From isn at c4i.org Mon May 1 01:41:00 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:41:00 -0500 (CDT)
Subject: [ISN] Linux Advisory Watch - April 28th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  April 28th, 2006                             Volume 7, Number 18n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas      ben at linuxsecurity.com  |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, advisories were released for zgv, xzgv, blender, gdm, abc2ps, SASL, abcmidi, Mozilla, OpenVPN, kernel, gnome-pilot, qt, tzdata, procps, procinfo, beagle, jwhois, cscope, ethereal, system-config-date, pygtk, crossfire, fbida, dia, xine-ui, php, mozilla-firefox, ruby, module-init-tools, thunderbird, and ipsec-tools. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.
http://www.engardelinux.org/modules/index/register.cgi

---

Introduction: Buffer Overflow Vulnerabilities

In exploiting the buffer overflow vulnerability, the main objective is to overwrite some control information in order to change the flow of control in the program. The usual way of taking advantage of this is to modify the control information to give authority to code provided by the attacker to take control. According to Shaneck, "The most widespread type of exploit is called 'Smashing the Stack' and involves overwriting the return address stored on the stack to transfer control to code placed either in the buffer, or past the end of the buffer." (Shaneck, 2003)

The stack is a section of memory used for temporary storage of information. In a stack-based buffer overflow attack, the attacker adds more data than expected to the stack, overwriting data. Farrow explains this in an example, "Let's say that a program is executing and reaches the stage where it expects to use a postal code or zip code, which it gets from a Web-based form that customers filled out." (Farrow, 2002) The longest postal code is fewer than twelve characters, but on the web form, the attacker typed in the letter "A" 256 times, followed by some other commands. The data overflows the buffer allotted for the zip code and the attacker's commands fall into the stack.

After a function is called, the address of the instruction following the function call is pushed onto the stack to be saved so that the function knows where to return control when it is finished. A buffer overflow allows the attacker to change the return address of a function to a point in memory where they have already inserted executable code. Then control can be transferred to the malicious attack code contained within the buffer, called the payload (Peikari and Chuvakin, 2004). The payload is normally a command to allow remote access or some other command that would get the attacker closer to having control of the system.

As Holden explains, "a computer is flooded with more information than it can handle, and some of it may contain instructions that could damage files on the computer or disclose information that is normally protected - or give the hacker root access to the system." (Holden, 2004)

The best defense against any of these attacks is to have perfect programs. In ideal circumstances, every input in every program would do bounds checks to allow only a given number of characters. Therefore, the best way to deal with buffer overflow problems is to not allow them to occur in the first place. Unfortunately, not all programs are perfect and some have bugs that permit the attacks discussed in this paper. As described by Farrow, "because programs are not perfect, programmers have come up with schemes to defend against buffer overflow attacks." (Farrow, 2002)

One technique entails forcing the computer to use the stack and the heap for data only and never to execute any instructions found there. This approach can work for UNIX systems, but it can't be used on Windows systems. Farrow describes another scheme using a canary to protect against buffer overflows, but only the kind that overwrite the stack. (Farrow, 2002) The stack canary protects the stack by being put in sensitive locations in memory like the return address (that tells the computer where to find the next commands to execute after it completes its current function). As described by Farrow, "before return addresses get used, the program checks to see if the canary is okay." (Farrow, 2002) If the canary has been hit, the program then quits because it knows that something has gone wrong.

As a user of the programs, the best countermeasure is to make sure your systems are fully patched in order to protect yourself from exploits targeting vulnerabilities.
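A worked illustration of the two defenses the article describes, bounds checking on input and a canary sitting between the buffer and the saved return address, added here as an example; it is not code from the newsletter or from the papers it cites. The frame struct, the CANARY_VALUE and RETURN_VALUE constants, and the 256-byte input of 'A's are constructed stand-ins: a compiler's stack protector lays out the real frame itself and picks a random canary at program start.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZIP_MAX 12   /* the article's example: postal codes are under twelve characters */

/* Constructed placeholders; a real stack protector uses a random canary. */
#define CANARY_VALUE 0xdeadbeefcafef00dULL
#define RETURN_VALUE 0x0000000000400123ULL

/* A constructed stand-in for a stack frame: the zip buffer sits below a
 * guard word (the canary), which sits below the saved return address,
 * mirroring the layout a stack protector enforces. A real frame is laid
 * out by the compiler, not by a struct; this one exists so the overwrite
 * can be observed without undefined behaviour. */
struct frame {
    char zip[ZIP_MAX];
    uint64_t canary;
    uint64_t saved_return;
};

static void frame_init(struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->canary = CANARY_VALUE;
    f->saved_return = RETURN_VALUE;
}

/* The classic defect: the input length is never compared with ZIP_MAX, so
 * bytes past the buffer land on the canary and the saved return address.
 * The copy is clamped to the struct so this demo itself stays well-defined. */
static void store_zip_unchecked(struct frame *f, const char *in, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(f, in, len);          /* f->zip is at offset 0 of the frame */
}

/* The fix the article calls for: refuse input that does not fit.
 * Returns 0 when stored, -1 when rejected (one byte is kept for the NUL). */
static int store_zip_checked(struct frame *f, const char *in, size_t len)
{
    if (len >= ZIP_MAX)
        return -1;
    memcpy(f->zip, in, len);
    f->zip[len] = '\0';
    return 0;
}

/* The check a stack protector runs before the return address is used:
 * 1 if the canary is intact, 0 if it has been hit. */
static int canary_ok(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Scenario from the article with a constructed input of 256 'A's.
 * Returns 1 when the unchecked copy clobbers both the canary and the
 * saved return address, so the canary check would abort the program. */
int demo_unchecked_copy_detected(void)
{
    struct frame f;
    char input[256];
    memset(input, 'A', sizeof input);
    frame_init(&f);
    store_zip_unchecked(&f, input, sizeof input);
    return !canary_ok(&f) && f.saved_return != RETURN_VALUE;
}

/* Same input through the bounds-checked path: rejected, frame untouched. */
int demo_checked_copy_rejects(void)
{
    struct frame f;
    char input[256];
    memset(input, 'A', sizeof input);
    frame_init(&f);
    return store_zip_checked(&f, input, sizeof input) == -1
        && canary_ok(&f) && f.saved_return == RETURN_VALUE;
}

/* A legitimate postal code is still accepted by the checked path. */
int demo_checked_copy_accepts(void)
{
    struct frame f;
    frame_init(&f);
    return store_zip_checked(&f, "02134", 5) == 0
        && strcmp(f.zip, "02134") == 0 && canary_ok(&f);
}

int main(void)
{
    printf("unchecked copy caught by canary check: %d\n", demo_unchecked_copy_detected());
    printf("checked copy rejects oversize input:   %d\n", demo_checked_copy_rejects());
    printf("checked copy accepts a valid code:     %d\n", demo_checked_copy_accepts());
    return 0;
}
```

The canary only detects the overwrite after it has happened; the bounds check is what prevents it, which is why the article ranks input validation first.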
Read Full Article:
http://www.linuxsecurity.com/content/view/118881/49/

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New zgv packages fix arbitrary code execution
  21st, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122512

* Debian: New xzgv packages fix arbitrary code execution
  22nd, April, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/122518

* Debian: New blender packages fix several vulnerabilities
  24th, April, 2006

  Several vulnerabilities have been discovered in blender, a very fast and versatile 3D modeller/renderer. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2005-3302, CVE-2005-4470

  http://www.linuxsecurity.com/content/view/122526

* Debian: New gdm packages fix local root exploit
  24th, April, 2006

  A vulnerability has been identified in gdm, a display manager for X, that could allow a local attacker to gain elevated privileges by exploiting a race condition in the handling of the .ICEauthority file.

  http://www.linuxsecurity.com/content/view/122527

* Debian: New abc2ps packages fix arbitrary code execution
  25th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122544

* Debian: New Cyrus SASL packages fix denial of service
  25th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122564

* Debian: New abcmidi packages fix arbitrary code execution
  26th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122571

* Debian: New Mozilla Firefox packages fix several vulnerabilities
  26th, April, 2006

  Several security related problems have been discovered in Mozilla Firefox.

  http://www.linuxsecurity.com/content/view/122578

* Debian: New Mozilla Firefox packages fix several vulnerabilities
  26th, April, 2006

  http://www.linuxsecurity.com/content/view/122581

* Debian: New OpenVPN packages fix arbitrary code execution
  27th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122591

* Debian: New Mozilla packages fix several vulnerabilities
  27th, April, 2006

  Updated package.
  http://www.linuxsecurity.com/content/view/122592

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: kernel-2.6.16-1.2096_FC4
  20th, April, 2006

  This update includes a number of security issues that have been fixed upstream over the last week or so.

  http://www.linuxsecurity.com/content/view/122490

* Fedora Core 4 Update: kernel-2.6.16-1.2096_FC4
  20th, April, 2006

  This update includes a number of security issues that have been fixed upstream over the last week or so.

  http://www.linuxsecurity.com/content/view/122491

* Fedora Core 5 Update: gnome-pilot-2.0.13-7.fc5.6
  20th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122492

* Fedora Core 4 Update: gnome-pilot-2.0.13-5.fc4.2
  20th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122493

* Fedora Core 4 Update: qt-3.3.4-15.5
  20th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122494

* Fedora Core 5 Update: tzdata-2006d-1.fc5
  20th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122495

* Fedora Core 4 Update: tzdata-2006d-1.fc4
  20th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122496

* Fedora Core 5 Update: procps-3.2.6-3.3
  21st, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122506

* Fedora Core 5 Update: procinfo-18-18.2.2
  21st, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122507

* Fedora Core 5 Update: gnome-user-share-0.9-4
  21st, April, 2006

  Fixes login when using password.

  http://www.linuxsecurity.com/content/view/122508

* Fedora Core 5 Update: beagle-0.2.5-1.fc5.1
  21st, April, 2006

  This upgrade to 0.2.5 fixes various bugs, including making the firefox extension work again. It also contains fixes for a minor security issue where you could inject command line arguments into the indexer helpers.
  http://www.linuxsecurity.com/content/view/122509

* Fedora Core 4 Update: jwhois-3.2.3-3.3.fc4.1
  21st, April, 2006

  Updates jwhois to 3.2.3 and updates the default configuration.

  http://www.linuxsecurity.com/content/view/122510

* Fedora Core 5 Update: cscope-15.5-13.3
  21st, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122513

* Fedora Core 5 Update: ethereal-0.99.0-fc5.1
  25th, April, 2006

  Many security vulnerabilities have been fixed since the previous release.

  http://www.linuxsecurity.com/content/view/122561

* Fedora Core 4 Update: ethereal-0.99.0-fc4.1
  26th, April, 2006

  Many security vulnerabilities have been fixed since the previous release.

  http://www.linuxsecurity.com/content/view/122574

* Fedora Core 4 Update: system-config-date-1.8.3-0.fc4.1
  26th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122586

* Fedora Core 5 Update: system-config-date-1.8.3-0.fc5.1
  26th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122587

* Fedora Core 5 Update: pygtk2-2.8.6-0.fc5.1
  26th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122588

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Cyrus-SASL DIGEST-MD5 Pre-Authentication Denial of Service
  21st, April, 2006

  Cyrus-SASL contains a vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service.

  http://www.linuxsecurity.com/content/view/122498

* Gentoo: zgv, xzgv Heap overflow
  21st, April, 2006

  xzgv and zgv attempt to decode JPEG images within the CMYK/YCCK colour space incorrectly, potentially resulting in the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/122499

* Gentoo: Crossfire server Denial of Service and potential
  22nd, April, 2006

  The Crossfire game server is vulnerable to a Denial of Service and potentially to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122519

* Gentoo: Mozilla Firefox Multiple vulnerabilities
  23rd, April, 2006

  Several vulnerabilities in Mozilla Firefox allow attacks ranging from execution of script code with elevated privileges to information leaks.

  http://www.linuxsecurity.com/content/view/122520

* Gentoo: fbida Insecure temporary file creation
  23rd, April, 2006

  fbida is vulnerable to linking attacks, potentially allowing a local user to overwrite arbitrary files.

  http://www.linuxsecurity.com/content/view/122521

* Gentoo: Dia Arbitrary code execution through XFig import
  23rd, April, 2006

  Buffer overflows in Dia's XFig import could allow remote attackers to execute arbitrary code.

  http://www.linuxsecurity.com/content/view/122522

* Gentoo: xine-ui Format string vulnerabilities
  26th, April, 2006

  Format string vulnerabilities in xine-ui may lead to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/122579

* Gentoo: xine-lib Buffer overflow vulnerability
  26th, April, 2006

  xine-lib contains a buffer overflow vulnerability which may lead to the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/122580

* Gentoo: Ethereal Multiple vulnerabilities in protocol dissectors
  27th, April, 2006

  Ethereal is vulnerable to numerous vulnerabilities, potentially resulting in the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/122590

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated cyrus-sasl packages address vulnerability
  24th, April, 2006

  A vulnerability in the CMU Cyrus Simple Authentication and Security Layer (SASL) library < 2.1.21 has an unknown impact and remote unauthenticated attack vectors, related to DIGEST-MD5 negotiation.

  http://www.linuxsecurity.com/content/view/122541

* Mandriva: Updated php packages address multiple vulnerabilities.
  24th, April, 2006

  A cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP <= 5.1.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed.

  http://www.linuxsecurity.com/content/view/122542

* Mandriva: Updated mozilla-firefox packages fix numerous vulnerabilities
  25th, April, 2006

  A number of vulnerabilities have been discovered in the Mozilla Firefox browser that could allow a remote attacker to craft malicious web pages that could take advantage of these issues to execute arbitrary code with elevated privileges, spoof content, and steal local files, cookies, or other information from web pages.

  http://www.linuxsecurity.com/content/view/122543

* Mandriva: Updated mozilla packages fix numerous vulnerabilities
  25th, April, 2006

  A number of vulnerabilities have been discovered in the Mozilla Suite that could allow a remote attacker to craft malicious web pages that could take advantage of these issues to execute arbitrary code with elevated privileges, spoof content, and steal local files, cookies, or other information from web pages.

  http://www.linuxsecurity.com/content/view/122565

* Mandriva: Updated ethereal packages fix numerous vulnerabilities
  25th, April, 2006

  A number of vulnerabilities have been discovered in the Ethereal network analyzer. These issues have been corrected in Ethereal version 0.99.0 which is provided with this update.

  http://www.linuxsecurity.com/content/view/122566

* Mandriva: Updated mozilla-thunderbird packages fix numerous vulnerabilities
  25th, April, 2006

  A number of vulnerabilities have been discovered in the Mozilla Thunderbird email client that could allow a remote attacker to craft malicious web emails that could take advantage of these issues to execute arbitrary code with elevated privileges, spoof content, and steal local files, or other information.
  http://www.linuxsecurity.com/content/view/122567

* Mandriva: Updated ruby packages fix vulnerability
  25th, April, 2006

  A vulnerability in how ruby's HTTP module uses blocking sockets was reported by Yukihiro Matsumoto. By sending large amounts of data to a server application using this module, a remote attacker could exploit it to render the application unusable and not respond to other client requests.

  http://www.linuxsecurity.com/content/view/122570

* Mandriva: Updated module-init-tools packages fix CUPS-related bug
  27th, April, 2006

  The default configuration of module-init-tools was to send a HUP signal to the CUPS daemon whenever the "usblp" kernel module is loaded, for example when a USB printer is plugged in. Because udev also sends a HUP signal to the CUPS daemon on plugging in a USB printer, there were two HUPs one shortly after the other, which often made the CUPS daemon crash.

  http://www.linuxsecurity.com/content/view/122589

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Critical: thunderbird security update
  21st, April, 2006

  An updated thunderbird package that fixes various bugs is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/122511

* RedHat: Moderate: ipsec-tools security update
  25th, April, 2006

  Updated ipsec-tools packages that fix a bug in racoon are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/122550

* RedHat: Moderate: php security update
  25th, April, 2006

  Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122551

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: Mozilla Firefox, Mozilla Suite
  20th, April, 2006

  Updated package.

  http://www.linuxsecurity.com/content/view/122489

* SuSE: MozillaThunderbird various problems
  25th, April, 2006

  Multiple vulnerabilities fixed.

  http://www.linuxsecurity.com/content/view/122549

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon May 1 01:41:15 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:41:15 -0500 (CDT)
Subject: [ISN] Pentagon Hacker Compromises Personal Data
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/04/28/AR2006042801540.html

By ROBERT BURNS
The Associated Press
April 28, 2006

WASHINGTON -- An intruder gained access to a Defense Department computer server and compromised confidential health care insurance information for more than 14,000 people, the department said Friday.

William Winkenwerder Jr., the assistant defense secretary for health affairs, said the affected individuals have been advised by letter that the compromise of personal information could put them at risk for identity theft.

"Such incidents are reprehensible, and we deeply regret the inconvenience this may cause the people we serve," he said in a brief statement.

The Pentagon established a toll-free telephone number (1-800-600-9332) for affected people to call if they have questions.

The computer server is for people insured under the Pentagon's TRICARE health care system.
The type of information that was compromised was not disclosed in the Pentagon announcement, but Winkenwerder said it varied and investigators do not know the intent of the crime or if the compromised information will be misused.

A spokesman for Winkenwerder, who asked not to be identified, said the information included names, Social Security numbers, credit card numbers and some personal health information.

Routine monitoring of one of the health care insurance system's public servers detected unusual activity, and an investigation led to the discovery on April 5 that an intrusion had occurred and information was compromised. As a result, additional monitoring tools were installed to improve security of existing networks and data files, Winkenwerder said.

© 2006 The Associated Press

From isn at c4i.org Mon May 1 01:41:38 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:41:38 -0500 (CDT)
Subject: [ISN] Your computer is not secure.
Message-ID:

http://hartfordadvocate.com/gbase/News/content?oid=oid:153106

By Meir Rinde
April 27, 2006

When agents from the federal Bureau of Alcohol, Tobacco and Firearms arrested convicted felon Michael Crooker on a charge of illegally shipping a firearm across state lines, they searched his apartment in the Feeding Hills neighborhood of Agawam, Mass. and found substances that gave them pause. They called in military and civilian hazardous material units, and a bomb squad, and police closed off all areas within 1,000 feet. A story spread that investigators found the poison ricin in the apartment; in reality, they found castor beans, which have commercial uses but do contain ricin. They also found lye, which is used in ricin production, and rosary peas, which contain a toxin called abrin. In Crooker's car they found powerful homemade fireworks, and they conducted a controlled explosion of at least one device.

That was almost two years ago.
He's now locked up at the state correctional facility in Suffield, Connecticut, awaiting trial on a single charge of trying to ship an air-gun silencer to a man in Ohio. The 52-year-old ex-con fills his time studying his case and writing letters to the judge, as well as filing lawsuits against the government and other parties, as he has done all his life.

Among the entities he has targeted is the computer maker Hewlett Packard. In his suit, Crooker traces back the history of his Compaq Presario notebook computer, which the ATF seized when he was arrested. He bought it in September 2002, expressly because it had a feature called DriveLock, which freezes up the hard drive if you don't have the proper password. The computer's manual claims that "if one were to lose his Master Password and his User Password, then the hard drive is useless and the data cannot be resurrected even by Compaq's headquarters staff," Crooker wrote in the suit.

Crooker has a copy of an ATF search warrant for files on the computer, which includes a handwritten notation: "Computer lock not able to be broken/disabled. Computer forwarded to FBI lab." Crooker says he refused to give investigators the password, and was told the computer would be broken into "through a backdoor provided by Compaq," which is now part of HP.

It's unclear what was done with the laptop, but Crooker says a subsequent search warrant for his e-mail account, issued in January 2005, showed investigators had somehow gained access to his 40 gigabyte hard drive. The FBI had broken through DriveLock and accessed his e-mails (both deleted and not) as well as lists of websites he'd visited and other information. The only files they couldn't read were ones he'd encrypted using Wexcrypt, a software program freely available on the Internet.

Despite the exposure of his e-mails, Crooker isn't in prison on a chemicals or explosives charge.
Rather, he's been detained for two years on a single firearms charge because the judge thinks he's too dangerous to let out on bail. A six-page rap sheet included in his firearms charge file lists arrests going back to March 1970, when he was 16 and committed an armed robbery while wearing a ski mask, according to the Springfield Republican. In 1977, he was accused of threatening to kill President Gerald Ford; he was cleared, but convicted of mailing death threats to the police chief of Southwick, Mass., where he grew up, and to a probation officer. In 1986, he was charged with rape and attempted murder; the charges stemmed from a phone argument with his wife, he says, and were dropped. In 1993, he pleaded guilty to a conspiracy to possess guns, witness tampering -- he admits he blew up a witness's car -- and IRS fraud. He and an accomplice had filed about 70 false tax returns and pocketed the refunds.

The judge who ordered him to remain incarcerated described Crooker as "a real threat to the community at large, if not particular individuals as well." The judge wrote that prosecutors believe Crooker has made ricin in the past; that he is accused of keeping three hundred rounds of ammunition at his parents' house; that in letters he refers to Timothy McVeigh as a "martyr" and "expresses admiration for Osama bin Laden's brilliance."

If the government agrees Crooker is so dangerous he can't stay at home while he awaits trial, should he be allowed to use purportedly unbreakable computer security systems to hide potentially criminal activity? Because of cases like Crooker's, some might argue the government should have access to security backdoors to discourage criminals or at least catch them more easily, much as the technology in the movie Minority Report allows police to prevent crime by arresting criminals before they act.

Of course, Crooker does not agree.
Sitting in a low-ceilinged prison visiting room last week, his bright yellow prison jumpsuit hanging loosely on his narrow six-foot frame, Crooker rifled through stacks of legal documents and criticized what he described as HP's deception in not admitting up front that DriveLock was flawed, and in selling him out to the feds.

"Even if it's the CIA and the NSA, it's wrong for HP to say, 'we can't help you if you lose your password'," he said. "It's causing people to hide things on their computers, and they're not secure."

Crooker argues that by providing the FBI with a way to circumvent DriveLock, and claiming the system was impenetrable when there was actually a backdoor, HP committed a breach of contract.

We left a message for HP's lawyer, Thomas W. Evans of Cohen & Fierman in Boston, and got a call back from Ryan Donovan, a company spokesman in Palo Alto, Calif. "We don't comment on pending litigation," he said. In a legal response sent to Crooker but not yet available in court, Evans says HP didn't help the FBI, and argues it was unreasonable for Crooker to expect that data he entered on the laptop would remain inaccessible to others.

Crooker's goal is primarily to get money from HP. He's demanded $350,000, and would probably accept much less. But he has also stepped into a much larger debate over computer security: whether HP and other companies are providing their customers with sufficiently strong protection and whether the government should allow anyone access to security systems so strong that even federal law enforcement agents have a hard time breaking through them.

Crooker has spent many years in prison, but he's had some success with the law as well. In 1984, when he faced a charge of having an unregistered machine gun, a federal District Court panel reviewed his claims that he should have access to certain ATF documents.
Although he ultimately didn't get everything he wanted, the judges ruled ATF hadn't given a specific enough reason for withholding the documents, and Crooker v. BATF became an important footnote to discussions of Freedom of Information law.

In his current criminal case, he argues that although the silencer would fit on an actual firearm, it was only intended for use on the air gun it was attached to. "You wouldn't believe the hearings and motions we've filed on this," he said. He knows firearms law inside and out. He's published a pamphlet called A Felon's Guide to Legal Firearms Ownership, which you can buy online for $4.95.

But his lawsuit against HP may be a long shot. Crooker appears to face strong counterarguments to his claim that HP is guilty of breach of contract, especially if the FBI made the company provide a backdoor.

"If they had a warrant, then I don't see how his case has any merit at all," said Steven Certilman, a Stamford attorney who heads the Technology Law section of the Connecticut Bar Association. "Whatever means they used, if it's covered by the warrant, it's legitimate."

If HP claimed DriveLock was unbreakable when the company knew it was not, that might be a kind of false advertising. But while documents on HP's web site do claim that without the correct passwords, a DriveLock'ed hard drive is "permanently unusable," such warnings may not constitute actual legal guarantees. According to Certilman and other computer security experts, hardware and software makers are careful not to make themselves liable for the performance of their products.

"I haven't heard of manufacturers, at least for the consumer market, making a promise of computer security. Usually you buy naked hardware and you're on your own," Certilman said. In general, computer warranties are "limited only to replacement and repair of the component, and not to incidental consequential damages such as the exposure of the underlying data to snooping third parties," he said.
"So I would be quite surprised if there were a gaping hole in their warranty that would allow that kind of claim."

That point meets with agreement from the noted computer security skeptic Bruce Schneier, the chief technology officer at Counterpane Internet Security in Mountain View, Calif.

"I mean, the computer industry promises nothing," he said last week. "Did you ever read a shrink-wrapped license agreement? You should read one. It basically says, if this product deliberately kills your children, and we knew it would, and we decided not to tell you because it might harm sales, we're not liable. I mean, it says stuff like that. They're absurd documents. You have no rights."

Schneier entered the field of computer security as a cryptographer. He invented an algorithm called Blowfish, which is used in many software programs including Wexcrypt, which Crooker used on some of his files, and which the FBI has apparently been unable to crack. In recent years Schneier has been a prominent critic of most computer security schemes, saying that they're not reliable in part because companies aren't financially liable for failures.

He described Crooker's lawsuit as "kind of funny."

"Part of me says, 'Well, go get them,'" Schneier said. "Because the industry, for years, makes all of these false promises. So here's someone who's saying, 'Look, goddammit, I believed them, and I got arrested,' or something. So that's kind of neat, actually."

Online, self-declared computer geeks have discussed at length how to unlock DriveLock'ed hard drives. The general consensus is that, unlike many computer password systems, DriveLock is a hard-drive-only system, a technology added to the drive, rather than a routine in the computer software. Only a chip on the hard drive knows where the password is stored, and the chip simply will not allow the drive to spin if the password is not provided. Putting the drive in a different computer, or tinkering with computer system files, doesn't help.
Encryption isn't the problem, either: your files may just be sitting there, in readable form, but the drive refuses to work. The computer geeks seem to throw up their hands at devising a home-office method of getting around DriveLock. However, in a "clean room" laboratory setting it should be possible to take apart a hard drive and scan the platters where magnetic information is stored. A few companies advertise password removal services for a fee, such as Nortek Computers Limited, in North Bay, Ontario, Canada. For $85, the company will simply erase your hard drive, which removes the password and at least makes the drive usable again. For $285, the company will copy your information off the drive, wipe the drive, and put the information back on, sans the password, said Chris Boyer, a support specialist at Nortek. He wouldn't describe how it's done, except to say that some computer drives can be penetrated using "non-invasive" methods, while others are more difficult. "There's quite a bit involved, engineering-wise and facility-wise," Boyer said. The company is alert to suspicious clients who seem to be trying to break into someone else's computer, and keeps records of device serial numbers, he said. It has removed passwords for law enforcement agencies in the U.S., Canada, England, Denmark and other countries. The availability of commercial password removal suggests HP may be sincere when it says it didn't help the FBI. But Crooker said that's no obstacle to his lawsuit. "Why are HP and Compaq still advertising this DriveLock system when they have to know about the Canadian operation for $285?" he asked. "They're lulling us into this sense of security, when for $285 it can be exposed? It ain't right."
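The mechanism the article describes is the ATA security feature set, which HP's DriveLock drives through the BIOS: the password is held and checked by the drive's own firmware, so moving the drive to another machine does nothing, and a "locked" drive is not an encrypted one. On Linux the drive's security state is visible in the "Security:" block of `hdparm -I`. The following is an added example written for this page, not code from the article or from HP; it parses that block from constructed sample output (the keywords and layout follow hdparm's real format, the values are made up) and classifies the drive, including the two states a practitioner should care about: "locked but plaintext on the platters", and "no password set and not frozen", where any process able to issue ATA commands could set a password and lock the owner out.

```python
"""Classify a drive's ATA security state from the Security block of `hdparm -I`.

Added example for this page. The sample blocks below are constructed; they copy
hdparm's real keywords and indentation but describe no actual drive.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a drive with a user password set and still locked
# (what a DriveLock'ed disk looks like when the BIOS never unlocked it).
SAMPLE_LOCKED = (
    "ATA device, with non-removable media\n"
    "Security:\n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\t\tenabled\n"
    "\t\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\tSecurity level high\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
    "Logical Unit WWN Device Identifier: 5000c500aaaaaaaa\n"
)

# Constructed sample: no password, and the BIOS did not freeze the drive.
SAMPLE_OPEN = (
    "Security:\n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
    "Checksum: correct\n"
)


@dataclass
class AtaSecurity:
    supported: bool = False
    enabled: bool = False        # a user password has been set
    locked: bool = False         # drive refuses media access until SECURITY UNLOCK
    frozen: bool = False         # security commands rejected until next power cycle
    expired: bool = False        # unlock attempt counter exhausted
    enhanced_erase: bool = False
    level: Optional[str] = None  # "high" or "maximum", printed only when enabled
    master_revision: Optional[int] = None


# hdparm prints each flag as "\t\tflag" or "\tnot\tflag"
_FLAG = re.compile(r"^\s*(not)?\s*(supported|enabled|locked|frozen|expired)\b")


def parse_security_section(text: str) -> AtaSecurity:
    """Extract the Security block from full `hdparm -I` output."""
    sec = AtaSecurity()
    in_block = False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_block = True
            continue
        if not in_block:
            continue
        if line and not line[0].isspace():  # next top-level section ends the block
            break
        stripped = line.strip()
        if stripped.startswith("supported: enhanced erase"):
            sec.enhanced_erase = True
            continue
        m = re.match(r"Master password revision code = (\d+)", stripped)
        if m:
            sec.master_revision = int(m.group(1))
            continue
        m = re.match(r"Security level (high|maximum)", stripped)
        if m:
            sec.level = m.group(1)
            continue
        m = _FLAG.match(line)
        if m:
            setattr(sec, m.group(2), m.group(1) is None)
    return sec


def assess(sec: AtaSecurity) -> List[str]:
    """Return finding codes in a fixed order so callers can act on them."""
    if not sec.supported:
        return ["NO_ATA_SECURITY"]
    findings = []
    if sec.locked:
        # Access is refused by firmware; the platters still hold plaintext.
        findings.append("LOCKED_NOT_ENCRYPTED")
    elif sec.enabled:
        findings.append("PASSWORD_SET_BUT_UNLOCKED")
    elif not sec.frozen:
        # Anyone who can send ATA commands could SECURITY SET PASSWORD here.
        findings.append("UNFROZEN_NO_PASSWORD")
    if sec.frozen:
        findings.append("FROZEN_UNTIL_POWER_CYCLE")
    return findings


if __name__ == "__main__":
    for name, sample in (("locked", SAMPLE_LOCKED), ("open", SAMPLE_OPEN)):
        print(name, assess(parse_security_section(sample)))
```

On a real machine, feed `subprocess.run(["hdparm", "-I", "/dev/sda"], capture_output=True, text=True).stdout` to `parse_security_section`; the "locked" finding is exactly the situation the article describes, where the data is unreadable through the drive yet not encrypted, and the "unfrozen, no password" finding is the opposite exposure that a BIOS which issues SECURITY FREEZE LOCK at boot is meant to close.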
In the recent past the federal government has attempted to build in backdoors to certain computer systems: In the early 1990s, the National Security Agency tried to require the installation of a chip in phone transmission systems, so agents could eavesdrop on encrypted conversations. The Electronic Frontier Foundation and other civil liberties groups attacked the proposal, which eventually died (although recently AT&T reportedly allowed the NSA to monitor millions of phone calls without warrants, using specially installed supercomputers). So while DriveLock may not be wholly secure, software that uses Blowfish and other encryption methods remains widely available. To civil liberty advocates, that's good news, even if it means individuals like Michael Crooker can hide their secrets from law enforcement. "Encryption software is becoming a very ordinary thing. That's a very positive development in terms of limiting the erosion of privacy in certain ways," said Seth Schoen, a staff technologist at the Electronic Frontier Foundation. Crooker said he understands the argument for allowing the government to penetrate computer security systems. "I can see both sides of it," he said. But that doesn't mean he's letting HP off the hook for pretending DriveLock was really secure. That's a point security experts would agree with: undisclosed flaws are the Achilles' heel of any security scheme, because then the user of the system doesn't even know what kind of incursions to watch out for. For Bruce Schneier, the key to preventing such flaws is the kind of legal liability that Michael Crooker is trying to create, forcing companies to pay through the nose until they develop security that really works. "Unfortunately, this probably isn't a great case," Schneier said. "Here's a man who's not going to get much sympathy. You want a defendant who bought the Compaq computer, and then, you know, his competitor, or a rogue employee, or someone who broke into his office, got the data.
That's a much more sympathetic defendant."

Copyright © 1995-2006 New Mass Media. All rights reserved

From isn at c4i.org Mon May 1 01:40:25 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:40:25 -0500 (CDT)
Subject: [ISN] Ag firm employee charged with hacking into county data base
Message-ID:

http://www.lititzrecord.com/pages/news/local/4/22302

By Michael Yoder - Record Express Staff
Lititz Record Express
Apr 27, 2006

LITITZ, PA - A Lancaster man has been charged with illegally logging into the county's web-based computer assisted dispatch program while working at a local agricultural firm. Duane Kline, of Lancaster, was charged on April 20 with the unlawful use of a computer and other computer crimes by using the East Hempfield Township Police Department's login and password to access the Lancaster County-Wide Communications World Wide Web based Computer Assisted Dispatch site. Kline, who is an employee of Northeast Agri Systems, 139A W. Airport Rd., Lititz, is accused of logging into the computer system on 161 separate occasions between June 27 and Nov. 7, 2005. He is accused of gaining information on restricted police intelligence and investigative information he did not have access to see and also disseminating portions of the information verbally. According to the affidavit filed in Manheim Township, Lancaster County Detective Peter J. Savage Jr. investigated an anonymous tip received in February that Kline was logging into the computer system on his computer at Northeast Agri Systems and sharing privileged information with friends. Savage was able to determine that Kline did access the computer system through Northeast's Internet protocol address and was logging into the system using the East Hempfield Township Police Department password. Kline is a lieutenant with the West Hempfield Fire and Rescue Company. On March 15 Savage interviewed Kline and asked him about accessing the site.
According to the affidavit, Kline admitted logging into the restricted site. He said initially he would log in for curiosity, but later he admitted running names in the system to look for background information. Kline admitted running the name in the system of an ex-employee at Northeast Agri Systems after the individual was fired from the company.

From isn at c4i.org Mon May 1 01:41:52 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:41:52 -0500 (CDT)
Subject: [ISN] Schools scramble to safeguard computer systems
Message-ID:

http://www.boston.com/news/local/massachusetts/articles/2006/04/29/schools_scramble_to_safeguard_computer_systems/

By Maria Sacchetti
Globe Staff
April 29, 2006

Private industry long ago adopted safeguards against hacking, but public schools, which just began putting student records online in recent years, are only starting to recognize their vulnerability. The allegations that a student gained access to a teacher's computer at Boston Latin School and saw tests and student records apparently took officials by surprise. Boston Public Schools had begun to talk about improving computer security at all schools before the alleged incident, but immediately tightened security afterward. ''For lack of a better term, this is sort of a test case to figure out where security breaches might be," said Jonathan Palumbo, a school system spokesman. Lexington High officials are debating whether to e-mail report cards to parents, weighing the convenience against the security risks. Brookline High forced teachers to make their passwords tougher to guess this year after students broke into the computer system to change grades. ''You can't assume that you're smarter than the kids about computers," said Michael Frantz, assistant headmaster at Brookline High. ''It certainly is a wake-up call. . . . This kind of thing can really happen to us." Decades ago, public schools were untroubled by computer security.
But now 95 percent of the state's classrooms are wired for the Internet, according to the state Department of Education. Teachers store grades on the Internet. Clerks track student absences and tardiness online. Some even share that with parents: letting them check online to make sure their child went to school or to monitor their grades. A year ago, Lexington High investigated a student on allegations that he altered his attendance records, which had been posted online. The school now wants to e-mail report cards, but officials said they are not sure whether the school has protected itself well enough against hackers. ''I really worry about that. We're certainly behind," said Bill Cole, a dean at the school. ''We definitely have a population here that would see it as a challenge here and break in." This school year, Brookline High officials suspended the two students it caught breaking into the computer system and changing grades. ''You can't make a guarantee that it wouldn't happen again," Frantz said. ''We're more careful, and things are tighter than they were. I think it would be a lot more difficult for it to happen." Charlie Lyons, superintendent and director at Shawsheen Valley Technical High School, in Billerica, said he spends $50,000 a year on computer updates and security. He also hired a director of computer services because the school has nearly 700 computers. ''There's no system that's unbreakable. There's going to be some kid from MIT that's probably going to . . . be able to break into any system in the world," Lyons said. Francis Cahill, who taught Latin at Boston Latin School for 33 years before retiring in June 2005, said more teachers who used to keep grades on paper and tests in files are relying on computers. Students are ''a lot more sophisticated than a lot of the teachers," said Cahill, who had never heard of a student breaking into the school's computer system during his time at Latin. 
''Kids are always looking for a leg up no matter what school they're in. It doesn't surprise me at all. ''I would guess that in any kind of school where kids are trying to get into college, the same kind of thing could happen." Tracy Jan of the Globe staff contributed to this report.

© Copyright 2005 The New York Times Company

From isn at c4i.org Mon May 1 01:42:04 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:42:04 -0500 (CDT)
Subject: [ISN] Pentagon Halts Contractor Clearances
Message-ID:

http://www.washingtonpost.com/wp-dyn//content/article/2006/04/28/AR2006042801878.html

By Renae Merle
Washington Post Staff Writer
April 29, 2006

The Pentagon stopped processing security clearances for government contractors this week, potentially exacerbating a shortage of employees authorized to work on the government's most secret programs. The Defense Security Service blamed overwhelming demand and a budget shortfall for the halt, which caught the government contracting community by surprise. Already, 3,000 applications have been put on hold, said Cindy McGovern, a DSS spokeswoman. "We're holding them [the applications] now to see if we can resolve the issue. The more drastic step would be not accepting them" at all, McGovern said, a step the agency considered but dropped for now. The demand for security clearances among private companies has grown dramatically since the Sept. 11, 2001, terrorist attacks as the government increasingly relies on contractors to do intelligence gathering and work on classified programs. There has been growing frustration with the wait time, which some companies have described as up to a year, to obtain clearances for new employees. Some firms have reverted to gimmicks and large bonuses to attract employees with pre-existing clearances, and industry officials worry that this week's action will increase competition and salary demands.
The move affects not only defense contractors, but also those who work on projects for more than 20 other agencies, including NASA and the Department of Homeland Security. "We have companies right now that have positions that are funded that they can't find people for," said Stan Soloway, president of the Professional Services Council. "This could completely shut the system down." The Defense Security Service blames, in part, the sheer volume of requests. Between October and March, more than 100,000 security-clearance applications were submitted. The service is also struggling with a budget shortfall, McGovern said, noting that its funding was cut by $20 million this year. McGovern said she did not know how much of a shortfall the agency faces. Last year, the Office of Personnel Management took over the job of conducting background investigations. But the Defense Security Service picks up the tab, which can be as much as $3,700 for a top-secret clearance. The Office of Personnel Management can also charge a premium of 19 to 25 percent for the work, which was not factored into the DSS budget, said David Marin, staff director for the House Government Reform Committee. Marin estimates the agency's shortfall at between $75 million and $100 million. The agency's efforts to cut costs began earlier this month when it alerted contractors that it would no longer offer a more expensive expedited application process. On Tuesday, the agency stopped forwarding new applications to the OPM altogether. The decision is "both baffling and disturbing," Rep. Thomas M. Davis III (R-Va.), chairman of the Government Reform Committee, said in a letter to the agency yesterday. Davis expects to hold a hearing on the issue, according to his office. "It sure could get to be a real problem really fast," said John Douglas, president of the Aerospace Industries Association, a lobby group that represents companies including Lockheed Martin Corp. and Boeing Co., the Pentagon's largest contractors. 
"There doesn't seem to be any exceptions, and you would think that if you were working on a classified project to stop IEDs [improvised explosive devices], there would be."

© 2006 The Washington Post Company

From isn at c4i.org Mon May 1 01:42:15 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:42:15 -0500 (CDT)
Subject: [ISN] NIST releases standards for security logs
Message-ID:

http://www.fcw.com/article94229-04-28-06-Web

By Wade-Hahn Chan
Apr. 28, 2006

The National Institute of Standards and Technology released technical guidelines on how federal agencies should manage security logs. The guidelines cover log generation, transmission, storage, analysis and disposal. The guidelines, NIST Special Publication 800-92: Guide to Computer Security Log Management [1], include suggestions for creating a log management policy, prioritizing log files and creating a centralized log management infrastructure to include all hardware, software, networks and media. The 64-page document notes that agencies must deal with larger quantities, volumes and varieties of security logs. They also must comply with a growing number of legislative requirements such as the Federal Information Security Management Act and the Health Insurance Portability and Accountability Act.

[1] http://csrc.ncsl.nist.gov/publications/drafts/DRAFT-SP800-92.pdf

From isn at c4i.org Tue May 2 04:42:33 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:42:33 -0500 (CDT)
Subject: [ISN] Iridium trumpets latest satellite phones for emergency response
Message-ID:

http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,111058,00.html

By Todd R. Weiss
MAY 01, 2006
COMPUTERWORLD

Just a month before the official U.S.
hurricane season begins on June 1, Iridium Satellite LLC today unveiled satellite telephone communications equipment that will interoperate with existing UHF and VHF radio systems already used by police, rescue agencies, firefighters and other first responders. In an announcement today, the Bethesda, Md.-based vendor said the equipment can prevent much of the widespread communications troubles that plagued the Southeast U.S. after Hurricanes Katrina and Rita pummeled the area last year. In the wake of the storms, land-line and cellular telephone systems were largely devastated in Louisiana, Mississippi and parts of other nearby states due to downed lines, destroyed towers and other communications infrastructure failures. Emergency workers had to use radios, satellite telephones and other means to communicate until telephone service was restored. The Iridium systems offer interoperable voice and data communications, will work anywhere and are portable, according to the company. The data services include integration of radio frequency identification tags to help track vehicles, supplies and personnel wirelessly during emergencies so that response efforts can be monitored, the company said. Iridium services are already being used in some states, including Florida, Georgia, Louisiana, Mississippi, Missouri, South Carolina and Texas. The Iridium systems can interoperate with other communications systems, including VHF and UHF radios, making them flexible in times of emergency, Greg Ewert, executive vice president for Iridium, said in a statement. "Many states that could be affected by hurricanes this season are still far from being prepared from a communications perspective," he said. The Iridium systems also offer quick setup and do not use a land-based infrastructure that can be damaged in a disaster, according to the company. "Iridium may typically be thought of as a satellite phone in the hands of a first responder," Ewert said. 
"Increasingly, government customers are seeking Iridium for tracking and redirecting of important assets in an emergency, including critical supplies, vehicles and even personnel. This is done through communications systems based on our data-only transceiver. Many first responders [during Hurricanes Katrina and Rita] were left vulnerable when it came to asset tracking. Supplies sat by the side of the road because communications were hampered with a lack of deployed mobile satellite services. They were unable to redirect supplies as needed. With our solution, they can stay in touch and stay in control." Ted O'Brien, vice president of market development at Iridium, said today that the systems can be expanded as needed. Satellite telephone handsets are priced at about $1,500 each, while a fixed base station that can be used in a rescue facility costs about $3,000, including an external antenna. The interoperability system that allows satellite telephone users to communicate with VHF and UHF radio users -- as well as more than two-dozen other systems -- costs about $10,000. Small mobile wireless modems that can be attached to vehicles and supply containers for wireless tracking cost about $500 each if tracking capabilities are to be deployed. The equipment can be used with solar chargers so it can be recharged when power is out, or vehicle battery charger adapters can be used. "First responders using Iridium tell us time and again that we're often the only line of communications they have, particularly during and right after a disaster strikes," Ewert said in a statement. "When communications infrastructure goes down, they need to get to the disaster scene and connect back to headquarters to coordinate their rescue and relief mission. ... It usually takes several days for first responders to set up more permanent, fixed communications services in a disaster scene. They use Iridium to keep in touch and to coordinate their rescue mission as it unfolds." 
Iridium provides global satellite voice and data communications using 66 cross-linked satellites, according to the company. Since revamping its operations five years ago following the bankruptcy of its predecessor (see "Iridium Refocuses on B2B" [1]), the new Iridium Satellite LLC has positioned itself as a business and government satellite communications provider for fail-safe communications. The original Iridium LLC was about to decommission its satellite network in 2001 when it was purchased by a consortium of buyers for $25 million. The satellite system cost $5 billion when it was built in 1998 by Schaumburg, Ill.-based Motorola Inc. and others.

[1] http://www.computerworld.com/industrytopics/defense/story/0,10801,59152,00.html

From isn at c4i.org Tue May 2 04:43:31 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:43:31 -0500 (CDT)
Subject: [ISN] Hacker turns Canadian PM into baby eater
Message-ID:

http://www.theinquirer.net/?article=31390

By Nick Farrell
02 May 2006

COMMUTERS ON ONE of Canada's busiest trade routes were amused when the LED message board announced that Prime Minister Stephen Harper eats babies. Instead of announcing the next stop, the LED board on the GO trains seemed to feel that it was very important that the world knew about Harper's dining habits. Alas, no one seems to have snapped a picture of the phenomenon, but the story has been confirmed by the people running the possessed LED board, Exclusive Advertising. The outfit said that its LED board had been hacked and the message had not been authorised by it, or GO trains. Exclusive Advertising said that it was sprucing up its security after the incident. However, the press release, here [1], seems more interested in catching the hacker than apologising to Harper. It also repeats the LED comments in big bold letters in case you were left wondering what the Hacker claimed.
[1] http://www.c4i.org/StephenHarperBabies.jpg

From isn at c4i.org Tue May 2 04:43:45 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:43:45 -0500 (CDT)
Subject: [ISN] SANS Institute updates list of 'Top 20 Internet Security Vulnerabilities'
Message-ID:

http://www.networkworld.com/news/2006/050106-sans-top-20.html

By Ellen Messmer
NetworkWorld.com
05/01/06

SANS Institute Monday updated its list of "Top 20" vulnerabilities discovered in products or types of exploits and attacks that threaten users on the Internet. The SANS "Spring Update" of its Top 20 Internet Security Vulnerabilities cites a growth in critical vulnerabilities discovered in the Mac OS/X operating systems, as well as vulnerabilities associated with the Mozilla Firefox open-source Web browsers that had to be patched. Rohit Dhamankar, editor of the SANS Top 20 and manager of security research at 3Com's TippingPoint division, said the good news is that software patches for the Mozilla Firefox open-source browsers are usually more quickly issued compared with Microsoft's patch process for its Internet Explorer. "The [Mozilla Firefox] patches arrive much faster, typically within a week," said Dhamankar, adding that Microsoft generally waits for its scheduled second Tuesday of the month to issue software patches. He added that so many zero-day exploits have been discovered recently in association with Microsoft Explorer, the browser's name should be changed to "Internet Exploiter." Other trends cited by SANS Institute include SQL injection vulnerabilities and attacks against databases, as well as the "scourge" of successful "spear phishing" attacks, especially against U.S. defense and nuclear-energy sites. In spear phishing, an attacker sends e-mail pretending to be a trusted source to a targeted victim who turns over sensitive information to the attacker.
While SANS Director of Research Alan Paller declined to reveal the names of specific agencies that had been the target of spear phishing, this type of attack has caused so much concern in the U.S. government, he said, that there's been a new word coined for such an attack: "exfiltration." A play on the word "infiltration," the word "exfiltration" is "being used a lot around Washington these days," because of a number of successful spear-phishing attacks, says Paller.

From isn at c4i.org Tue May 2 04:44:00 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:44:00 -0500 (CDT)
Subject: [ISN] NCSoft to Appeal Ruling on Data Theft Case
Message-ID:

http://times.hankooki.com/lpage/200604/kt2006043016491310160.htm

By Kim Tae-gyu
Staff Reporter
04-30-2006

NCSoft, Korea's biggest online game developer, is likely to appeal last week's verdict that mandated it to pay 500,000 won ($530) to five holders of hacked accounts for cyber game "Lineage II." "We cannot accept the ruling because there was no report of actual damage from the case, which involves just the potential risk of information leakage," NCSoft spokeswoman Lee Hwa-su said. Last Friday, the Seoul District Court ordered NCSoft, the maker of the famous role-playing game Lineage II, to pay out 500,000 won to five plaintiffs, who lodged a civil complaint last autumn. NCSoft is expected to receive the notice of the ruling this week or next. It may at least indirectly affect two similar cases filed by about 8,500 subscribers to Lineage I, the precedent for Lineage II, and by 414 against Kookmin Bank, the nation's biggest lender. In its ruling, the court said that NCSoft managed personal information in a manner that made it vulnerable to leakage. While conducting a regular game upgrade in May 2005, NCSoft failed to encrypt a database log file that contained usernames and passwords, the court observed.
As a result, the account data of numerous Lineage II subscribers, who logged onto the online game during May 11 to May 16 last year, were available at a computer used for the game. Five subscribers filed a lawsuit last autumn, seeking 5 million won each in compensation and could partially win the case in a half-year litigation last Friday. But NCSoft still denies its responsibility for the plaintiffs, who the company claims have failed to prove any practical damages from the data leakage. "The account data in question were kept in a computer file, where even an expert would struggle to find out, for very short period of time or six days at longest," Lee said. "There is little likelihood that the data was leaked outside and we have yet to receive any damage report from it. We think this is a different case compared to other identity theft," she said. Observers also point out NCSoft would not comply with the verdict, which might cause the company to collapse due to resultant court actions. "Should NCSoft obey the compensation ruling, other Lineage II users would try to gain windfalls by taking the firm to the court. How can the outfit take such a risk?" asked Han Ik-hee, an analyst at Prudential Securities. Indeed, subscribers who pay a monthly fee of 29,600 won for the Lineage II membership amount to 1 million, the potential beneficiary of the compensation verdict. The legal battle marks back-to-back bad news for NCSoft, which already suffered from setbacks due to the identity theft case related to Lineage I, which caught the nation off guard early this year, and triggered lawsuits by roughly 8,500. Complaints piled up in February that hackers were stealing private data from millions of Korean people. The stolen data is believed to have been collected mostly by Chinese crackers, who used it to sign up for Lineage I.
From isn at c4i.org Tue May 2 04:42:17 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:42:17 -0500 (CDT)
Subject: [ISN] 'Second Life' fending off denial-of-service attacks
Message-ID:

http://news.com.com/Second+Life+fending+off+denial-of-service+attacks/2100-1043_3-6067003.html

By Daniel Terdiman
Staff Writer, CNET News.com
May 1, 2006

The popular virtual world "Second Life" was shut down twice over the weekend as its publisher, Linden Lab, fended off denial-of-service attacks. The attacks took the form of someone creating self-replicating objects in the world that began to crash servers and forced San Francisco-based Linden Lab to temporarily close down the entire "Second Life" grid. This is not the first time "Second Life" has been hit by denial-of-service attacks. Last fall, it was hit with similar assaults. Shortly thereafter Philip Rosedale, the company's CEO, told "Second Life" members that the company planned to turn the responsible parties in to the FBI. "Second Life" is an open-ended virtual world that allows its users to create, buy and sell nearly any kind of avatars, vehicles, attire and buildings they can imagine. Users can play for free, and Linden Lab makes money through the sale of virtual "land" and subsequent land-maintenance fees. "Second Life" is not the only virtual world to suffer recent server problems. Over the past month, Blizzard Entertainment's "World of Warcraft" has been dealing with a variety of ongoing server problems that prevented users from getting into the game, kicked some out with no warning and deactivated their accounts due to billing problems. Those issues, however, are not related to any kind of outside attack. This weekend's attacks took advantage of the fact that any "Second Life" member can create nearly any kind of objects in the virtual world that they like.
"What happened is people create an object that then replicates itself, and then of course, it's like cell division," said Robin Harper, vice president of community development and support. First there's "two and then four, and pretty soon you've got objects sprouting and they go across boundaries and they crash servers." Harper said that Linden Lab had been able to contain the object replication, and indeed, a check by CNET News.com Monday morning showed that "Second Life" was up and running normally. Still, she said that the attacks are serious business and that Linden Lab is once again getting federal authorities involved. "It's certainly a very important issue because it disrupts commerce," said Harper. "It disrupts events. People have weddings planned or a party or something, and it gets in the way. It's (also) costing our customers money, and that's what makes it something we can discuss with the federal authorities, because it's a significant economic disruption." Ginsu Yoon, Linden Lab's general counsel, said that he expects federal authorities to take action, but isn't sure when that will happen. He said law enforcement action on the previous attacks is forthcoming as well, and that the perpetrators shouldn't take heart in any delay in prosecution. "People who are thinking that they're off free because there's been grid attacks before and nothing happened--they will be surprised," said Yoon. "It's just a matter of time." And while Linden Lab won't say who the perpetrators are, citing the ongoing investigation and the company's policy not to give out the names of its customers, it hinted that it knows. "We have very specific information about the identities of individuals involved in the attacks," Yoon wrote to CNET News.com on Monday in an e-mail originally drafted in January. "There are people who think that bringing down our grid is fun, and that it's not breaking the law. 
I'd encourage those people to read the federal code" about denial-of-service attacks.

From isn at c4i.org Tue May 2 04:44:13 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:44:13 -0500 (CDT)
Subject: [ISN] Ohio U. alumni at risk for identity theft
Message-ID:

http://www.cantonrep.com/index.php?ID=283728

By Melissa Griffy Seeton
REPOSITORY EDUCATION WRITER
May 2, 2006

Bob Tscholl has contributed to Ohio University in many respects: He's a Bobcat as are his three children. A recent security breach may mean he'll give a little more. But the Canton attorney has faith the university will do all it can to prevent that. "It kind of goes with the territory," Tscholl said. "Anytime you belong to an organization nowadays, you have to be aware there is some risk ... . I'm not too concerned." Ohio University President Roderick McDavis announced at a press conference Monday that he, too, is among the more than 300,000 alumni and friends of Ohio University - not current students - whose personal information may have been compromised when unauthorized access was gained to a computer system supporting alumni relations. "We are doing everything in our power to reduce the impact of this data theft," Ohio University Associate Provost for Information Technology and Chief Information Officer Bill Sams said in a press release. "At this point, we have no evidence of illegal use of the breached information." The breached computer system contained biographical information on more than 300,000 individuals and organizations, including the Social Security numbers of more than 137,000 people, according to university officials. The files did not contain credit-card or bank information. The security violation was discovered on April 24 when, according to Sams, "The university immediately began assessing the situation to determine its extent. Once it became clear that personal information was involved, we began the process of notifying the affected individuals."
University officials were unable to confirm Monday how many Ohio University alumni are from the Stark County area. A search of recent college graduates revealed 12 local residents graduated from the school in December and eight received diplomas last May.

The FBI is investigating the incident, and university officials said the college will hire an outside consultant to conduct a risk assessment of its computer information systems.

A separate security breach occurred at the college on April 21, when office files were compromised at its Technology Transfer Department. The files included e-mails, patent and intellectual property files.

Ohio University is at least the third college that has announced in recent months unauthorized access was gained to confidential information.

In September, two computers were stolen from Kent State University offices. The computers contained the names and Social Security numbers of practically every student and instructor since 2002, and every graduate since 1988.

And, in August, Web site security was breached at Stark State College of Technology. Students couldn't access their own personal information - such as their grades or student loans - instead the personal information of another student was shown, including Social Security numbers. College officials said the incident was not the result of a hacker, but a computer software glitch.

Reach Repository writer Melissa Griffy Seeton at (330) 580-8318 or e-mail: melissa.griffy @ cantonrep.com

-=-

COULD I BE AFFECTED?

Ohio University is sending e-mails and letters to people who may have been affected by the security breach. As a precaution, the university will not request personal information electronically as part of this notification. The university cautions people to not disclose personal information if they receive an e-mail - even if it appears to come from the university.
The university has established a Web page at www.ohiou.edu/datatheft to provide detailed information, and a toll-free hotline at (800) 901-2303.

Source: Ohio University

-=-

PROTECT YOURSELF FROM IDENTITY THEFT

Ohio University recommends that alumni protect themselves from the security breach by:

-- Obtaining a free credit report from Equifax (800) 525-6285, Experian (888) 397-3742 and TransUnion (800) 680-7289.
-- Calling these three credit reporting agencies to place fraud alerts lasting 90 days on credit inquiries.
-- Monitoring credit accounts for any unusual activity during the next several months.

Source: Ohio University

©2006 The Repository

From isn at c4i.org Tue May 2 04:44:28 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:44:28 -0500 (CDT)
Subject: [ISN] InfoSec News List Information
Message-ID:

http://www.infosecnews.org

InfoSec News is a privately run, medium traffic list that caters to the distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more.

To subscribe to InfoSec News, click here [1].

The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.
Information on where to obtain articles in current magazines.
Security Book reviews and information.
Security conference/seminar information.
New security product information.
And anything else that comes to mind...

Feedback is encouraged. The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on".

Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text.
Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list. Anonymous feedback is always welcome.

Please DO NOT:

* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (i.e., juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as 75+ returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s). This is not a whim! Other moderators have begun to do the same.

Special thanks to the following for continued contribution: William Knowles, Brian Martin, Jay Dyson, Emerson Tan, Nicholas Brawn, Felix von Leitner, Robert G. Ferrell, eric wolbrom, Matthew Patton, Marjorie Simmons, Richard Forno, Darren Reed, Robert Slade, Attrition.org, Curiosity.org and several other contributors.

InfoSec News Archives:
http://www.landfield.com/isn
http://lists.jammed.com/ISN/
http://lists.insecure.org/isn/
http://www.attrition.org/pipermail/isn
http://online.securityfocus.com/archive/12
http://marc.theaimsgroup.com/?l=isn&r=1&w=2

InfoSec News is Moderated by William Knowles wk (at) c4i.org. ISN is a private list. Moderation of topics, member subscription, & everything else about the list is solely at his discretion.

The InfoSec News membership list is NOT available for sale or disclosure.

InfoSec News is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.
[1] http://www.infosecnews.org

From isn at c4i.org Wed May 3 02:37:52 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 3 May 2006 01:37:52 -0500 (CDT)
Subject: [ISN] Iron Mountain loses more backup tapes
Message-ID:

http://www.techworld.com/security/news/index.cfm?newsID=5915

By Chris Mellor
Techworld
02 May 2006

Accident-prone Iron Mountain has mislaid more backup tapes containing personal information.

On April 6th, a driver reported that backup tapes belonging to the Long Island Rail Road (LIRR) and another customer had gone missing. The LIRR tapes contained personal information about 17,000 past and current employees - virtually everyone who has ever worked for the concern. The second customer's tapes did not contain personal information.

So far no evidence of theft has been found; the tapes have apparently just been mislaid. The LIRR is providing a paid-for one year account with a credit check and identity theft monitoring service - a costly exercise for 17,000 people.

Iron Mountain has previously lost backup tapes belonging to Time Warner in March, 2005. These covered 600,000 current and past employees.

From isn at c4i.org Wed May 3 02:27:30 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 3 May 2006 01:27:30 -0500 (CDT)
Subject: [ISN] Oracle keeps many users waiting on April patches
Message-ID:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,111098,00.html

By Robert McMillan
IDG NEWS SERVICE
MAY 02, 2006

Testing problems are forcing some Oracle Corp. users to wait a little longer than usual for the company's latest round of security patches, the first of which were released last month.

Though Oracle offered patches for a number of its most popular products as part of its April 18 Critical Patch Update, it had said that updates for many other versions of the products would not become available until May 1. Now, the database vendor is saying that many of those critical updates may not be available until as late as May 15.
Oracle typically releases about 150 patches for a variety of different operating systems in its Critical Patch Updates, which ship every three months.

The problem with the April update is that some of the patches have not yet passed the comprehensive suites of tests that Oracle uses to ensure that they will not disrupt customers' applications, said Darius Wiles, manager of Oracle Security Alerts.

"There were some [updates] that failed out of the test suite, so we needed some more time to test them," Wiles said.

Oracle is particularly eager to complete testing and release updates for some of the more widely used versions of its database, including versions 8.1.7.4 and 10.1.0.4. But the company first needs to ensure that the new software will not disrupt customers, Wiles said.

Oracle users can find more information on the estimated delivery date of Oracle's patches by checking the pre-installation notes Oracle has published for each of its products. These can be found on Oracle's MetaLink online support service by searching for document: 360464.1

Security researcher and Oracle critic David Litchfield believes that by waiting so long to update some versions of its products, Oracle is undermining the value of its regular patch release cycle, which is designed to provide customers with regular, predictable software updates. In an interview, Litchfield criticized both the lateness of the updates and their quality.

"The whole point of a regular patch cycle is that people can plan ahead and install once," said Litchfield, managing director of Next Generation Security Software Ltd., in Sutton, England. "But if you are having to install it nine times, where's the benefit of that?"

Litchfield estimates that two-thirds of Oracle's supported products are now unpatched, leaving many users vulnerable. But Wiles countered that the problem appears to be worse than it is.
Because updates for some applications, such as Oracle's application server, are dependent on the database fixes, there has been a bottleneck effect with the updates. "Once we get the database stuff cleared, there are going to be a whole bunch of products that are going to be patched."

Though some security researchers such as Litchfield are critical of Oracle's delays, most customers prefer that the software vendor deliver a tested and reliable product, said David Kennedy, a senior risk analyst with Cybertrust Inc., in Herndon, Virginia.

"I'm sympathetic with Oracle," he said. "They get barbecued for not coming up with patches fast enough."

"On the other hand," he said, "They could be just slow and lazy."

From isn at c4i.org Wed May 3 02:39:10 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 3 May 2006 01:39:10 -0500 (CDT)
Subject: [ISN] Retaliation for Antispam Success?
Message-ID:

http://www.wired.com/news/technology/internet/0,70798-0.html

By Joanna Glasner
May 02, 2006

An unusual spam war has erupted on the net, pitting an apparently irate spammer against an Israeli antispam firm that claims it's making junk e-mailers think twice about bugging its customers.

Blue Security's controversial method uses reverse spam, if you will, returning massive quantities of opt-out messages to companies it identifies as spammers. Apparently the companies on the receiving end don't like it one bit.

In an escalation of hostilities this week, Blue Security customers began receiving thousands of messages demanding that members either drop the company's service or continue to receive an avalanche of unwanted e-mails. In addition, U.S. internet users were unable to access Blue Security's website Tuesday. The company said it is still investigating the cause, which may have been a distributed denial of service attack.

"We have devised a method to retrieve your address from their database," one message states.
"So by signing up and remaining a Blue Security user not only are you opening yourself up for this, you are also potentially verifying your e-mail address through them to even more spammers."

Blue Security's founder and CEO, Eran Reshef, called the spammer's allegations of a security hole a baseless scare tactic. Bulk e-mailers, he said, want to stifle the spread of Blue Frog, a tool that customers install on their computers that automatically floods spammers with opt-out messages.

"The best way to combat this is to continue running the Blue Frog," Reshef said.

The spammer's counteroffensive comes as Blue Security, a 2-year-old firm based in Israel, claims to be making dramatic progress in stopping spam. Three weeks ago, Blue Security said, the world's top junk mailer, responsible for about 9 percent of all spam, stopped sending messages to inboxes of its half-million registered users. On Monday, the company said, the second-largest spammer started contacting its affiliates and advising them not to contact Blue Frog users.

Blue Security's controversial spam-fighting approach is modeled as a sort of e-mail version of the Federal Communications Commission's national Do Not Call registry. Through its "Do Not Intrude Registry," users send automated messages opting out of future mailings from spammers, a right spelled out in the Can-Spam Act.

Not everyone is sold on the concept. Critics of Blue Security's methodology say that by maintaining a list of people who don't want spam, the company makes users vulnerable to the kind of attack that occurred this week.

"The bad guys will be able to figure out who's on the list, and they'll be able to play games like this," said John Levine, a board member of the Coalition Against Unsolicited Commercial Email. "It's the obvious counterattack of an annoyed spammer."
From isn at c4i.org Wed May 3 02:38:57 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 3 May 2006 01:38:57 -0500 (CDT)
Subject: [ISN] Aetna Loses Laptop Containing Customer Data
Message-ID:

http://www.consumeraffairs.com/news04/2006/05/aetna_laptop.html

By Martin H. Bosworth
ConsumerAffairs.Com
May 1, 2006

An employee of health insurance giant Aetna lost a laptop containing data on 38,000 customers, the company said. The information included names, addresses, and Social Security numbers, but no financial information.

The individuals were employees of companies who bought group health coverage from Aetna. The companies asked not to be identified.

Aetna spokesperson Cynthia Michener declined to verify where the theft took place, or if any of the information had been used.

In a subsequent statement, Aetna CEO Ronald Michener claimed the laptop had been secured with "strong password protection," and that the employee responsible "did not follow corporate policies."

"We have offered to pay for credit monitoring services for our affected members to help prevent any potential misuse of the information, and we are contacting each affected individual directly with information on how to access this service," Michener said.

The Aetna CEO also claimed that the company would be augmenting its data security structure to ensure all their employees followed proper procedure in the future.

Michener also said that Aetna was contacting all affected individuals, and would be offering them free credit monitoring for an unspecified period of time, to ensure they were protected from possible fraud or identity theft.

The theft or loss of laptops has been the latest trend in data breaches, with over 500,000 individuals potentially affected as a result of laptops being stolen or misplaced in the last six months. Companies affected have included Hewlett-Packard, Verizon, Ameriprise, and Ford.
The common thread in virtually all of these incidents is an employee or employees downloading confidential data onto laptops, and either leaving them physically vulnerable or failing to encrypt them. Stealing laptops from vehicles in order to resell them has often led to customers' information being exposed.

Companies typically offer free credit monitoring to employees or consumers affected by data breaches, but many affected individuals often fail to utilize the service. Some don't follow the procedures necessary to sign up for it, while others are suspicious of providing more personal information to companies that have already jeopardized their customers' financial privacy.

Copyright © 2003-2005 ConsumerAffairs.Com Inc

From isn at c4i.org Thu May 4 04:15:20 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:15:20 -0500 (CDT)
Subject: [ISN] Three rules for safer Wi-Fi away from home
Message-ID:

http://software.newsforge.com/software/06/04/20/2032257.shtml

By Joe Barr
May 02, 2006

Almost everyone has heard about wardriving, the geek sport in which you drive around and see what wireless access points (WAP) you can find and access. Because of the ink wardriving has received over the years, many home and business users have wised up and added security to their WAPs. But how about the busy traveler, the exec at Marriott, or the slacker at Starbucks? Do they take that same level of care with wireless security while they're on the road and seduced by the easy availability of Wi-Fi hotspots? Probably not, but they should.

Here are three simple assumptions you should make before taking your wireless laptop on the road. Memorize these rules, understand what they mean, and learn what to do to protect yourself. When you can do that, you can begin to protect your private, confidential, and corporate data from inquisitive eyes.

* Always assume someone is trying to see you enter a user ID or password.
* Always assume that someone is reading every packet you send and receive by Wi-Fi.
* Always assume that an "evil twin" is lurking near every Wi-Fi access point.

In following the first rule, don't worry about appearing to be rude or paranoid by moving the laptop screen position to block the view of your fingers as you're typing a password or user ID. Do the same thing to prevent those sitting to your right, left, or behind you on the plane, in the airport, or anywhere else from getting an eyeful of corporate secrets. Act as if it is the most normal thing in the world to expect a little privacy, because it is, just as it is when you're entering your PIN at an ATM.

Better than the above is not to do any of those things when you are close enough to others that they can see what you're trying to protect, even inadvertently.

While we're talking about physical security at the keyboard, password protect your laptop and set the timeout on your screensaver to a low number. Leaving your laptop behind in the hotel room while you go out for dinner or a meeting? Fine. Disconnect it from the network, power it down, and lock it.

The Wall of Shame

So much for point one -- on to point two. At Defcon each year, a group of attendees sniffs every packet sent and received via the wireless access points, looking for user IDs and passwords. Each time they find one, they unceremoniously add it to The Wall of Shame in public view.

Just about the only thing easier than using a Wi-Fi network these days is intercepting the packets on it. Avoid ending up on your own personal wall of shame by using only secure, encrypted connections to access your email, corporate accounts, financial data, and anything else of value. If your business or ISP provides Web mail, use it instead of unencrypted connections to POP or IMAP mail servers. A virtual private network between your laptop and headquarters or your home office is even more secure.
The bad guys will still be able to intercept every packet, but if they are protected by encryption, you're way ahead of the game. Most script kiddies stand about as much chance of cracking a recent WEP or WPA encryption scheme as they do of winning the Lotto. But there are others who will only be slowed down.

The evil twin

Finally, what about that intriguingly named evil twin? That's what security pros are calling a phishing scheme where the bad guys spoof a legitimate WAP's service set identifier (SSID), the name that differentiates one access point from another. Evil twins disrupt traffic to the authentic WAP and those associated with it lose their connection, then automatically re-associate with the device with the spoofed SSID.

You can avoid falling victim to this deception by not automatically attaching to a WAP and by not running your wireless connection in ad hoc mode. Know the SSID of the network you want to attach to, and learn what security options, if any, are available for it. Always use WEP or WPA instead of unprotected connectivity if you have that choice. If you can't, don't access sensitive data over the wireless connection, period. And finally, running a firewall -- the default behavior on most modern Linux distributions -- is a very good idea.

Your common sense is your best protection against losing confidential or personal data. Always behave as if the bad guys are really there, and that they really want all of your data. Acting on these assumptions is not a guarantee of wireless security, but following them will make you a lot safer than you would be otherwise.

From isn at c4i.org Thu May 4 04:15:36 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:15:36 -0500 (CDT)
Subject: [ISN] Apple online store hacked
Message-ID:

http://networks.silicon.com/webwatch/0,39024667,39158606,00.htm

By Dan Ilett
3 May 2006

Apple's Korean online store has been defaced by a hacker.
The attack, carried out by someone working under the name 'Dinam', who claimed in his post to be Turkish, was brought to the attention of silicon.com last Thursday.

The defacement was removed from Apple's website shortly after silicon.com alerted the company. Apple has subsequently refused to comment on the matter.

Jason Hart, CEO of security company Whitehat UK, told silicon.com: "The defacer has managed to get administrator access to the web server."

Although Hart suspected the hacker was after little more than "self-gratification" through vandalising the site, he said Apple should communicate what happened to its customers to end speculation.

Hart said: "The worst thing Apple can do is not tell customers what has happened. It's like all the big companies though - they're constantly having to defend themselves as they're being probed all the time."

The defacement - which took the form of a dozen lines of code posted to the apple.co.kr homepage - was documented on hackers' forum zone-h.org, which said Dinam attacked a Mac OSX server running Apache.

Richard Starnes, president of the Information Systems Security Association UK, said: "Defacements are not that big a deal provided the customer data has not been disclosed or they have suffered an economic impact.

"Defacements just tend to be embarrassing. But we know Apple is a good company and takes defacements seriously."

From isn at c4i.org Thu May 4 04:15:03 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:15:03 -0500 (CDT)
Subject: [ISN] Vietnam hacker to face the long arm of the law
Message-ID:

http://www.thanhniennews.com/education/?catid=4&newsid=15117

Translated by Thanh Tuan
Vietnamnet
May 4, 2006

The Ministry of Public Security decided Wednesday to go ahead with the prosecution of hacker Nguyen Thanh Cong for alleged links with a gang forging fake ATM cards.
The initial investigation reported that Cong had misappropriated hundreds of millions of dong (US$1 is equal to around VND15,950) from ATM machines, although his exact role in the ring has yet to be determined.

Cong, aka "DantruongX" of the "Be Yeu" (Lovely Babe) hacker group, was arrested last week for waging a month of Denial of Service (DoS) attacks on a commercial website, causing devastating loss to its owner, Viet Co Ltd.

Viet Co normally has 40 technicians to keep the website up, and nearly went broke paying them during the idle month it was under the DoS attacks initiated by Cong, according to local media.

A denial of service attack is an attack on a computer system or network that causes a loss of service to users, typically by overloading the victimized system, rendering website access impossible.

Cong's arrest came as little surprise to those in the IT community given the devastating losses to Viet Co; he is currently out on bail.

From isn at c4i.org Thu May 4 04:16:18 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:16:18 -0500 (CDT)
Subject: [ISN] IE 7.0 and Attractive Alternatives
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Thawte
http://list.windowsitpro.com/t?ctl=28F05:4FB69

Symantec
http://list.windowsitpro.com/t?ctl=28EFF:4FB69

IronPort
http://list.windowsitpro.com/t?ctl=28F01:4FB69

====================

1. In Focus: IE 7.0 and Attractive Alternatives

2. Security News and Features
- Recent Security Vulnerabilities
- Oracle Database Vault and Secure Backup Lock Down Access to Data
- AttachmateWRQ To Acquire NetIQ
- Name That Computer!

3. Security Toolkit
- Security Matters Blog
- FAQ
- Instant Poll
- Share Your Security Tips

4. New and Improved
- Put Endpoints to the Security Test

====================

==== Sponsor: Thawte ====

Learn all you need to know about code signing technology, including the goals and benefits of code signing, how code signing works and the underlying cryptographic and security concepts and building blocks.
http://list.windowsitpro.com/t?ctl=28F05:4FB69

====================

==== 1. In Focus: IE 7.0 and Attractive Alternatives ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Microsoft recently released Internet Explorer (IE) 7.0 Beta 2 for public download (first URL below). Even with the security and other improvements in IE 7.0, some people still think IE is substandard or that using IE is the equivalent of painting a target on your forehead. Still others have more scathing comments about IE: Industry luminary John Dvorak recently called IE a "dead albatross" in a column published on PC Magazine's Web site (second URL below).
http://list.windowsitpro.com/t?ctl=28F11:4FB69
http://list.windowsitpro.com/t?ctl=28F1D:4FB69

Dvorak thinks that trying to integrate the browser tightly with the OS was one of Microsoft's worst moves ever. That argument makes some sense given the number of security vulnerabilities that continue to be discovered in the browser. Dvorak thinks Microsoft should ditch IE and instead invest in Opera Software and make a large donation to Mozilla Foundation to help boost development of their respective browsers.

Such a move by Microsoft isn't likely. In fact, Microsoft is driving forward with IE tool proliferation.
If you have a copy of IE 7.0, head over to Microsoft's "Add-Ons for Internet Explorer" Web site at the URL below, where you'll find at least 63 third-party security-related tools arranged in four categories: Online Protection tools help guard against spyware and malware; Pop-Up Blockers are probably self-explanatory; Privacy tools help protect against exposure of your private information and guard against spyware and malware; and Parental Controls control online activity and help protect your children against a range of risks. Although the site claims to be for IE add-ons, you'll find many standalone tools, such as Microsoft Windows Defender and Lavasoft's Ad-Aware.
http://list.windowsitpro.com/t?ctl=28F18:4FB69

If IE 7.0 won't run on your particular platforms, then undoubtedly you know about Firefox ( http://list.windowsitpro.com/t?ctl=28F17:4FB69 ) and Opera ( http://list.windowsitpro.com/t?ctl=28F1C:4FB69 ), and might opt to use those browsers instead. But do you know about Maxthon Browser, Tablane, and Avant Browser?

Maxthon Browser, by Maxthon International, is designed on top of the IE engine and introduces a ton of new functionality not available in Microsoft's versions of IE. For example, Maxthon offers tabbed browsing, enhanced pop-up blocking, a quick way to delete private information that might be stored by the browser, enhanced drag-and-drop features, support for extensions and plug-ins, support for skins, support for many languages, and a whole lot more. In short, Maxthon (at the URL below) is what IE should have been years ago.
http://list.windowsitpro.com/t?ctl=28F1A:4FB69

Two other browsers, which are also based on the IE engine and which you might look into further, are Tablane by Tablane Technology (at the first URL below) and Avant Browser, by Avant Force (at the second URL below). Tablane has some nice features, such as "lanes," which are a way of displaying multiple Web pages in a single view.
Other features include support for Really Simple Syndication (RSS) feeds and a unique function that lets you use multiple search engines at once.
http://list.windowsitpro.com/t?ctl=28F1B:4FB69
http://list.windowsitpro.com/t?ctl=28F16:4FB69

Avant Browser claims to be "the fastest browser on Earth" and has many interesting features, some of which are similar to those found in Maxthon, such as enhanced pop-up blocking and privacy controls. However, Avant doesn't use the common tabbed interface--instead it displays many resizable windows inside the browser's single window interface. Look at the screen capture on the browser's home page to see what I mean. Avant Force also says that Avant has "no security holes," which is an extraordinary claim. I'm sure security researchers will eventually put that claim to many tests.

So even if you can't use the new IE 7.0 for some reason, several alternatives can enhance the functionality and security of your current installation of IE. Do some research and testing to see if any of the alternatives might fit your needs.

====================

==== Sponsor: Symantec ====

A multi-tier approach to email security prevents unauthorized access and can stop spam, viruses, and phishing attacks. Learn to implement one today, and protect your network security and business systems!
http://list.windowsitpro.com/t?ctl=28EFF:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=28F04:4FB69

Oracle Database Vault and Secure Backup Lock Down Access to Data
Oracle's new Database Vault provides more granular control over access privileges in Oracle Database.
Oracle also announced the availability of its new Secure Backup, which encrypts data written to tape and works with Oracle Database and various file systems on various platforms.
http://list.windowsitpro.com/t?ctl=28F0B:4FB69

AttachmateWRQ To Acquire NetIQ
AttachmateWRQ announced that it will acquire security solutions provider NetIQ for approximately $495 million in cash, which equates to about $12.20 per share of stock. NetIQ, founded in 1995, will no longer be publicly traded. Instead the company will become a business unit of AttachmateWRQ. The transaction is expected to close within 90 days.
http://list.windowsitpro.com/t?ctl=28F0E:4FB69

Name That Computer!
Jeff Fellinge takes a look at how naming conventions and IP standards can help you quickly identify systems and compares the approaches that two everyday Windows tools take to resolve IP addresses to names.
http://list.windowsitpro.com/t?ctl=28F0D:4FB69

====================

==== Resources and Events ====

Learn the essentials about how consolidation and selected technology updates build an infrastructure that can handle change effectively.
http://list.windowsitpro.com/t?ctl=28F00:4FB69

Use virtual server technology to consolidate your production environment using only a fraction of the server hardware in the data center. Live Event: Thursday, May 18
http://list.windowsitpro.com/t?ctl=28EFE:4FB69

Design effective policies to protect your company's assets and data. Don't accidentally damage what you mean to protect! View this on-demand seminar today.
http://list.windowsitpro.com/t?ctl=28F02:4FB69

Learn to differentiate alternative solutions to disaster recovery for your Windows-based applications to determine what works for you and ensure seamless recovery of your key systems--whether a disaster strikes just one server or the whole site.
Live event: Thursday, May 11
http://list.windowsitpro.com/t?ctl=28F09:4FB69

Increase administration efficiency, build flexible yet inexpensive file-server environments, and maximize potential through consolidation of your SQL Server environment. Make the most of your resources today!
http://list.windowsitpro.com/t?ctl=28F03:4FB69

====================

==== Featured White Paper ====

Learn how to address challenges such as making email truly available 24x7x365, securing against viruses, comprehensively backing up email data, and more.
http://list.windowsitpro.com/t?ctl=28EFD:4FB69

====================

==== Hot Spot: IronPort ====

Learn the best ways to manage your email security (and fight spam) using a variety of solutions and tips.
http://list.windowsitpro.com/t?ctl=28F01:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Use the Command Line, Luke
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=28F12:4FB69

If Luke Skywalker were a security administrator, his most powerful tools might be command-line tools. If you think you can figure out how to terminate a bunch of processes, some of which spawn new processes when they're terminated, you might want to take the hacking challenge "Star Hacks, Episode V: The Empire Hacks Back" described in this blog article.
http://list.windowsitpro.com/t?ctl=28F0C:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=28F10:4FB69

Q: How can I verify whether a domain controller (DC) is in a certain site?

Find the answer at http://list.windowsitpro.com/t?ctl=28F0F:4FB69

Instant Poll
What are your vacation plans for this summer?
- Taking 1 week - Taking 2 weeks - Taking 3 weeks - Not taking any time off - Taking my work to the beach Go to the Windows IT Pro home page and submit your vote http://list.windowsitpro.com/t?ctl=28F13:4FB69 Share Your Security Tips and Get $100 Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Windows IT Pro Master CD--SAVE 50%! Subscribe today and get portable, high-speed access to the entire Windows IT Pro article database on CD: a searchable library that includes every Windows IT Pro issue ever published. The newest issue also includes BONUS Windows IT Tips. Order now and save: http://list.windowsitpro.com/t?ctl=28F06:4FB69 May Exclusive--Save $100 off the Exchange & Outlook Newsletter For a limited time, order the Exchange & Outlook Administrator newsletter and SAVE up to $100! You'll get 12 helpful issues loaded with solutions you won't find anywhere else and FREE access to the entire Exchange & Outlook online article database. Subscribe now: http://list.windowsitpro.com/t?ctl=28F08:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products at windowsitpro.com Put Endpoints to the Security Test Senforce Technologies launched Senforce intelligent Network Access Control. iNAC compares the security state of an endpoint device that's attempting to connect to a network to a policy that defines security conditions that must be met to allow network access. IT administrators can create access policies that define which applications and services are permitted and that specify actions to take when endpoints don't comply. Pricing starts at $65 per user and quantity discounts are available. 
For more information, visit http://list.windowsitpro.com/t?ctl=28F19:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com. ==================== ==== Contact Us ==== About the newsletter -- letters at windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=28F14:4FB69 About product news -- products at windowsitpro.com About your subscription -- windowsitproupdate at windowsitpro.com About sponsoring Security UPDATE -- salesopps at windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=28F0A:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2006, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu May 4 04:16:31 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 4 May 2006 03:16:31 -0500 (CDT) Subject: [ISN] Trojan Snags World Of Warcraft Passwords To Cash Out Accounts Message-ID: http://www.informationweek.com/news/showArticle.jhtml?articleID=187002835 By Gregg Keizer TechWeb.com May 2, 2006 A new password-stealing Trojan targeting players of the popular online game "World of Warcraft" hopes to make money off secondary sales of gamer goods, a security company warned Tuesday. 
MicroWorld, an India-based anti-virus and security software maker with offices in the U.S., Germany, and Malaysia, said that the PWS.Win32.WOW.x Trojan horse was spreading fast, and attacking World of Warcraft players. If the attacker managed to hijack a password, he could transfer in-game goods -- personal items, including weapons -- that the player had accumulated to his own account, then later sell them for real-world cash on "gray market" Web sites. Unlike some rival multiplayer online games, Warcraft's publisher, Blizzard Entertainment, bans the practice of trading virtual items for real cash. "Win32.WOW is a clear indication that malware writers are targeting anything that involves money," said MicroWorld chief executive Govind Rammurthy in a statement. "Bucks may be smaller compared to a Trojan that steals bank accounts or credit card numbers...[but] cyber criminals are not complaining as long as the target is soft and numbers are high." The Trojan spreads via traditional vectors, such as e-mail and peer-to-peer file sharing, added Rammurthy, but it has also been watched while it installs in a drive-by download from gaming sites' pop-up ads. The surreptitious installation is accomplished by exploiting various vulnerabilities in Microsoft's Internet Explorer Web browser. Identity thieves have aimed at Warcraft previously. Just over a year ago, players were warned about a campaign that collected passwords from a bogus log-in site. From isn at c4i.org Thu May 4 04:16:44 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 4 May 2006 03:16:44 -0500 (CDT) Subject: [ISN] Cyberattack knocks millions of blogs offline Message-ID: http://news.zdnet.com/2100-1009_22-6068344.html By Joris Evers CNET News.com Published on ZDNet News May 3, 2006 About 10 million LiveJournal and TypePad blogs were offline or barely reachable for several hours Tuesday as the result of a massive denial-of-service attack. The attack started around 4 p.m.
PDT, targeting the popular blogging services and the corporate Web site of their provider Six Apart, company vice president Anil Dash said in an interview Wednesday. Service was back to normal at midnight, according to Six Apart's Web site. "Any large service tends to have a pretty constant level of attacks, but this was on a scale that I don't think anybody could have anticipated," Dash said. "I think it is of a scale that would have impacted any large site on the Web." In a distributed denial-of-service, or DDoS, attack the target is overloaded with requests for information. The requests come from a large number of hosts, typically compromised computers. As a result, legitimate users can no longer access the site. Six Apart intends to report the attack to the authorities, such as the FBI, but hasn't done so yet, Dash said. "We have not yet had the time to think about the next steps yet," he said. The San Francisco company has some theories on the origin and motivation of the attack, but Dash declined to speculate. Unlike large online businesses, Six Apart isn't typically the object of large-scale onslaughts, Dash said. If it does face an attack, often the problem is related to the content posted on one of the blogs it hosts, he said. Six Apart's main hosting facility is in a large data center located at 365 Main in San Francisco. The attack morphed as the blog company tried to respond, making it more challenging to deal with. "They were changing pretty rapidly," Dash said. "We have learned enough that if it does happen again, we know what to do." Six Apart plans to make amends to its customers, but has not yet decided how. Late last year, when it had some performance issues, it let its users decide how they wanted to be compensated, Dash said. "We will definitely do whatever makes things right for them," he said. From isn at c4i.org Thu May 4 04:16:56 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 4 May 2006 03:16:56 -0500 (CDT) Subject: [ISN] Info.
assurance a matter of survival Message-ID: http://www.gcn.com/online/vol1_no1/40663-1.html By Patience Wait GCN Staff 05/03/06 SALT LAKE CITY - Information management, and information assurance in particular, may be more mundane than other software topics but it is part of the foundation of all systems, according to Kelly Miller, chief systems engineer of the National Security Agency. "I can't say [IA] has been ignored, but it has been under-emphasized," he said. Miller, speaking to software engineers at the 18th annual Joint Services Systems and Software Technology Conference, adapted a saying of Charles Darwin to make his point. Where Darwin once said the creature that survives is not the smartest or the strongest but the one most adaptable to change, Miller said, "In the Information Age we're faced with, the survivors will be those who have the most assured information." It takes the same skill set to defend networks as to exploit them, he said. But the emphasis is not equal - it only takes one vulnerability to exploit a system, but to protect a system all the vulnerabilities have to be guarded. The global network is a "national interest item," he said. The size of the problem is breathtaking, with 20 million e-mails a minute zipping around the globe and 40 million voicemails left each hour. And supervisory control and data acquisition networks, used throughout the chemical and utilities industries, were developed years before the Internet and never designed to include computer security. The biggest threat is spyware - "the new spam," Miller called it. A recent survey found that 87 percent of business PCs and 88 percent of consumers' computers are infected. With a dearth of skilled professionals to address the challenge, Miller said a national strategy for IA needs to be created and executed. "Our operations, organizations, laws and policies have not kept pace with this changing technology," Miller said. "The current defense is not effective... 
Not only are we not keeping pace, we're taking a step backwards." From isn at c4i.org Fri May 5 01:26:23 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 5 May 2006 00:26:23 -0500 (CDT) Subject: [ISN] Blue Security offloads DoS attack onto blogs Message-ID: http://www.channelregister.co.uk/2006/05/04/blue_security_dos_flak/ By John Leyden 4 May 2006 A denial of service attack against Blue Security, distributors of a controversial anti-spam system, has taken the firm's site offline. Mistakes in the firm's response to the attack are being linked to a traffic flood that took numerous blogs offline too. Blue Security has established a 'Do Not Intrude Registry' (akin to the Do Not Call Registry for telemarketing) with around 450,000 members. Participants download a small tool, called Blue Frog, which systematically floods the websites of spammers with opt-out messages. Depending on your point of view, this initiative can either be viewed as community action or vigilantism. Earlier this week members of the Blue community received aggressive spam messages from an unknown group in an attempt to intimidate users into dropping out of Blue Security's network. Ordinary punters who had nothing to do with Blue Security also received the same messages proving, if proof were needed, that the belligerent junk mail campaign was a scatter-shot affair. This campaign of intimidation was followed by a denial of service attack against Blue Security's website on Wednesday. Posts in the North American Network Operators Group mailing list report that during the ongoing attack traffic heading for bluesecurity.com was offloaded to the firm's TypePad-hosted weblog, bluesecurity.blogs.com. This configuration change is blamed for taking the website of blogging outfit Six Apart, which runs TypePad and Live Journal, offline too leaving the information superhighway temporarily bereft of the outpourings of numerous bloggers.
Six Apart, rather gallantly, has been careful not to blame Blue Security but others have criticised the latter firm for redirecting the flood it was receiving. Six Apart restored services to normal early on Thursday morning while Blue Security's website was still unavailable by tapas time on Thursday. A spokeswoman for Blue Security confirmed that its site was under attack. She added that the firm regretted making configuration changes, since amended, that hit Six Apart's services. From isn at c4i.org Fri May 5 01:26:38 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 5 May 2006 00:26:38 -0500 (CDT) Subject: [ISN] Idaho utility hard drives -- and data -- turn up on eBay Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,111148,00.html By Sharon Fisher MAY 04, 2006 COMPUTERWORLD Anybody with five bucks and a little patience may be able to score sensitive corporate or customer data on eBay. If your organization has engaged in the common practice of disk drive recycling -- selling unneeded disk drives directly or through a service -- company data might wind up for sale on eBay Inc.'s auction site, even if the drives have been wiped first. Idaho Power Co. discovered that possibility last week as it scrambled to track down company disk drives that had been sold on eBay without having been scrubbed first. The Boise, Idaho-based utility serves approximately 460,000 customers in the southern part of Idaho and in eastern Oregon. Data on the drives, which had been used in servers, contained proprietary company information such as memos, correspondence with some customers and confidential employee information, the company said. Idaho Power had recycled approximately 230 SCSI drives -- a year's worth of updates -- through a single salvage vendor, Grant Korth, which then sold 84 of the drives to 12 parties through eBay. The company recovered 146 of the drives from the vendor.
It also got assurances from 10 of the 12 parties that bought them on eBay that the drives would be returned or the data on them would not be saved or distributed. The other two drives are still being tracked down; an Idaho Power spokesman did not know what information was on them. Nampa, Idaho-based Grant Korth refused to comment. In the meantime, Idaho Power has launched an independent investigation through Blank Law & Technology PS in Seattle into why its policy on scrubbing drives was not followed. Typically, Idaho Power was to have either physically destroyed the drives or scrubbed them to U.S. Department of Defense standards -- which involves degaussing them or overwriting the data with a minimum of three specified patterns -- and the salvage vendor was to have done the same, the Idaho Power spokesman said. The company's probe could take several months, depending on what data was on the drives, he said. Similarly, Idaho Power will not know what regulatory penalties might apply until its investigation is completed. Idaho Power is not alone, said Frances O'Brien, a research vice president for asset management at Gartner Inc. "It happens all the time," she said. Typically, a user either doesn't know to clean the drives or doesn't do it correctly, she said. According to a Gartner survey, organizations use outside companies to dispose of PCs 29% of the time and to get rid of servers 31% of the time. Other methods included donating hardware, putting it in storage, selling it to employees, returning it to the vendor and selling it to third parties. 
Aside from the financial concerns with losing data, organizations that improperly recycle disk drives can run afoul of a number of regulations, depending on their industry: the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act for the banking industry, the Family Educational Rights and Privacy Act for educational institutions and the Fair and Accurate Credit Transactions Act. In addition, several states, including California and New York, have broad-based privacy regulations, said Robert Houghton, president of Redemtech Inc., a Columbus, Ohio-based outsourcer. The problem is widespread. Gartner estimates that through 2009, consumers and businesses will replace more than 800 million PCs worldwide and dispose of an estimated 512 million. What's more, a company can get a bad reputation for not taking proper care of personal data, O'Brien said. When companies hire an outsourcer -- which is a practice that Gartner recommends -- they need to be careful about what the salvage company will do and how it will prove it. "If everyone else is charging $20, and someone says they'll do it for $2, you've got to wonder why," she said. Simson Garfinkel, a postdoctoral fellow at Harvard University's Center for Research on Computation and Society, researched the issue by buying more than 1,000 hard drives on eBay to see what sort of data could be gleaned from them. He found disk drives that held information from an automated teller machine, a drive from a medical center that held 31,000 credit card numbers, a supermarket credit card processor and a travel agency that had discarded data on travel plans, credit card numbers and ticket numbers. "One of the drives had consumer credit applications on it -- names, work histories, Social Security numbers -- all the information you need to apply for credit." Even though drives may have been wiped of data, someone with the know-how and patience could still retrieve information, Garfinkel said.
Standard tools such as Format and Delete simply remove the reference to the files -- the data is still there. Garfinkel himself has written a number of tools to retrieve information such as e-mail addresses and credit card numbers on wiped disks. Despite his findings, Garfinkel said companies seem to be doing a better job protecting data, and he pointed to the Fair and Accurate Credit Transactions Act as a possible reason. "The percentage of drives out there that have usable data is going down, so companies are more aware of the issue," he said. Similarly, when Houghton's company has done an audit on clients' supposedly wiped disk drives, 25% to 30% of them still had readable data, he said. Idaho Power said that in the future, it will destroy drives rather than sell them for salvage -- a policy Garfinkel backs. "The resale value of a hard drive is really minuscule, and it's easy to verify it's been destroyed," he said. "These things are worth $5 to $20 each. I don't think anyone's buying them on the secondary market for extortion, but you never know." From isn at c4i.org Fri May 5 01:18:42 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 5 May 2006 00:18:42 -0500 (CDT) Subject: [ISN] Q. What could a boarding pass tell an identity fraudster about you? A. Way too much Message-ID: http://www.guardian.co.uk/idcards/story/0,,1766266,00.html The Guardian May 3, 2006 This is the story of a piece of paper no bigger than a credit card, thrown away in a dustbin on the Heathrow Express to Paddington station. It was nestling among chewing gum wrappers and baggage tags, cast off by some weary traveller, when I first laid eyes on it just over a month ago. The traveller's name was Mark Broer. I know this because the paper - actually a flimsy piece of card - was a discarded British Airways boarding-pass stub, the small section of the pass displaying your name and seat number. The stub you probably throw away as soon as you leave your flight. 
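The two checks the Idaho Power story turns on, that "Format" and "Delete" leave file contents on the platters, and that a salvage vendor's wipe should be verifiable rather than taken on trust, can both be shown on a disk image. The script below is an added example written for this digest; it is not Garfinkel's tooling, not Idaho Power's procedure, and not a DoD-certified sanitiser. The 64 KiB "disk", the e-mail address and the card numbers in it are constructed in memory so the script runs offline; nonzero_blocks() and scan_for_pii() take any open binary file, so pointing them at a raw image or a read-only device (for example open("/dev/sdb", "rb")) is how you would use them for real. The 0x00/0xFF/random/0x00 pass sequence is one illustrative multi-pattern overwrite, chosen here so that the last pass can be verified against zeros; it is not the specific pattern set the article attributes to the DoD standard.

```python
"""Verify that a disk image has been scrubbed, and carve residual PII from it.

Added example for this article (not Garfinkel's tools or Idaho Power's
process).  The sample image is constructed in memory; the functions accept any
open binary file, so they also work on a raw image or a read-only device.
"""
import io
import os
import re
from typing import BinaryIO

BLOCK = 4096


def nonzero_blocks(fh: BinaryIO, block_size: int = BLOCK) -> list[tuple[int, int]]:
    """Return (offset, length) for every block that still holds non-zero bytes.
    An empty list is the evidence a vendor should be able to show after a
    zero-filled final pass: the whole medium reads back as zeros."""
    zero = bytes(block_size)
    dirty = []
    offset = 0
    while True:
        chunk = fh.read(block_size)
        if not chunk:
            break
        if chunk != zero[:len(chunk)]:
            dirty.append((offset, len(chunk)))
        offset += len(chunk)
    return dirty


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DIGIT_RUN_RE = re.compile(rb"\d(?:[ -]?\d){12,18}")   # 13-19 digits, optional separators


def scan_for_pii(fh: BinaryIO) -> dict[str, list[str]]:
    """Carve e-mail addresses and Luhn-valid card numbers out of raw bytes.
    Filesystem structure is ignored on purpose: a deleted file's data is still
    readable this way, which is exactly why Delete/Format are not a wipe."""
    data = fh.read()
    emails = sorted({m.group().decode() for m in EMAIL_RE.finditer(data)})
    cards: list[str] = []
    for m in DIGIT_RUN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits) and digits not in cards:
            cards.append(digits)
    return {"emails": emails, "cards": cards}


def overwrite(image: bytearray, patterns=(b"\x00", b"\xff", None, b"\x00")) -> None:
    """Overwrite the whole image once per pattern, in place (None = random).
    Illustrative pass sequence; the final zero pass makes the result checkable
    with nonzero_blocks()."""
    n = len(image)
    for p in patterns:
        image[:] = os.urandom(n) if p is None else p * n


def build_sample_image() -> bytearray:
    """Constructed 64 KiB 'disk': zeros except one block holding a file the
    owner later 'deleted'.  Address and numbers are made up test values."""
    image = bytearray(64 * 1024)
    record = (b"From: analyst@example.com\r\n"
              b"Card: 4111 1111 1111 1111\r\n"      # Luhn-valid test number
              b"Ref:  1234567890123456\r\n")         # 16 digits, fails Luhn
    image[8192:8192 + len(record)] = record
    return image


def quick_format(image: bytearray) -> None:
    """Model a Format/Delete: only the metadata block is cleared; the data
    block the file occupied is untouched."""
    image[:BLOCK] = bytes(BLOCK)


def demo() -> dict:
    image = build_sample_image()
    quick_format(image)
    before = scan_for_pii(io.BytesIO(bytes(image)))
    dirty = nonzero_blocks(io.BytesIO(bytes(image)))
    overwrite(image)
    after = scan_for_pii(io.BytesIO(bytes(image)))
    clean = nonzero_blocks(io.BytesIO(bytes(image)))
    return {"before": before, "dirty_blocks": dirty, "after": after, "clean_blocks": clean}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

After the simulated format the scan still returns the address and the Luhn-valid card number from the untouched data block, and nonzero_blocks() points at that block; after the overwrite both come back empty. The same two calls, run against a drive a vendor returns as "scrubbed", are the audit Houghton describes finding 25% to 30% of drives failing.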
It said Broer had flown from Brussels to London on March 15 at 7.10am on BA flight 389 in seat 03C. It also told me he was a "Gold" standard passenger and gave me his frequent-flyer number. I picked up the stub, mindful of a conversation I had had with a computer security expert two months earlier, and put it in my pocket. If the expert was right, this stub would enable me to access Broer's personal information, including his passport number, date of birth and nationality. It would provide the building blocks for stealing his identity, ruining his future travel plans - and even allow me to fake his passport. It would also serve as the perfect tool for demonstrating the chaotic collection, storage and security of personal information gathered as a result of America's near-fanatical desire to collect data on travellers flying to the US - and raise serious questions about the sort of problems we can expect when ID cards are introduced in 2008. To understand why the piece of paper I found on the Heathrow Express is important, it is necessary to go back not, as you might expect, to 9/11, but to 1996 and the crash of TWA Flight 800 over Long Island Sound, 12 minutes out of New York, with the loss of 230 lives. Initially, crash investigators suspected a terrorist bomb might have brought down the aircraft. This was later ruled out, but already the Clinton administration had decided it was time to devise a security system that would weed out potential terrorists before they boarded a flight. This was called Capps, the Computer Assisted Passenger Pre-screening System. It was a prosaic, relatively unambitious idea at first. For example, in highly simplistic terms, if someone bought a one-way ticket, paid in cash and checked in no baggage, they would be flagged up as an individual who had no intention of arriving or of going home. A bomber, perhaps. 
After 9/11, the ambitions for such screening grew exponentially and the newly founded Department of Homeland Security began inviting computer companies to develop intelligent systems that could "mine" data on individuals, whizzing round state, private and public databases to establish what kind of person was buying the ticket. In 2003, one of the pioneers of the system, speaking anonymously, told me that the project, by now called Capps II, was being designed to designate travellers as green, amber or red risks. Green would be an individual with no criminal record - a US citizen, perhaps, who had a steady job and a settled home, was a frequent flyer and so on. Amber would be someone who had not provided enough information to confirm all of this and who might be stopped at US Immigration and asked to provide clearer proof of ID. Red would be someone who might be linked to an ever-growing list of suspected terrorists - or someone whose name matched such a suspect. "If you are an American who has volunteered lots of details proving that you are who you say you are, that you have a stable home, live in a community, aren't a criminal, [Capps II] will flag you up as green and you will be automatically allowed on to your flight," the pioneer told me. "The problem is that if the system doesn't have a lot of information on you, or you have ordered a halal meal, or have a name similar to a known terrorist, or even if you are a foreigner, you'll most likely be flagged amber and held back to be asked for further details. If you are European and the US government is short of information on you - or, as is likely, has incorrect information on you - you can reckon on delay after delay unless you agree to let them delve into your private details. 
"That is inconvenient enough but, as we tested the system, it became clear that information was going to be used to build a complete picture of you from lots of private databases - your credit record, your travel history, your criminal record, whether you had the remotest dubious links with anyone at your college who became a terrorist. I began to feel more and more uncomfortable about it." Eventually, he quit the programme. All of this was on my mind as I sat down with my computer expert, Adam Laurie, one of the founders of a company called the Bunker Secure Hosting, to examine Broer's boarding-pass stub. Laurie is known in cyber-circles as something of a white knight, a computer wizard who not only advises companies on how to make their systems secure, but also cares about civil rights and privacy. He and his brother Ben are renowned among web designers as the men who developed Apache SSL - the software that makes most of the world's web pages secure - and then gave it away for free. We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information. Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.) Laurie was anything but smug. "This is terrible," he said. 
"It just shows what happens when governments begin demanding more and more of our personal information and then entrust it to companies simply not geared up for collecting or securing it as it gets shared around more and more people. It doesn't enhance our security; it undermines it." Just over $100m had been spent on Capps II before it was scrapped in July 2004. Campaigners in the US had objected to it on grounds of privacy, and airlines such as JetBlue and American faced boycotts when it emerged that they were involved in trials - handing over passenger information - with the Department of Homeland Security's Transportation Security Administration. Even worse, JetBlue admitted it had given the private records of 5 million passengers to a commercial company for analysis - and some of this was posted on the internet. But the problems did not end with the demise of Capps II. Earlier that month, after 18 months of acrimonious negotiation, the EU caved in to American demands that European airlines, too, should hand over passenger information to the United States Bureau of Customs and Border Protection, BCBP, before their aircraft would be allowed to land on US soil. The BCBP wanted up to 60 pieces of information routinely gathered by booking agencies and stored as a Passenger Name Record, PNR. This included not only your flight details, name, address and so on, but also your travel itinerary, where you were staying, with whom you travelled, whether you booked a hire car in the US, whether you booked a smoking room in your hotel, even if you ordered a halal or kosher meal. And the US authorities wanted to keep it all for 50 years. At first, the European Commission argued that surrendering such information would be in breach of European data protection law. Eventually, however, in the face of huge fines for airlines and cancelled landing slots, it agreed that 34 items from PNRs could be handed over and kept by the US for three and a half years. 
Capps II was superseded by a new system called Secure Flight in August 2004. Later, in October last year, the BCBP demanded that airlines travelling to, or through, the US should forward "advance passenger information", including passport number and date of birth, before passengers would be allowed to travel. It called this the advance passenger information system, or APIS. This is the information that Laurie and I had accessed through the BA website. "The problem here is that a commercial organisation is being given the task of collecting data on behalf of a foreign government, for which it gets no financial reward, and which offers no business benefit in return," says Laurie. "Naturally, in such a case, they will seek to minimise their costs, which they do by handing the problem off to the passengers themselves. This has the neat side-effect of also handing off liability for data errors. "You can imagine the case where a businessman's trip gets delayed because his passport details were incorrectly entered and he was mistaken for a terrorist. Since BA didn't enter the data - frequent flyers are asked to do it themselves - they can't be held responsible and can't be sued for his lost business." By the time I found the ticket stub and went to Laurie, he had already reported his suspicions about a potential security lapse to BA (on January 20) by email. He received no response, so followed up with a telephone call asking for the airline's security officer. He was told there wasn't one, so he explained the lapse to an employee. Nothing was done and he still has not been contacted. Three months ago, after further objections in the US, but before our investigation, Secure Flight was suspended after costing the US taxpayer $144m. At the time, Kip Hawley, transportation security administrator, said: "While the Secure Flight regulation is being developed, this is the time to ensure that the Secure Flight security, operational and privacy foundation is solid." 
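The flaw Laurie demonstrated is that a frequent-flyer number, an identifier printed on every boarding pass and therefore public, was accepted as the only credential for reading and editing a profile. The example below is added for this digest and is not BA's code: a toy profile service with the lookup the article describes next to a hardened version that first authenticates the caller and then binds the lookup to the authenticated account rather than to a client-supplied identifier. The account records, the ten-digit "ffn" format, the password and the session tokens are all invented for the demo.

```python
"""Identifier-as-credential lookup versus authenticated, owner-bound lookup.

Added example, not BA's code.  Records, identifier format, passwords and
tokens are invented for the demo.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class Profile:
    ffn: str
    name: str
    passport_no: str
    dob: str
    nationality: str


# Constructed records; every value is made up.
PROFILES = {
    "1234567890": Profile("1234567890", "A. Traveller", "NL1234567", "1970-01-01", "NL"),
    "0987654321": Profile("0987654321", "B. Other", "GB7654321", "1980-02-02", "GB"),
}


class AuthError(Exception):
    pass


# --- vulnerable: the number on the discarded stub is the only "credential" ---
def profile_lookup_vulnerable(ffn: str) -> Profile:
    """Whoever can read a boarding-pass stub can read the whole profile."""
    return PROFILES[ffn]


# --- hardened: authenticate, then authorise against the session's owner ---
CREDENTIALS: dict[str, tuple[bytes, bytes]] = {}   # ffn -> (salt, password hash)
SESSIONS: dict[str, str] = {}                       # session token -> ffn


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(ffn: str, password: str) -> None:
    """Store a salted password hash; the ffn itself is never a secret."""
    salt = os.urandom(16)
    CREDENTIALS[ffn] = (salt, _hash_password(password, salt))


def login(ffn: str, password: str) -> str:
    """Verify the password in constant time and issue an unguessable session token."""
    cred = CREDENTIALS.get(ffn)
    if cred is None:
        raise AuthError("bad credentials")
    salt, stored = cred
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        raise AuthError("bad credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = ffn
    return token


def profile_lookup_hardened(token: str, requested_ffn: str) -> Profile:
    """Require a live session, and only serve the profile that session owns.
    Knowing another passenger's ffn (from a stub, say) yields nothing."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise AuthError("not logged in")
    if not hmac.compare_digest(owner, requested_ffn):
        raise AuthError("profile belongs to a different account")
    return PROFILES[requested_ffn]


def update_passport_hardened(token: str, requested_ffn: str, passport_no: str) -> Profile:
    """Writes go through the same owner check; the article notes the open
    lookup also allowed the details to be changed."""
    profile = profile_lookup_hardened(token, requested_ffn)
    profile.passport_no = passport_no
    return profile


if __name__ == "__main__":
    stub_ffn = "1234567890"                     # read off a discarded stub
    print("vulnerable:", profile_lookup_vulnerable(stub_ffn).passport_no)
    register(stub_ffn, "correct horse battery")
    try:
        profile_lookup_hardened("no-session", stub_ffn)
    except AuthError as e:
        print("hardened, stub only:", e)
    tok = login(stub_ffn, "correct horse battery")
    print("hardened, owner:", profile_lookup_hardened(tok, stub_ffn).passport_no)
```

The point of the ownership check is that the identifier in the request is treated as a claim to be matched against the session, never as proof of anything; a database lookup keyed directly on a client-supplied number, with no session behind it, is the shape of bug Laurie found.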
The TSA said it would continue its passenger pre-screening programme in yet another guise after it had been audited and added that it had plans to introduce more security, privacy and redress for errors - confirming critics' sus