From isn at c4i.org Wed Mar 1 02:46:46 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:46:46 -0600 (CST)
Subject: [ISN] Korea to Fight Web Attacks From China
Message-ID:

http://times.hankooki.com/lpage/tech/200602/kt2006022817142511780.htm

By Kim Tae-gyu
Staff Reporter
02-28-2006

To counter the problem of identity theft, the Korean government will block the backdoor Internet pathway from abroad, which was used to steal personal data by getting bypass links to the country's Internet network.

The Ministry of Information and Communication Tuesday revealed steps aimed at controlling the nation's rampant personal data leakage to overseas countries, especially China.

``Since last week, in collaboration with Internet service providers, we already intercepted 2,600 illegal IPs, which were found to be the main routes for penetrating the Korean network,'' Lee Sung-ok, director general at the ministry, said.

Identity theft en masse surfaced last month after complaints piled up that hackers stole private data, including resident registration numbers, from Koreans in order to subscribe to ``Lineage,'' the popular online game.

Chinese hackers are suspected of leading the cyber crimes via a bypass link based on unlawful IPs, an alternative path other than the legitimate, primary one.

``In the future, we will continue to keep tabs on such illegal IPs geared toward breaking into the Korean network and stealing personal information,'' Lee said.

Lee said the ministry will also urge local Internet firms to use an alternative system other than resident registration numbers, the Korean version of social security numbers, for signing up to Web sites.

``Furthermore, we will recommend Web sites use cell phones as a certification method to deter illegal subscribers. They can require people to enter their mobile phone numbers together with resident numbers when signing up,'' Lee noted.
``The site then will send certification figures via mobile handsets and users will have to enter the multi-digit number on the Web site for user verification,'' he added.

The Chinese government will be asked to delete the personal data of many Koreans in circulation in China's cyberspace, he said.

To prevent the recurrence of massive personal data leakage, the ministry also unveiled a package of measures including propagation of security patches as well as firewalls.

``Currently, the penetration rates of security patches stand at just 38 percent. We will increase the figure to 80 percent and mandate gaming companies to install Web firewalls,'' Lee said.

Toward that end, the country's main portal and game sites will have to be equipped with programs that automatically install security patches on subscribers' computers.

The ministry also looks to check the security of the country's 70,000 most-visited Web sites every day to shield them from onslaughts by unscrupulous crackers.

From isn at c4i.org Wed Mar 1 02:47:23 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:47:23 -0600 (CST)
Subject: [ISN] Companies Contemplate Life Without BlackBerrys
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/02/28/AR2006022801480.html

By Yuki Noguchi
Washington Post Staff Writer
March 1, 2006

Eugene Stein is thinking about Plan B for the 1,900 BlackBerry e-mail devices under his charge that could be rendered useless if their maker, Research in Motion Ltd., gets slapped with a court-ordered shutdown.

"It'd be pretty significant," said Stein, chief technology officer for law firm White & Case LLP. His backup plan for keeping the firm's employees connected to wireless e-mail is to use more Palm Treo devices with Good Technology Inc. software, a rival to the BlackBerry system.

"I would have to use all my technical guys" and sink at least $40,000 into buying new devices, he said.
"I can't buy and replace them all in one shot," but he has secured assurances from vendors that he will be able to order some Treos overnight, putting them in the hands of attorneys traveling internationally or working on key deals first. After that, he would experiment with the software upgrade RIM says it has developed, or replace the remaining BlackBerrys as soon as possible.

It's hard not to resent RIM for not resolving its legal issues, Stein said. "They shouldn't have put me in this position."

Many BlackBerry users are in limbo, awaiting a federal judge's decision about whether to shut down the company's U.S. operations for infringing on patents. But life is even harder for people like Stein, who manage information technology and have to make educated guesses about the outcome of the case, then make contingency plans.

There are lots of factors to consider. At a hearing last week, U.S. District Judge James R. Spencer indicated that he would honor a 2002 jury decision finding RIM guilty of infringing McLean-based NTP Inc.'s patents. At the same time, on the morning of Friday's hearing, the U.S. Patent and Trademark Office rejected the validity of the second of the five relevant patents it originally granted to NTP -- a move RIM was hoping would sway public and judicial opinion in its favor.

If all other legal measures fail and the judge orders service cut off for most non-government users -- roughly two-thirds of the 3.2 million U.S. subscribers -- RIM has said it has a software solution that will work around its patent problem. But information technology officers like Stein haven't had a chance to test it yet.

Iron Age Corp.'s chief information officer, Drew Farris, is divided about what to do with the 150 BlackBerry e-mail devices that sales executives at his specialty shoe business rely on. On the one hand, Farris thinks RIM will settle its long-running patent dispute before a possible court-ordered shutdown.
That would spare Farris's company from having to replace its devices at an estimated cost of $1,500 per user for equipment, software and training. On the other hand, it may not.

"Based on what I've read and seen, I'm at a loss; I'd say it's 50-50" for either outcome, said Farris, who follows the case closely on Internet news sites and newsletters.

RIM's problems have been good for competitors' business, including Good and Visto Corp., both of which have received hundreds of inquiries from companies looking for alternatives, and both of which have licensing agreements with NTP.

But most businesses are still waiting for the judge's decision, said Todd Kort, an analyst with Gartner Inc. who said he has talked to 75 to 80 technology officers since November about their contingency plans.

"They're under a fair amount of pressure from their users, and they're getting pressure from above" to make sure systems keep running uninterrupted, Kort said. "But of those, only four or five are in the process of switching service," because changing out the service is expensive and time-consuming, he said.

Among other things, longtime BlackBerry users are used to the software and the ergonomics of their palm-size devices, so deploying something new would mean losing productivity while people figure out a new system.

Kort remains optimistic that his clients won't have to do that. He said RIM is far more likely to either settle or deploy its work-around than shut down service.

John Stevenson is placing his bets on the work-around. He retired this week as chief information officer at Sharp Electronics' U.S. division, but not before having to decide what to do about the 300 BlackBerrys used by company executives.
"Do we go back to the old way of doing things -- using cell phones, text messaging, and laptop computers," or should the company think about buying a new set of devices at great expense, Stevenson wondered, and he consulted his peers through a trade group, the Society for Information Management.

For now, he said, "we're counting on a BlackBerry work-around. Is that a dangerous plan without a Plan C? Maybe."

John Jones is among those information technology executives who think the case won't amount to a hill of beans. "I just see this going in RIM's favor the entire way," said Jones, who is vice president for information technology at Pulver.com Inc., an Internet telephony and technology conference company.

But even Jones has a backup plan. "Right now my colleague is taking a look at the new Microsoft push e-mail technology -- just in case."

© 2006 The Washington Post Company

From isn at c4i.org Wed Mar 1 02:47:35 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:47:35 -0600 (CST)
Subject: [ISN] DDoS Attacks Target Prominent Blogs
Message-ID:

http://news.netcraft.com/archives/2006/02/28/ddos_attacks_target_prominent_blogs.html

By Rich Miller
February 28, 2006

Several prominent weblogs have been hit with distributed denial of service (DDoS) attacks in recent weeks, as the target list for digital attackers continues to broaden. While some of the attacks appear to be politically motivated, on Monday a DDoS struck one of the blogosphere's most financially successful bloggers.

Australian Darren Rowse confirmed that an outage Monday on his ProBlogger weblog was caused by a DDoS, but provided no details about the attackers or their motives. Rowse gained international attention last year when he revealed that he would make more than $100,000 as a solo blogger in 2005, primarily through earnings from Google AdSense advertising and commissions from affiliate referral programs.
Has the success of professional bloggers made them viable financial targets for professional DDoS attackers? Sites with large volumes of transactions are the primary targets for a cottage industry of digital extortionists using DDoS attacks, usually launched through large botnets of compromised computers. These attacks have previously targeted online betting sites, payment gateways, domain parking services and even online games.

An earlier series of attacks targeted the blog of Michelle Malkin, who led a movement among bloggers to mirror the controversial cartoons of the Prophet Mohammad that initially appeared in a Danish magazine. The attacks began Feb. 15, and escalated on Feb. 23, when an attack from a botnet in Turkey forced Malkin to post on the Pajamas Media weblog until her main site was available again.

The attacks on Malkin's blog appear to be part of a broader pattern of hacker activism targeting sites that have featured the cartoons, including the defacement of hundreds of sites as well as denial of service attacks.

From isn at c4i.org Wed Mar 1 02:48:17 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:48:17 -0600 (CST)
Subject: [ISN] Wh00ps - Email from CSI last week
Message-ID:

---------- Forwarded message ----------
Date: Tue, 28 Feb 2006 15:54:41 -0600
From: "Chris Keating, Director Of CSI"
Reply-To: chriskeating @ cmp.com
To: wk at ...........
Subject: Email from CSI last week

Dear CSI Member,

I'm writing to apologize for a mistake we made in an e-mail message you received from us last week. In the rest of this note, I will explain the mistake we made and why we believe it merits an apology (and an explanation). But since your time is valuable, let me summarize in my first paragraph that an error occurred, in which your name and address were inadvertently given to one other CSI member or potential event attendee.
This was caused by a mail merge error, not any kind of breach of security, nor was your information generally broadcast or the mailing list as a whole exposed in any way. Though the inadvertent distribution was limited in scope, we still take it very seriously. To try to ensure there are no more such errors, we are taking the steps outlined below. If you have any questions about the error or our reaction, please read the paragraphs that follow and if you still have questions beyond this explanation, please don't hesitate to contact me at the address given below.

The message we sent last week invited you to join us for an Editorial Perspective TechWebCast called Security: The Application Point of View. The invitation still stands--we'd love to have you join us and you can find out more by Clicking Here.

In last week's letter, we made use of a feature we're rather proud of: to help speed the process if you decided to register for the event, the e-mail message included a pre-filled registration form. Obviously, what's supposed to be in the pre-filled form is information about you--information you've shared with us in the past such as your business mailing address and your telephone number. This information did not include traditionally sensitive categories of information such as credit card numbers or social security numbers.

The data for the form is merged with the email message content as each message is sent out. In this particular mailing, the data used for the merge had been corrupted, such that each recipient record included in part certain data relating to another recipient. As a result, each form we emailed was incorrectly pre-filled with the information of a different individual in the database who was not the recipient of the message.

The specific condition that caused the database error to occur on this occasion is being corrected.
Additionally, we are examining the possibility of designing new code for the application that merges the data with e-mail messages to assist in addressing problems of this type. If these efforts and other efforts do not result in making us sufficiently confident in our ability to catch such errors, we plan to remove the pre-filled form feature from future mailings until we can achieve that level of confidence.

Again, your information was released to only one other CSI member or potential event attendee and no credit card or information of similar sensitivity was involved. Even a small slip-up, though, doesn't show as much respect for the trust you've placed in us as we'd like.

Please accept my apologies and my assurance that we consider your privacy an integral part of our success as a security organization.

With best regards,

Chris Keating, Director
Computer Security Institute
chriskeating @ cmp.com

If you would prefer not to be contacted again about such events, please opt-out here.

CMP Media LLC
600 Community Drive
Manhasset, NY 11030
CMP Privacy Policy

From isn at c4i.org Wed Mar 1 02:46:30 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:46:30 -0600 (CST)
Subject: [ISN] Three Fidesz workers suspended over hacking of MSZP server
Message-ID:

http://www.budapesttimes.hu/index.php?art=1508

Michael Logan
Budapest
February 27, 2006

Main opposition party Fidesz has suspended the three men believed responsible for hacking into the election campaign website of the ruling Hungarian Socialist Party (MSZP). The unnamed men were blamed for using the Fidesz server to hack into the website and download around 3,000 files, something that Fidesz initially denied before shifting the blame onto the "overzealous" employees. Police have asked Fidesz for the three workers' names.
Counter-claims appear effective

Fidesz leader Viktor Orbán has attempted to play down the incident, despite the fact that police are now investigating, and other party members have claimed that the MSZP has committed similar crimes in the past.

Daily Népszabadság claimed that Prime Minister Ferenc Gyurcsány's campaign schedule has now been thrown into doubt, as have many of the documents related to his speeches and itinerary. The paper said that Gyurcsány would now have to change his route around the country and change his speeches.

However, it would seem that, despite the MSZP's efforts to draw attention to what it believes is a serious incident, polls conducted after the goings-on found that people do not particularly care. Pollsters found that, despite the vast majority of people saying information should not be collected by illegal means, only 10% believed that either party had used underhand methods in the campaign so far.

From isn at c4i.org Wed Mar 1 02:48:32 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:48:32 -0600 (CST)
Subject: [ISN] Symantec ranks Houston high in WiFi security survey
Message-ID:

http://www.chron.com/disp/story.mpl/business/silverman/3689686.html

By DWIGHT SILVERMAN
Copyright 2006 Houston Chronicle
Feb. 27, 2006

Wireless networking has become the dominant way in which home users network their computers. WiFi is fast, fairly easy to set up and relatively inexpensive. But it's also by nature insecure. With WiFi networking, you're spewing your data into the ether, and most wireless hardware comes with the most basic security features turned off by default.

Understanding human nature - and acknowledging the technical cluelessness of the average home user - you'd think that the majority of wireless home networks would be wide open, allowing anyone with a WiFi-enabled computer to connect to the Internet and possibly access personal data. But, based on a drive-by survey conducted by software maker Symantec, not in Houston.
For two days in mid-November, Symantec security experts drove through neighborhoods in seven areas of Houston: Galleria/Memorial, the Heights, the Third Ward, Midtown/Montrose, Shadow Creek/Silverlake near Pearland, the Villages off I-10 West, and parts of the Westchase/near-Katy area. The specific Zip codes: 77056, 77008, 77004, 77006, 77002, 77584, 77024, 77082 and 77079.

As they drove, they used WiFi "sniffing" devices to look for signals from wireless routers, a practice known as wardriving. They checked each one to see if it was encrypted - meaning signals between the routers and the devices that connected to them are scrambled - and whether the owners of the routers had changed the default network name, or SSID.

Although the methodology was hardly foolproof, which I'll discuss in a minute, the results are interesting:

* Symantec's researchers found a total 1,985 WiFi access points.
* More than 61 percent were using encryption.
* More than 80 percent had nondefault SSIDs.
* The more affluent neighborhoods had a higher incidence of nonencrypted access points, although there were far more residential WiFi networks in the richer areas.
* The highest percentage of nonencrypted networks was in the Villages, at almost 47 percent. The lowest percentage was in the Third Ward and West Houston, with about 30 percent.

Jonah Paransky, a senior manager for security products at Symantec, said four other cities had been surveyed in a similar fashion - New York, Los Angeles, Chicago and Washington, D.C. - and Houston had the highest percentage of encrypted residential networks. Symantec would not release the specific numbers for the other cities.

Congratulations, gang! It's good to be No. 1 at something other than obesity and pollution - although you folks in the Villages obviously have some work to do.

Now, while these numbers are interesting, a couple of aspects make the survey's results less than ironclad.
The researchers primarily focused on the central and western parts of the area, and largely ignored the far-flung suburbs. Adding those into the mix might have produced dramatically different results.

In addition, they only looked for encrypted versus open networks. But there are other ways to secure a WiFi network without encryption, including a technique known as MAC filtering. All network cards, whether wired or wireless, have a unique serial number. You can tell a WiFi router to only accept connections from computers with certain MAC numbers, thus locking out unknown users. It's possible that some of the unencrypted networks were using MAC filtering.

Paransky argued that MAC filtering isn't truly secure, because it's possible to capture traffic between a PC and a router if it's not encrypted.

He offered these tips for wireless network security, many of which should be familiar to readers of this column:

* Turn on encryption. D'oh!
* Change the default SSID in your router, and if the router allows it, turn off broadcasting of the SSID. This makes your home network invisible to those casually looking for wireless connections, although it can be spotted with the right software or equipment.
* Place your wireless router as close to the middle of your house as possible, which decreases the chance its signal could be detected from the street. It also helps decrease WiFi dead spots. Newer routers that use range-boosting technologies such as MIMO, and the upcoming 802.11n routers, will blast signals for greater distances, so depending on your house's size, this may not have much effect.
* Use a software firewall even though your router likely has one built in. Paransky said if intruders manage to penetrate your network, firewalls on each machine may keep others protected.

And, of course, because the survey was done by Symantec - which makes the Norton line of security software - Paransky suggested users keep up-to-date antivirus and antispyware on all their computers.
You didn't think the Symantec people went to all this trouble out of the goodness of their hearts, now did you?

From isn at c4i.org Wed Mar 1 02:48:54 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 1 Mar 2006 01:48:54 -0600 (CST)
Subject: [ISN] Who's Reading Your Cell's Text Messages?
Message-ID:

http://www.eweek.com/article2/0,1895,1931904,00.asp

By Paul F. Roberts
February 27, 2006

Have you ever hit "Send" on a text message on your mobile phone before addressing it? Ever wondered where all those lost SMS text messages go? If so, you might want to speak with Stan Bubrouski, whose cell phone has been channeling wayward text messages from across the country for years.

Bubrouski, a computer science major at Northeastern University in Boston, is the proud owner of 'Null at vtext.com,' an account on the popular Verizon text messaging service that allows Internet users to send e-mail and IM messages directly to his cell phone as SMS text messages.

Bubrouski said he was just being clever when he signed up for a Verizon vText account with the user name 'null,' after his parents bought him his first mobile phone during his freshman year at Northeastern, in 2001. "I've been paying for it ever since," Bubrouski told eWEEK.

Bubrouski's new vText account didn't just hook him up with his friends, it also opened the door to a blizzard of unsolicited messages from individuals and companies that, for the last five years, have unwittingly forwarded reams of data to his phone. That data has become more sensitive in recent months, as companies rush to deliver everything from SAT test scores to medical information and automobile diagnostics to cell phones and PDAs.

Bubrouski's experience, while unusual, could be a sign of growing pains in the wireless industry, as companies rush to provide wireless data services, overlooking steps that could secure the data in transit, according to one security expert.
Bubrouski, who is finishing his senior year at Northeastern, noticed something strange about his vText account almost immediately after activating it in 2001.

"I started getting phantom text messages with no callback number and an empty 'From:' field," Bubrouski wrote. Initially, the content of the messages was innocuous, he said. "It was things like 'don't forget to drop the car off at baker's' and to 'call mom at 781-XXX-XXXX', stuff like that," Bubrouski wrote.

The problem worsened in mid-2002, when Bubrouski's phone began channeling what he claims were dozens of messages from an e-mail address used by General Motors' then-new "OnStar" system. The messages quickly filled up the memory on his cell phone and contained diagnostic response to tests on a beta version of OnStar. "Basically, peoples' cars were sending messages to my phone," Bubrouski wrote.

Bubrouski contacted GM and was able to reach someone familiar with the OnStar tests, and get them to stop the messages after about a week. "I was happy again - for about two weeks," he wrote.

Next, Bubrouski's phone started receiving SMS sports scores and news from ESPN, the sports cable network, which had struck up a partnership with Verizon. Bubrouski's phone was still getting dozens of messages from the service, but because the service wasn't public yet, he couldn't find anyone at Verizon or ESPN who had heard of it and could help him with his problem. Bubrouski said he deleted the messages from his phone. He was unable to provide proof of the OnStar or ESPN messages to eWEEK.

In a pattern that would repeat itself in the years to come, Bubrouski simply blocked the ESPN e-mail address using a blocking list at vtext.com and waited for the next stream of messages to hit his phone. Over time, Bubrouski accumulated a block list of around 15 "offenders" - individuals and companies who were sending him large volumes of unsolicited information.
Bubrouski theorizes that his choice of user name is the culprit in the data leaks. In the world of software design, "Null" is commonly used to represent "no value" or "0." Developers of mobile services use the "Null" address during testing routines, assuming that the messages won't be sent to anyone. Verizon may also be substituting "Null" for an invalid or missing "To" address in messages sent over Vtext, he said.

Misplaced "Call Mom" messages aren't likely to harm anyone, but by late 2004, the unsolicited SMS problem exploded, and took on a darker nature, as mobile data services started popping up all over to take advantage of a new generation of feature-rich mobile phones, Bubrouski said.

"I was getting people's grades, order information from unknown retailers, personal messages with people's credit card numbers [and] social security numbers," he wrote.

Most of the messages were sent by individuals, but many arrived in volume from companies like eMbience Inc. of San Diego, Calif., which unwittingly sent reams of MapQuest Traffic data to Bubrouski's phone. An eMbience spokeswoman said that Bubrouski's vText account was the same as an account used by engineers for internal testing. Once eMbience was informed, in November, that MapQuest test messages were going to Bubrouski's phone, they changed the address used in testing for the company's services.

Another company involved was Vocel Inc., also of San Diego, which develops mobile data services for companies including The Princeton Review and Random House. The company's Princeton Review service helps students study for a variety of standardized tests using their cell phone, including the SAT, GRE and LSAT, according to Tyler Jensen, vice president of operations at Vocel. A new Vocel service that is in testing called "Pill Phone" sends medication reminders to individuals' cell phones, he said.
Messages from both the Princeton Review Service and Pill Phone were accidentally sent to Bubrouski's phone because of a flaw in a sharing feature in the service that allows test results completed on the phone to automatically be forwarded in SMS or e-mail format to a third party such as a parent or tutor, he said. Messages without a "To" address were not delivered by the service. However, because of a programming flaw in the client server software, messages with an invalid address, such as a blank space, were translated as "Null," and wound up on Bubrouski's phone, Jensen said.

"The fault was entirely ours," he said. Vocel was informed of the problem by Bubrouski on Feb. 8 and had the problem fixed by Feb. 10.

While the Princeton Review messages that Bubrouski received were from a service that is in production, the Pill Phone messages were merely test data generated by Vocel engineers, not actual reminders, he said.

For example, text messages from server at vocel.com told Bubrouski that "A student at 4105704297 has just completed Princeton Review Word Set 1 with a score of 71%." A message from pillphone at vocel.com informed him that "A user at 7325894169 has not responded to his/her 01:45 PM dose of Pronestyl-SR," according to examples of data provided to eWEEK.

Vocel does not channel sensitive data from third-party servers. All the data that is circulated, such as test scores and medication information, is entered by the cell phone user, or generated on his or her phone, Jensen said. Still, Vocel is taking the incident seriously. "This was a wake-up call for us from the standpoint of ensuring that back-end systems are doing verification and checking," he said.

Jensen was loath to criticize Verizon, which provides SMTP gateways that route data sent from cell phone users and providers like Vocel to its customers.
However, others said that Bubrouski's experience may be a sign of larger problems with the way that providers like Verizon are running their text messaging networks.

SMS users, like e-mail users, rely on the fact that carriers like Verizon won't accidentally deliver improperly formatted messages, such as those with no addressee, to an unrelated address, said John Pescatore, a vice president at Gartner. "There's no way that this should be happening. No e-mail system would ever do that," he said. Verizon should be rejecting messages with improperly formatted addressee information, not forwarding it to an account, he said.

Bubrouski agrees. "I'd have to say Verizon is at fault. Sure, service providers make mistakes, but Verizon shouldn't be accepting messages from no one to no one," he said.

Verizon declined to comment in detail on Bubrouski's case. However, Verizon wireless spokesman Jeffrey Nelson thanked eWEEK for bringing the 'Null' account issue to the company's attention, and said Verizon is looking into the issue.

The problems that Bubrouski experienced may be particular to Verizon's network. However, security is a larger problem in text messaging and e-mail, where trust is assumed between senders and receivers of message data, said Brian Berger, a vice president of marketing at Wave Systems Inc. and marketing chair at the TCG (Trusted Computer Group).

TCG is developing specifications for hardware building blocks, including the TPM (Trusted Platform Module) chip that can secure transactions from mobile devices. Companies like Nokia, Motorola, ARM, Vodafone, Wave Systems, as well as Intel and IBM are participating in the process, and specifications are expected this Summer, Berger said.

As mobile devices become more powerful and are used to log into secure networks, and conduct high value transactions, users will need to have a way to authenticate themselves, manage passwords and prove their identity using mobile phones, he said.
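The failure mode the article describes (a missing or blank "To" rendered as the literal string "null", which happens to be a real subscriber alias) beside the rejection Pescatore and Jensen call for, as an added Python example that is not Verizon's, Vocel's or eWEEK's code. Only the vtext.com gateway domain comes from the article; the subscriber table, the reserved placeholder list and every function name are constructed assumptions.

```python
"""SMS gateway addressee handling: the flaw the article describes, beside a
hardened version that validates before it routes.

Added example, not Verizon's or Vocel's code. Constructed: ACCOUNTS,
RESERVED_PLACEHOLDERS and all function names.
"""
import re
from typing import Optional

GATEWAY_DOMAIN = "vtext.com"   # public e-mail-to-SMS domain named in the article

# Constructed subscriber table: local part of <local>@vtext.com -> handset.
ACCOUNTS = {
    "5551234567": "handset-A",
    "null": "handset-null",    # the vanity alias the student registered
}

# Constructed: local parts no gateway should ever route to, because they are
# what an unset reference prints as in common languages, or test-harness names.
RESERVED_PLACEHOLDERS = {"null", "none", "nil", "undefined", "test"}

LOCAL_PART_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,62}$")


class AddressError(ValueError):
    """Raised when a message carries no usable addressee."""


def buggy_route(to: Optional[str]) -> str:
    """Flawed behaviour described in the article (kept on purpose).

    A missing or blank 'To' is rendered the way a null reference prints
    ("null"), and that string is then looked up like any other local part,
    so the message lands on whoever owns the 'null' alias.
    """
    rendered = "null" if to is None or not to.strip() else to.strip()
    local = rendered.lower().split("@", 1)[0]
    return ACCOUNTS.get(local, "bounce")


def safe_route(to: Optional[str]) -> str:
    """Hardened version: validate the addressee before any lookup and refuse
    the message (raise) instead of substituting a default."""
    if to is None or not to.strip():
        raise AddressError("no addressee")
    addr = to.strip().lower()
    if addr.count("@") != 1:
        raise AddressError("malformed address: %r" % to)
    local, domain = addr.split("@", 1)
    if domain != GATEWAY_DOMAIN:
        raise AddressError("not a gateway address: %r" % domain)
    if not LOCAL_PART_RE.fullmatch(local):
        raise AddressError("malformed local part: %r" % local)
    if local in RESERVED_PLACEHOLDERS:
        # Added defence of this example: never deliver to a placeholder name.
        raise AddressError("placeholder local part rejected: %r" % local)
    if local not in ACCOUNTS:
        raise AddressError("unknown subscriber: %r" % local)
    return ACCOUNTS[local]


def forward_result(share_to: Optional[str]) -> Optional[str]:
    """Sending side (the 'share with a parent or tutor' feature): return the
    handset the result was delivered to, or None when sharing is not set up.
    A gateway rejection propagates to the caller rather than being swallowed."""
    if share_to is None or not share_to.strip():
        return None                      # feature unused: send nothing at all
    return safe_route(share_to)


if __name__ == "__main__":
    print("buggy:", buggy_route(" "))    # someone else's phone
    try:
        safe_route(" ")
    except AddressError as exc:
        print("hardened:", exc)
```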
While Verizon works on the problem, Bubrouski said he's grown accustomed to his plight as a shepherd for lost text messages. "I've received thousands of text messages over the past five years," he wrote. "Probably only about 200 or so were actually meant for or even sent to me directly."

Getting rid of his vText account would stop the stream of unwanted SMS messages, but Bubrouski said he enjoys reading the messages he receives, and blocks companies and individuals when the volume of SMS they're sending him gets too high.

"I've kind of gotten used to it," he wrote.

From isn at c4i.org Fri Mar 3 05:29:30 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:29:30 -0600 (CST)
Subject: [ISN] Fight Spam with Blacklists
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Availl
http://list.windowsitpro.com/t?ctl=22685:4FB69

St.Bernard Software
http://list.windowsitpro.com/t?ctl=22670:4FB69

====================

1. In Focus: Fight Spam with Blacklists

2. Security News and Features
- Recent Security Vulnerabilities
- Over 45,000 New Malware Threats Discovered in 2005
- Phishing Sites Increase Significantly in December 2005
- Combining LogParser and Sed

3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- Share Your Security Tips

4. New and Improved
- Block Bots and Other Web Malware

====================

==== Sponsor: Availl ====

Ensure instant access to files at all remote servers and eliminate 95% of your network traffic. Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or Replication technologies? Do you have remote sites with common data or file needs? Get a free software trial, and register for the free seminar.
http://list.windowsitpro.com/t?ctl=22685:4FB69
====================

==== 1. In Focus: Fight Spam with Blacklists ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

I'd guess that the biggest spam headache we all face is false positives--messages that are inadvertently flagged as spam. False positives can be a significant problem, particularly for businesses. After all, you don't want business associates to think you're ignoring them.

I recently wrote in the Security Matters blog about my findings with one particular mail server's various filters (at the URL below). The system uses a dozen filters to help eliminate unwanted email. One thing to keep in mind about filters is that what works for one entity might not work as well for another. You should try several filters and monitor your systems to determine what works best to eliminate the particular types of unwanted mail you receive.
http://list.windowsitpro.com/t?ctl=2267E:4FB69

That said, my findings for the organization in question might be interesting to you. After observing the filters process more than 254,000 messages, I found that the most effective one for this particular organization is a simple language filter. The filter drops messages written in character sets that aren't used by the organization. Language filters might not be appropriate for every business, particularly those that have international relations, but many businesses might find such filtering useful.

The second most effective filter is an IP blacklist filter. IP blacklist filters query blacklist service providers about a given IP address, including the address of the message sender and any addresses that relayed a particular message along its delivery route. If the result of the query shows that the IP address is on the service provider's blacklist, then the probability is high that the message is spam.
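The lookups behind an IP blacklist filter, and behind the URI blacklist filter the article turns to next, as an added example rather than code from the newsletter or any mail server: it builds the reversed-octet DNSBL query name for every public relay address found in a message's Received: headers, checks the domains of the body's URIs against the URI blacklist zones the article names, and treats an answer in 127.0.0.0/8 as a listing. The blacklist zones are the ones named in the article; the sample message, the canned DNS answers (`SAMPLE_ANSWERS`) and the helper names are constructed so the example runs offline.

```python
"""IP and URI blacklist (DNSBL) lookups for one message. Added example, not the
newsletter's or any mail server's code; message and DNS answers are constructed."""
import ipaddress
import re
from email import message_from_string
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], Optional[str]]  # name -> A record, None = NXDOMAIN

IP_ZONES = ["bl.spamcop.net", "dnsbl.sorbs.net", "cbl.abuseat.org"]
URI_ZONES = ["multi.surbl.org", "multi.uribl.org"]

# Hops inside your own network are never sent to a blacklist service: they
# cannot be listed, and the query would only leak internal addressing.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
_IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
_URI_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL query name: the address's octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(answer: Optional[str]) -> bool:
    """Listed names answer with an address in 127.0.0.0/8; NXDOMAIN means clean."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def relay_ips(raw_message: str) -> List[str]:
    """Public IPv4 addresses from the Received: headers, newest hop first:
    the sending host plus every relay on the delivery route."""
    msg = message_from_string(raw_message)
    ips: List[str] = []
    for header in msg.get_all("Received", []):
        for match in _IP_RE.finditer(header):
            try:
                addr = ipaddress.ip_address(match.group(1))
            except ValueError:  # e.g. "300.1.2.3" inside a comment
                continue
            if any(addr in net for net in _INTERNAL) or str(addr) in ips:
                continue
            ips.append(str(addr))
    return ips


def uri_domains(raw_message: str) -> Set[str]:
    """Domains of the http(s) URIs in the message's text parts. Assumption: the
    last two labels are the registrable domain, which is wrong for names such
    as example.co.uk; a public-suffix list is needed there."""
    msg = message_from_string(raw_message)
    text = "\n".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    domains: Set[str] = set()
    for match in _URI_RE.finditer(text):
        labels = match.group(1).lower().rstrip(".").split(".")
        domains.add(".".join(labels[-2:]))
    return domains


def check_message(raw_message: str, resolve: Resolver) -> Dict[str, List[str]]:
    """Return {"ip": [...], "uri": [...]} with one "value@zone" entry per hit.
    Returning the hits rather than a verdict lets the server weight each list,
    which keeps the false positives the article warns about in check."""
    hits: Dict[str, List[str]] = {"ip": [], "uri": []}
    for ip in relay_ips(raw_message):
        for zone in IP_ZONES:
            if is_listed(resolve(dnsbl_name(ip, zone))):
                hits["ip"].append(f"{ip}@{zone}")
    for domain in sorted(uri_domains(raw_message)):
        for zone in URI_ZONES:
            if is_listed(resolve(f"{domain}.{zone}")):
                hits["uri"].append(f"{domain}@{zone}")
    return hits


# Constructed answers standing in for the real services (offline demo):
# 192.0.2.10 is listed at SpamCop and spammer.example at SURBL.
SAMPLE_ANSWERS = {"10.2.0.192.bl.spamcop.net": "127.0.0.2",
                  "spammer.example.multi.surbl.org": "127.0.0.8"}
sample_resolver = SAMPLE_ANSWERS.get

# Constructed message: two public relays, one internal hop, two body URIs.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
    by mail.example.org with ESMTP; Fri, 3 Mar 2006 04:29:30 -0600
Received: from [192.0.2.10] by mx.example.net with SMTP; Fri, 3 Mar 2006 04:29:00 -0600
Received: from localhost (localhost [127.0.0.1]) by mail.example.org
From: sender@example.com
Subject: s.A v.e. B 1 g.!!!

Visit http://www.spammer.example/buy now, or see http://example.org/info
"""
```

For live use, pass a resolver that wraps `socket.gethostbyname` and returns `None` on `socket.gaierror`; `check_message(SAMPLE_MESSAGE, sample_resolver)` reports the SpamCop and SURBL hits for the constructed message.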
Some blacklist service providers also track addresses that are known to send viruses, Trojan horses, worms, back doors, and other sorts of malware. These blacklists can be useful in helping you keep such nuisances off your network.

A reader of the Security Matters blog asked which blacklists are used by the organization that I wrote about, so I thought I'd share those names here. The list of blacklist service providers is ordered based on the success rate of discovering blacklisted IP addresses:

sbl-xml.spamhaus.org
blackholes.five-ten-sg.com
dnsbl.sorbs.net
t1.dnsbl.net.au
bl.spamcop.net
no-more-funn.moensted.dk
sbl.csma.biz
cn-kr.blackholes.us
cbl.abuseat.org
multihop.dsbl.org
list.dsbl.org

Another type of blacklist filtering is simple Uniform Resource Identifier (URI) filtering. Message content is scanned to locate all URIs in the body. Then those URIs can be checked against URI blacklist services to see whether any belong to known spammers. At the time I conducted my tests, I knew of only one URI blacklist provider, Spam URI Realtime Blocklists (SURBL), whose DNS address is multi.surbl.org. Since then, I've learned about another URI blacklist service provider, URIBL.COM, whose DNS server address is multi.uribl.org. I just started using URIBL.COM last week, so I'm not yet sure how well it performs.

Keep in mind that blacklist filters can also produce false positives. However, most people agree that using a blacklist filter is highly effective. Other types of filters you might investigate or write your own scripts for are ones that check for weird spelling patterns (such as "s.A v.e. B 1 g.!!!") and SMTP header validators that check for standards compliance.

For an explanation of how blacklist filters work, see "Dynamic Blacklists Demystified," at the first URL below. For links to other articles about blacklist filters on our Web site, use the second URL below.
http://list.windowsitpro.com/t?ctl=22680:4FB69
http://list.windowsitpro.com/t?ctl=2266F:4FB69

Jeff Makey publishes a monthly report that shows which IP blacklist services perform best for his environment. Bookmark his report page URL (listed below) and check out the report once in a while--over time, you might learn about new IP blacklist service providers that you didn't know existed.
http://list.windowsitpro.com/t?ctl=22684:4FB69

====================
==== Sponsor: St.Bernard Software ====
Filtering the Spectrum of Internet Threats: Defending Against Inappropriate Content, Spyware, IM, and P2P at the Perimeter
Because of the proliferation of Web-based threats, you can no longer rely on basic firewalls as your sole network protection. Attackers continue to evolve clever methods for reaching victims, such as sending crafty Web links through Instant Messaging (IM) clients or email, or by simply linking to other Web sites that your employees might surf. This free white paper examines the threats of allowing unwanted or offensive content into your network and describes the technologies and methodologies to combat these types of threats. Get your free copy now!
http://list.windowsitpro.com/t?ctl=22670:4FB69
====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=22676:4FB69

Over 45,000 New Malware Threats Discovered in 2005
According to Panda Software, more than 123 new malware threats were discovered every day in 2005. That adds up to more than 45,000 new malware threats being discovered last year. The figures represent a 240 percent increase over 2004, in which some 13,000 new threats were recorded by the company. Panda thinks there's a specific reason for the trend.
Read about it in this news article on our Web site.
http://list.windowsitpro.com/t?ctl=2267F:4FB69

Phishing Sites Increase Significantly in December 2005
The Anti-Phishing Working Group (APWG) published its Phishing Activity Trends Report for December 2005. According to data gathered by the group, more than 7197 new phishing sites were created in December 2005 and attacks are becoming more sophisticated.
http://list.windowsitpro.com/t?ctl=2267C:4FB69

Combining LogParser and Sed
Scrolling through the Windows event logs for specific information can be burdensome, and most administrators probably review the logs only when something bad happens or when something is broken. In this article on our Web site, Jeff Fellinge shows a method for extracting interesting data from event logs by using LogParser and parsing the data by using Sed.
http://list.windowsitpro.com/t?ctl=2267D:4FB69

====================
==== Resources and Events ====
Dev Connections provides world-class education for developers, architects, DBAs, and IT professionals.
*WinConnections (2 conferences for the price of 1): April 9-12, 2006, Orlando, Florida, http://list.windowsitpro.com/t?ctl=22687:4FB69
*DevConnections (4 conferences for the price of 1): April 2-5, 2006, Orlando, Florida, http://list.windowsitpro.com/t?ctl=22688:4FB69
*DevConnections Europe coming to Nice, France, April 24-27, 2006. EARLY BIRD SPECIAL ends 1 March! http://list.windowsitpro.com/t?ctl=2267B:4FB69

Learn why new features in Windows Server 2003 R2, including large clustering, increased RAM, and 64-bit support, make it the ideal platform for your collaboration tools. Live event: March 28; 12:00 pm EST
http://list.windowsitpro.com/t?ctl=22671:4FB69

Find out what policies help or hurt in protecting your company's assets and data. View this on-demand seminar today!
http://list.windowsitpro.com/t?ctl=22672:4FB69

Learn how to leverage new features in SQL Server 2005 to extend your existing backup and restore capabilities.
View the on-demand Web seminar now!
http://list.windowsitpro.com/t?ctl=22673:4FB69

Implement real-time processes in your email and data systems--you could also win an iPod Nano!
http://list.windowsitpro.com/t?ctl=22675:4FB69

====================
==== Featured White Paper ====
Get the tips you need to prepare for and comply with the PCI Data Security Standard, including how to define the 12 major requirements and how those requirements affect IT.
http://list.windowsitpro.com/t?ctl=22674:4FB69

====================
==== Hot Spot ====
Cyclades AlterPath(TM) KVM/netPlus KVM over IP Switches
Cyclades AlterPath(TM) KVM/netPlus is the industry's first KVM solution to offer Cyclades AdaptiveKVM(TM) technology that combines Microsoft(R) Remote Desktop Protocol (RDP) functionality with KVM over IP access. Download Cyclades AdaptiveKVM white paper at www.cyclades.com/wit and visit us at FOSE 2006 Washington, D.C., March 7-9, Booth 2807.
http://list.windowsitpro.com/t?ctl=22689:4FB69

====================
==== 3. Security Toolkit ====

Security Matters Blog: How to Nip a Little More Spam in the Bud
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=22683:4FB69
Most spam filtering systems do a good job of tagging spam, but many can be tweaked for better detection and better performance. I ran a test on more than 254,000 email messages to see which filters work best. My tests were conducted against live incoming email on a legitimate mail server. Read what I found in this blog article.
http://list.windowsitpro.com/t?ctl=2267E:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=22682:4FB69
Q: How can I use a script to delete a computer from a domain?
Find the answer at http://list.windowsitpro.com/t?ctl=22681:4FB69

Security Forum Featured Thread: Running WSUS
A forum participant would like to establish Windows Server Update Services (WSUS) on his Windows Server 2003 backup server.
He knows that WSUS requires Microsoft IIS and wonders whether he should use a dedicated server and whether there are any related security concerns. Join the discussion at
http://list.windowsitpro.com/t?ctl=2266E:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================
==== Announcements ====
(from Windows IT Pro and its partners)

VIP Subscribers have it all!
Become a VIP subscriber and get continuous, inside access to ALL the online resources published in Windows IT Pro, SQL Server Magazine, and the Exchange & Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get a valuable one-year print subscription to Windows IT Pro and two VIP CD-ROMs per year that contain the entire article database. Don't miss out--sign up now:
http://list.windowsitpro.com/t?ctl=22679:4FB69

Save 44% Off the Windows Scripting Solutions Newsletter
For a limited time, order Windows Scripting Solutions and SAVE up to $30 off the regular price. You'll get 12 helpful issues loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. You'll also get FREE, unlimited access to the full online scripting article database (more than 500 articles). Subscribe now:
http://list.windowsitpro.com/t?ctl=22677:4FB69

====================
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Block Bots and Other Web Malware
Websense announced enhanced features in Websense Web Security Suite 6.2 and Websense Web Security Suite--Lockdown Edition 6.2, which are scheduled to ship in Q2.
The new versions of the Web security and Web filtering software will block access to Web sites that host bot command-and-control centers, eliminate non-HTTP bot network traffic, block the launch and spread of bots, and extend protection to mobile employees. Websense also launched Websense Web Protection Services. Comprising three security services--SiteWatcher, BrandWatcher, and ThreatWatcher--Websense Web Protection Services give Websense Security Suite customers a view of their Web servers and external-facing Web sites and protection of customers' online brand. For more information, go to
http://list.windowsitpro.com/t?ctl=2268A:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com.

====================
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=22686:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=2267A:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
From isn at c4i.org Fri Mar 3 05:29:59 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:29:59 -0600 (CST)
Subject: [ISN] Phones stolen in Iraq used for sex chatlines
Message-ID:

http://www.guardian.co.uk/Iraq/Story/0,,1721387,00.html

David Hencke
Westminster correspondent
March 2, 2006
The Guardian

It certainly was not part of Britain's plans to win the hearts and minds of the people of Iraq. But the Foreign Office has been apparently paying for an adult sex chatline in a Baghdad street for 17 months without knowing it. The Foreign Office has had to tell MPs that an investigation into how a diplomat lost two satellite phones in Iraq has nothing to do with terrorism but more to do with a budding entrepreneur and a telephone porn network. FO officials had already admitted that the lost phones had cost them £594,000 in unauthorised phone bills but it is now bracing itself for an extremely critical report from the Commons public accounts committee on how it came to pay phone bills, which at one stage hit £212,000 in one month, without asking questions. Sir Michael Jay, permanent secretary at the FO, told MPs: "All the pattern of usage of these phones ... points to some kind of criminal activity ... It was almost as though they were taken and used as a kind of mobile phone booth at the end of the street where anybody could come along and use them. "After that, they appear to have been used for a couple of scams based on what are known as personal numbers and premium numbers." Sir Michael said the premium rate numbers were used for betting agencies or adult phone lines, and that one of the FO phones had been "on virtually full time with the person who is, as it were, making the call getting some benefit from it." Sir Michael said initial inquiries had revealed a series of blunders. The phones were already activated when they were sent to Baghdad and they were not properly logged in - so no one realised at first that they had been stolen.
None of the bills were initially challenged until people realised the phones had gone missing. The rules at all embassies have now been changed and no phone is sent abroad already activated for use. Edward Leigh, chairman of the committee, told him: "In terms of this mobile phone being on permanently at the end of a street in Iraq, that gives a whole new meaning to winning hearts and minds in Iraq, but it is quite serious." Austin Mitchell, Labour MP for Great Grimsby, whose phone had been swiped and used to dial a betting agency, asked if the FO had tried to get its money back. Since the disclosure, Richard Bacon, Tory MP for Norfolk South, has made further inquiries: "It appears that they haven't been able to find the culprit or trace the phone. You would have thought having spent hundreds of millions of pounds setting up a sophisticated listening centre at GCHQ it would be very easy to trace a satellite phone and who was operating it in Iraq. But it doesn't appear anything was done. It just beggars belief that the FO kept paying the bills." Sir Michael has promised to try to get the money back. But so far the only thing FO staff appeared to have done is to try to ring the premium rate number. Sir Michael told MPs they did not get a reply. 
From isn at c4i.org Fri Mar 3 05:30:24 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:30:24 -0600 (CST)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-9
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-02-23 - 2006-03-02

This week : 66 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Peter Vreugdenhil has reported a vulnerability in Macromedia ShockWave Player, which can be exploited by malicious people to compromise a user's system.

For additional details please refer to the referenced Secunia advisory below.
Reference:
http://secunia.com/SA19009

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1. [SA18963] Mac OS X File Association Meta Data Shell Script Execution
2. [SA19009] Macromedia ShockWave Player ActiveX Installer Buffer Overflow
3. [SA16280] IBM Lotus Notes Multiple Vulnerabilities
4. [SA19013] WinACE RAR and TAR Directory Traversal Vulnerability
5. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
6. [SA18989] The Bat! Email Subject Header Buffer Overflow Vulnerability
7. [SA19014] Website Generator PHP Code Injection Vulnerability
8. [SA19010] StuffIt / ZipMagic Directory Traversal Vulnerability
9. [SA18990] ArGoSoft Mail Server Pro Multiple Vulnerabilities
10. [SA19001] iCal "Calendar Text" Script Insertion Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA19009] Macromedia ShockWave Player ActiveX Installer Buffer Overflow
[SA19067] Mail Transport System Professional Mail Relay Vulnerability
[SA19060] StoreBot 2002 Standard Edition "ShipMethod" Script Insertion
[SA19033] SPiD scan_lang_insert.php File Inclusion Vulnerability
[SA19024] Pentacle In-Out Board SQL Injection Vulnerabilities
[SA19019] StoreBot 2005 Professional Edition "Pwd" SQL Injection
[SA19001] iCal "Calendar Text" Script Insertion Vulnerability
[SA19043] bttlxeForum "err_txt" Cross-Site Scripting Vulnerability
[SA19025] Parodia "AG_ID" Cross-Site Scripting Vulnerability
[SA19013] WinACE RAR and TAR Directory Traversal Vulnerability
[SA19010] StuffIt / ZipMagic Directory Traversal Vulnerability
[SA19006] SpeedProject Products ZIP and JAR Directory Traversal
[SA19059] HP System Management Homepage Directory Traversal
[SA19077] M4 Project enigma-suite Default Account Password Weakness
[SA19057] Internet Explorer Iframe Folder Deletion Weakness

UNIX/Linux:
[SA19000] Mandriva update for metamail
[SA19071] Flex Unspecified Scanner Vulnerabilities
[SA19065] Debian update for gpdf
[SA19041] Sun Solaris update for Perl
[SA19036] iGENUS Webmail File Inclusion Vulnerability
[SA19030] Gentoo update for graphicsmagick
[SA19029] Debian update for bmv
[SA19021] Debian update for pdftohtml
[SA19016] Trustix update for sudo / tar
[SA19012] SUSE Updates for Multiple Packages
[SA19002] Zoo "fullpath()" File Name Handling Buffer Overflow
[SA18999] Ubuntu update for tar
[SA19046] NuFW TLS Socket Handling Denial of Service
[SA19038] SUSE update for kernel
[SA19035] Ubuntu update for postgresql
[SA19017] FreeBSD "nfsd" NFS Mount Request Denial of Service
[SA19015] Trustix update for postgresql
[SA19005] SUSE update for heimdal
[SA19042] Sun Solaris HSFS File System Privilege Escalation Vulnerability
[SA19027] Gentoo update for noweb

Other:
[SA19069] Thomson SpeedTouch 500 Series Cross-Site Scripting
[SA19037] Compex NetPassage WPE54G Denial of Service Vulnerability

Cross Platform:
[SA19058] RunCMS phpRPC Library Arbitrary Code Execution Vulnerability
[SA19055] PeHePe Membership Management System Two Vulnerabilities
[SA19047] ShoutLIVE Multiple Vulnerabilities
[SA19028] phpRPC Library Arbitrary Code Execution Vulnerability
[SA19020] freeForum Multiple Vulnerabilities
[SA19068] N8cms Cross-Site Scripting and SQL Injection Vulnerabilities
[SA19062] d3jeeb Pro "catid" SQL Injection Vulnerabilities
[SA19061] MyBB "comma" Parameter SQL Injection Vulnerability
[SA19056] sendcard Unspecified SQL Injection Vulnerabilities
[SA19053] DirectContact Directory Traversal Vulnerability
[SA19048] LanSuite LanParty Intranet System "fid" SQL Injection
[SA19045] EKINboard Multiple Vulnerabilities
[SA19044] CrossFire "oldsocketmode" Denial of Service Vulnerability
[SA19023] PwsPHP "sondage" Module SQL Injection Vulnerability
[SA19008] PEAR Auth DB / LDAP Multiple Injection Vulnerabilities
[SA19007] Calcium "EventText" Script Insertion Vulnerability
[SA19004] Simple Machines Forum "X-Forwarded-For" Script Insertion
[SA19003] iUser Ecommerce Unspecified Vulnerabilities
[SA19070] TOPo "gTopNombre" Parameter Cross-Site Scripting Vulnerability
[SA19066] CGI Calendar Cross-Site Scripting Vulnerabilities
[SA19052] MyPHPNuke Cross-Site Scripting Vulnerabilities
[SA19050] WordPress Cross-Site Scripting Vulnerabilities
[SA19039] PunBB "header.php" Cross-Site Scripting Vulnerability
[SA19031] JFacets "ProfileID" Profile Change Vulnerability
[SA19026] 4images "template" Parameter File Inclusion Vulnerability
[SA19014] Website Generator PHP Code Injection Vulnerability
[SA19011] PEAR Archive_Tar Directory Traversal Vulnerability
[SA19034] MySQL Query Logging Bypass Security Issue
[SA19018] Issue Dealer Unpublished Content Disclosure Weakness

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA19009] Macromedia ShockWave Player ActiveX Installer Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Peter Vreugdenhil has reported a vulnerability in Macromedia ShockWave Player, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19009/

--
[SA19067] Mail Transport System Professional Mail Relay Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-03-01

A vulnerability has been reported in Mail Transport System (MTS) Professional, which can be exploited by malicious people to use it as an open mail relay.

Full Advisory:
http://secunia.com/advisories/19067/

--
[SA19060] StoreBot 2002 Standard Edition "ShipMethod" Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-01

KeyShore and Yog have reported a vulnerability in StoreBot 2002 Standard Edition, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/19060/

--
[SA19033] SPiD scan_lang_insert.php File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-28

Nemesis Security Audit Group has discovered a vulnerability in SPiD, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19033/

--
[SA19024] Pentacle In-Out Board SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-27

Mustafa Can Bjorn has discovered two vulnerabilities in Pentacle In-Out Board, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19024/

--
[SA19019] StoreBot 2005 Professional Edition "Pwd" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-03-01

KeyShore and Yog have reported a vulnerability in StoreBot 2005 Professional Edition, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19019/

--
[SA19001] iCal "Calendar Text" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-24

KeyShore and Yog have discovered a vulnerability in iCal, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19001/

--
[SA19043] bttlxeForum "err_txt" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-01

runvirus has reported a vulnerability in bttlxeForum, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19043/

--
[SA19025] Parodia "AG_ID" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-02-28

KeyShore and Yog have reported a vulnerability in Parodia, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19025/

--
[SA19013] WinACE RAR and TAR Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Hamid Ebadi has discovered a vulnerability in WinACE, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19013/

--
[SA19010] StuffIt / ZipMagic Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Hamid Ebadi has reported a vulnerability in StuffIt and ZipMagic, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19010/

--
[SA19006] SpeedProject Products ZIP and JAR Directory Traversal

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Hamid Ebadi has reported a vulnerability in various SpeedProject products, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19006/

--
[SA19059] HP System Management Homepage Directory Traversal

Critical:    Less critical
Where:       From local network
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2006-03-01

A vulnerability has been reported in HP System Management Homepage, which can be exploited by malicious people to gain knowledge of potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/19059/

--
[SA19077] M4 Project enigma-suite Default Account Password Weakness

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-03-01

A weakness has been reported in M4 Project enigma-suite, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19077/

--
[SA19057] Internet Explorer Iframe Folder Deletion Weakness

Critical:    Not critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-28

cyber flash has discovered a weakness in Internet Explorer, which can be exploited by malicious people to trick users into deleting local folders.

Full Advisory:
http://secunia.com/advisories/19057/

UNIX/Linux:
--
[SA19000] Mandriva update for metamail

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-23

Mandriva has issued an update for metamail. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19000/

--
[SA19071] Flex Unspecified Scanner Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-03-01

Some vulnerabilities have been reported in Flex, which have an unknown impact.

Full Advisory:
http://secunia.com/advisories/19071/

--
[SA19065] Debian update for gpdf

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-02-28

Full Advisory:
http://secunia.com/advisories/19065/

--
[SA19041] Sun Solaris update for Perl

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-03-01

Sun has issued an update for perl. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable Perl application.
Full Advisory:
http://secunia.com/advisories/19041/

--
[SA19036] iGENUS Webmail File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-27

rgod has reported a vulnerability in iGENUS Webmail, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19036/

--
[SA19030] Gentoo update for graphicsmagick

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-27

Gentoo has issued an update for graphicsmagick. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19030/

--
[SA19029] Debian update for bmv

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-02-28

Debian has issued an update for bmv. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19029/

--
[SA19021] Debian update for pdftohtml

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-02-28

Full Advisory:
http://secunia.com/advisories/19021/

--
[SA19016] Trustix update for sudo / tar

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, DoS, System access
Released:    2006-02-27

Trustix has issued updates for sudo and tar. These fix some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, and malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19016/

--
[SA19012] SUSE Updates for Multiple Packages

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, DoS, System access
Released:    2006-02-27

SUSE has issued an update for multiple packages.
This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and HTTP response splitting attacks, cause a DoS (Denial of Service), and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19012/

--

[SA19002] Zoo "fullpath()" File Name Handling Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-24

Jean-Sébastien Guay-Leroux has discovered a vulnerability in zoo, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/19002/

--

[SA18999] Ubuntu update for tar

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-02-23

Ubuntu has issued an update for tar. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/18999/

--

[SA19046] NuFW TLS Socket Handling Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-02-28

A vulnerability has been reported in NuFW, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19046/

--

[SA19038] SUSE update for kernel

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information, DoS
Released:    2006-02-28

SUSE has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of potentially sensitive information, bypass certain security restrictions and cause a DoS (Denial of Service), and by malicious people to cause a DoS.
Full Advisory:
http://secunia.com/advisories/19038/

--

[SA19035] Ubuntu update for postgresql

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-02-27

Ubuntu has issued an update for PostgreSQL. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19035/

--

[SA19017] FreeBSD "nfsd" NFS Mount Request Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-02-27

Evgeny Legerov has reported a vulnerability in FreeBSD, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19017/

--

[SA19015] Trustix update for postgresql

Critical:    Less critical
Where:       From local network
Impact:      Privilege escalation, DoS
Released:    2006-02-27

Trustix has issued an update for postgresql. This fixes two vulnerabilities, which can be exploited by malicious users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/19015/

--

[SA19005] SUSE update for heimdal

Critical:    Less critical
Where:       From local network
Impact:      Privilege escalation, DoS
Released:    2006-02-27

SUSE has issued an update for heimdal. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19005/

--

[SA19042] Sun Solaris HSFS File System Privilege Escalation Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2006-02-27

A vulnerability has been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/19042/

--

[SA19027] Gentoo update for noweb

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-02-27

Gentoo has issued an update for noweb. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

Full Advisory:
http://secunia.com/advisories/19027/


Other:
--

[SA19069] Thomson SpeedTouch 500 Series Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-28

Preben Nyløkken has reported a vulnerability in Thomson SpeedTouch 500 Series, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19069/

--

[SA19037] Compex NetPassage WPE54G Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-03-01

/dev/0id has reported a vulnerability in Compex NetPassage WPE54G, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19037/


Cross Platform:
--

[SA19058] RunCMS phpRPC Library Arbitrary Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-27

James Bercegay has reported a vulnerability in RunCMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19058/

--

[SA19055] PeHePe Membership Management System Two Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-03-01

Yunus Emre Yilmaz has reported two vulnerabilities in PeHePe Membership Management System, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/19055/

--

[SA19047] ShoutLIVE Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-02-27

Aliaksandr Hartsuyeu has reported some vulnerabilities in ShoutLIVE, which can be exploited by malicious people to conduct script insertion attacks and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19047/

--

[SA19028] phpRPC Library Arbitrary Code Execution Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-02-27

James Bercegay has reported a vulnerability in phpRPC, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19028/

--

[SA19020] freeForum Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-02-28

Aliaksandr Hartsuyeu has reported some vulnerabilities in freeForum, which can be exploited by malicious people to conduct script insertion attacks and to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/19020/

--

[SA19068] N8cms Cross-Site Scripting and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-03-01

Liz0ziM has discovered some vulnerabilities in N8cms, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19068/

--

[SA19062] d3jeeb Pro "catid" SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-28

SAUDI has reported two vulnerabilities in d3jeeb Pro, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/19062/

--

[SA19061] MyBB "comma" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-01

D3vil-0x1 has discovered a vulnerability in MyBB, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19061/

--

[SA19056] sendcard Unspecified SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-03-01

Sumit Siddharth has reported some vulnerabilities in sendcard, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19056/

--

[SA19053] DirectContact Directory Traversal Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2006-02-28

Donato Ferrante has discovered a vulnerability in DirectContact, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19053/

--

[SA19048] LanSuite LanParty Intranet System "fid" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-02-27

x128 has discovered a vulnerability in LanSuite LanParty Intranet System, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19048/

--

[SA19045] EKINboard Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Manipulation of data
Released:    2006-02-28

Aliaksandr Hartsuyeu has reported some vulnerabilities in EKINboard, which can be exploited by malicious people to conduct SQL injection and script insertion attacks.
Full Advisory:
http://secunia.com/advisories/19045/

--

[SA19044] CrossFire "oldsocketmode" Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-02-28

Luigi Auriemma has reported a vulnerability in CrossFire, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/19044/

--

[SA19023] PwsPHP "sondage" Module SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2006-02-27

papipsycho has reported a vulnerability in PwsPHP, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/19023/

--

[SA19008] PEAR Auth DB / LDAP Multiple Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-02-23

Matt Van Gundy has reported some vulnerabilities in PEAR Auth, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19008/

--

[SA19007] Calcium "EventText" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-24

KeyShore and KeyYog have discovered a vulnerability in Calcium, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/19007/

--

[SA19004] Simple Machines Forum "X-Forwarded-For" Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-24

Aliaksandr Hartsuyeu has reported a vulnerability in Simple Machines Forum, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/19004/

--

[SA19003] iUser Ecommerce Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-02-23

Some vulnerabilities with unknown impacts have been reported in iUser Ecommerce.

Full Advisory:
http://secunia.com/advisories/19003/

--

[SA19070] TOPo "gTopNombre" Parameter Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-01

Yunus Emre Yilmaz has discovered a vulnerability in TOPo, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19070/

--

[SA19066] CGI Calendar Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-28

Revnic Vasile has discovered some vulnerabilities in CGI Calendar, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19066/

--

[SA19052] MyPHPNuke Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-02-27

Mustafa Can Bjorn has reported some vulnerabilities in MyPHPNuke, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19052/

--

[SA19050] WordPress Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-03-01

K4P0 has discovered two vulnerabilities in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/19050/

--

[SA19039] PunBB "header.php" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-03-01

A vulnerability has been reported in PunBB, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/19039/

--

[SA19031] JFacets "ProfileID" Profile Change Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-28

A vulnerability has been reported in JFacets, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19031/

--

[SA19026] 4images "template" Parameter File Inclusion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-02-27

rgod has reported a vulnerability in 4images, which can be exploited by malicious people to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/19026/

--

[SA19014] Website Generator PHP Code Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-24

Nemesis Security Audit Group has discovered a vulnerability in Website Generator, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19014/

--

[SA19011] PEAR Archive_Tar Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-02-24

Hamid Ebadi has discovered a vulnerability in PEAR Archive_Tar, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/19011/

--

[SA19034] MySQL Query Logging Bypass Security Issue

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-02-27

1dt.w0lf has discovered a security issue in MySQL, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19034/

--

[SA19018] Issue Dealer Unpublished Content Disclosure Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-02-28

A weakness has been reported in Issue Dealer, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/19018/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri Mar 3 05:27:47 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:27:47 -0600 (CST)
Subject: [ISN] Sourcefire Officials Hopeful Over Sale
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/03/02/AR2006030201907.html

By Ellen McCarthy
Washington Post Staff Writer
March 3, 2006

Executives of Sourcefire Inc., the Columbia company whose sale to an Israeli firm has been delayed pending a national security review, said yesterday that they believe the concerns surrounding the deal can be resolved.
In early October the information security firm announced an agreement to be acquired for $225 million by Check Point Software Technologies Ltd., the firm run by Israeli tech pioneer Gil Schwed. Though based in Ramat Gan, Israel, the firm has a U.S. headquarters in Redwood City, Calif., and is publicly traded on the Nasdaq Stock Market.

The Sourcefire deal nevertheless has come under scrutiny, apparently because of the company's contracts with sensitive government clients, and is being investigated by the Committee on Foreign Investments in the United States.

"I'm pretty stunned. Who would've figured 140 people in Columbia, Maryland, would be embroiled in a world controversy?" said Wayne Jackson, Sourcefire's chief executive.

CFIUS is the interagency panel that is reviewing the potential purchase by a company from the United Arab Emirates of a British firm that operates U.S. ports.

Five-year-old Sourcefire sells software that monitors computer networks for potential threats. About 13 percent of its revenue comes from federal clients, including civilian and defense agencies, Jackson said.

Tony Fratto, a spokesman for the Treasury Department, which leads CFIUS, said, "Certain members of the committee have outstanding concerns that there's potential risks to national security were the transaction to proceed."

Sourcefire is something of a darling of the local tech sector, in part because of its roots in the open-source community. The company was founded in 2001 by Martin Roesch, a programmer who started working on the basic product, "Snort," in an open-source forum that allows anyone to see the programming code and contribute to it. Though the product was eventually commercialized and Sourcefire brought in more than $30 million in revenue last year, the basic code remains freely available to anyone with an Internet connection.

"What nobody's talking about is the fact that Snort, which is at the center of all this hubbub, is open source. . . . China could be using it.
Iran could be using it. North Korea could be using it," Jackson said. "Nothing's being transferred except control, and those are issues that could certainly be addressed with the committee."

Because such investigations are often kept secret, even from the parties involved, executives of Sourcefire and CheckPoint may not know which aspects of the deal are raising red flags for regulators. The companies would not comment on the details of the investigation or on their discussions with government officials.

Still, Jackson said he is "confident that measures can be put in place to mitigate whatever risks the federal government believes might exist." He also said the firm will continue to serve its federal customers throughout the investigation, which is expected to conclude this month with a report to the president.

Check Point, the Israeli firm, manufactures a widely used firewall program and has a separate federal sales office to market to the U.S. government. It has acquired U.S. firms in the past, including San Francisco-based Zone Labs Inc. in 2004.

The Sourcefire deal is being closely watched regionally because it has a number of local investors, including Core Capital Partners LP of the District, New Enterprise Associates of Baltimore, and the Maryland Department of Business and Economic Development. Inflection Point Ventures of Newark, Del., and Sierra Ventures and Sequoia Capital, both of Menlo Park, Calif., also have invested in the firm. None of the venture capitalists would comment publicly on the investigation.

Ray Rice, a limited partner in Core Capital, said he is confident that Sourcefire will have a number of other suitors if the Check Point deal is killed. "Frankly, I can wait six more months," Rice said.

Jackson said the company is committed to seeing the Check Point acquisition through and is cooperating with the committee.

© 2006 The Washington Post Company

From isn at c4i.org Fri Mar 3 05:30:45 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:30:45 -0600 (CST)
Subject: [ISN] US man faces five years for hacking supervisor's PC
Message-ID:

http://www.theregister.co.uk/2006/03/02/us_education_hack/

By John Leyden
2nd March 2006

A former federal computer security expert faces a possible five year jail term after pleading guilty to hacking a US Department of Education computer.

Kenneth Kwak, 34, of Chantilly, Virginia, admitted snooping on his supervisor's email and internet surfing activities while employed as a system auditor for the US Department of Education. Kwak placed unspecified software on his boss's computer that allowed him to access files on the system without permission. He shared snippets gleaned from his repeated spying forays with colleagues around the office.

In a statement [1] the DoJ said: "Kwak carried out his crime and invaded his supervisor's privacy for personal entertainment; there is no indication he profited financially from his actions."

As part of a plea bargaining agreement, Kwak pleaded guilty to one count of unauthorised access to a protected computer during a hearing in the District of Columbia federal court before US District Judge Royce Lamberth on Wednesday. He faces a maximum of five years in jail and a fine of $250,000 over the offence. Sentencing has been set for 12 May.

The case was investigated by the Computer Crime Investigations Division of the Department of Education's Inspector General's Office. Kwak's prosecution was carried out as part of the "zero-tolerance policy" recently adopted by the US Attorney's office over computer hacking offences.
[1] http://releases.usnewswire.com/GetRelease.asp?id=61702

From isn at c4i.org Fri Mar 3 05:31:12 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:31:12 -0600 (CST)
Subject: [ISN] OMB: Agency compliance with cybersecurity law improving
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=33498

By Daniel Pulliam
dpulliam at govexec.com
March 2, 2006

Agencies improved slightly in fiscal 2005 at meeting computer security standards, according to a report released Wednesday by the Office of Management and Budget.

The percentage of agency information technology systems certified and accredited rose from 77 percent in fiscal 2004 to 85 percent in 2005, just short of an administration goal of 90 percent, OMB stated. Furthermore, the number of systems with tested contingency plans increased from 57 percent to 61 percent over that same period, the report to Congress [1] on the implementation of the 2002 Federal Information Security Management Act found.

The number of agency IT systems also grew in that time, rising 19 percent from 8,623 to 10,289. Contractors or other non-government organizations manage 1,105 of those systems on behalf of the government.

The Defense Department, which houses 3,583 IT systems, went from 58 percent of systems certified and accredited to 82 percent, though the Pentagon inspector general gave the department a "poor" certification and accreditation rating in the OMB report. The Veterans Affairs Department, which reported 14 percent of its systems as certified and accredited in fiscal 2004, reported that all 585 of its systems were certified and accredited the next year.

None of the inspectors general rated the certification and accreditation process as failing, but eight rated it as "poor." Four agency inspectors general rated it as "good," while the Social Security Administration IG was the only one to rate it as "excellent."
Included in the report were goals needed to maintain a "green" status -- the highest available grade -- in e-government on the Bush administration's quarterly management score card. They involved certifying and accrediting all IT systems by July 1, 2006, installing and maintaining all systems with proper security configurations and including continuity of operations provisions in the agency's infrastructure.

In fiscal 2005, agencies for the first time assigned risk levels to IT systems, with 1,646 categorized as "high impact" and another 2,497 as "moderate impact," the OMB report noted. Eighty-eight percent of those rated as "high impact" were certified and accredited, it said.

Richard Tracy, chief technology and security officer of the Telos Corp., an IT contractor, said he was pleased to see that agencies were not "picking the low hanging fruit" by certifying and accrediting the low-impact systems in order to improve their cybersecurity scores. He said agencies are spending significant resources on the certification and accreditation process in order to improve the grades, but added that he would be curious to know whether they'll be able to continue monitoring the systems once FISMA compliance is reached.

OMB highlighted the oversight of contractor systems as a reason for "strategic and continued management attention" and asked agency inspectors general to confirm that systems operated by contractors meet FISMA requirements. Inspectors general for the Pentagon and the Homeland Security and State departments told OMB their agencies "rarely" conduct oversight of contractor-operated IT systems. Inspectors for NASA and the Agriculture and Health and Human Services departments said their agencies "sometimes" oversee IT systems operated by contractors.

Another area for concern according to OMB is the number of systems with tested security controls, which dropped from 76 percent in fiscal 2004 to 72 percent in fiscal 2005.
Agencies' handling of incident reporting drew concern from OMB as well, with DHS finding "sporadic reporting by some agencies and unusually low levels of reporting by others."

"Less than full reporting hampers the government's ability to know whether an incident is isolated at one agency or is part of a larger event," the OMB report stated.

Agencies' process for planning, implementing and evaluating deficient IT security policies -- known as POA&M -- drew concern because of ineffective processes at the Defense, Agriculture, DHS and the Interior, Transportation and Treasury departments.

House Government Reform Committee staffers still are reviewing the report, according to Drew Crockett, spokesman for the panel's chairman, Rep. Tom Davis, R-Va. The committee is scheduled to release its annual cybersecurity grades and discuss the OMB report at a March 16 hearing with Karen Evans, administrator of OMB's Office of Electronic Government and Information Technology, testifying, Crockett said in a statement.

[1] http://www.whitehouse.gov/omb/inforeg/reports/2005_fisma_report_to_congress.pdf

From isn at c4i.org Fri Mar 3 05:31:55 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 3 Mar 2006 04:31:55 -0600 (CST)
Subject: [ISN] Apple Fixes Critical Safari Bug, 16 Other Flaws
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml;?articleID=181500394

By Gregg Keizer
March 2, 2006

Apple Computer on Wednesday released its first security update of 2006 to patch 17 bugs, including a critical flaw in the Safari browser and a gaffe in iChat that was used by the first Mac OS X worm to infect Macintosh machines.

The update, dubbed Security Update 2006-001, comes just over a week after news broke of a critical flaw in the operating system and the Safari Web browser, leading to intense defense of Mac security by Apple users.
The Safari vulnerability could let attackers hijack a Mac simply by enticing its user to a malicious Web site in a so-called "drive-by download" that's a common menace to Windows users but unheard of in the Mac world. The problem stemmed from Safari's (and Mac OS X's) trust of certain file types, specifically ZIP archives. Attackers could pack a ZIP with malicious scripts that the Mac would automatically run, the German firm Heise Security said last week.

"This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9)," Apple's alert read.

The speed with which Apple patched the vulnerability may impress Windows users -- who are used to waiting weeks if not months for fixes from Microsoft -- but it's not unusual, said Mike Murray, director of research at vulnerability management vendor nCircle.

"There are a couple of reasons why Apple could patch this so quickly," said Murray. "First of all, Safari's based on open-source code, and that code is pretty well understood. Second, the vulnerability didn't seem that complex."

The biggest factor in Apple's quick turnaround, however, has nothing to do with the Safari code or the bug.

"Internet Explorer is tied into the core of the [Windows] operating system," Murray said. "If you change IE, something could break on the OS. The QA cycle has to be much longer, since one little change could break the whole damn thing.

"But Safari is a stand-alone browser, like Firefox. If a patch introduces a bug in Safari, big deal. It's not affecting the [Mac] OS."

That's the reason why Apple could put together a patch within a week, and why, Murray added, Firefox developers can do the same when vulnerabilities are found in that cross-platform browser.

"Microsoft's strategy of tying the browser into the operating system has made it so much more difficult to patch," Murray added.
Apple's e-mail client has also been patched so that it will warn the user when a malicious attachment may be trying to disguise itself as a "safe" file type.

Safari accounted for 4 of the 17 fixes, including one in its RSS implementation. All four were serious -- judged "critical" by Danish vulnerability tracker Secunia -- since they allowed for remote code or script execution.

The update also fixes iChat, Apple's instant messaging client, so IM threats such as the recent OSX/Leap.a worm could be blocked. Leap.a was the first-ever Mac OS X worm.

"With this update, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers," Apple said in the alert.

Other patches in the update fixed a problem with the PHP programming language within the Apache server module, solved two issues in Apple's Directory Services, corrected a potential problem mounting malicious network servers, and quashed bugs in FileVault and IPSec within virtual private network (VPN) sessions.

Although the new Intel-based Macs have been issued an operating system update since they debuted in January -- from 10.4.4 to the current 10.4.5 -- this was the first security fix released for those machines.

Separate downloads are available on Apple's download site for Mac OS X 10.3.9 (Panther) clients and servers, as well as Mac OS X 10.4.5 (Tiger) Intel and PowerPC editions. Mac users who have Software Update enabled will automatically receive the update.

Copyright © 2005 CMP Media LLC

From isn at c4i.org Mon Mar 6 05:30:40 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Mar 2006 04:30:40 -0600 (CST)
Subject: [ISN] Linux Advisory Watch - March 3rd 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  March 3rd 2006                               Volume 7, Number 10a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                    Benjamin D. Thomas
                dave at linuxsecurity.com      ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for gpdf, pdftohtml, tutos, bmv, xpdf, module-init-tools, udev, gnupg, gawk, dhcp, system-config-netboot, xterm, GraphicsMagick, noweb, metamail, mplayer, squirrelmail, unzip, gettext, tar, heimdal, and liby2util. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.

----

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

----

ARC: A Synchronous Stream Cipher from Hash Functions

By: Angelo P. E. Rosiello and Roberto Carrozzo

Abstract

We consider a simple and secure way to realize a synchronous stream cipher from iterated hash functions. It is similar to the OFB mode, where the underlying block cipher algorithm is replaced with the keyed hash function, adopting the secret suffix method [20]. We analyzed the key, the keystream and the necessary properties to assume from the underlying hash function for the stream cipher to be considered secure.
Motivated by our analysis we conjecture that the most efficient way to break the proposed stream cipher is to break the hash function or through exhaustive search for the keyspace K of k bits, that requires O(2^k) operations.

Keywords: stream cipher, key, keystream, one-time pad cryptosystem, hash function, keyed hash function.

1.1 Algorithm Requirements

The algorithm should have a flat keyspace allowing any random bit string to be a possible key. The algorithm should make key management easier for software implementations. The typed password should not become directly the key, else the actual keyspace is limited to keys constructed with the 95 characters of printable ASCII. The algorithm should be easily modifiable, satisfying minimum or maximum requirements. Moreover, according to basic software engineering theories, the algorithm does not have to bind developers with static use of pre-defined logical block functions, but it is important to allow wide alternatives during the implementation of the software [13, 17]. The algorithm should be simple to code, otherwise programmers could make implementation mistakes if the structure is too complicated [13].

1.2 Areas of Application

Nowadays encrypting information has become a 'must', which means that a good crypto algorithm must give to the community the possibility to manage safe data. Practical applications pertain to:

* Bulk Encryption: data files or a continuous data stream (e.g. important information saved on hard disks such as databases or any kind of secret document);
* Data Transmission: a lot of communication mediums need a secure way to encrypt exchanged information (e.g. Internet packets, wireless connections, radio signals, etc.);
* Small Encryption: banks and commercial companies need secure encryption methodologies to interact with customers by small encryption technologies.

Definitely, a good algorithm should be suitable for lots of disparate situations.
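The construction the abstract describes, as an added example that is not the paper's own code or specification: an OFB-style chain in which the block cipher is replaced by a keyed hash in the secret-suffix form H(data || key), with the output blocks concatenated as keystream and XORed into the plaintext. The abstract gives no further detail, so the per-message nonce, the choice of SHA-256, the PBKDF2 step that turns a typed password into a flat-keyspace key (the paper's own stated requirement), and the HMAC tag are all assumptions of this example. The last two functions show the two things a stream cipher alone does not give you: the one-time-pad failure when a keystream is reused, and integrity.

```python
"""Hash-based synchronous stream cipher in the shape the ARC abstract describes.

Added example, not code from the ARC paper.  Construction assumed from the
abstract: an OFB-style chain whose "block cipher" is a keyed hash in the
secret-suffix form H(data || key).  The per-message nonce, the SHA-256 choice,
the PBKDF2 password step and the HMAC tag are this example's own assumptions;
the paper's exact specification is not on the page.
"""
import hashlib
import hmac
import os

HASH = "sha256"          # assumption: any modern collision-resistant hash would do
NONCE_LEN = 16           # assumption: a random nonce is prepended to each message
TAG_LEN = 32             # HMAC-SHA256 output length


def derive_key(password: str, salt: bytes, length: int = 32) -> bytes:
    """Flat-keyspace requirement from the paper: a typed password is stretched
    into a full-length pseudorandom key instead of being used as the key."""
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, 200_000, dklen=length)


def keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """OFB-like chain with the secret suffix: s_1 = H(nonce || key),
    s_i = H(s_{i-1} || key); the keystream is s_1 || s_2 || ... truncated."""
    out = bytearray()
    state = hashlib.new(HASH, nonce + key).digest()
    while len(out) < nbytes:
        out += state
        state = hashlib.new(HASH, state + key).digest()
    return bytes(out[:nbytes])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR over the common length of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Synchronous stream cipher: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse


def reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """The one-time-pad failure mode: two messages under the same key and nonce
    share a keystream, so c1 XOR c2 == p1 XOR p2 and the key never matters."""
    return xor_bytes(encrypt(key, nonce, p1), encrypt(key, nonce, p2))


def subkey(master: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one master key (assumption: HMAC
    used as the key-separation PRF)."""
    return hmac.new(master, label, HASH).digest()


def seal(master: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag.  A fresh nonce avoids the reuse leak above;
    the encrypt-then-MAC tag is needed because an XOR keystream is malleable."""
    nonce = os.urandom(NONCE_LEN)
    ct = encrypt(subkey(master, b"enc"), nonce, plaintext)
    tag = hmac.new(subkey(master, b"mac"), nonce + ct, HASH).digest()
    return nonce + ct + tag


def open_sealed(master: bytes, blob: bytes):
    """Inverse of seal(); returns None (never a partial plaintext) on tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(subkey(master, b"mac"), nonce + ct, HASH).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(subkey(master, b"enc"), nonce, ct)


if __name__ == "__main__":
    k = derive_key("correct horse battery staple", b"constructed-salt")
    blob = seal(k, b"attack at dawn")
    print(open_sealed(k, blob))
```

Two caveats worth keeping in mind when reading the abstract's O(2^k) conjecture. First, the keystream is only as good as the key/nonce pair being unique: reuse_leak() shows that a repeated pair hands the attacker p1 XOR p2 regardless of key length, which is why seal() draws a fresh nonce per message. Second, the secret-suffix form H(m || key) was chosen here because the abstract names it; used as a MAC it is the weaker of the two classic keyed-hash constructions against collision attacks on the hash, so the hash should be a current one rather than MD5 or SHA-1.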
Read Full Paper
http://www.linuxsecurity.com/images/stories/arc-hash.pdf

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+

* Debian: New gpdf packages fix several vulnerabilities
27th, February, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121760

* Debian: New pdftohtml packages fix several vulnerabilities
28th, February, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121765

* Debian: New tutos package fixes several vulnerabilities
2nd, March, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121790

* Debian: new bmv packages fix arbitrary code execution
2nd, March, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121791

* Debian: New xpdf packages fix several problems
2nd, March, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121792

+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: module-init-tools-3.2-0.pre9.0.FC4.4
23rd, February, 2006
This module-init-tools adds a stub /etc/modprobe.conf.dist which is included by older /etc/modprobe.conf config files. This avoids the printing of a warning. Matrox framebuffer modules are also not autoloaded with this version.
http://www.linuxsecurity.com/content/view/121727

* Fedora Core 4 Update: udev-071-0.FC4.3
23rd, February, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121728

* Fedora Core 4 Update: gnupg-1.4.2.1-3
24th, February, 2006
The previous update, to version 1.4.2.1, could produce errors when gpg attempted to read certain keyrings produced by earlier versions of GnuPG. This update includes a fix for that bug.
http://www.linuxsecurity.com/content/view/121740

* Fedora Core 4 Update: gawk-3.1.4-5.4
24th, February, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121741

* Fedora Core 4 Update: util-linux-2.12p-9.14
27th, February, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121759

* Fedora Core 4 Update: dhcp-3.0.2-34.FC4
1st, March, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121787

* Fedora Core 4 Update: system-config-netboot-0.1.38-2_FC4
1st, March, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121788

* Fedora Core 4 Update: xterm-208-2.FC4
1st, March, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121789

+---------------------------------+
| Distribution: Gentoo | ----------------------------//
+---------------------------------+

* Gentoo: GraphicsMagick Format string vulnerability
26th, February, 2006
A vulnerability in GraphicsMagick allows attackers to crash the application and potentially execute arbitrary code.
http://www.linuxsecurity.com/content/view/121750

* Gentoo: noweb Insecure temporary file creation
26th, February, 2006
noweb is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.
http://www.linuxsecurity.com/content/view/121751

+---------------------------------+
| Distribution: Mandriva | ----------------------------//
+---------------------------------+

* Mandriva: Updated metamail packages fix vulnerability
23rd, February, 2006
Ulf Harnhammar discovered a buffer overflow vulnerability in the way that metamail handles certain mail messages. An attacker could create a carefully-crafted message that, when parsed via metamail, could execute arbitrary code with the privileges of the user running metamail.
http://www.linuxsecurity.com/content/view/121722

* Mandriva: Updated mplayer packages fix integer overflow vulnerabilities
24th, February, 2006
Multiple integer overflows in (1) the new_demux_packet function in demuxer.h and (2) the demux_asf_read_packet function in demux_asf.c in MPlayer 1.0pre7try2 and earlier allow remote attackers to execute arbitrary code via an ASF file with a large packet length value. The updated packages have been patched to prevent this problem.
http://www.linuxsecurity.com/content/view/121749

* Mandriva: Updated squirrelmail packages fix vulnerabilities
27th, February, 2006
Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter.
NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. (CVE-2006-0188)
http://www.linuxsecurity.com/content/view/121763

* Mandriva: Updated unzip packages fix vulnerabilities
28th, February, 2006
A buffer overflow was found in how unzip handles file name arguments. If a user could be tricked into processing a specially crafted, excessively long file name with unzip, an attacker could execute arbitrary code with the user's privileges.
http://www.linuxsecurity.com/content/view/121764

* Mandriva: Updated gettext packages fix temporary file vulnerabilities
28th, February, 2006
The Trustix developers discovered temporary file vulnerabilities in the autopoint and gettextize scripts, part of GNU gettext. These scripts insecurely created temporary files which could allow a malicious user to overwrite another user's files via a symlink attack. The updated packages have been patched to address this issue.
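
The noweb and gettext entries above describe the same class of bug, and the "Linux File & Directory Permissions Mistakes" item earlier in this issue describes the condition that makes it exploitable: a directory that anyone can write to. The following is one added example serving both passages, not code from linuxsecurity.com, noweb or gettext. The first part audits a tree for the classic over-liberal bits (world-writable files, world-writable directories lacking the sticky bit, setuid/setgid files); the second reproduces the advisories' mistake, a predictable temporary file name opened with a plain write that follows whatever symlink another user planted there, beside the fix (an unpredictable name created with O_CREAT|O_EXCL, or O_EXCL|O_NOFOLLOW when the name must be fixed). The scratch tree, the file names and their contents are constructed for the demonstration.

```python
"""World-writable directories and the temp-file symlink attack.

Added example, not code from linuxsecurity.com, noweb or gettext.  Part one is
a small audit in the spirit of the "Linux File & Directory Permissions
Mistakes" item; part two reproduces the mistake behind the noweb and gettext
advisories (a predictable file name in a world-writable directory, opened in a
way that follows a symlink someone else planted there) next to the fix.  The
scratch tree, file names and contents are constructed for the demonstration.
"""
import os
import shutil
import stat
import tempfile


def audit_tree(root: str) -> list:
    """Report the classic over-liberal permission bits below root.
    os.lstat() is used and symlinks are skipped: a symlink's own mode is
    always 0777 on Linux and says nothing about its target."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode):
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append((path, "world-writable directory without sticky bit"))
            else:
                if mode & stat.S_IWOTH:
                    findings.append((path, "world-writable file"))
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append((path, "setuid/setgid file"))
    return findings


def unsafe_tmp_write(directory: str, data: bytes) -> str:
    """The vulnerable pattern: a predictable name plus a plain open() for
    writing.  open() follows a symlink at that name, so the write lands on
    whatever the attacker pointed it at."""
    path = os.path.join(directory, "build.tmp")  # constructed predictable name
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def safe_tmp_write(directory: str, data: bytes) -> str:
    """The fix: mkstemp() picks an unpredictable name and creates it with
    O_CREAT|O_EXCL, so a pre-planted entry makes creation fail, not follow."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="build.")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def exclusive_create(path: str, data: bytes) -> bool:
    """Same idea when the name must be fixed: O_EXCL refuses any existing
    entry, a symlink included, and O_NOFOLLOW refuses to traverse one."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def demo() -> dict:
    """Build a scratch tree, run the audit, then play attacker and victim."""
    root = tempfile.mkdtemp(prefix="permdemo.")
    try:
        spool = os.path.join(root, "spool")
        os.mkdir(spool)
        os.chmod(spool, 0o777)  # constructed: world-writable, no sticky bit
        victim = os.path.join(root, "victim.conf")
        with open(victim, "wb") as fh:
            fh.write(b"original\n")
        os.chmod(victim, 0o644)
        planted = os.path.join(spool, "build.tmp")
        os.symlink(victim, planted)  # the attacker's symlink at the predictable name

        findings = audit_tree(root)
        excl_ok = exclusive_create(planted, b"safe\n")       # refused: entry exists
        safe_path = safe_tmp_write(spool, b"safe\n")         # lands in a fresh file
        with open(victim, "rb") as fh:
            after_safe = fh.read()
        unsafe_tmp_write(spool, b"clobbered\n")              # follows the symlink
        with open(victim, "rb") as fh:
            after_unsafe = fh.read()
        return {
            "findings": findings,
            "excl_ok": excl_ok,
            "safe_path_is_regular": os.path.isfile(safe_path) and not os.path.islink(safe_path),
            "victim_after_safe": after_safe,
            "victim_after_unsafe": after_unsafe,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit's "world-writable directory without sticky bit" finding is the one to act on first: with the sticky bit set (as on a correctly configured /tmp) a user can only remove or rename entries they own, which takes away the attacker's ability to swap a symlink in under a name a script is about to open. Making the script itself use mkstemp() or O_EXCL|O_NOFOLLOW is the change the patched noweb and gettext packages embody, and the two defences are independent of each other.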

http://www.linuxsecurity.com/content/view/121776

+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+

* RedHat: Moderate: tar security update
1st, March, 2006
An updated tar package that fixes a buffer overflow bug is now available for Red Hat Enterprise Linux 4. This update has been rated as having Moderate security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/121781

+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+

* SuSE: Subject: [suse-security-announce] SuSE Security Announcement: heimdal (SUSE-SA:2006:010)
24th, February, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121738

* SuSE: Subject: [suse-security-announce] SuSE Security Announcement: heimdal (SUSE-SA:2006:011)
24th, February, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121739

* SuSE: kernel various security problems
27th, February, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121756

* SuSE: gpg,liby2util signature checking
1st, March, 2006
Updated package.
http://www.linuxsecurity.com/content/view/121777

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Mar 6 05:30:54 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Mar 2006 04:30:54 -0600 (CST)
Subject: [ISN] State college in Colorado warns 93,000 after laptop theft
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,109208,00.html

By Robert McMillan
MARCH 03, 2006
IDG NEWS SERVICE

A state college in Denver believes it may have lost sensitive information on more than 93,000 students after one of the school's laptop computers was stolen from an employee's home late last month.

The unnamed employee of Metropolitan State College had been using the information, including student names and Social Security numbers, to write a grant proposal, the college said Thursday. The data, which appears to have been unencrypted, was also being used by the employee to write a master's degree thesis, the school said.

The laptop was stolen on Feb. 25, but Denver police asked the school to wait until March 1 to go public with news of the theft to help with the ongoing investigation.

Students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester are now being notified of the incident via letter, the college said.

Although there is no evidence that any of this data has been used for identity theft, there are a number of unanswered questions related to the incident. One question is whether or not the sensitive information was actually stored on the computer at the time of the theft, according to college President Stephen Jordan.

"The employee does not recall whether he had deleted those files from the laptop," he said in a statement.

A second question is whether the employee should have been storing this type of data outside of school premises for the purposes of a master's thesis. The college is "investigating whether the employee had obtained permission ... to use the data in his thesis," the college said.
The college is now reviewing its policies regarding laptops, particularly related to unencrypted information, Jordan said. The college Web site includes tips on avoiding laptop theft, and on preventing stolen information from being used following such an event.

The college did not immediately return calls seeking comment for this story on Friday.

From isn at c4i.org Mon Mar 6 05:31:12 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Mar 2006 04:31:12 -0600 (CST)
Subject: [ISN] Hey Neighbor, Stop Piggybacking on My Wireless
Message-ID:

http://www.nytimes.com/2006/03/05/technology/05wireless.html

By MICHEL MARRIOTT
March 5, 2006

For a while, the wireless Internet connection Christine and Randy Brodeur installed last year seemed perfect. They were able to sit in their sunny Los Angeles backyard working on their laptop computers.

But they soon began noticing that their high-speed Internet access had become as slow as rush-hour traffic on the 405 freeway.

"I didn't know whether to blame it on the Santa Ana winds or what," recalled Mrs. Brodeur, the chief executive of Socket Media, a marketing and public relations agency.

The "what" turned out to be neighbors who had tapped into their system. The additional online traffic nearly choked out the Brodeurs, who pay a $40 monthly fee for their Internet service, slowing their access until it was practically unusable.

Piggybacking, the usually unauthorized tapping into someone else's wireless Internet connection, is no longer the exclusive domain of pilfering computer geeks or shady hackers cruising for unguarded networks. Ordinarily upstanding people are tapping in. As they do, new sets of Internet behaviors are creeping into America's popular culture.

"I don't think it's stealing," said Edwin Caroso, a 21-year-old student at Miami Dade College, echoing an often-heard sentiment. "I always find people out there who aren't protecting their connection, so I just feel free to go ahead and use it," Mr. Caroso said.
He added that he tapped into a stranger's network mainly for Web surfing, keeping up with e-mail, text chatting with friends in foreign countries and doing homework.

Many who piggyback say the practice does not feel like theft because it does not seem to take anything away from anyone. One occasional piggybacker recently compared it to "reading the newspaper over someone's shoulder."

Piggybacking, makers of wireless routers say, is increasingly an issue for people who live in densely populated areas like New York City or Chicago, or for anyone clustered in apartment buildings in which Wi-Fi radio waves, with an average range of about 200 feet, can easily bleed through walls, floors and ceilings. Large hotels that offer the service have become bubbling brooks of free access that spill out into nearby homes and restaurants.

"Wi-Fi is in the air, and it is a very low curb, if you will, to step up and use it," said Mike Wolf of ABI Research, a high-technology market research company in Oyster Bay, N.Y.

This is especially true, Mr. Wolf said, because so many users do not bother to secure their networks with passwords or encryption programs. The programs are usually shipped with customers' wireless routers, devices that plug into an Internet connection and make access to it wireless.

Many home network owners admit that they are oblivious to piggybackers. Some, like Marla Edwards, who think they have locked intruders out of their networks, learn otherwise. Ms. Edwards, a junior at Baruch College in New York, said her husband recently discovered that their home network was not secure after a visiting friend with a laptop easily hopped on.

"There's no gauge, no measuring device that says 48 people are using your access," Ms. Edwards said.

When Mr. Wolf turns on his computer in his suburban Seattle home, he regularly sees on his screen a list of two or three wireless networks that do not belong to him but are nonetheless available for use. Mr.
Wolf uses his own wired network at home, but he says he has piggybacked onto someone else's wireless network when traveling.

"On a family vacation this summer we needed to get access," Mr. Wolf recalled, explaining that his father, who took along his laptop, needed to send an e-mail message to his boss on the East Coast from Ocean Shores, Wash. "I said, 'O.K., let's drive around the beach with the window open.' We found a signal, and the owner of the network was none the wiser," Mr. Wolf said. "It took about five minutes."

Jonathan Bettino, a senior product marketing manager for the Belkin Corporation, a major maker of wireless network routers based in Compton, Calif., said home-based wireless networks were becoming a way of life. Unless locking out unauthorized users becomes commonplace, piggybacking is likely to increase, too.

Last year, Mr. Bettino said, there were more than 44 million broadband networks among the more than 100 million households in the United States. Of that number, 16.2 million are expected to be wireless by the end of this year. In 2003, 3.9 million households had wireless access to the Internet, he said.

Humphrey Cheung, the editor of a technology Web site, tomshardware.com, measured how plentiful open wireless networks have become. In April 2004, he and some colleagues flew two single-engine airplanes over metropolitan Los Angeles with two wireless laptops. The project logged more than 4,500 wireless networks, with only about 30 percent of them encrypted to lock out outsiders, Mr. Cheung said.

"Most people just plug the thing in," he said of those who buy wireless routers. "Ninety percent of the time it works. You stop at that point and don't bother to turn on its security."

Martha Liliana Ramirez, who lives in Miami, said she had not thought much about securing her $100-a-month Internet connection until recently. Last August, Ms.
Ramirez, 31, a real estate agent, discovered a man camped outside her condominium with a laptop pointed at her building. When Ms. Ramirez asked the man what he was doing, he said he was stealing a wireless Internet connection because he did not have one at home. She was amused but later had an unsettling thought: "Oh my God. He could be stealing my signal." Yet some six months later, Ms. Ramirez still has not secured her network.

Beth Freeman, who lives in Chicago, has her own Internet access, but it is not wireless. Mostly for the convenience of using the Internet anywhere in her apartment, Ms. Freeman, 58, said that for the last six months she has been using a wireless network a friend showed her how to tap into.

"I feel sort of bad about it, but I do it anyway," Ms. Freeman said of her Internet indiscretions. "It just seems harmless." And if she ever gets caught? "I'm a grandmother," Ms. Freeman said. "They're not going to yell at an old lady. I'll just play the dumb card."

David Cole, director of product management for Symantec Security Response, a unit of Symantec, a maker of computer security software, said consumers should understand that an open wireless network invites greater vulnerabilities than just a stampede of "freeloading neighbors." He said savvy users could piggyback into unprotected computers to peer into files containing sensitive financial and personal information, release malicious viruses and worms that could do irreparable damage, or use the computer as a launching pad for identity theft or the uploading and downloading of child pornography.

"The best case is that you end up giving a neighbor a free ride," Mr. Cole said. "The worst case is that someone can destroy your computer, take your files and do some really nefarious things with your network that gets you dragged into court." Mr.
Cole said Symantec and other companies had created software that could not only lock out most network intruders but also protect computers and their content if an intruder managed to gain access.

Some users say they have protected their computers but have decided to keep their networks open as a passive protest of what they consider the exorbitant cost of Internet access.

"I'm sticking it to the man," said Elaine Ball, an Internet subscriber who lives in Chicago. She complained that she paid $65 a month for Internet access until she recently switched to a $20-a-month promotion plan that would go up to $45 a month after the first three months. "I open up my network, leave it wide open for anyone to jump on," Ms. Ball said.

For the Brodeurs in Los Angeles, a close reading of their network's manual helped them to finally encrypt their network. The Brodeurs told their neighbors that the network belonged to them and not to the neighborhood. While apologetic, some neighbors still wanted access to it.

"Some of them asked me, 'Could we pay?' But we didn't want to go into the Internet service provider business," Mrs. Brodeur said. "We gave some weird story about the network imposing some sort of lockdown protocol."

Andrea Zarate contributed reporting from Miami for this article, and Gretchen Ruethling from Chicago.

From isn at c4i.org Mon Mar 6 05:31:30 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Mar 2006 04:31:30 -0600 (CST)
Subject: [ISN] Symantec Takes Heat For Changing Adware Advice
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=181500850

By Gregg Keizer
Mar 3, 2006

Symantec's out-of-court settlement with an adware maker is a loss for users, an anti-spyware researcher said this week.

Friday, Feb. 24, the Cupertino, Calif. security company announced that it had dismissed its lawsuit against browser and e-mail toolbar maker Hotbar.com, Inc.
Last June, Symantec filed a zero-dollar suit against the New York company, saying then that it was seeking a legal ruling that would affirm the position that Hotbar's programs "are indeed adware and can be treated as computer security risks."

Under the new arrangement struck with Hotbar, Symantec has agreed to dismiss the lawsuit but will still classify the company's software as "adware."

Symantec called it a victory. "What we got out of this was peace from these guys," said Joy Cartun, Symantec's senior director of legal affairs. "We didn't change our detection, so in that way we won."

Hotbar, which had hounded Symantec with at least five litigation threats in the first half of 2005, is now blocked from any further action, said Cartun. "We get them to go away, but without having to make a change in our detection of them [as adware]."

Hotbar's chief executive, however, was convinced that he had won. "Both sides now recognize that our application is disclosing its behavior," said Oren Dobronsky. "We've gained that recognition, so that when users scan for spyware, they don't get some kind of alert and by default, then remove it."

Symantec acknowledged that although its security software will continue to detect Hotbar's products as adware, it has changed the recommendation it gives to customers. Previously, Symantec recommended that users delete Hotbar; now, says Symantec, it's reclassified Hotbar's toolbars as "low-risk" and recommends that users ignore the software and let it be.

"We're telling users what it is, and assisting them to make a choice [whether to keep or remove Hotbar]," argued Symantec's Cartun.

She also claimed that Symantec had been thinking of making the change long before Hotbar started complaining. "The change was driven not by Hotbar, but from what we learned what our customers wanted. They wanted guidance," she said. "The change was on a totally independent track [from the lawsuit]."

Noted anti-spyware researcher Ben Edelman isn't buying that.
By backing down on its recommendation from delete to ignore, said Edelman, Symantec's not serving its customers.

"If I was an IT guy paying Symantec to defend my computers, I'd ask 'what are we paying them for, I still see Hotbar on a user's computer,'" said Edelman. "Something's gone wrong at Symantec."

This isn't the first time that an anti-spyware maker has backed off from a vendor. A year ago, Microsoft quietly changed the advice it gave users on programs supplied by Claria, one of the largest adware purveyors. The resulting storm in the press and by bloggers forced Microsoft to issue an open letter to customers explaining why it made the changes.

Symantec's move is more of the same, said Edelman. "They just don't get it. Whether software gets consent from users to install isn't the only thing they should be looking at."

He questioned whether users of Hotbar understood they would get pop-up, pop-under, and auto-opening ads when they consented to the installation, and criticized the company for targeting kids with come-ons to download and install their toolbars.

"Children may be less able to assess the merits of a Hotbar offer," Edelman wrote on his Web site in an analysis of Hotbar done last May. "[They're] less able to determine whether Hotbar software is a good value, less likely to realize the privacy and other consequences of installing such software, less inclined to examine a lengthy license agreement."

Symantec and other security vendors claiming to sniff out adware and spyware should take factors like those into account, Edelman told TechWeb. "Unfortunately, this isn't the kind of analysis that comes naturally to security experts," he said. "They're used to thinking of worms as all bad, and they're not in a position to shift gears to more subjective decisions."

Still, Edelman's hopeful, if not because of the Symantec dismissal, then because of the general trend he sees shaping up. "What's interesting is how much things have changed since last spring.
Then, there were new letters going out to anti-spyware companies every week. That's stopped as far as we know.

"Why? I think the legal merits have sunk in, and that adware makers know they don't have a leg to stand on."

From isn at c4i.org Mon Mar 6 05:30:12 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 6 Mar 2006 04:30:12 -0600 (CST)
Subject: [ISN] Trojan horse couple indicted
Message-ID:

http://www.globes.co.il/serveen/globes/DocView.asp?did=1000067928&fid=1725

Yitzhak Danon
Globes
5 Mar 06

The Office of the State Attorney today filed charges with the Tel Aviv District Court against the couple Ruth and Michael Haephrati. The office has also asked that the couple be remanded until the end of proceedings.

The Haephrati couple are charged with numerous offences related to industrial espionage. Ruth Haephrati is to be charged with aggravated fraud, inserting material and viruses into a computer (the Trojan horse), unlawful wire tapping, invasion of privacy and unlicensed management of a database. Michael Haephrati is to be charged with aiding and abetting his wife in the committing of the offences listed above.

According to the indictment, Michael Haephrati conceived and developed the Trojan horse software back in 2000 and subsequently attempted to offer it lawfully to various security bodies. In mid-2004, he used Ruth Haephrati, who handled the marketing activities, to contact the private investigators involved in the affair, with a view to using the software for criminal purposes. The investigators in question used the software to access information regarding competitors or other private entities, on behalf of their corporate or private clients.

The State Attorney's office stressed that the investigation into the companies and individuals who commissioned the industrial espionage was ongoing. It also listed the types of data that had been accessed by the Trojan horse software used to hack into victims' computers.
These include documents created using word processing software, electronic spread sheets, slide presentations, scanned documents and others. The material accessed by the hackers contained expensive and sensitive intellectual property. The Trojan horse also provided real-time sensitive images of material being viewed on hacked computers as well as of recordings of voice communications conducted between infected ma