious that Michelle, his partner of 17 years, was cheating on him.

"The sniffer provided me with evidence that Michelle had been having an affair since mid-January. I confronted her and we decided to try and see if we could 'work it out' during our ski trip to Colorado. During the trip I decided that the relationship couldn't continue and so on our return she moved out. We're currently doing the separation of assets thing. We hope to be able to remain friends. Since I don't hate her, I figure that nobody else is allowed to," Len writes.

The coder offers the following sage advice to the less technically adept: "If you plan to use technology when cheating it's probably best to understand the technology involved better than the person that you're cheating on," he adds.

We'd add that if you maintain any kind of relationship you might want to throw out your computer and mobile and invest in an abacus, if recent Reg stories (and a thread on digg.com generated by Len's post) are anything to go by.

From isn at c4i.org Fri Mar 31 01:25:15 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 31 Mar 2006 00:25:15 -0600 (CST)
Subject: [ISN] BBC stories used as bait for IE exploit
Message-ID:

http://news.com.com/BBC+stories+used+as+bait+for+IE+exploit/2100-7349_3-6056217.html

By Joris Evers
Staff Writer, CNET News.com
March 30, 2006

Cybercrooks are spamming e-mail messages to trick people into visiting malicious Web sites that exploit a recent Internet Explorer flaw, experts warned Thursday.
The Web sites take advantage of the vulnerability in the omnipresent Microsoft Web browser to install a keystroke logger on vulnerable computers, according to San Diego-based Websense Security Labs. "This keylogger monitors activity on various financial Web sites and uploads captured information back to the attacker," Websense said in an alert.

The malicious software could capture log-in names and passwords for the sites, information criminals could sell or possibly use to plunder a victim's account.

The e-mail messages used to lure people to the Web sites contain excerpts from BBC news stories and offer a link to "read more," Websense said. This link leads to a forged BBC Web page where the malicious software is dropped onto a vulnerable PC by exploiting the "createTextRange()" vulnerability in IE, according to Websense's alert.

The vulnerability has to do with how Internet Explorer handles the createTextRange() tag in Web pages. Since the flaw was disclosed publicly last week, more than 200 Web sites have been found to exploit it. These sites typically install spyware, remote control software and Trojan horses on vulnerable PCs.

Microsoft has said it is working on a fix for the browser. That update is currently scheduled for delivery April 11, Microsoft's regular monthly patch day. However, the Redmond, Wash., company has said it's considering an earlier release.

Meanwhile, two security companies have beaten Microsoft to the punch. eEye Digital Security and Determina both released unofficial fixes for the IE flaw earlier this week. Experts, however, have warned users to be cautious with non-Microsoft fixes and instead suggest using a Web browser other than IE, or disabling Active Scripting, which is also Microsoft's advice.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
From isn at c4i.org Fri Mar 31 01:25:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 31 Mar 2006 00:25:29 -0600 (CST)
Subject: [ISN] More glitches trigger halt in testing of new county voting machines
Message-ID:

http://www.post-gazette.com/pg/06089/678087-85.stm

By Tracie Mauriello
Post-Gazette Harrisburg Bureau
March 30, 2006

HARRISBURG -- A state voting-machine examiner yesterday halted testing of the machine Allegheny County intends to use in the May primary, saying it was pointless to continue until a critical software problem is resolved.

"It's not useful to continue because [the software] clearly is not stable," said Michael Shamos, a Carnegie Mellon University professor.

Sequoia Voting Systems, the Oakland, Calif.-based manufacturer of AVC Advantage voting machines, will have a chance to fix the software and have it retested in a week or two. Otherwise, it's unlikely the machines will be certified for use in Pennsylvania.

If they aren't, Allegheny County must scramble for new ones before the May 16 primary and might lose a $12 million federal grant for the replacement of its lever-style machines.

Secretary of State Pedro A. Cortes will discuss the issue today in a conference call with Allegheny County Manager Jim Flynn.

"We're going to see what he has to say," Mr. Flynn said. "No matter what, we're going to have a primary here on May 16."

The problem also could affect Montgomery County, which has been using the Advantage machines since 1996 and is in line for a grant to make them accessible to the blind.

Dr. Shamos encountered yesterday's problem during a test for vote tampering. In an instant, he said, he was able to transform a handful of votes into thousands.

Developers quickly fixed the problem by replacing a file in the tabulation software, but that didn't alleviate Dr. Shamos' concerns. A malicious hacker could easily make the same switch, allowing votes to be changed, he said.
"What control is there over the software package if different files can be swapped in and out?" he asked.

Also yesterday, Dr. Shamos uncovered a series of unusual error messages and a fluke that causes the program to shut down when the "print" button is used.

A day earlier, he detected a problem transferring data between voting machines and the tabulation software. That problem has since been fixed.

Larry Tonelli, Sequoia's state manager for Pennsylvania and New York, said he was confident the latest problem can be resolved, too.

"We know the hardware is fine. It's been out there for eight or nine years so we're moving ahead with training and shipping machines [to Allegheny County]. The software doesn't need to work until just before the election so we've got time. It's no big deal," he said.

Sequoia has been under scrutiny because of tabulation problems last week in Chicago and surrounding Cook County. Those problems involved two different kinds of voting machines and may have been caused by poll workers rather than the equipment, Sequoia officials said.

"The problems are not necessarily inherent in the equipment itself, but in the initial intersection of the new technology and the people who use it," said Sequoia spokeswoman Michelle Shafer.

She said -- and Dr. Shamos agreed -- that the Chicago-area problems aren't relevant to the Pennsylvania certification process.

The process involves casting dozens of mock ballots, verifying vote totals, reading thousands of lines of computer code and even checking the brightness of illuminated indicators on voting machines.

One goal is to ensure that disabled voters can easily participate in elections. Department of State employee Jim Criss, who is visually impaired, helped test the equipment. Instructions and candidate names were given verbally and Mr. Criss voted using a keypad with four large buttons, one shaped like a triangle, one like a circle and two like triangles with points in opposite directions.
The process was simple and the instructions were straightforward, Mr. Criss reported after casting a mock ballot while 11 observers huddled around him.

The onlookers included state employees, Sequoia representatives and three members of voters' rights groups that oppose the use of Advantage machines because they don't provide paper records that can be verified by voters before they leave the polls.

"We're not confident that these machines have a clear track record and today doesn't make us feel any better," said Stephen Strahs, founder of the Election Reform Network based in Montgomery County. "We've been told, 'Don't worry. It will all be taken care of.' Well, it's almost April and there are still questions."

The testing is required as part of the Help America Vote Act, which provides grants to municipalities that replace old voting machines with new ones that meet federal standards.