From isn at c4i.org Thu Jun 1 01:47:27 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:27 -0500 (CDT)
Subject: [ISN] ACSAC 22 (Miami Beach, FL) - June 10 - extended deadline
Message-ID:

Forwarded from: ACSAC Distribution Manager

Dear colleague,

We are extending the submission deadlines for the technical track, panels, tutorials, workshop till June 10, 2006. Apologies if you receive multiple copies of this announcement.

PDF versions at
http://www.acsac.org/2006/cfp_2006.pdf
http://www.acsac.org/2006/cfp_2006-a4.pdf

---------------------------
Call For Participation
---------------------------

Submission deadline approaching!

22nd Annual Computer Security Applications Conference
December 11-15, 2006
Miami Beach, Florida
http://www.acsac.org

                     Submission       Acceptance
                     Deadline         Notification
Technical Track      June 10, 2006    Aug. 13, 2006
Panels               June 10, 2006    Aug. 13, 2006
Tutorials            June 10, 2006    Jul. 20, 2006
Workshop             June 10, 2006    Jul. 20, 2006
Case Studies         July 1, 2006     Aug. 15, 2006
Works in Progress    Sep. 8, 2006     Oct. 1, 2006

See http://www.acsac.org/cfp for detailed submission information!

Please submit blinded papers, at most 10 pages in length at 10pt.

---------------------------------------------------------------------------

ACSAC is presented by a group of professionals who are working to facilitate information sharing among colleagues. We're an all-volunteer not-for-profit organization. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.

You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at http://www.acsac.org/list.

We have moved to a new web host and are trying to remove duplicates from our mailing lists. If you receive duplicate messages, or simply want to be removed from our list, please reply with the word REMOVE in the subject.
From isn at c4i.org Thu Jun 1 01:47:38 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:38 -0500 (CDT)
Subject: [ISN] Computer hacker to appeal sentence
Message-ID:

http://tvnz.co.nz/view/page/411749/735744

Jun 1, 2006

A computer hacker is to appeal against his prison sentence for internet fraud, saying it is too severe.

Aucklander Mark Hayes, 19, was sentenced last Friday in the District Court in Auckland to two years six months in prison after pleading guilty to more than 100 computer-related offenses and around $38,000 worth of fraud.

In sentencing, the Judge called Hayes a "serious recidivist computer criminal" for his offending in 2004 and reoffending while on bail in 2005.

Hayes' lawyer Peter Kaye says his client feels his sentence is too high for a person of his age and circumstances. Hayes is not eligible to apply for home detention.

The Crown Solicitor for Auckland last week described the sentence as "substantial."

Crown Solicitor Simon Moore said such offending would normally draw a jail term of three months at the most but the judge wanted to send a clear message about the seriousness of hacking.

The court heard that in 2004, Hayes used a "keystroke logger" hacking device to access the login password details of TradeMe account holders. He used their accounts to buy $18,500 worth of computer and clothing goods, paying for them with other people's money whose bank account details he had also hacked into.

Hayes pleaded guilty. He then appeared before the court again for similar offending in 2005, again using a "keystroke logger" to get bank account details. He took around $20,000.

In sentencing, Judge David Harvey called Hayes a "serious recidivist computer criminal", ordering a jail sentence of 30 months and the repayment of around $18,000.
From isn at c4i.org Thu Jun 1 01:47:15 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:15 -0500 (CDT)
Subject: [ISN] Security a bridge too far
Message-ID:

http://www.thesun.co.uk/article/0,,2-2006250101,00.html

By ALEX PEAKE
May 31, 2006

THE Sun yesterday exposed security at Britain's biggest naval base as a shambles after strolling unchallenged on to the bridge of a WARSHIP.

Our reporter walked through two checkpoints at Plymouth's HM Devonport - brandishing a worker's lost photo ID - before spending an hour on board the Navy's 21,578-ton flagship HMS Ocean.

Posing as a cleaner, he strolled around the deck of the giant vessel - even pausing to flick through its log books and sip tea in the galley.

Furious Royal Navy chiefs launched TWO probes last night as it emerged most of the ship's 500-strong company were on board.

The base is surrounded by a 9ft perimeter fence and guarded by security staff and scores of military police officers with alsatians.

But yesterday, armed with just workmen's overalls and the lost pass - handed to us by a concerned reader - our man gained entry after flashing the ID card over 20 yards from guards.

They waved him through and even wished him "good morning". Yet had we been terrorists, we could have caused carnage.

Within minutes our man found the quay where HMS Ocean, the Navy's largest ship, is moored for maintenance.

As ship workers and sailors filed up the gangplank, we followed them on to the warship, designed to hold 18 attack helicopters and an army of highly-trained commandos.

Two machine gun-carrying marines were checking passes. But again our man held his finger over the real workman's picture and marched in.

Once at the heart of the ship - which is on 24 hours' notice to sail anywhere in the world if a crisis breaks - he was directed by one unwitting worker to the bridge and nerve centre.
He toured the area with video gear for 15 minutes before moving to a walkway, where photographer Marc Giddings snapped him from a road.

Our reporter also saw the engine room, living quarters and anchor room.

Only one sailor asked what he was doing, but he returned to hoisting a flag when told our man was a cleaner.

We finally left the ship, praised for leading the Marines' 2003 invasion of southern Iraq, and left the base as easily as we walked in.

A Navy spokesman said: "We take all breaches of security very seriously. A full investigation by the ship and the naval base has commenced."

From isn at c4i.org Thu Jun 1 01:47:51 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:51 -0500 (CDT)
Subject: [ISN] Employees may be opening doors to criminals
Message-ID:

http://news.ft.com/cms/s/458807fe-efec-11da-b80e-0000779e2340,dwp_uuid=863bb51c-1f76-11da-853a-00000e2511c8.html

By Kate Mackenzie
May 30 2006

Holding a security door open for someone laden with cups of coffee or a big stack of documents may seem the polite thing to do. But you may have fallen for a classic trick deployed by hackers.

The person might have been smartly dressed and looked legitimate, but that is a key part of the deception of "social engineering", which uses simple, everyday situations to deceive individuals into giving out physical or technical access to facilities that can be a mine of valuable information.

Whether getting into a building, eliciting a password over the telephone or persuading a phishing victim to e-mail their banking details, "social engineering" is responsible for more than half of security breaches, and some estimates claim the proportion is as high as 90 per cent.

Deploying a powerful firewall or maintaining up-to-date software patches on thousands of desktop machines is easy compared with raising employees' awareness of their own risky behaviour.
Last year, for example, three call centre staff at Mphasis, an Indian outsourcer, tricked several Citibank customers into revealing their Pin numbers and then stole hundreds of thousands of dollars, in an incident that rocked the outsourcing industry.

Bob Blakley, chief scientist for security and privacy at IBM's Tivoli division, says it is partly because there is no "standard set of social behaviours" for tasks such as resetting a password over the phone, so many people are easily persuaded to go along with risky procedures.

The problem is worsening, as hacking attempts and malware are increasingly used by organised criminals, rather than fame-hungry or curious geeks.

Despite a consensus that it is always people who are the weakest point in any security system, workplace prevention tactics are often neglected or relegated to a set of acceptable use policies that are largely ignored by staff.

By contrast, meticulous and detailed documents on the dishonest use of "social engineering" techniques are easily available on the internet.

One such document details a vast number of techniques, ranging from "dumpster diving" to shoulder surfing - looking over someone's shoulder as they key in a password or Pin - to "conformity": for example, telling the target that everyone else has given out their password over the phone. Appealing to people's better nature by phoning up and pretending to be an out-of-town colleague who urgently needs to access the network is another.

In spite of all the experimentation and refinement of techniques to persuade and confuse potential "social engineering" targets, the security industry's response is almost exclusively focused on technology rather than psychology.

What can be done about it? The first thing is to take a wider view of security, says Jan Babiak, Head of Information Security at Ernst & Young. "For example in certain countries, you have a very good chance of kidnapping senior executives.
The physical security [team] take enormous precautions, but the IT people might have left something like a calendar somewhere where it's easy to hack into."

Cisco, meanwhile, urges executives to create a "top-down" culture of security awareness instead of palming off all security to a separate team.

Dave Shackleford, the director of security solutions and assessment services at Vigilar, a US security consultancy, says that executives are often the softest target for "social engineering" experiments. They tend to think they are "above the law" and have access to high level information. They are also used to associating with other top-level people, says Shackleford, so their trust levels are higher.

Mr Shackleford frequently puts clients' security defences to the test by, for example, photographing staff IDs with a telephoto lens to copy them. No attempted physical test undertaken by Vigilar has failed, he says.

Mr Shackleford says companies need policies in place: "If they don't have explicit policies laid out for their employees, then they may not know any better."

Vigilar's clients act on the information gleaned from the tests in different ways, but punishing employees who fell for a "social engineering" trick is not usually one of them. "It's human nature to be helpful," says Mr Shackleford. Instead, they tend to respond by improving training and awareness procedures.

Some of Mr Shackleford's techniques are frighteningly simple: "Just phoning someone's extension can reveal if they are out of town, for example, and for how long."

Robert Chapman, chief executive of The Training Camp, which runs security awareness courses for non-IT staff, says: "All the talk and all the money really is on technology. People in a sense brag about how much they spent on their Cisco firewalls." But they overlook the obvious weaknesses.
His company recently ran the well-publicised "CD test" in London in which 100 CDs were handed out to workers in the City, promising a free Valentine's Day gift if they installed it. Once installed the CD reported back to Chapman; he says the majority of recipients did so.

Bruce Schneier, the cryptographer who also works as a security consultant, is not so sure. He believes technical security must take into account behaviours, but does not believe "social engineering" can be adequately guarded against by training: "Have you ever met a user?" he replies when asked about efforts to improve staff awareness.

Technology, Mr Schneier says, must be more tailored to each user's needs and risk levels. Does a typical office worker, for example, need to have access to a USB port or even a CD drive?

"This is not just a 'get some guys on and solve it' problem," says Schneier. "It's like murder, burglary - all of these things, they've been around for ever."

From isn at c4i.org Thu Jun 1 01:48:50 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:48:50 -0500 (CDT)
Subject: [ISN] Police close file sharing site
Message-ID:

http://www.thelocal.se/article.php?ID=3955&date=20060531

By James Savage
31st May 2006

Police have closed down The Pirate Bay, a Sweden-based file sharing site and one of the most popular websites of its kind in the world.

Three people were taken in for questioning after police raids in Sweden on Wednesday. The trio, ages 22, 24 and 28, are suspected of violating property rights legislation, police spokesman Ulf Göranzon said.

Servers connected to the site have been impounded and the site was down on Wednesday afternoon, although the operators of The Pirate Bay have set up a temporary website to provide updates on the situation.

Some fifty policemen and women were involved in raids on ten homes and offices in Sweden. The three men taken in by police were still being questioned on Wednesday afternoon. They all have links to The Pirate Bay.
Prosecutors will decide whether to detain the men after they have been questioned.

"The suspects are not people who download files, but are people who have relations to the website," Ulf Göranzon told The Local. He would not reveal anything more about the roles that the men played.

Police have been monitoring the website and the men behind it for some time. Computers were taken during raids on the men's homes and offices to secure evidence.

"We are now going to look at how the operation is structured," Göranzon said. "At the moment we are talking to lots of people about this case. We are still at a very early stage in our investigations," he said. He would not reveal whether police had their eyes on further suspects.

Henrik Pontén, lawyer at Antipiratbyrån (The Anti-Pirate Bureau) in Stockholm, welcomed the move to close down the site.

"It is good that the Swedish police are now prioritising this kind of crime. The copyright laws finance creativity within film, computer gaming, music and other culture," said Pontén.

"People who break copyright laws steal from the creators and movie-watching public of the future. The closure of The Pirate Bay is therefore good for all of us who enjoy new film and entertainment."

But Tobias Andersson at pressure group Piratbyrån (The Pirate Bureau), which founded The Pirate Bay, stressed that there was no copyright-protected material on the servers.

"The Anti-Pirate Bureau has clearly misled the police in this case," said Andersson. "They appear to have persuaded police who are incompetent in IT that the servers in question are full of copyright-protected material. This is a gross misuse of taxpayers' money."

Andersson also condemned the fact that police had closed down a number of other websites, including The Pirate Bureau, which he says is no longer officially linked to the Pirate Bay.

"This is the greatest infringement. The Anti-Pirate Bureau has clearly fooled the police into closing down its antagonists, The Pirate Bureau."
"We are very upset that the film industry doesn't dare to have a debate, and chooses instead to trick politicians and the police into criminalizing their opponents and a large portion of the Swedish population."

The Pirate Bay is a BitTorrent tracker, which enables people to download large files such as movies from other users.

From isn at c4i.org Fri Jun 2 01:16:58 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:16:58 -0500 (CDT)
Subject: [ISN] Ernst & Young laptop loss exposes 243,000 Hotels.com customers
Message-ID:

http://www.theregister.co.uk/2006/06/01/ey_hotels_laptop/

By Ashlee Vance in Mountain View
1st June 2006

Exclusive - Ernst & Young's laptop loss unit continues to be one of the company's more productive divisions. We learn this week that the accounting firm lost a system containing data on 243,000 Hotels.com customers.

Hotels.com joins the likes of Sun Microsystems, IBM, Cisco, BP and Nokia, which have all had their employees' data exposed by Ernst & Young, as revealed here in a series of exclusive stories.

The Register can again exclusively confirm the loss of the Hotels.com customer information after having received a copy of a letter mailed out jointly by the web site and Ernst & Young. A Hotels.com spokesman also confirmed the data breach, saying Ernst & Young notified the company of the laptop loss on May 3.

The laptop in question was stolen from an Ernst & Young worker's car in Texas and did have some basic data protection mechanisms such as, erm, the need for a password.

"Recently, Hotels.com was informed by its outside auditor, Ernst & Young, that one of Ernst & Young's employees had his laptop computer stolen," Hotels.com told its customers in the letter. "Unfortunately, the computer contained certain information about customer transactions with Hotels.com, and other sites through which we provide booking services directly to customers, from 2002 through 2004.
"This information may have included your name, address and some credit or debit card information you provided at that time."

Ernst & Young in February lost one laptop that held information on what's believed to be tens of thousands of Sun, IBM, Cisco, BP and Nokia employees. It's not clear if this was the same system in the Hotels.com incident. Ernst & Young has not returned our calls seeking comment and has been reluctant to provide information on these incidents in the past.

Ernst & Young in February also lost four laptops in Miami when its workers decided to leave their systems in a hotel conference room while they went out for lunch.

Major media outlets have so far ignored the Ernst & Young laptop incidents, although they were quick to follow on our confirmation of a Fidelity data breach that saw 200,000 HP workers have their information exposed.

Ernst & Young offers a variety of security services to customers, and encourages clients to be transparent with their policies around customer data issues. The company, however, has not exactly been proactive with regard to its own issues.

From isn at c4i.org Fri Jun 2 01:17:10 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:17:10 -0500 (CDT)
Subject: [ISN] Cern seeks to tighten security for data grid
Message-ID:

http://www.vnunet.com/computing/news/2157258/cern-seeks-tighten-security

Lara Williams
Computing
01 Jun 2006

Cern, the world's largest particle physics laboratory and birthplace of the web, is starting a two-year project to improve security for its worldwide data grid.

The European organisation for nuclear research identified that partner sites on the grid are a security concern; many are open access public institutions supporting the lab's projects.

Cern tests innovative technologies in partnership with industry, and has asked security specialists Stonesoft and F-Secure to test security for the launch of the large hadron collider (LHC) project next year.
The 27km underground particle accelerator will distribute large amounts of information onto the worldwide LHC computing grid. More than 1GB per second of data will be generated and either stored at Cern or sent to 12 major computing sites and a further 100 institutes around the world for analysis.

"The results of the security trials may provide solutions which could eventually be commercially available to other organisations," said Cern spokesman Francois Grey.

Although large data grids are only starting to be used in business, Cern is seeing a lot of interest from industry. The lab is developing grids that will reach across organisational boundaries, allowing multiple institutions to share resources.

"Businesses are now becoming interested in this kind of grid," said Grey. "Its use could enable suppliers and companies to share resources and large corporations to share information between business units. Grid technology will only be adopted if the right type of security solutions are available."

Particle collisions in the LHC will create 15 petabytes per year of data, and it is due to run for a decade. The grid will have a storage and analysis infrastructure accessed by more than 7,000 scientists worldwide.

The aim of the LHC is to simulate the events taking place one millionth of a millionth of a second after the universe was created - information that could revolutionise our understanding of how the natural world works.
From isn at c4i.org Fri Jun 2 01:16:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:16:29 -0500 (CDT)
Subject: [ISN] VA Data in Format Not Widely Used
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/05/31/AR2006053102000.html

By Christopher Lee
Washington Post Staff Writer
June 1, 2006

The sensitive personal information of 26.5 million veterans that was stolen from a Department of Veterans Affairs data analyst last month was stored in a format that could make it difficult for thieves to use, according to an internal VA memo.

In the May 5 memo, VA privacy officer Mark Whitney wrote that the critical data "may not be easily accessible" because most of it -- including names, birth dates and Social Security numbers -- was stored in a specialized, standard format used for data manipulation and statistical analysis.

The format "requires specialized application software and training" to write computer code "to access and manipulate the data for use," Whitney wrote in the memo, obtained yesterday by The Washington Post.

Ari Schwartz, deputy director of the nonprofit Center for Democracy and Technology, a privacy group, said Whitney is generally right that the information would be hard to extract. It would be easier, however, if the laptop stolen along with an external hard drive and several data disks has the software needed to view the data, he said.

"This is not nearly the type of protection they would have had if they had followed basic security procedures and encrypted this," Schwartz said.

The Whitney memo, dated two days after the burglary at the analyst's Aspen Hill home and distributed to several high-ranking VA officials, provides the first public indication that some addresses and telephone numbers were among the stolen data; it refers to such information being part of electronic files of a national survey of about 20,000 veterans in 2001.
Also stolen was an electronic spreadsheet with 6,744 records about "mustard gas veterans" -- generally, veterans who took part in chemical warfare tests during World War II. Another stolen file contains as many as 10 diagnostic codes from the treatment file of one veteran who visited the VA health-care system on 57 dates.

"These types of data contain more than limited financial information, the codes contain information about veterans' medical conditions," Rep. Bob Filner (D-Calif.) said in a statement. "It is not appropriate for this information to ever enter the public domain."

Matthew Burns, a VA spokesman, said the department has been "focused on getting notification to veterans that some of the most sensitive data was out there."

Also yesterday, VA Secretary Jim Nicholson announced that he had named Richard M. Romley, a former prosecutor from Maricopa County, Ariz., as his new special adviser for information security. Romley, a Marine Corps veteran, will evaluate the department's computer security procedures and recommend improvements.

The move follows the resignation last week of Michael H. McLendon, a VA deputy assistant secretary who learned of the May 3 burglary within hours of the crime but did not immediately tell top-ranked officials. Nicholson announced Tuesday that the employee will be fired and that Dennis M. Duffy, who has been acting assistant secretary for policy and planning, had been placed on administrative leave. The employee worked in McLendon's office, and Duffy was in charge of the division in which both worked.

Nicholson learned of the information breach on May 16 and told the public on May 22, nearly three weeks after the crime.

© 2006 The Washington Post Company

From isn at c4i.org Fri Jun 2 01:16:46 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:16:46 -0500 (CDT)
Subject: [ISN] The new breed of cyber-terrorist
Message-ID:

http://news.independent.co.uk/world/science_technology/article622421.ece

By Jimmy Lee Shreeve
31 May 2006

According to cyber-security experts, the terror attacks of 11 September and 7 July could be seen as mere staging posts compared to the havoc and devastation that might be unleashed if terrorists turn their focus from the physical to the digital world.

Scott Borg, the director and chief economist of the US Cyber Consequences Unit (CCU), a Department of Homeland Security advisory group, believes that attacks on computer networks are poised to escalate to full-scale disasters that could bring down companies and kill people. He warns that intelligence "chatter" increasingly points to possible criminal or terrorist plans to destroy physical infrastructure, such as power grids. Al-Qa'ida, he stresses, is becoming capable of carrying out such attacks.

Most companies and organisations seem oblivious to the threat. Usually, they worry about e-mail viruses and low-grade hacker attacks. But Borg sees these as the least of their worries. "Up to now, executives and network professionals have worried about what adolescents and petty criminals have been doing," he says. "In most cases, these kinds of cyber attacks aren't very destructive. The reason is that businesses generally have enough inventory and extra capacity to make up for any short-term interruptions."

What companies and organisations should worry about, Borg insists, is "what grown-ups could do" - terrorists or hardcore criminals. One key target would probably be the vital Supervisory Control and Data Acquisition (Scada) systems in power plants and similar industries.
"Chatter on Scada attacks is increasing," says Borg, referring to patterns of behaviour that suggest that criminal gangs and militant groups are now fully capable of unleashing such attacks. "Control systems are a particular worry, because these are the computer systems that manage physical processes. They open and shut the valves, adjust the temperatures, throw the switches, regulate the pressures," he says. "Think of the control systems for chemical plants, railway lines, or manufacturing facilities. Shutting these systems down is a nuisance. Causing them to do the wrong thing at the wrong time is much worse."

Until now, hackers have usually targeted credit cards or personal information on the web. More sophisticated hackers, however, are beginning to focus on databases. The type of data most likely to be hit, Borg says, might include a pharmaceutical company's drug development databases, or programs that manipulate data, such as formulas for generating financial statements.

"Many attacks of this kind would have two components. One would alter the process control system to produce a defective product. The other would alter the quality control system so that the defect wouldn't easily be detected," Borg says. "Imagine, say, a life-saving drug being produced and distributed with the wrong level of active ingredients. This could gradually result in large numbers of deaths or disabilities. Yet it might take months before someone figured out what was going on."

The result, he says, would be panic, people afraid to visit hospitals and health services facing huge lawsuits.

Deadly scenarios could occur in industry, too. Online outlaws might change key specifications at a car factory, Borg says, causing a car to "burst into flames after it had been driven for a certain number of weeks". Apart from people being injured or killed, the car maker would collapse. "People would stop buying cars." A few such attacks, run simultaneously, would send economies crashing.
Populations would be in turmoil. At the click of a mouse, the terrorists would have won.

Is Borg justified in his fears? All this sounds like a plot from a thriller; it's hard to take it seriously. But intelligence reports in the last year or so make for worrying reading. An assessment by the British security service MI5 stated that "Britain is four meals away from anarchy". And officials admit their greatest fears about electronic attacks focus on the more exposed networks that make up the "critical national infrastructure" - the systems Borg is concerned about.

US agencies are concerned that terrorists could combine electronic and physical attacks to devastating effect, such as disrupting emergency services at the same time as mounting a bomb attack.

Risk management analysts, equally edgy, are focusing on the financial impact on businesses and economies. They believe that an online attack would undermine public confidence in vital industries, especially utilities. Nick Robson, a partner at JLT Risk Solutions, says: "A cyber attack on, say, the power industry would cause communications operations to close down for a period of time, expose customers to loss of service, increase liability exposure and ultimately damage reputation for service delivery."

It isn't just Western nations that fear a digital meltdown. This month, the Malaysian government announced plans to establish a centre to fight cyber-terrorism, which will provide an emergency response to hi-tech attacks around the globe. Prime Minister Abdullah Ahmad Badawi said the facility - to be located at the technology hub of Cyberjaya outside Kuala Lumpur - would be called the International Multilateral Partnership against Cyber-Terrorism, or Impact, and would be funded by a combination of government revenue and the private sector.

Badawi said the threat of cyber-terrorism was too serious for governments to ignore.
"The potential to wreak havoc and cause disruption to people, governments and global systems has increased as the world becomes more globalised," he said. "The economic loss caused by a cyber attack can be truly severe; for example, a nationwide blackout, collapse of trading systems or the crippling of a central bank's cheque clearing system."

While the case for cyber attack appears persuasive, some believe that much of it is hype. "It's difficult to avoid comparisons with the Millennium bug and the predictions of widespread computer chaos arising from the change of date to the year 2000," says Tom Standage, technology editor at The Economist magazine. "Then, as now, the alarm was sounded by technology vendors and consultants, who stood to gain from scaremongering."

Almost £400m was spent by the Government alone on preparations for the Millennium bug. Computer consultants issued dire warnings of the danger of an information technology breakdown that could paralyse nations on New Year's Day 2000. When the clock struck midnight, however, few problems were reported. There is scepticism that the bug was ever a threat.

As far as Standage is concerned, those in the cyber-security industry - be they vendors boosting sales, academics chasing grants or politicians looking for bigger budgets - always have a "built-in incentive to overstate the risks".

But what of the Scada systems; surely they are highly vulnerable? "It is true that utility companies and other operators of critical infrastructure are increasingly connected to the internet," Standage concedes. "But just because customers pay their bills online, it doesn't follow that critical control systems are vulnerable to attack. Control systems are usually kept entirely separate from other systems, for good reason. They tend to be obscure, old-fashioned systems that are incompatible with internet technology anyhow. Even authorised users require specialist knowledge."
A simulation in 2002 by the US Naval War College concluded that an "electronic Pearl Harbor" attack on America's infrastructure would certainly cause serious disruption. But to pull it off would require five years of preparation and a $200m budget. As US computer security guru Bruce Schneier says: "If they want to attack, they will do it with bombs like they always have."

But Richard Clarke, a former cyber-security expert in the Bush administration, says this is complacent. "People claim no one will ever die in a cyber-attack, but they're wrong. This is a serious threat."

Clarke says that each time the US government has tested the security of the electric power industry, he and his colleagues have been able to hack their way in, "sometimes through an obscure route like the billing system". He reveals that computer security officers at a number of chemical plants have told him privately that they are very concerned about the openness of their networks.

Scott Borg of the Cyber Consequences Unit goes along with this. He believes the $93m budget for 2007 allocated to the Department of Homeland Security to defend against cyber attack is justified. "Even systems isolated from the internet are often accessible to thousands of employees. How secure can any system be if thousands of people and thousands of data ports can provide inside access to that system?"

The threat from software

IT security consulting firm Cyber Defense Agency (CDA) has warned the US military, government and "critical infrastructure agencies" against using outsourced commercial software which could be tampered with by terrorists.

CDA said that gas, electricity, telecommunications, banking and water companies are among the services that could fall foul of cyber terrorists exploiting "life-cycle" weaknesses buried deep in the software code. Life-cycle attacks occur when one line of code is programmed to open vulnerabilities within the software, exposing the software and the company to external threats.
"Outsourced commercial software poses a silent but significant security risk to the defence and welfare of the US," says Sami Saydjari, president of CDA. "The chances of strategic damage from a cyber-terrorist attack on the US increases the longer it takes to remedy the risks posed by outsourced software."

From isn at c4i.org Fri Jun 2 01:17:21 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:17:21 -0500 (CDT)
Subject: [ISN] Extortion virus code gets cracked
Message-ID:

http://news.bbc.co.uk/1/hi/technology/5038330.stm

1 June 2006

Do not panic if your data is hidden by virus writers demanding a ransom.

Poor programming has allowed anti-virus companies to discover the password to retrieve the hijacked data inside a virus that has claimed at least one UK victim.

The Archiveus virus caught out British nurse Helen Barrow and swapped her data with a password-protected file.

The virus is the latest example of so-called "ransomware" that tries to extort cash from victims.

Code breaker

Analysis of Archiveus has revealed that the password to unlock the file containing all the hijacked files is contained within the code of the virus itself.

This virus swaps files found in the "My Documents" folder on Windows with a single file protected by a 30-digit password. Victims are only told the password if they buy drugs from one of three online pharmacies.

The 30-digit password locking the files is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". Using the password should restore all the hijacked files.

"Now the password has been uncovered, there should be no reason for anyone hit by this ransomware attack to have to make any payments to the criminals behind it," said Graham Cluley, senior technology consultant for security firm Sophos.

Archiveus was discovered on 6 May but it took the rest of the month for the first victim, Rochdale nurse Helen Barrow, to emerge.
Ms Barrow is thought to have fallen victim when she responded to an on-screen message warning her that her computer had contracted another unnamed virus. The virus asks those it infects to buy drugs on one of three websites to get their files back.

"When I realised what had happened, I just felt sick to the core," said Ms Barrow about the incident.

The Archiveus virus is only the latest in a series of malicious programs used by extortionists to extract cash from victims. Archiveus seems to use some parts of another ransoming virus called Cryzip that was circulating in March 2006.

From isn at c4i.org Fri Jun 2 01:17:32 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:17:32 -0500 (CDT)
Subject: [ISN] Miami U. reports 2nd security breach
Message-ID:

http://www.cleveland.com/news/plaindealer/index.ssf?/base/news/1149150686240780.xml&coll=2

June 01, 2006
Associated Press

An employee at a Miami University branch campus lost a hand-held personal computer containing private information on 851 students, but school officials said they don't believe that the data has been used unlawfully.

The recent case involves a potential breach of privacy that the school takes very seriously, said Kelly Cowan, interim dean at the Middletown campus.

Students affected were enrolled between July 2001 and May 2006, representing about 8 percent of the students on campus during that five-year period.

It's the second security breach at Miami since last September, when officials said a report containing some private information on students was accidentally placed in a file accessible through the Internet. It included names, Social Security numbers and information on the 21,762 students enrolled on all Miami campuses in the fall of 2002.

Cowan said the school is tightening its security and increasing employee training.
From isn at c4i.org Fri Jun 2 01:17:45 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:17:45 -0500 (CDT)
Subject: [ISN] Toronto firm at centre of security breach
Message-ID:

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&pubid=968163964505&cid=1149113029270&col=968705899037&call_page=TS_News&call_pageid=968332188492

By TYLER HAMILTON
BUSINESS REPORTER
Jun. 1, 2006

Toronto software provider Hummingbird Ltd. has found itself at the centre of an embarrassing privacy accident involving the social security numbers of 1.3 million American students.

Hummingbird disclosed yesterday evening that one of its employees lost a piece of computer equipment that contained the names and social security numbers of customers who borrowed funds from Round Rock, Tex.-based Texas Guaranteed, a non-profit company that administers a U.S. family education loan program.

"The privacy of customer data is of utmost importance to us and we take our responsibility to safeguard it very seriously. We deeply regret that this incident has occurred," Barry Litwin, Hummingbird's president and chief executive, said in a statement. "We continue to investigate the facts surrounding this loss of information and are taking all necessary action in order to ensure that such occurrences do not happen in the future."

Hummingbird, which announced on May 26 that it is being acquired by Palo Alto, Calif.-based holding company Symphony Technology Group for $465 million (U.S.), said it has no reason to believe the equipment was stolen to obtain confidential data. The company said the equipment was password-protected and that it was "extremely unlikely" the data would be misused.

Hummingbird was given the data as part of a contract to develop a custom document management system for Texas Guaranteed.
According to information on Texas Guaranteed's Web site, the equipment was lost on May 24 but Hummingbird didn't notify the company until mid-afternoon on May 26, the day Hummingbird disclosed its deal with Symphony.

The U.S. loan provider said that customers whose information was lost will be notified over the coming weeks and given advice on how to guard against identity theft.

"Even though this information is not easily accessed and used, and even though the loss appears to be inadvertent, we are issuing this release out of an abundance of caution, because the piece of equipment has not been located," said Sue McMillin, president and CEO of Texas Guaranteed, in a statement.

The use of social security numbers as a form of identification in the United States has been a topic of considerable controversy in recent weeks. In early May, computer disks containing the social security numbers of 26.5 million U.S. veterans were stolen from the U.S. Department of Veteran Affairs, putting millions of Americans at risk of identity fraud.
From isn at c4i.org Fri Jun 2 01:18:07 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:18:07 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-22
Message-ID:

========================================================================

                  The Secunia Weekly Advisory Summary
                        2006-05-25 - 2006-06-01

                       This week: 102 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

eEye Digital Security has reported a vulnerability in Symantec Client Security and Symantec AntiVirus Corporate Edition, which can be exploited by malicious people to compromise a user's system.

Users of Symantec products are advised to view the referenced Secunia advisory for additional details and information about patches.

Reference:
http://secunia.com/SA20318

--

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA20153] Microsoft Word Malformed Object Code Execution Vulnerability
2.  [SA19762] Internet Explorer "object" Tag Memory Corruption Vulnerability
3.  [SA20107] RealVNC Password Authentication Bypass Vulnerability
4.  [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information
5.  [SA20261] Cisco VPN Client Privilege Escalation Vulnerability
6.  [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
7.  [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
8.  [SA20288] Novell Netware abend.log User Credentials Disclosure
9.  [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
10. [SA20300] Basic Analysis and Security Engine "BASE_path" File Inclusion

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA20361] wodSFTP ActiveX Component Arbitrary File Access Vulnerability
[SA20318] Symantec Client Security / AntiVirus Unspecified Code Execution
[SA20407] F-Secure Products Web Console Buffer Overflow Vulnerability
[SA20357] Enigma Haber Multiple SQL Injection Vulnerabilities
[SA20355] AspSitem SQL Injection and Private Message Disclosure
[SA20348] Nukedit "groupid" Parameter Administrator Register Vulnerability
[SA20347] Hitachi HITSENSER3 SQL Injection Vulnerability
[SA20335] My Web Server Long URL Denial of Service
[SA20317] Mini-NUKE SQL Injection Vulnerabilities
[SA20309] qjForum member.asp SQL Injection Vulnerability
[SA20294] NewsCMSLite Admin Logon Bypass Vulnerability
[SA20360] ASPBB "search" Parameter Cross-Site Scripting Vulnerability
[SA20319] Omegasoft Insel "WCE" Parameter Cross-Site Scripting
[SA20342] Jiwa Financials Information Disclosure Vulnerability

UNIX/Linux:
[SA20313] Ubuntu update for nagios
[SA20281] Mandriva update for mpg123
[SA20398] SUSE update for kernel
[SA20374] 4nForum "tid" Parameter SQL Injection Vulnerability
[SA20345] Gentoo update for libtiff
[SA20344] Gentoo update for cherrypy
[SA20339] Mandriva update for dia
[SA20338] Debian update for kernel-source-2.4.17
[SA20326] Debian update for libextractor
[SA20323] Open-Xchange Default Account Password
[SA20314] Ubuntu update for postgresql
[SA20284] Pre News Manager Multiple SQL Injection Vulnerabilities
[SA20381] UnixWare update for MySQL
[SA20283] Debian update for awstats
[SA20396] SUSE update for rug
[SA20389] FreeBSD ypserv Inoperative Access Controls Security Issue
[SA20333] Debian update for mysql-dfsg
[SA20302] OpenOBEX ircp File Overwrite Vulnerability
[SA20390] FreeBSD SMBFS chroot Directory Traversal Vulnerability
[SA20388] SUSE update for vixie-cron
[SA20380] Vixie Cron "do_command.c" setuid Security Issue
[SA20370] Shadow "useradd.c" Insecure Mailbox File Permissions
[SA20368] Debian update for motor
[SA20332] Avaya PDS Software Distributor Privilege Escalation
[SA20329] Motor ktools VGETSTRING Buffer Overflow Vulnerability
[SA20325] AIX lsmcode Unspecified Privilege Escalation Vulnerability
[SA20312] SUSE update for foomatic-filters
[SA20369] xine-lib HTTP Response Heap Corruption Weakness
[SA20330] Debian update for tiff
[SA20315] Debian update for dovecot
[SA20308] Dovecot "LIST" Command Directory Traversal Weakness
[SA20349] Linux Kernel SMP "/proc" Race Condition Denial of Service
[SA20337] PHP "curl_init()" Safe Mode Bypass Weakness

Other:
[SA20378] Secure Elements Class 5 AVR Multiple Vulnerabilities
[SA20343] D-Link Airspot DSA-3100 Gateway "uname" Cross-Site Scripting
[SA20288] Novell Netware abend.log User Credentials Disclosure
[SA20377] Secure Elements Class 5 AVR Message Encryption Security Issue

Cross Platform:
[SA20404] METAjour "system_path" Parameter File Inclusion Vulnerabilities
[SA20399] Ottoman "default_path" File Inclusion Vulnerabilities
[SA20373] phpMyDesktop|arcade Local File Inclusion and Script Insertion
[SA20364] IBM DCE Two Kerberos Vulnerabilities
[SA20358] F@cile Interactive Web Multiple Vulnerabilities
[SA20356] tinyBB SQL Injection and File Inclusion Vulnerabilities
[SA20354] phpBB Activity Mod Plus Module "phpbb_root_path" File Inclusion
[SA20353] UBB.threads Cross-Site Scripting and File Inclusion
[SA20350] phpBB Blend Portal System Module "phpbb_root_path" File Inclusion
[SA20346] Fastpublish CMS "config[fsBase]" File Inclusion Vulnerabilities
[SA20331] Hot Open Tickets "CLASS_PATH" Parameter File Inclusion
[SA20310] Plume CMS "/manager/frontinc/prepend.php" File Inclusion
[SA20301] open-medium.CMS "404.php" File Inclusion Vulnerability
[SA20300] Basic Analysis and Security Engine "BASE_path" File Inclusion
[SA20299] ActionApps "GLOBALS[AA_INC_PATH]" File Inclusion
[SA20298] DoceboLMS "lang" Parameter File Inclusion Vulnerabilities
[SA20292] Back-End CMS "_PSL[classdir]" File Inclusion Vulnerability
[SA20375] pppBLOG "files[0]" Parameter Disclosure of Sensitive Information
[SA20367] WebCalendar "includedir" Parameter Arbitrary Setting File Loading
[SA20366] WikiNi Script Insertion Vulnerabilities
[SA20359] phpBB Nivisec Hacks List Module Local File Inclusion
[SA20352] Eggblog posts.php SQL Injection Vulnerability
[SA20351] aMule Information Disclosure Vulnerability
[SA20316] Geeklog Multiple Vulnerabilities and Weaknesses
[SA20307] Seditio "Referer" HTTP Header Script Insertion Vulnerability
[SA20304] ByteHoard File Copy and Script Insertion Vulnerabilities
[SA20303] MailManager PostgreSQL Encoding-Based SQL Injection
[SA20297] V-webmail "CONFIG[pear_dir]" File Inclusion Vulnerability
[SA20295] Pre Shopping Mall SQL Injection Vulnerabilities
[SA20290] ChatPat Script Insertion and SQL Injection Vulnerabilities
[SA20287] iFdate Cross-Site Scripting and Script Insertion Vulnerabilities
[SA20286] Realty Pro One Cross-Site Scripting and SQL Injection
[SA20363] XiTi Tracking Script "xiti.js" Cross-Site Scripting Vulnerabilities
[SA20341] Open Searchable Image Catalogue SQL Injection Vulnerabilities
[SA20340] DGNews "upprocess.php" File Upload Vulnerability
[SA20336] Photoalbum B&W "index.php" Cross-Site Scripting Vulnerabilities
[SA20334] TikiWiki Multiple Cross-Site Scripting Vulnerabilities
[SA20327] Achievo "atkselector" Parameter SQL Injection Vulnerability
[SA20324] Vacation Rental Script "obj" Parameter Cross-Site Scripting
[SA20322] Pretty Guestbook "pagina" Cross-Site Scripting Vulnerability
[SA20321] Smile Guestbook "pagina" Cross-Site Scripting Vulnerability
[SA20320] Morris Guestbook "pagina" Cross-Site Scripting Vulnerability
[SA20311] php-residence Multiple Script Insertion Vulnerabilities
[SA20306] PHPSimpleChoose Cross-Site Scripting Vulnerability
[SA20305] PHP-AGTC membership system "useremail" Script Insertion
[SA20296] CMS Mundo "searchstring" Cross-Site Scripting Vulnerability
[SA20293] phpESP ADOdb Cross-Site Scripting Vulnerabilities
[SA20291] AZ Photo Album Script Pro Cross-Site Scripting Vulnerability
[SA20289] Elite-Board "search" Parameter Cross-Site Scripting Vulnerability
[SA20285] Assetman Unspecified Script Insertion Vulnerabilities
[SA20282] iFlance Multiple Cross-Site Scripting Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA20361] wodSFTP ActiveX Component Arbitrary File Access Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information, System access
Released:    2006-05-31

Will Dormann has reported a vulnerability in WeOnlyDo wodSFTP, which can be exploited by malicious people to disclose sensitive information and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20361/

--

[SA20318] Symantec Client Security / AntiVirus Unspecified Code Execution

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-29

eEye Digital Security has reported a vulnerability in Symantec Client Security and Symantec AntiVirus Corporate Edition, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20318/

--

[SA20407] F-Secure Products Web Console Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-01

A vulnerability has been reported in F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20407/ -- [SA20357] Enigma Haber Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-29 Mustafa Can Bjorn has reported some vulnerabilities in Enigma Haber, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20357/ -- [SA20355] AspSitem SQL Injection and Private Message Disclosure Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2006-05-29 Mustafa Can Bjorn has reported two vulnerabilities in AspSitem, which can be exploited by malicious users to disclose sensitive information or malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20355/ -- [SA20348] Nukedit "groupid" Parameter Administrator Register Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-05-30 FarhadKey has discovered a vulnerability in Nukedit, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/20348/ -- [SA20347] Hitachi HITSENSER3 SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-31 A vulnerability has been reported in Hitachi HITSENSER3, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20347/ -- [SA20335] My Web Server Long URL Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2006-05-29 s3rv3r_hack3r has discovered a vulnerability in My Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/20335/ -- [SA20317] Mini-NUKE SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-29 Mustafa Can Bjorn has reported some vulnerabilities in Mini-NUKE, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20317/ -- [SA20309] qjForum member.asp SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-29 ajann has reported a vulnerability in qjForum, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20309/ -- [SA20294] NewsCMSLite Admin Logon Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-05-26 FarhadKey has discovered a vulnerability in NewsCMSLite, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/20294/ -- [SA20360] ASPBB "search" Parameter Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-29 Mustafa Can Bjorn has reported a vulnerability in ASPBB, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/20360/ -- [SA20319] Omegasoft Insel "WCE" Parameter Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2006-05-31 MC.Iglo has reported a vulnerability in Omegasoft Insel, which can be exploited by malicious people to conduct cross-site scripting attacks. 
Full Advisory: http://secunia.com/advisories/20319/ -- [SA20342] Jiwa Financials Information Disclosure Vulnerability Critical: Less critical Where: From local network Impact: Exposure of sensitive information Released: 2006-05-30 Robert Passlow has reported a vulnerability in Jiwa Financials, which can be exploited by malicious users to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/20342/ UNIX/Linux:-- [SA20313] Ubuntu update for nagios Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-05-30 Ubuntu has issued an update for nagios. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20313/ -- [SA20281] Mandriva update for mpg123 Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-29 Mandriva has issued an update for mpg123. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/20281/ -- [SA20398] SUSE update for kernel Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS Released: 2006-06-01 SUSE has issued an update for the kernel. This fixes some vulnerabilities and weaknesses, which can be exploited by malicious, local users to bypass certain security restrictions, gain knowledge of potentially sensitive information and to cause a DoS (Denial of Service), and by malicious people to disclose certain system information, potentially to bypass certain security restrictions and to cause a DoS (Denial of Service). 
Full Advisory: http://secunia.com/advisories/20398/ -- [SA20374] 4nForum "tid" Parameter SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-31 CrAzY CrAcKeR has reported a vulnerability in 4nForum, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20374/ -- [SA20345] Gentoo update for libtiff Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-05-31 Gentoo has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/20345/ -- [SA20344] Gentoo update for cherrypy Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2006-05-31 Gentoo has issued an update for cherrypy. This fixes a vulnerability, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/20344/ -- [SA20339] Mandriva update for dia Critical: Moderately critical Where: From remote Impact: System access Released: 2006-05-31 Mandriva has issued an update for dia. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/20339/ -- [SA20338] Debian update for kernel-source-2.4.17 Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access Released: 2006-05-31 Debian has issued an update for kernel-source-2.4.17. 
This fixes some vulnerabilities, which can be exploited by malicious, local users to gain knowledge of sensitive information, cause a DoS (Denial of Service), gain escalated privileges, and by malicious people to cause a DoS, and disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/20338/ -- [SA20326] Debian update for libextractor Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2006-05-29 Debian has issued an update for libextractor. This fixes two vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application that uses the library. Full Advisory: http://secunia.com/advisories/20326/ -- [SA20323] Open-Xchange Default Account Password Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2006-05-29 Cemil Degirmenci has reported a security issue in Open-Xchange, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/20323/ -- [SA20314] Ubuntu update for postgresql Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-30 Ubuntu has issued an update for postgresql. This fixes two vulnerabilities, which potentially can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/20314/ -- [SA20284] Pre News Manager Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2006-05-26 luny has reported some vulnerabilities in Pre News Manager, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/20284/ -- [SA20381] UnixWare update for MySQL Critical: Moderately critical Where: From local network Impact: System access Released: 2006-06-01 SCO has issued an update for MySQL. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20381/ -- [SA20283] Debian update for awstats Critical: Less critical Where: From remote Impact: Security Bypass, System access Released: 2006-05-26 Debian has issued an update for awstats. This fixes a security issue, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/20283/ -- [SA20396] SUSE update for rug Critical: Less critical Where: From local network Impact: Security Bypass, Exposure of sensitive information Released: 2006-06-01 SUSE has issued an update for rug. This fixes a security issue and a weakness, which can be exploited by malicious, local users to disclose certain sensitive information and potentially by malicious people to bypass security restrictions. Full Advisory: http://secunia.com/advisories/20396/ -- [SA20389] FreeBSD ypserv Inoperative Access Controls Security Issue Critical: Less critical Where: From local network Impact: Security Bypass Released: 2006-06-01 A security issue has been reported in FreeBSD, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/20389/ -- [SA20333] Debian update for mysql-dfsg Critical: Less critical Where: From local network Impact: Security Bypass, Exposure of sensitive information, System access Released: 2006-05-29 Debian has issued an update for mysql-dfsg. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, disclose potentially sensitive information, and compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/20333/ -- [SA20302] OpenOBEX ircp File Overwrite Vulnerability Critical: Less critical Where: From local network Impact: Manipulation of data Released: 2006-05-26 Jeroen van Wolffelaar has reported a vulnerability in Open OBEX, which can be exploited by malicious people to manipulate certain data on a user's system. Full Advisory: http://secunia.com/advisories/20302/ -- [SA20390] FreeBSD SMBFS chroot Directory Traversal Vulnerability Critical: Less critical Where: Local system Impact: Security Bypass Released: 2006-06-01 A vulnerability has been reported in FreeBSD, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/20390/ -- [SA20388] SUSE update for vixie-cron Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-06-01 SUSE has issued an update for vixie-cron. This fixes a security issue, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/20388/ -- [SA20380] Vixie Cron "do_command.c" setuid Security Issue Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-06-01 Roman Veretelnikov has reported a security issue in Vixie Cron, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/20380/ -- [SA20370] Shadow "useradd.c" Insecure Mailbox File Permissions Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-31 A security issue has been reported in Shadow, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. 
Full Advisory: http://secunia.com/advisories/20370/

--
[SA20368] Debian update for motor
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-05-31

Debian has issued an update for motor. This fixes a vulnerability, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory: http://secunia.com/advisories/20368/

--
[SA20332] Avaya PDS Software Distributor Privilege Escalation
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-05-29

Avaya has acknowledged a vulnerability in Avaya Predictive Dialing System (PDS), which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/20332/

--
[SA20329] Motor ktools VGETSTRING Buffer Overflow Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-05-31

A vulnerability has been reported in Motor, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory: http://secunia.com/advisories/20329/

--
[SA20325] AIX lsmcode Unspecified Privilege Escalation Vulnerability
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-05-29

A vulnerability has been reported in AIX, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/20325/

--
[SA20312] SUSE update for foomatic-filters
Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-05-30

SUSE has issued an update for foomatic-filters. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges.

Full Advisory: http://secunia.com/advisories/20312/

--
[SA20369] xine-lib HTTP Response Heap Corruption Weakness
Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-05-31

Federico L. Bossi Bonin has discovered a weakness in xine-lib, which can be exploited by malicious people to crash certain applications on a user's system.

Full Advisory: http://secunia.com/advisories/20369/

--
[SA20330] Debian update for tiff
Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-05-29

Debian has issued an update for tiff. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/20330/

--
[SA20315] Debian update for dovecot
Critical:    Not critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-05-29

Debian has issued an update for dovecot. This fixes a weakness, which can be exploited by malicious users to gain knowledge of potentially sensitive information.

Full Advisory: http://secunia.com/advisories/20315/

--
[SA20308] Dovecot "LIST" Command Directory Traversal Weakness
Critical:    Not critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-05-29

A weakness has been reported in Dovecot, which can be exploited by malicious users to gain knowledge of potentially sensitive information.

Full Advisory: http://secunia.com/advisories/20308/

--
[SA20349] Linux Kernel SMP "/proc" Race Condition Denial of Service
Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-05-31

Tony Griffiths has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory: http://secunia.com/advisories/20349/

--
[SA20337] PHP "curl_init()" Safe Mode Bypass Weakness
Critical:    Not critical
Where:       Local system
Impact:      Security Bypass
Released:    2006-05-30

Maksymilian Arciemowicz has discovered a weakness in PHP, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20337/

Other:

--
[SA20378] Secure Elements Class 5 AVR Multiple Vulnerabilities
Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass, Spoofing, Exposure of system information, Exposure of sensitive information, DoS, System access
Released:    2006-05-31

Multiple vulnerabilities and security issues have been reported in Secure Elements Class 5 AVR, which can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, spoof the contents of messages, cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20378/

--
[SA20343] D-Link Airspot DSA-3100 Gateway "uname" Cross-Site Scripting
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-29

jaime.blasco has reported a vulnerability in D-Link Airspot DSA-3100 Gateway, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20343/

--
[SA20288] Novell Netware abend.log User Credentials Disclosure
Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-05-26

A security issue has been reported in Novell Netware, which can be exploited by malicious, local users to gain knowledge of sensitive information.

Full Advisory: http://secunia.com/advisories/20288/

--
[SA20377] Secure Elements Class 5 AVR Message Encryption Security Issue
Critical:    Not critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2006-05-31

A security issue has been reported in Secure Elements Class 5 AVR, which potentially can be exploited by malicious people to disclose certain sensitive information.
Full Advisory: http://secunia.com/advisories/20377/

Cross Platform:

--
[SA20404] METAjour "system_path" Parameter File Inclusion Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-01

Kacper has discovered some vulnerabilities in METAjour, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20404/

--
[SA20399] Ottoman "default_path" File Inclusion Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-01

Kacper has discovered some vulnerabilities in Ottoman, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20399/

--
[SA20373] phpMyDesktop|arcade Local File Inclusion and Script Insertion
Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, System access, Cross Site Scripting
Released:    2006-05-31

darkgod has discovered two vulnerabilities in phpMyDesktop|arcade, which can be exploited by malicious people to conduct script insertion attacks, disclose sensitive information, and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20373/

--
[SA20364] IBM DCE Two Kerberos Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-01

IBM has acknowledged two vulnerabilities in IBM DCE, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20364/

--
[SA20358] F@cile Interactive Web Multiple Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-05-29

Mustafa Can Bjorn has reported some vulnerabilities in F@cile Interactive Web, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20358/

--
[SA20356] tinyBB SQL Injection and File Inclusion Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2006-05-29

Mustafa Can Bjorn has discovered some vulnerabilities in tinyBB, which can be exploited by malicious people to conduct SQL injection attacks and to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20356/

--
[SA20354] phpBB Activity Mod Plus Module "phpbb_root_path" File Inclusion
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-30

Mustafa Can Bjorn has reported a vulnerability in the Activity Mod Plus module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20354/

--
[SA20353] UBB.threads Cross-Site Scripting and File Inclusion
Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-05-30

Mustafa Can Bjorn has discovered some vulnerabilities in UBB.threads, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20353/

--
[SA20350] phpBB Blend Portal System Module "phpbb_root_path" File Inclusion
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-30

Mustafa Can Bjorn has reported a vulnerability in the Blend Portal System module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20350/

--
[SA20346] Fastpublish CMS "config[fsBase]" File Inclusion Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-30

Kacper has reported some vulnerabilities in Fastpublish CMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20346/

--
[SA20331] Hot Open Tickets "CLASS_PATH" Parameter File Inclusion
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-29

Kacper has discovered a vulnerability in Hot Open Tickets, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20331/

--
[SA20310] Plume CMS "/manager/frontinc/prepend.php" File Inclusion
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-29

beford has discovered a vulnerability in Plume CMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20310/

--
[SA20301] open-medium.CMS "404.php" File Inclusion Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-26

Kacper has discovered a vulnerability in the open-medium.CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20301/

--
[SA20300] Basic Analysis and Security Engine "BASE_path" File Inclusion
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-26

str0ke has discovered some vulnerabilities in Basic Analysis and Security Engine, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20300/

--
[SA20299] ActionApps "GLOBALS[AA_INC_PATH]" File Inclusion
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-26

Kacper has discovered some vulnerabilities in ActionApps, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20299/

--
[SA20298] DoceboLMS "lang" Parameter File Inclusion Vulnerabilities
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-26

beford has discovered some vulnerabilities in DoceboLMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20298/

--
[SA20292] Back-End CMS "_PSL[classdir]" File Inclusion Vulnerability
Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-26

Kacper has discovered a vulnerability in Back-End CMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20292/

--
[SA20375] pppBLOG "files[0]" Parameter Disclosure of Sensitive Information
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-06-01

rgod has discovered a vulnerability in pppBLOG, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20375/

--
[SA20367] WebCalendar "includedir" Parameter Arbitrary Setting File Loading
Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2006-05-31

socsam has discovered a vulnerability in WebCalendar, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.

Full Advisory: http://secunia.com/advisories/20367/

--
[SA20366] WikiNi Script Insertion Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-30

Raphael Huck has discovered some vulnerabilities in WikiNi, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/20366/

--
[SA20359] phpBB Nivisec Hacks List Module Local File Inclusion
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-05-29

Mustafa Can Bjorn has discovered a vulnerability in the Nivisec Hacks List module for phpBB, which can be exploited by malicious people to disclose sensitive information.

Full Advisory: http://secunia.com/advisories/20359/

--
[SA20352] Eggblog posts.php SQL Injection Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-29

Mustafa Can Bjorn has discovered a vulnerability in Eggblog, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20352/

--
[SA20351] aMule Information Disclosure Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2006-05-29

A vulnerability has been reported in aMule, which can be exploited by malicious people and by malicious users to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20351/

--
[SA20316] Geeklog Multiple Vulnerabilities and Weaknesses
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Exposure of system information
Released:    2006-05-30

trueend5 has reported some vulnerabilities and weaknesses in Geeklog, which can be exploited by malicious people to disclose system information, and conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20316/

--
[SA20307] Seditio "Referer" HTTP Header Script Insertion Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-29

Yunus Emre Yilmaz has discovered a vulnerability in Seditio, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/20307/

--
[SA20304] ByteHoard File Copy and Script Insertion Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-05-29

Nomenumbra has discovered two vulnerabilities in ByteHoard, which can be exploited by malicious people to manipulate sensitive information and conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/20304/

--
[SA20303] MailManager PostgreSQL Encoding-Based SQL Injection
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-26

A vulnerability has been reported in MailManager, which potentially can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20303/

--
[SA20297] V-webmail "CONFIG[pear_dir]" File Inclusion Vulnerability
Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-26

beford has discovered a vulnerability in V-webmail, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20297/

--
[SA20295] Pre Shopping Mall SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-26

luny has reported some vulnerabilities in Pre Shopping Mall, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20295/

--
[SA20290] ChatPat Script Insertion and SQL Injection Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-05-26

luny has reported two vulnerabilities in ChatPat, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20290/

--
[SA20287] iFdate Cross-Site Scripting and Script Insertion Vulnerabilities
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-26

luny has reported some vulnerabilities in iFdate, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory: http://secunia.com/advisories/20287/

--
[SA20286] Realty Pro One Cross-Site Scripting and SQL Injection
Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-05-26

luny has reported some vulnerabilities in Realty Pro One, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory: http://secunia.com/advisories/20286/

--
[SA20363] XiTi Tracking Script "xiti.js" Cross-Site Scripting Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-31

Yannick Daffaud has reported two vulnerabilities in the XiTi Tracking Script, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20363/

--
[SA20341] Open Searchable Image Catalogue SQL Injection Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-05-31

Nenad Jovanovic has discovered some vulnerabilities in Open Searchable Image Catalogue, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20341/

--
[SA20340] DGNews "upprocess.php" File Upload Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-05-30

r0t has discovered a vulnerability in DGNews, which can be exploited by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/20340/

--
[SA20336] Photoalbum B&W "index.php" Cross-Site Scripting Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-30

black-code and sweet-devil have discovered some vulnerabilities in Photoalbum B&W, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20336/

--
[SA20334] TikiWiki Multiple Cross-Site Scripting Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-29

Blwood has discovered some vulnerabilities in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20334/

--
[SA20327] Achievo "atkselector" Parameter SQL Injection Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-30

Christian Nancy has reported a vulnerability in Achievo, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20327/

--
[SA20324] Vacation Rental Script "obj" Parameter Cross-Site Scripting
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-29

luny has discovered a vulnerability in Vacation Rental Script, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20324/

--
[SA20322] Pretty Guestbook "pagina" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-29

luny has discovered a vulnerability in Pretty Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20322/

--
[SA20321] Smile Guestbook "pagina" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-29

luny has discovered a vulnerability in Smile Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20321/

--
[SA20320] Morris Guestbook "pagina" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-29

luny has discovered a vulnerability in Morris Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20320/

--
[SA20311] php-residence Multiple Script Insertion Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-29

Nomenumbra has reported some vulnerabilities in php-residence, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20311/

--
[SA20306] PHPSimpleChoose Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-29

luny has discovered a vulnerability in PHPSimpleChoose, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20306/

--
[SA20305] PHP-AGTC membership system "useremail" Script Insertion
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-29

Nomenumbra has discovered a vulnerability in PHP-AGTC membership system, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/20305/

--
[SA20296] CMS Mundo "searchstring" Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-26

luny has reported a vulnerability in CMS Mundo, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20296/

--
[SA20293] phpESP ADOdb Cross-Site Scripting Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-29

Some vulnerabilities have been reported in phpESP, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20293/

--
[SA20291] AZ Photo Album Script Pro Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-26

luny has reported a vulnerability in AZ Photo Album Script Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20291/

--
[SA20289] Elite-Board "search" Parameter Cross-Site Scripting Vulnerability
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-26

luny has reported a vulnerability in Elite-Board, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20289/

--
[SA20285] Assetman Unspecified Script Insertion Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-29

Nomenumbra has reported some vulnerabilities in Assetman, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/20285/

--
[SA20282] iFlance Multiple Cross-Site Scripting Vulnerabilities
Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-26

luny has reported some vulnerabilities in iFlance, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/20282/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45


From isn at c4i.org Mon Jun 5 04:26:44 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:26:44 -0500 (CDT)
Subject: [ISN] HP printer drivers hit with Funlove virus
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000907

By Robert McMillan
IDG News Service
June 02, 2006

Hewlett-Packard Co. on Thursday pulled a printer driver from its Web site after security vendor BitDefender reported that the software was infected with the same computer virus that infected HP's drivers more than five years ago.

A BitDefender partner notified the security vendor of the infected driver software on Wednesday, and the company's security researchers soon determined that it had the same Funlove virus that had plagued HP in December 2000.

BitDefender notified HP of the problem on Wednesday, and the infected printer driver was removed from HP's Web site early Thursday, said BitDefender spokesman Vitor Souza. Until then, the virus was being distributed with the Korean version of the Windows 95/98 driver for HP's Officejet g85 All-in-One printer.

HP no longer sells the all-in-one printer, and current antivirus products are able to block the virus. So while the oversight is an embarrassment for HP, it's unlikely that many users were affected by Funlove.

Previously, HP had inadvertently distributed the Funlove virus in Japanese printer drivers that were made available on the company's Web site. Souza believes that HP most likely neglected to remove this particular infected driver back in 2000. "It's just like nobody had run a test against antivirus [software]," he said.

Even for users who fall prey to the virus, the consequences are not severe.
When it gets installed, Funlove pops up a text message that reads "Fun Loving Criminal," and then attempts to reboot the PC. On Windows NT machines, it attempts to change system settings so that files that can normally be seen only by administrators are visible to all.

HP executives were not immediately available to comment for this story.

BitDefender is owned by Softwin SRL, based in Bucharest, Romania.


From isn at c4i.org Mon Jun 5 04:26:21 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:26:21 -0500 (CDT)
Subject: [ISN] PaineWebber Systems Admin Faces Trial For Computer Sabotage
Message-ID:

http://www.informationweek.com/security/showArticle.jhtml?articleID=188700855

By Sharon Gaudin
InformationWeek
Jun 1, 2006

A former systems administrator for financial giant UBS PaineWebber goes on trial Tuesday for allegedly sabotaging two-thirds of the company's computer network in what prosecutors say was a vengeful attempt to profit from a crashing stock price.

Roger Duronio, 63, of Bogota, N.J., is facing federal charges in U.S. District Court in Newark in connection with the creation and planting of malicious code on more than 1,000 computers in the company's central office, as well as in approximately 370 branch offices.

When the malicious code, or "logic bomb," was triggered on March 4, 2002, it began deleting files and data, taking down many PaineWebber computers across the United States and hindering trading for days in some branch offices and for several weeks in others, according to Assistant U.S. Attorney Mauro Wolfe, lead prosecutor on the case.

The attack, according to the indictment, cost UBS PaineWebber, which was renamed UBS Wealth Management USA in 2003, $3 million just to assess and repair the damage. The company didn't submit a list of losses to the government based on business downtime or lost trading opportunities.
Chris Adams, Duronio's defense attorney and a partner at Walder Hayden & Brogan in Roseland, N.J., says the government has the wrong man. Duronio has pleaded not guilty to all charges. He has been free on bail awaiting trial for the past four years. Adams says he's not working in an IT position at this time.

According to Wolfe, Duronio is facing four counts: one count of computer intrusion, one count of mail fraud, and two counts of securities fraud.

The government contends that Duronio tried to profit from the attack on the network by driving down the stock price of the global investment banking and securities firm.

The government contends that in the months leading up to the planting of the logic bomb and the subsequent attack, Duronio, using the U.S. postal system, bought more than $21,000 worth of put option contracts on the stock of PaineWebber's parent company, UBS AG. A put option is not itself a stock but a contract that gains value when the price of the underlying stock drops. According to Wolfe, Duronio was betting the attack would cripple the company's network, and its stock would fall in the aftermath, allowing him to cash in. Because of this part of his alleged plan, Duronio is being charged with mail and securities fraud.

"Computers across the country pretty much all went down at once," says Wolfe. "System administrators started to receive phone calls that morning that certain computers weren't working. Within minutes, it escalated from one phone call to 10, 60, 70... over 100 phone calls. At or about 10 o'clock they realized it wasn't an isolated issue but all the computers across the network. It was just too much of a coincidence for that to happen... This [network] was designed so everything would not crash at once. The same network designed to not suffer that problem was suffering that exact problem."

And Wolfe says the man who was responsible for keeping that exact system up and running for three years was the one who ultimately took it down.
"The defendant was motivated by the fact that he was a disgruntled employee who was not happy with his salary," says Wolfe. "He wanted an annual salary of $175,000 guaranteed. And I think for the year 2001 he was paid about $13,000 less than that."

Insider Attacks

Attacks by corporate insiders, including IT professionals, are not an uncommon problem, according to last year's CSI/FBI Computer Crime Survey. With only slight variation from year to year, inside jobs occur as frequently as the highly publicized outside hacker attacks. Insider abuse, according to the survey, cost the surveyed U.S. companies $6,856,450 last year.

"Insider attacks are definitely more dangerous," says Eric Maiwald, a senior analyst for Burton Group, a research and consulting firm based in Midvale, Utah. "The average outside person generally doesn't have access to your systems. Their first job in attacking you is to get access, whereas the insider starts out with access. They're starting one step ahead of the game. You have some general expectation that they're not trying to cause you harm."

John O'Leary, director of education at the San Francisco-based Computer Security Institute, says companies have more to fear from insiders in general because they know where the weak points in the network are, and where the critical information is stored. But he adds that executives have far more to fear from IT workers, because they not only know how to get to the information but have the tools and the access rights to do it easily.

"It's easy [to do] because we give our techs a lot of trust, but it's difficult because we generally put compensating controls in place," says O'Leary. "Other [people] need to edit what these guys are doing. Someone needs to see what changes he made. If he could make changes without somebody noticing, then something is wrong."

Maiwald, though, says it's exceedingly difficult for companies to put in enough processes and controls to completely shut down someone with system administrator-level authority and access.

"It's only the trusted individuals who can betray you at that level," says Maiwald. "If someone is digging ditches for you, they don't have a lot of power. But your system administrator has a lot of power because it's part of the job. If you put too many controls on them, they can't do their jobs... There are controls that can be put in place to do such things but they require a company to be very watchful, along with additional staff, [and] specific procedures. And it's just not very easy to do that."

The Duronio Case

In this case, the government alleges that Duronio was a trusted employee - one with great access and authority - who used that against PaineWebber.

The charge of computer intrusion is based on the government's allegations that Duronio built the code for the logic bomb, installed it on Unix machines in PaineWebber's central office in Weehawken, N.J., and then pushed it out to about 1,000 computers across the company's national network. Wolfe says the malicious code was planted "from coast to coast."

The logic bomb, which was made up of only 50 to 70 lines of code, was built to delete every file on the system, according to the prosecution. Duronio, who quit his job at PaineWebber a few weeks before the bomb went off, also allegedly planted the code on the system's backup servers so that when IT workers tried to restore operations using backup tapes, those files were deleted as well.

The bomb was designed to go off every Monday at 9:30 a.m. - just as the stock market opened - in March, April and May of 2002. Trading, the lifeblood of the company, was interrupted because of the crippled network.
PaineWebber reported to the government that trading was hindered for a few days in larger locations, and for as long as a few weeks in some branch offices. According to the prosecution, 350 IBM support personnel were brought in to aid with the nationwide recovery effort. ''Could they trade? Yes. Could they trade the way they normally traded? No,'' says Wolfe. ''Normally... the broker would sit at his desk and go online and trade for you... If the client didn't know what the balance of their account was, they couldn't trade for them.'' The government also contends that Duronio planted the code piecemeal during the previous November and December from a remote location. Wolfe says records show that Duronio's password and user account information were used to gain remote access to the areas where the malicious code was built inside the PaineWebber network. The U.S. Secret Service, which is frequently called in to conduct criminal investigations and specifically cyber crime, executed a warrant on March 21, 2002, and allegedly found hard copy of the logic bomb's source code on the defendant's bedroom dresser. They also allegedly found the source code on two of his four home computers. ''The defendant used the information of the impending logic bomb attack,'' says Wolfe. ''He purchased securities. He bet against the company that the company stock would drop... He engaged in an artifice or scheme to fraud investors.'' Computer sabotage is a federal offense if it affects a computer used in interstate commerce and causes more than $5,000 worth of damage to the company over a 12-month span. Duronio faces a maximum sentence of 30 years, fines of up to $1 million and restitution for the $3.2 million PaineWebber spent on recovery. 
From isn at c4i.org Mon Jun 5 04:26:32 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 5 Jun 2006 03:26:32 -0500 (CDT) Subject: [ISN] Swedish police probe site crash Message-ID: http://news.com.com/Swedish+police+probe+site+crash/2100-7349_3-6079740.html By Reuters June 4, 2006 Sweden's domestic intelligence agency said it would probe why the government's Web site crashed on Sunday amid reports hackers had sought revenge for a crackdown on alleged online piracy. The government Web site went off line in the early hours of Sunday. The Internet home page of the national police crashed in similar fashion on Thursday. The police Web site problem came a day after the Pirate Bay Internet page, which the recording industry calls a major source for downloading pirated music and films, was shut by police. "They (the government) contacted us and wanted to make a police complaint that something has happened with their home page and it is now a question for us investigate if it is a crime or something else," said Anders Thornberg, a spokesman for the Security Police intelligence agency. Local media said hackers attacked both sites, now functioning again, after the clampdown on Pirate Bay. Pirate Bay is also up and running again. Sweden's Emergency Management Agency earlier warned all 31 bodies involved in emergency management, such as the police and rescue services, and all 21 local authorities to ensure they were safe from attacks on their Web sites. Newspaper Aftonbladet quoted a group called World Wide Hackers as saying they had arranged an attack on the government's Web site. Sweden last year banned the downloading of copyright protected music and movies from the Internet after being singled out for criticism by Hollywood. The raid on Pirate Bay was the latest of several actions against suspected online piracy. Critics say the police are heavy handed and that people should have access to free information via the Internet, including file sharing. 
Several hundred people demonstrated in Stockholm on Saturday in support of Pirate Bay. Story Copyright © 2006 Reuters Limited. All rights reserved. From isn at c4i.org Mon Jun 5 04:26:55 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 5 Jun 2006 03:26:55 -0500 (CDT) Subject: [ISN] DISA seeks input on insider threat tools Message-ID: http://www.fcw.com/article94741-06-02-06-Web By Bob Brewin June 2, 2006 The Defense Information Systems Agency wants industry input on tools that could counter insider threats to Defense Department information systems. DISA said traditional efforts to secure networks focus on outside threats, but insiders pose an equally damaging threat. And they can access DOD networks without detection by the security systems. DISA, in a request for information released June 1 [1], said it is looking for an insider threat focused observation tool that could be deployed on selected host DOD machines to aggressively gather and analyze data on inside threats. DISA said the insider threat tools would enhance the network security of DOD information systems. The host machines, installed on network end points, could be servers, desktop PCs or laptop PCs equipped with agent-based tools that can monitor insider network activity. The tool would collect data such as user IDs, computer type and the processes - e-mail clients, Web browsers, office management tools, database access - that monitored computers run. DISA said it wants tools that can then conduct user analysis on the collected data and warn of anomalies based on user profiles and behavior patterns. DISA envisions that the host machines would connect to a central manager that can handle as many as 250 hosts at a time, with hosts located within an enclave, such as local-area or base network. 
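The kind of per-user profiling the RFI asks for can be sketched in a few dozen lines: learn what each account normally runs, on which host type and at what hours, then flag records that leave that envelope. This is an added illustration, not DISA's or any vendor's code; the log format, user names and process names are constructed for the example.

```python
"""Added example: behaviour-baseline anomaly flagging over constructed
host-agent records (user ID, host type, process), the data the RFI describes.
Not DISA's or any vendor's code; all names and log lines are made up."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed training window: timestamp,user,host_type,process
BASELINE_LOG = """\
2006-06-01T08:02,jdoe,desktop,outlook.exe
2006-06-01T08:10,jdoe,desktop,iexplore.exe
2006-06-01T09:15,jdoe,desktop,winword.exe
2006-06-02T08:05,jdoe,desktop,outlook.exe
2006-06-02T10:30,jdoe,desktop,excel.exe
2006-06-01T07:50,asmith,laptop,outlook.exe
2006-06-01T08:20,asmith,laptop,sqlplus
2006-06-02T08:00,asmith,laptop,sqlplus
2006-06-02T11:00,asmith,laptop,firefox.exe
"""

# Constructed records from a later day, to be scored against the baseline
NEW_LOG = """\
2006-06-05T08:03,jdoe,desktop,outlook.exe
2006-06-05T23:40,jdoe,server,sqlplus
2006-06-05T08:15,asmith,laptop,sqlplus
2006-06-05T02:10,asmith,laptop,robocopy.exe
"""


@dataclass
class Record:
    timestamp: str   # "YYYY-MM-DDTHH:MM" (constructed format)
    user: str
    host_type: str   # desktop, laptop or server
    process: str

    @property
    def hour(self) -> int:
        return int(self.timestamp[11:13])


@dataclass
class Profile:
    """Per-user baseline learned from the training window."""
    processes: Set[str] = field(default_factory=set)
    host_types: Set[str] = field(default_factory=set)
    earliest_hour: int = 24
    latest_hour: int = -1


@dataclass
class Alert:
    record: Record
    reasons: List[str]


def parse_records(text: str) -> List[Record]:
    """Parse the constructed agent export; blank and comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, host_type, process = (p.strip() for p in line.split(","))
        records.append(Record(ts, user, host_type, process))
    return records


def build_profiles(records: List[Record]) -> Dict[str, Profile]:
    """Learn what each user normally runs, on what, and during which hours."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for r in records:
        p = profiles[r.user]
        p.processes.add(r.process)
        p.host_types.add(r.host_type)
        p.earliest_hour = min(p.earliest_hour, r.hour)
        p.latest_hour = max(p.latest_hour, r.hour)
    return dict(profiles)


def detect_anomalies(profiles: Dict[str, Profile],
                     records: List[Record]) -> List[Alert]:
    """One alert per record that deviates from its user's baseline.
    An account with no baseline at all is flagged outright."""
    alerts = []
    for r in records:
        p = profiles.get(r.user)
        if p is None:
            alerts.append(Alert(r, ["no baseline for user"]))
            continue
        reasons = []
        if r.process not in p.processes:
            reasons.append(f"new process {r.process}")
        if r.host_type not in p.host_types:
            reasons.append(f"new host type {r.host_type}")
        if not p.earliest_hour <= r.hour <= p.latest_hour:
            reasons.append(f"off-hours activity at {r.hour:02d}:00")
        if reasons:
            alerts.append(Alert(r, reasons))
    return alerts


def run_example() -> List[Alert]:
    """Score the constructed new-day records against the constructed baseline."""
    profiles = build_profiles(parse_records(BASELINE_LOG))
    return detect_anomalies(profiles, parse_records(NEW_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(a.record.timestamp, a.record.user, "|", "; ".join(a.reasons))
```

A real console would add counts per reason and a suppression list for expected changes (new software rollouts), otherwise the "new process" rule alone drowns the operator in alerts.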
The insider threat tools should also include a console, which is the central display and action point for collected user data and will provide the operator with real-time insight into user activity, the RFI states. DISA said it wants a tool capable of working with a wide range of operating systems including Microsoft Windows 2000, Windows XP, Windows NT4, Sun Microsystems Solaris, Unix and Linux. The due date for RFI responses is July 5. [1] http://www.fbo.gov/spg/DISA/D4AD/DITCO/RFI418/listing.html From isn at c4i.org Mon Jun 5 04:27:12 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 5 Jun 2006 03:27:12 -0500 (CDT) Subject: [ISN] BACK TO THE BUNKER Message-ID: http://www.washingtonpost.com/wp-dyn/content/article/2006/06/02/AR2006060201410.html By William M. Arkin The Washington Post June 4, 2006 On Monday, June 19, about 4,000 government workers representing more than 50 federal agencies from the State Department to the Commodity Futures Trading Commission will say goodbye to their families and set off for dozens of classified emergency facilities stretching from the Maryland and Virginia suburbs to the foothills of the Alleghenies. They will take to the bunkers in an "evacuation" that my sources describe as the largest "continuity of government" exercise ever conducted, a drill intended to prepare the U.S. government for an event even more catastrophic than the Sept. 11, 2001, attacks. The exercise is the latest manifestation of an obsession with government survival that has been a hallmark of the Bush administration since 9/11, a focus of enormous and often absurd time, money and effort that has come to echo the worst follies of the Cold War. 
The vast secret operation has updated the duck-and-cover scenarios of the 1950s with state-of-the-art technology -- alerts and updates delivered by pager and PDA, wireless priority service, video teleconferencing, remote backups -- to ensure that "essential" government functions continue undisrupted should a terrorist's nuclear bomb go off in downtown Washington. But for all the BlackBerry culture, the outcome is still old-fashioned black and white: We've spent hundreds of millions of dollars on alternate facilities, data warehouses and communications, yet no one can really foretell what would happen to the leadership and functioning of the federal government in a catastrophe. After 9/11, The Washington Post reported that President Bush had set up a shadow government of about 100 senior civilian managers to live and work outside Washington on a rotating basis to ensure the continuity of national security. Since then, a program once focused on presidential succession and civilian control of U.S. nuclear weapons has been expanded to encompass the entire government. From the Department of Education to the Small Business Administration to the National Archives, every department and agency is now required to plan for continuity outside Washington. Yet according to scores of documents I've obtained and interviews with half a dozen sources, there's no greater confidence today that essential services would be maintained in a disaster. And no one really knows how an evacuation would even be physically possible. Moreover, since 9/11 and Hurricane Katrina, the definition of what constitutes an "essential" government function has been expanded so ridiculously beyond core national security functions -- do we really need patent and trademark processing in the middle of a nuclear holocaust? -- that the term has become meaningless. 
The intent of the government effort may be laudable, even necessary, but a hyper-centralized approach based on the Cold War model of evacuations and bunkering makes it practically worthless. That the continuity program is so poorly conceived, and poorly run, should come as no surprise. That's because the same Federal Emergency Management Agency that failed New Orleans after Katrina, an agency that a Senate investigating committee has pronounced "in shambles and beyond repair," is in charge of this enormous effort to plan for the U.S. government's survival. Continuity programs began in the early 1950s, when the threat of nuclear war moved the administration of President Harry S. Truman to begin planning for emergency government functions and civil defense. Evacuation bunkers were built, and an incredibly complex and secretive shadow government program was created. At its height, the grand era of continuity boasted the fully operational Mount Weather, a civilian bunker built along the crest of Virginia's Blue Ridge, to which most agency heads would evacuate; the Greenbrier hotel complex and bunker in West Virginia, where Congress would shelter; and Raven Rock, or Site R, a national security bunker bored into granite along the Pennsylvania-Maryland border near Camp David, where the Joint Chiefs of Staff would command a protracted nuclear war. Special communications networks were built, and evacuation and succession procedures were practiced continually. When the Soviet Union crumbled, the program became a Cold War curiosity: Then-Defense Secretary Dick Cheney ordered Raven Rock into caretaker status in 1991. The Greenbrier bunker was shuttered and a 30-year-old special access program was declassified three years later. Then came the terrorist attacks of the mid-1990s and the looming Y2K rollover, and suddenly continuity wasn't only for nuclear war anymore. On Oct. 
21, 1998, President Bill Clinton signed Presidential Decision Directive 67, "Enduring Constitutional Government and Continuity of Government Operations." No longer would only the very few elite leaders responsible for national security be covered. Instead, every single government department and agency was directed to see to it that they could resume critical functions within 12 hours of a warning, and keep their operations running at emergency facilities for up to 30 days. FEMA was put in charge of this broad new program. On 9/11, the program was put to the test -- and failed. Not on the national security side: Vice President Cheney and others in the national security leadership were smoothly whisked away from the capital following procedures overseen by the Pentagon and the White House Military Office. But like the mass of Washingtonians, officials from other agencies found themselves virtually on their own, unsure of where to go or what to do, or whom to contact for the answers. In the aftermath, the federal government was told to reinvigorate its continuity efforts. Bush approved lines of succession for civil agencies. Cabinet departments and agencies were assigned specific emergency responsibilities. FEMA issued new preparedness guidelines and oversaw training. A National Capital Region continuity working group established in 1999, comprising six White House groups, 15 departments and 61 agencies, met to coordinate. But all the frenetic activity did not produce a government prepared for the worst. A year after 9/11, and almost three years after the deadline set in Clinton's 1998 directive, the Government Accounting Office evaluated 38 agencies and found that not one had addressed all the issues it had been ordered to. A 2004 GAO audit of 34 government continuity-of-operations plans found total confusion on the question of essential functions. One unnamed organization listed 399 such functions. 
A department included providing "speeches and articles for the Secretary and Deputy Secretary" among its essential duties, while neglecting many of its central programs. The confusion and absurdity have continued, according to documents I've collected over the past few years. In June 2004, FEMA told federal agencies that essential services in a catastrophe would include not only such obvious ones as electric power generation and disaster relief but also patent and trademark processing, student aid and passport processing. A month earlier, FEMA had told states and local communities that library services should be counted as essential along with fire protection and law enforcement. None of this can be heartening to Americans who want to believe that in a crisis, their government can distinguish between what is truly essential and what isn't -- and provide it. Just two years ago, an exercise called Forward Challenge '04 pointed up the danger of making everyone and everything essential: Barely an hour after agencies were due to arrive at their relocation sites, the Office of Management and Budget asked the reconstituted government to identify emergency funding requirements. As one after-action report for the exercise later put it in a classic case of understatement: "It was not clear . . . whether this would be a realistic request at that stage of an emergency." This year's exercise, Forward Challenge '06, will be the third major interagency continuity exercise since 9/11. Larger than Forward Challenge '04 and the Pinnacle exercise held last year, it requires 31 departments and agencies (including FEMA) to relocate. Fifty to 60 are expected to take part. According to government sources, the exercise will test the newly created continuity of government alert conditions -- called COGCONs -- that emulate the DEFCONs of the national security community. Forward Challenge will begin with a series of alerts via BlackBerry and pager to key officials. 
It will test COGCON 1, the highest level of preparedness, in which each department and agency is required to have at least one person in its chain of command and sufficient staffing at alternate operating facilities to perform essential functions. Though key White House officials and military leadership would be relocated via the Pentagon's Joint Emergency Evacuation Program (JEEP), the civilians are on their own to make it to their designated evacuation points. But fear not: Each organization's COOP, or continuity of operations plan, details the best routes to the emergency locations. The plans even spell out what evacuees should take with them (recommended items: a combination lock, a flashlight, two towels and a small box of washing powder). Can such an exercise, announced well in advance, hope to re-create any of the tensions and fears of a real crisis? How do you simulate the experience of driving through blazing, radiated, panic-stricken streets to emergency bunker sites miles away? As the Energy Department stated in its review of Forward Challenge '04, "a method needs to be devised to realistically test the ability of . . . federal offices to relocate to their COOP sites using a scenario that simulates . . . the monumental challenges that would be involved in evacuating the city." With its new plans and procedures, Washington may think it has thought of everything to save itself. Forward Challenge will no doubt be deemed a success, and officials will pronounce the continuity-of-government project sound. There will be lessons to be learned that will justify more millions of dollars and more work in the infinite effort to guarantee order out of chaos. But the main defect -- a bunker mentality that considers too many people and too many jobs "essential" -- will remain unchallenged. -=- William M. Arkin writes the Early Warning blog for washingtonpost.com and is the author of "Code Names: Deciphering U.S. 
Military Plans, Programs and Operations in the 9/11 World" (Steerforth Press). © 2006 The Washington Post Company From isn at c4i.org Tue Jun 6 06:03:36 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 6 Jun 2006 05:03:36 -0500 (CDT) Subject: [ISN] Spammer settles suit for $1 million Message-ID: http://news.com.com/2100-7348_3-6079868.html By Will Sturgeon Special to CNET News.com June 5, 2006 A major spammer who was accused of sending up to 25 million e-mails per day has settled a lawsuit with Microsoft and the state of Texas. The settlement has cost Ryan Pitylak $1 million, as well as the seizure of many of the assets he accumulated during a short-lived career as one of the world's worst spammers. At the peak of his spamming activity, the 24-year-old Texas resident was listed as the world's fourth most-prolific spammer by antispam group Spamhaus. Now Pitylak is claiming something of an epiphany, saying he has seen the error of his ways and will dedicate his efforts to trying to rid the world of nuisance e-mail. He has even taken to referring to himself as an "antispam activist" in an apparent change of heart of epic proportions. On Saturday, Pitylak wrote in his blog: "Over time I have come to see how I was wrong to think of spam as just a game of cat and mouse with corporate e-mail administrators. I now understand why so much effort is put into stopping it. The settlements with Microsoft and the Attorney General's Office have been a serious reality check: harsh but good, and in the public's best interest." He added: "I am pleased to announce that I am now a part of the anti-spam community, having started an Internet security company that offers my clients advice on systems to protect against spam. I'm now working earnestly to help other entrepreneurs avoid the traps that deceived me and led me to make questionable business choices." Will Sturgeon of Silicon.com reported from London. 
From isn at c4i.org Tue Jun 6 06:03:03 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 6 Jun 2006 05:03:03 -0500 (CDT) Subject: [ISN] Wal-Mart's data center remains mystery Message-ID: http://www.joplinglobe.com/local/local_story_148015054/ By Max McCoy The Joplin Globe Globe Investigative Writer May 28, 2006 JANE, Mo. - Call it Area 71. Behind a fence topped with razor wire just off U.S. Highway 71 is a bunker of a building that Wal-Mart considers so secret that it won't even let the county assessor inside without a nondisclosure agreement. The 125,000-square-foot building, tucked behind a new Wal-Mart Supercenter, is only a stone's throw from the Arkansas line and about 15 miles from corporate headquarters in Bentonville, Ark. There is nothing about the building to give even a hint that Wal-Mart owns it. Despite the glimpses through the fence of manicured grass and carefully placed trees, the overall impression is that this is a secure site that could withstand just about anything. Earth is packed against the sides. The green roof - meant, perhaps, to blend into the surrounding Ozarks hills - bristles with dish antennas. On one of the heavy steel gates at the guardhouse is a notice that visitors must use the intercom for assistance. What the building houses is a mystery. Speculation Wal-Mart's ability to crunch numbers is a favorite of conspiracy theorists, and its data centers are the corporate counterpart to Area 51 at Groom Lake in the state of Nevada. According to one consumer activist, Katherine Albrecht, even the wildest conspiracy buff might be surprised at just how much Wal-Mart knows about its customers - and how much more it would like to know. "We were contacted about two years ago by somebody who runs a security company that had been asked in a request for proposals for ways they could link video footage with customers paying for their purchases," Albrecht said. 
"Wal-Mart would actually be able to view photos and video of customers paying, say, for a pack of gum. At the time, it struck me as unbelievably outlandish because of the amount of data storage required." But Wal-Mart, according to a 2004 New York Times article, had enough storage capacity to contain twice the amount of all the information available on the Internet. For the technically minded, the exact figure was 460 terabytes of data. The prefix tera comes from the Greek word for monster, and a terabyte is a trillion bytes, the basic unit of computer storage. Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering, said she never could confirm the contractor's story. That is not surprising, since Wal-Mart seldom comments on its data capabilities and operations. A Globe request for information about the Jane data center was referred at Wal-Mart headquarters to Carrie Thum, a senior information officer and former lobbyist for the retailer. "This is not something that we discuss publicly," Thum said. "We have no comment. And that's off the record." Skeleton crew The Jane data center is an enigmatic icon to the power of data, which has helped Wal-Mart become the largest retailer in the world, and to the corporation's growing secrecy since founder Sam Walton's death in 1992. When Wal-Mart constructed its primary data center at corporate headquarters in 1989, it wasn't much of a secret: It was the largest poured concrete structure in Arkansas at the time, and Walton himself ordered a third story. "Not only had we completely designed it, we were under construction," said Bill Ferguson, a founder of Askew Nixon Ferguson Architects in Memphis, Tenn. 
"They were pouring foundations, and Sam walked across the parking lot one Friday at the end of the day and said, 'You know, let's add a third floor and put some people up there.'" Ferguson said the Bentonville data center is built on bedrock and is designed to withstand most natural and man-made disasters, but is not impregnable. The biggest danger, he said, is the area's frequently violent thunderstorms. "We studied making it tornado-proof, which is difficult," he said. "We calculated the probability of a category 5 tornado hitting it, which was less likely than an airplane crashing into it head-on. At the time, they decided not to." Since then, Ferguson said, changes have been made to increase the integrity of the structure. The data center was designed with backup generators, fuel on site, and room and board for a skeleton crew in the event an emergency required an extended stay. Ferguson said his firm learned to design data centers by working with FedEx, which also is based in Memphis, and that the 1989 Wal-Mart data center was built so that it could communicate via any means available - including copper wire, fiber optics and satellites. The firm no longer works with Wal-Mart, and Ferguson said he had no knowledge of the design or purpose of the data center in Jane. But he suggested that Jim Liles, a Memphis engineer, might know. Liles said he was a consultant on the Jane project, and that Crossland Construction was the contractor, but he was reluctant to say much else. "As far as what its purpose is, all that has to come from Wal-Mart," Liles said. Crossland Construction, based in Columbus, Kan., said Tim Oelke of the company's Rogers, Ark., office had been in charge. Oelke did not return a phone call seeking comment. 'Never saw a plan' The data center was completed in 2004 and was part of a project that included the Supercenter, which opened early last year, and a warehouse. 
The resulting economic impact on McDonald County, known for its rolling hills and lazy rivers, is difficult to underestimate, said Rusty Enlow. "Just a few years ago, one new store would have been a big deal," Enlow said. "And I'm not talking about a Supercenter. Just a gas station would have generated excitement." Now, Enlow said, the county's tax base has doubled, and land is going for about $2,100 an acre, about twice what it was before the project was announced in 2001. Enlow is chairman of the county planning commission, a body created by popular vote in 1964 but which had not met until this month. Enlow said he doesn't know why the commission never met, but he believes it was because whatever problem prompted its creation was solved before the board was appointed. He also said he's not sure the planning commission has any real authority, or would want any (there is no zoning in the county), but that he and the other 18 members are eager to bring even more business into the county. "It seems with the opening of that store there has just been a lot of activity," he said. "McDonald County has always been a poor county, but we are in an excellent position now. We're a friendly place, and we're open to things." Wal-Mart, Enlow said, had created a business synergy that was helping the county of 22,000 shed its hillbilly stereotype. Enlow was director of the McDonald County Economic Development Council when Wal-Mart quietly began scouting for land. Only after the land had been bought south of the then-unincorporated community of Jane was it announced that the project was Wal-Mart's, and even then, plans for the data center were closely held. "I never even saw a plan on it," Enlow said. But Enlow said he watched during the construction of the data center, and that it appeared to be a single-story building that was built "like a bunker," with mounds of earth piled against the sides. 
He later was told that it would employ 15 to 20 people, and that the building was for data storage. To facilitate the project, the Missouri Department of Transportation agreed to widen Highway 71 to four lanes from Jane to the Arkansas line; a grant was used to expand the public water district; and the Army Corps of Engineers approved a request to fill in a small portion of wetland along Bear Hollow Road. Meanwhile, the village of Jane incorporated. In April 2005, Wal-Mart used the 160,000-square-foot Supercenter to demonstrate its micro-merchandising capabilities as part of a media conference. Employees demonstrated hand-held Telxon (pronounced Tel-zon) computers, which resemble hand scanners but hold a year's worth of a particular store's sales history on every item. The devices help store managers decide what to stock. Bananas are Wal-Mart's best-selling produce product nationwide, but at Jane, the top seller was lettuce, Supermarket News reported after the event. 'Secretive' Bill Wilson, McDonald County presiding commissioner, said he has never been inside the green-roofed data center, and that to his knowledge, only one county official has: Assessor Laura Pope. "I had to sign a document saying that I wouldn't talk about what's in there," Pope said. "I've never been in a situation to tour anything like that before. I don't want to be secretive about it. Basically, it houses computer equipment." Pope said she had never been asked to sign a nondisclosure agreement before in her job as assessor, and that she didn't keep a copy. She said she didn't appraise the building and equipment, but rather came to an agreement with Wal-Mart on what it was worth. They agreed that the data center would be worth $10.7 million at fair market value, she said. The equipment inside the center was judged to be worth nearly three times as much: $31.7 million. 
The taxes that Wal-Mart paid last year on the data center totaled just more than $500,000: $128,091 for the real estate and $373,091 for the equipment. Pope said she did not place a value on the data stored at the building. At an estimated worth of $42.4 million, is the Wal-Mart data center at Jane important enough to the infrastructure of the state - or the country - to be on Missouri's list of critical assets? Paul Fennewald, Missouri Homeland Security coordinator, said the list is confidential, and that he could neither confirm nor deny that the Jane building is on it. He did say that the list includes 4,000 to 4,500 sites across the state. 'Retail surveillance' Albrecht, the consumer activist, said that when the contractor came to her with the story about Wal-Mart wanting to biometrically identify customers through video, one of the reasons given was to help law enforcement. "You could search for all sales of a particular kind of rope and get a photo of who bought it," she said. "On the other end, you could research all of the purchases of a particular individual, even if they paid in cash." Albrecht is the co-author of "Spychips," about the use of RFID, or radio frequency identification devices, by the government and corporations to track individuals. She lives in Nashua, N.H., and is getting ready to receive a doctorate of education in consumer education. "To the best of our knowledge, the only consumer-level item that is (RFID) tagged at Wal-Mart are Hewlett-Packard products and some Sanyo television sets," she said. "Now, the privacy implications of that are fairly trivial, because you're not going to be walking down the street carrying your printer box in your back pocket." But in 2003, she said, Wal-Mart did two experiments using RFID on smaller items: razor blades and lipstick. At Brockton, Mass., Albrecht said, the company used a surveillance camera on a shelf that was linked to chips in packages of razor blades. 
When someone picked up a package, she said, the shelf camera would be activated. Another camera would take a mug shot of the customer at the checkout stand. At Broken Arrow, Okla., she said, the company linked devices in packages of lipstick that triggered a camera that allowed the lipstick manufacturer to watch consumers on live video. The experiments apparently were aimed at decreasing theft or for use in merchandise research, she said. "Since 1999, I've been working on a phenomenon called retail surveillance, which is a whole panoply of technologies that are being secretly deployed," she said. "I think most people, when they learn about these technologies, are quite disturbed. There's a sense that when you enter a retail space, you should retain some degree of privacy." But, Albrecht said, there's a push among retailers to collect as much information about their customers as possible - and to keep the lower-profit individuals, known as "barnacles" and "bottom-feeders," away. "There's a lot of hand-wringing about how we can find out even more about our customers," she said. "And to the extent that Wal-Mart may be creating the ability to monitor consumers by RFID and identify them by video, I'm extremely concerned. ... If that's the case, they would need that kind of data storage." Wal-Mart's stand on RFID "Electronic product codes (EPCs) can best be described as the next generation of bar codes. Unlike current bar codes, which only share that a carton contains product XYZ, EPCs can identify one box of product XYZ from another box of product XYZ. "This is possible because EPCs are powered by radio frequency identification or RFID. EPCs do not track customers. ... EPCs assist retailers in more closely monitoring where products are as they move from manufacturers to warehouses to a store's backroom. "This helps us do a better job of having the right products on the shelves when you come to buy them." 
Source: www.walmart.com From isn at c4i.org Tue Jun 6 06:03:25 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 6 Jun 2006 05:03:25 -0500 (CDT) Subject: [ISN] Cybercrime spurs college courses in digital forensics Message-ID: http://www.usatoday.com/tech/news/techinnovations/2006-06-05-digital-forensics_x.htm By Jon Swartz USA TODAY 6/5/2006 SAN FRANCISCO - One of the hottest new courses on U.S. college campuses is a direct result of cybercrime. Classes in digital forensics - the collection, examination and presentation of digitally stored evidence in criminal and civil investigations - are cropping up as fast as the hackers and viruses that spawn them. About 100 colleges and universities offer undergraduate and graduate courses in digital forensics, with a few offering majors. There are programs at Purdue University, Johns Hopkins University, the University of Tulsa, Carnegie Mellon University and the University of Central Florida. Five years ago, there were only a handful. "I teach students to be like (TV supersleuth) MacGyver," says Sujeet Shenoi, a computer science professor at the University of Tulsa. Traditional students, police officers, government employees and aspiring security consultants are taking the courses as more crooks stash ill-gotten data and goods on PCs, PDAs, cellphones, network servers, iPods and even Xboxes. Students learn where to find digital evidence and handle it without contaminating it. Once preserved, students are shown how to examine evidence and present it clearly during court testimony. "If you revert to geek speak, you can lose a judge, jury and prosecutor," says Mark Pollitt, a digital forensics professor at Johns Hopkins University who retired in 2003 after 20 years as an FBI agent. Digital forensics is considered a crucial weapon in law enforcement's escalating war against computer-related crimes. 
The science is used in criminal investigations; civil cases such as employment lawsuits where personnel records and e-mail correspondence are sought; and by companies faced with cyberattacks. Plus, there are evolving state and federal laws that define how evidence is handled in civil cases. The evidence is particularly important in the seizure of data for child pornography cases, which comprise a majority of criminal investigations in the USA, says Marcus Rogers, an associate professor who heads the computer forensics program at Purdue University's College of Technology. The FBI handled more than 9,500 computer forensics cases in fiscal year 2005, which ended in September, compared with about 3,600 in fiscal 2000, according to an FBI briefing. The crush of cases has domestic intelligence agencies such as the National Security Agency and the CIA, local law-enforcement officials and companies clamoring for experts in finding and preserving digital evidence, security experts say. "There is a thirst in government agencies for (cyberinvestigators)," Pollitt says. There appears to be no shortage of suitors. Since he enrolled in Purdue's master's program last fall, Blair Gillam says he has been approached by recruiters representing government agencies and the private sector. From isn at c4i.org Tue Jun 6 06:04:01 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 6 Jun 2006 05:04:01 -0500 (CDT) Subject: [ISN] REVIEW: "Perfect Passwords", Mark Burnett Message-ID: Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" BKPRFPWD.RVW 20060420 "Perfect Passwords", Mark Burnett, 2006, 1-59749-041-5, U$24.95/C$34.95 %A Mark Burnett %C 800 Hingham Street, Rockland, MA 02370 %D 2006 %G 1-59749-041-5 %I Syngress Media, Inc. 
%O U$24.95/C$34.95 781-681-5151 fax: 781-681-3585 amy at syngress.com %O http://www.amazon.com/exec/obidos/ASIN/1597490415/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1597490415/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1597490415/robsladesin03-20 %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation) %P 181 p. %T "Perfect Passwords: Selection, Protection, Authentication" Those of us in the security field know that users are generally bad at creating passwords, and that passwords that are easily guessed or found account for huge numbers of security incidents. Therefore, I am in full sympathy with a book that attempts to lay out some guidance on password choice. However, Burnett's work calls to mind the old joke that lists all kinds of restrictions on password selection, and finally admits that only one possible password actually fits the criteria, and will all users please contact tech support to be issued with that password. Chapter one tells us that people choose weak passwords, and gives a number of lists of such poor choices, without an awful lot of explanation. (Burnett also states that the choice of strong passwords provides non-repudiation, which is a rather strange position. One could make a case that the deliberate choice of a vulnerable password would allow the user to later claim that their account had been hacked, and therefore assist with repudiation, but the reverse doesn't necessarily hold.) Various types of password cracking techniques are given in chapter two. This begins to show the inconsistencies and contradictions that plague the text: at one point we are told that any password less than fifteen characters is "immediately" available to attackers, but elsewhere it is suggested that a ten character password is a wise choice. (Although brute force cracking is discussed extensively, there is, oddly, no mention of the implications of Moore's Law.) 
There is a good discussion of the vital issue of randomness in chapter three, although there are numerous gaps, and, again, erratic suggestions. Chapter four covers character sets and address space. Unfortunately, it is rather impractical (as are other areas of the manual) due to a lack of recognition of character restrictions. Password length is addressed in chapter five, covering many of the same concepts as in four. It is also the most useful of the material to this point in the book, suggesting ways to lengthen and harden passwords already chosen and preferred. (Some of the advice is suspect: bracketing is easy to add to automated password cracking programs, and even Burnett admits that "colorization" is a weak idea due to the limitations on selection.) Chapter six takes an extremely terse and abbreviated look at password aging, but all that is really said is that it is inconvenient. Miscellaneous advice about using, remembering, storing, and managing passwords is given in chapter seven. Chapter eight provides password creation tips, but these are, after some of the previous material in the book, rather weak, and typically boil down to the use of passphrases and long passwords. Five hundred weak passwords are listed in chapter nine, but the purpose of the list is not clear. As with chapter one, the passwords are not analysed for strength in any way, and, even if you want to check your favourite against the list, it isn't in alphabetical order. Additional password creation tips are in chapter ten, these slightly more useful. We are told, in chapter eleven, to make complex passwords, uncommon passwords, and not to tell anyone our passwords. Chapter twelve suggests having a regular "password day" set aside to concentrate on changing passwords and creating strong ones. Other forms of authentication are discussed in chapter thirteen. While the advice and information given in the book is not bad, it seems to posit a fairly ideal world. 
A number of practical items can assist users with password choice, but a number of realistic considerations are ignored. Readers may also be confused by the lack of constancy in the recommendations. Certainly the structure of the text could use work: concepts are repeated in different chapters, and the advice seems to be aggregated and presented at random. There is good advice in this manual, but it lacks focus. The average computer user would probably receive a lot of benefit, but is unlikely to purchase or read anything this size on this topic. (A pocket sized volume, along the lines of the O'Reilly "Desktop Reference" series would be ideal.) System administrators would be able to understand and use the material in the book, although much of the content is either known or available. On balance, I would recommend that this primer is important, but definitely needs work. copyright Robert M. Slade, 2006 BKPRFPWD.RVW 20060420 ====================== (quote inserted randomly by Pegasus Mailer) rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org "Dictionary of Information Security" Syngress (forthcoming) 1597491152 Any fool can criticize, condemn and complain - and most do. - Dale Carnegie (1888-1955) http://victoria.tc.ca/techrev/rms.htm From isn at c4i.org Tue Jun 6 06:05:23 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 6 Jun 2006 05:05:23 -0500 (CDT) Subject: [ISN] Oracle mends fences with security researchers Message-ID: http://computerworld.co.nz/news.nsf/0/FB208DAE086D24ABCC2571810014C73E?OpenDocument By Robert McMillan San Francisco 6 June, 2006 Oracle once marketed its database as "unbreakable," but security researcher David Litchfield has a less inflated opinion of the software. "God forbid that any of our critical national infrastructure runs on this product," he said recently on the widely read Bugtraq security mailing list. "Oops it does." 
Security researchers like Litchfield, managing director of Next Generation Security Software, based in Sutton, UK, make their living finding flaws in other people's software. And, while this can put them at odds with software makers, the relationship between Oracle and people like Litchfield has been particularly bad. In Litchfield's case, the problems go back to 2004, when he published details of an unpatched Oracle vulnerability in a presentation written for the Black Hat security conference. By Litchfield's account, Oracle had given him the go-ahead to discuss the vulnerability, but changed its mind at the last minute. Litchfield changed the topic of his presentation, but he was unable to remove his slides from the conference hand-out. The next day, the Wall Street Journal wrote about the flaws and, ever since, the relationship between Oracle and the tight network of security researchers who hack its products has been tense. This antagonism has prevented Oracle from receiving the independent testing and security advice that would have improved its products, says Cesar Cerrudo, chief executive officer of security research firm Argeniss, based in Parana, Argentina. "Oracle has ignored researchers and also attacked them, saying that researchers are the problem," he says. "The problem is Oracle's flawed software and Oracle's amateur handling of security related issues." From Oracle's perspective, researchers like Litchfield profit from the publicity they get for exposing Oracle's security flaws, but that exposure comes at a price: more risk for Oracle's customers. There is often little upside to cooperating with companies that do not understand Oracle and who profit from publishing security vulnerabilities, according to Oracle's chief security officer, Mary Ann Davidson. "What I really want is a world where there can be fair and accurate criticism," she says. "I'm all for dialogue, but you have to establish trust." 
In the past few months, however, there have been a few signs that things may be changing at the Redwood Shores, California, company. Oracle is becoming better at communicating with the research community, says Darius Wiles, manager of Oracle Security Alerts. Wiles' team is now working out a new system which will let bug reporters outside the company know they are not being ignored. "Once a month, going forward, we'll provide them with a list of everything that has not yet been fixed and indicate whether it's still under investigation or whether it's been fixed." Taking a cue from Microsoft, Oracle has even launched its own security blog and Oracle no longer talks about its products as being unbreakable. Davidson says that the first time she heard the marketing slogan, she thought, "What idiot dreamed this up?" This outreach is starting to pay off. Earlier this month, Litchfield wrote an uncharacteristically positive Bugtraq posting about the company. He says that he believes Oracle's products are becoming more secure and even had some praise for his long-time nemesis, Davidson. "Another thing that struck me was the amount of effort and time that it must have taken to get a lumbering stegosaurus of a beast like Oracle to turn around," he wrote. "Dare I say it, well done, Mary." Though Oracle executives may not like having their company compared to a Jurassic era dinosaur, this is far and away the most complimentary Litchfield has been since the Black Hat presentation. Still, the database giant is unwilling to go as far as its competitor Microsoft in embracing the so-called "white hat" hackers. Microsoft has invited researchers, including Litchfield and Cerrudo, to its Redmond, Washington, campus for twice-yearly hacker conferences, called Blue Hat. Microsoft says that Blue Hat helps them make their products more secure, but don't expect Oracle to invite hackers over to Redwood Shores, California, anytime soon. Such an event is really not necessary, Davidson says. 
"Microsoft had to go with the hacker love fest model because they're a big target," she says. Davidson believes that Oracle and Microsoft have very different pedigrees when it comes to security. She says that security has been built into the development of Oracle's products for years now, a by-product of its long history of government use. The US Central Intelligence Agency was one of Oracle's first customers, she claims. Oracle's security team doesn't simply fix bugs. When a new flaw is discovered, researchers make sure that what they've learned also translates into secure coding practices for the development team. "For at least 12 years we have built security into the formal development process," Davidson says. While Oracle has improved the security of some products, like the recent Oracle 10g Release 2 database, the company still has a lot of work to do, says Cerrudo. "They said recently that they will change the way they communicate with researchers, giving more feedback information, but nothing has happened yet," he says. "Right now the only feedback you get is the day before a patch is released they [tell] you your bug is going to be patched and nothing else." For all of the Oracle bugs that have been found, there has never been a widespread Oracle attack like the Slammer worm which disabled Microsoft SQL Server machines worldwide in 2003. But some observers say that Oracle's reputation for security has more to do with the fact that the database is typically buried in the bowels of datacentres, and hidden behind corporate firewalls, far from the prying eyes of hackers. And, while users who have not exposed their databases to queries from outside partners or customers may not be staying up late at night worrying about Oracle's security, they do have concerns about the future. "We're in a nervous state, but we think it's manageable risk," says Hal Kuff, a technology services manager with Tessco Technologies, in Hunt Valley, Maryland. 
Users must first be inside Tessco's local area network in order to query the database, Kuff says. "If we were to pursue an Oracle environment, where we invited direct connectivity from outside partners, we would reconsider our security posture." As these outside connections become more common, thanks to grid computing and internet applications, outside experts like Litchfield could become important to Oracle, Kuff says. "As Oracle becomes more pervasive, they should absolutely explore a relationship with the so called "white hat" hackers," he says. "The people that are willing to sit down with them at the table are one of their only defences against the people who will not sit down with them at the table." The pervasiveness Kuff talks about may be closer than many people realise. Late last year, Litchfield conducted a survey of nearly half a million computer systems on the internet and found nearly as many Oracle databases exposed as he did Microsoft SQL server systems. Extrapolating from his data, Litchfield estimated there were about 140,000 Oracle servers not firewalled on the internet. There are about 210,000 Microsoft SQL Servers similarly unprotected, he says. "This is just a myth, that Oracle is in the back-end of nowhere protected by all these firewalls," he says. Still, like Microsoft, Oracle has reached a turning point and is clearly making much more secure products, Litchfield says. Finding bugs has become harder with the latest releases of its database and, while Litchfield will undoubtedly remain a thorn in Oracle's side, he realised earlier this month that the time had finally come to soften his rhetoric. "I just got weary to be honest," he says. "You see, they will get to the point of having a secure product at some time - but all without acknowledging that they were dragged to that point kicking and screaming." Copyright ©
2005, IDG Communications New Zealand Limited From isn at c4i.org Wed Jun 7 01:07:30 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 7 Jun 2006 00:07:30 -0500 (CDT) Subject: [ISN] Despite breaches, companies seen as lax on protecting data Message-ID: http://www.mercurynews.com/mld/mercurynews/business/technology/14754071.htm By Aman Batheja Fort Worth Star Telegram Jun. 06, 2006 FORT WORTH, Texas - Another week, another huge breach of personal data. Dallas-based Hotels.com announced last week that credit-card numbers and other personal information on about 243,000 of its customers were on a laptop computer stolen from a car in February. Last month, the Veterans Affairs Department announced that personal information of 26.5 million veterans was compromised after a laptop and disks were stolen from the home of a data analyst. Information on 1.3 million more people who borrowed money through the Texas Guaranteed Student Loan Corp. was lost in May while in possession of a contractor. Despite the growing list of blunders, most companies still aren't doing enough to protect their customers' data, according to security experts. The reasons are largely the prohibitive costs of securing mobile devices and a lack of public concern. "Until businesses are held accountable ... legally, financially and by customer demand for protecting that information, they're not in any strong hurry to make it happen," said Rick Fleming, chief technology officer with Digital Defense, a San Antonio-based network security firm. The Hotels.com data breach stems from an audit of the company's transactions performed by Ernst & Young. The laptop was stolen from the car of an analyst with the accounting firm. Hotels.com spokesman Paul Kranhold said the incident occurred in Texas but would not say where. He would not confirm nor deny news reports that indicated that the theft occurred in the Dallas area. The laptop required a password to use it. 
A file on the computer has information mostly on customer transactions from 2004, although some are from 2003 and 2002. The information on the file may have included customers' names, addresses and some credit- or debit-card information, according to a statement released by Ernst & Young. Hotels.com is sending letters to every customer whose data may have been on the laptop. Ernst & Young has set up a call center to address questions or concerns involving the incident. The accounting firm has also arranged for those affected to sign up for a credit-monitoring service for a full year for free. The information on the laptop was not encrypted, a practice of protecting information by transforming it into an unreadable code. Ernst & Young spokesman Charlie Perkins said the company had begun installing encryption systems on all of the company's laptops earlier this year, but the one with the Hotels.com data did not have the system yet. Ernst & Young has promised Hotels.com that it will take extra steps to protect the company's data in the future, including encrypting sensitive information. It has set up a toll-free phone number to help those who may be in danger of identity theft: 866-387-2242. Encryption is one of the most effective and efficient ways of securing information on a laptop, said Mike Stute, chief technology officer for Global DataGuard, a security risk-management company in Dallas. Companies, especially larger ones, are hesitant to spend up to several hundred dollars per laptop to encrypt data, Stute said. "The truth is, the $1,000 laptop is trivial compared to the data on the machine," Fleming said. "I don't understand why every company doesn't do it." Even a good encryption program is only as safe as the person operating it. A hacker can easily overcome an encryption system that's protected by a password if the user picked an easy one to guess, Fleming said. 
A more secure system includes an encryption token, a small object that must be plugged into the laptop's USB port to decrypt the information. That type of system can be extremely effective -- as long as the laptop and the token are kept apart. Fleming recalled seeing a man in an airport with an encryption token taped to his laptop, thereby defeating the purpose of having the token at all. A slew of large data breaches have surfaced in the past year mainly because laws passed in several states now require companies to report these embarrassing mistakes. California started the trend of data-breach laws in 2003. The Texas Breach of Computer Security Statute went into effect in September. "There's no question that the states are taking the lead on identity theft," said Ed Mierzwinski, consumer program director for the Texas Public Interest Research Group. A handful of bills working their way through Congress would make data-breach notification a national law. Depending on which bill passes, companies may be required to report any data breaches where there's a chance for identity theft or fraud, or only when there's a good chance of misuse of the data. No matter what laws are passed, Stute doubts that companies will get more serious about protecting sensitive data until the technology becomes cheaper and easier to use. He noted that they have little motivation, considering that most of the major data breaches over the last year have not appeared to impose any lasting damage to the image of the company at fault. "It never seems to stop consumers anyway," Stute said. "It's bad press, but it doesn't seem to hit home with anybody." From isn at c4i.org Wed Jun 7 01:07:44 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 7 Jun 2006 00:07:44 -0500 (CDT) Subject: [ISN] Fraidy Cat Marketing Message-ID: http://www.forbes.com/home/free_forbes/2006/0605/100.html By Matthew Rand and David Whelan 06.05.06 To sell antivirus software, first you must sell the fear. 
Verisign, the intrepid Web security giant, issued an ominous warning in December. It predicted an imminent invasion by a worm called Sober, which would infect networks worldwide and clog up the Internet. It would be timed to coincide with the 87th anniversary of the founding of the Nazi party. Other firms joined in a chorus of worry, offering an abundance of soundbites for news outlets. Then in January dozens more reports, similarly circulated by security firms, warned that an e-mailed virus called Kama Sutra would ruin PCs from Seattle to Sri Lanka. Neither outbreak ever occurred. Two small security software outfits claimed credit for blocking Kama Sutra, but Microsoft said later the threat was overblown. Vincent Weafer, who runs the security response division at Symantec, the world's largest seller of antivirus software, concedes both threats were duds and that his rivals overhyped them. "To get attention, you pick something new and say the sky's falling down," he says. Fear-mongering sparks big business in the thriving computer security industry. Spending will grow 18% this year to $38 billion. In 1995 venture capitalists backed all of 3 new security firms; last year they funded 96 newcomers. To stir up business, they ply fearful forecasts and ominous ads. RSA Security's annual conference in San Jose, Calif. drew 14,000 this year, up from 10,000 in 2004. Some 4,000 attendees paid the full $1,100 to $1,900 to get spooked in person. The fetish for fretfulness has gotten old. U.S. losses last year from corporate security breaches "declined dramatically," say the Computer Security Institute and the Federal Bureau of Investigation, to $130 million based on a survey of 639 companies. (Other incidents go undetected because companies are too ashamed to report them.) Three-quarters of companies said they had some virus problems last year, but 94% said so in 2001. 
The improving stats have done little to lift the security industry's mood. Symantec recently warned that instant messaging would be the next source of threats, while flogging a new product that scans instant messages for viruses. In 2003 it called cell phones "the Achilles heel," while promoting new wireless products. "Chief executives are like consumers. They are heavily influenced by what they see on CNN or in the newspapers," says Symantec's Weafer. The antivirus warriors lately have conducted surveys to highlight a glaring security weakness: the gullibility of a company's own employees. Never mind that even their toughest products can't protect much against same. Offered the chance to win chocolate Easter eggs, 81% of London commuters polled gave out their birthdays, pet names and other personal data, possible clues for cracking into their e-mail accounts. The pollsters were hired by the organizers of the Infosecurity Europe conference. Before the same conference two years ago RSA Security performed a similar stunt and found that 79% of people gave out this kind of personal information--free. That prompted a press release: "Internet identity theft threatens to be the next crime wave to hit Britain." In the U.S., RSA, which sells electronic tokens that generate randomized passwords, hired a perky team in "I Love NY" T shirts to scour Central Park and sweet-talk tourists into giving out their mothers' maiden names; 70% did. Newscasts in San Francisco, Miami and Boston ran the story. Christopher Young, an RSA vice president, bristles at any suggestion that the surveys were aimed at stoking sales. "It's hardly that direct." The surveys, he says, are used only to "raise awareness." Some 70% of security breaches are caused by human error, says a March 2006 survey by the Computing Technology Industry Association. 
Brian Boetig, a supervisory special agent with the FBI's computer crime unit in San Jose, Calif., describes the typical breach: "When you fire an employee and don't change their password, they can get into the system and get information to a competitor." No technical solution there. Says Boetig: "There are people creating problems so they can fix them. But that's marketing for you." © Forbes.com Inc. - All Rights Reserved From isn at c4i.org Wed Jun 7 01:08:04 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 7 Jun 2006 00:08:04 -0500 (CDT) Subject: [ISN] Commerce sets up IT security education program Message-ID: http://www.gcn.com/print/25_14/40927-1.html By Patience Wait GCN Staff 06/05/06 issue The first step toward better information security in the government is to provide more training for the people responsible for keeping systems safe. That's the approach being taken by Nancy DeFrancesco, chief information security officer for the Commerce Department. With DeFrancesco as the champion, the department is implementing an education and training program for its information security professionals that she hopes will develop into a center of excellence within the Security Line of Business initiative established by the Office of Management and Budget. DeFrancesco convinced the department last month to hire (ISC)2 Inc. of Palm Harbor, Fla., to provide courses for employees to earn designations as Certified Information Systems Security Professionals (CISSP), System Security Certified Professionals (SSCP) and Certification and Accreditation Professionals (CAP). "Education is a large part [of our IT budget] because I make it that way," DeFrancesco said. "I have a commitment from the Secretary of Commerce [Carlos M. Gutierrez] that it's important." For the past two years, IT security professionals in the department had been using the Office of Personnel Management's online learning center. 
But DeFrancesco wanted a broader course offering, and she wanted to give employees different ways to access materials. Funding issues "Our component [agencies] were interested in instructor-led training, and, of course, people learn in different ways," she said. Getting the funding to set up the educational program was a challenge, DeFrancesco said. Her office has a small budget; most information security funds are allocated to the department's major program areas. To gain the funding, she persuaded component agencies, such as the Census Bureau, to contribute money to get it off the ground. "We had great participation - I was very surprised and pleased," she said. "A solid education program is critical to reaching personnel in the department with significant information security responsibility." John Mongeon, head of the government services division at (ISC)2, said that DeFrancesco's push to set up training and education opportunities shows that "Commerce is dedicated to building the next generation of information security managers." "Commerce is a pretty robust agency, with personnel all over the place," Mongeon said. To accommodate the dispersed workforce, his company will be providing courses through several channels - classes on-site at Commerce headquarters in Washington, vouchers for employees scattered around the country to take classes off-site at (ISC)2 public education venues, and online classes. The first, one-day class, on the system certification and accreditation process, was held May 31 at Commerce headquarters. All the session's 25 slots were filled and DeFrancesco already has a waiting list for the next offering. The department will hold a week of information security training the first week of August, and is planning to schedule other certification and accreditation classes in June and July. 
DeFrancesco said that she is hoping the information security education program will prove so successful that it can be established as a center of excellence in OMB's Security LOB. A COE does not have to provide soup-to-nuts solutions for a particular line of business; instead, it can carve out a particular specialty. The Justice Department, for instance, last fall submitted a business case to OMB that its Cyber Security Assessment and Management system should become the standard tool for all agencies looking to track FISMA compliance. Sources said the Treasury Department and the Environmental Protection Agency also submitted business cases related to aspects of the Security LOB for fiscal 2007, but no decisions have been made about granting any of the applications. It might seem ironic for a department to aspire to host a center of excellence in security despite its poor Federal Information Security Management Act grades - under FISMA agencies are graded on their security measures and compliance, and Commerce has veered from F to C- to D+ over the past three years. But DeFrancesco said it's appropriate, because everything starts with educating and training the people who bear the responsibility for implementing security. "I did participate on the task force for the information security LOB, [and I'm] very familiar with that particular initiative," she said. DeFrancesco said it is too early to put together the business case application to submit to OMB. The education program first has to get up and running, and demonstrate its value to information security professionals. 
From isn at c4i.org Wed Jun 7 01:08:29 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 7 Jun 2006 00:08:29 -0500 (CDT) Subject: [ISN] Ahold USA pension data lost when laptop disappears Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000953 By Todd Weiss Computerworld June 05, 2006 A laptop computer containing the names and personal information of an undisclosed number of retirees of grocery store chain Ahold USA disappeared last month after it was placed in checked baggage on a commercial U.S. flight and the bag was lost by the airline. Barry Scher, a spokesman for Ahold USA in Quincy, Mass., said the company has notified the retirees about the incident by mail but added that information about the number of affected former employees and the kind of data kept on the laptop is not being made public. "We're not giving out any numbers to protect our people," he said. Scher said the laptop was lost by an employee of Electronic Data Systems Corp., which provides data processing services for the Ahold USA Pension Plan. The laptop was password-protected and contained a file with the personal information of retired participants in the pension plan and of some other former employees of Ahold USA subsidiaries, including Stop & Shop Supermarket Cos., also in Quincy, Mass., according to a company statement. Kimberly Walton, a spokeswoman for EDS, today acknowledged that the computer was lost amid baggage on a flight after an airline employee asked the EDS worker to check the bag rather than carry it onto the aircraft. "By doing so, that employee violated our company policy," Walton said. The employee has been disciplined, but Walton would not comment further on whether the person still works for EDS. After the laptop was determined to be lost, the EDS employee did notify the airline and local police about the incident, she said. EDS then told Ahold about what had happened, Walton said. 
Scher and Walton would not specify when or where the incident occurred or what airline was involved. Walton said the company has received no reports that any of the data has been used illegally.

EDS and Ahold notified the three major credit bureaus of the data loss, and personal notification letters are being sent out to the affected retirees. A toll-free telephone line has also been set up to allow retirees to get information on obtaining free credit reports and free credit monitoring for one year, Walton said.

Ahold USA is a subsidiary of Amsterdam-based Royal Ahold, an international grocery store operator. In addition to Stop & Shop, Ahold USA operates Carlisle, Pa.-based Giant Food Stores, Buffalo, N.Y.-based Tops Market stores and Landover, Md.-based Giant Food stores.

From isn at c4i.org Wed Jun 7 01:08:49 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:08:49 -0500 (CDT)
Subject: [ISN] Data Theft Hit 80% Of Active Military
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/06/AR2006060601332.html

By Ann Scott Tyson and Christopher Lee
Washington Post Staff Writers
June 7, 2006

Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel -- including nearly 80 percent of the active-duty force -- were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as identity theft.

The department announced that personal data for as many as 1.1 million active-duty military personnel, 430,000 National Guard members and 645,000 reserve members may have been included on an electronic file stolen May 3 from a department employee's house in Aspen Hill. The stolen data include names, birth dates and Social Security numbers, VA spokesman Matt Burns said.

Defense officials said the loss is unprecedented and raises concerns about the safety of U.S.
military forces. But they cautioned that law enforcement agencies investigating the incident have not found evidence that the stolen information has been used to commit identity theft.

"Anytime there is a theft of personal information, it is concerning and requires us and our members to be vigilant," Pentagon spokesman Bryan Whitman said. He said the loss is "the largest that I am aware of."

Army spokesman Paul Boyce said: "Obviously there are issues associated with identity theft and force protection."

For example, security experts said, the information could be used to find out where military personnel live.

"This essentially can create a Zip code for where each of the service members and [their] families live, and if it fell into the wrong hands could potentially put them at jeopardy of being targeted," said David Heyman, director of the homeland security program at the Center for Strategic and International Studies (CSIS).

Another worry is that the information could reach foreign governments and their intelligence services or other hostile forces, allowing them to target service members and their families, the experts said.

"There is a global black market in this sort of information . . . and you suddenly have a treasure trove of information on the U.S. military that is available," said James Lewis, director of technology and public policy at CSIS.

One defense official, speaking on the condition of anonymity because of the sensitivity of the matter, called the potential damage "monumental."

The new revelations significantly increase the potential harm from what was already one of the largest data breaches in U.S. history. On May 22, VA disclosed that an external computer hard drive was stolen May 3 from the home of a VA employee and that it contained unencrypted names and birth dates for as many as 26.5 million veterans who were discharged after 1975 or submitted benefit claims.
It also included Social Security numbers for 19.6 million of those veterans, VA officials said. Initially VA thought that all of the 26.5 million people affected were veterans, but a database comparison revealed that they also included the bulk of active-duty military services, as well as more than 1 million members of the National Guard and reserves.

Montgomery County police released a description yesterday of the stolen laptop and its external hard drive because they said it may have been purchased by someone who does not realize the value of its content.

"It could have shown up at a yard sale or a secondhand store," police spokeswoman Lucille Baur said. "This is a time of the year when parents may be buying computers for kids going to college in the fall."

Montgomery County police are offering a $50,000 reward for information that allows authorities to recover the laptop. The computer is a Hewlett-Packard model zv5360us and the external hard drive is an HP External Personal Media Drive.

The Washington Post is not publishing the name of the career data analyst whose laptop was stolen in response to a request from law enforcement authorities who are investigating its disappearance.

The breach outraged veterans -- even more so because senior VA officials knew about the theft within hours of the crime but did not tell VA Secretary Jim Nicholson until 13 days later. The 60-year-old analyst, who had been taking home sensitive data for at least three years without authorization, has been fired, officials have said. His boss resigned last week and another senior VA official is on administrative leave pending investigations by the FBI, the VA inspector general and Montgomery County police.

A coalition of veterans groups filed a class-action lawsuit against the federal government yesterday, contending that privacy rights were violated and seeking $1,000 in damages for each affected veteran. The lawsuit, filed in U.S.
District Court in the District of Columbia, demands that VA fully disclose who was affected by the theft, and asks a court to prohibit VA workers from using sensitive data until safeguards are in place.

Burns said the department does not comment on pending litigation. He said VA has received no reports of stolen data being used for identity theft or other criminal activity.

VA receives records for every new recruit because active-duty personnel, National Guard members and reservists are eligible for certain VA benefits, such as GI Bill educational assistance and the home-loan program.

"The department will continue to make every effort to inform and help protect those potentially affected, and is working with the Department of Defense to notify all affected personnel," Nicholson said.

Rep. Lane Evans (D-Ill.), ranking member of the House Veterans' Affairs Committee, said yesterday that he was "appalled" at the data breach and called for a Government Accountability Office investigation into VA information security practices.

Research shows that it is not unusual for government employees to take home sensitive data on laptops, Lewis said. "The rules we have are either chaotic or nonexistent. . . . We still have a paper rules government when we are a digital nation."

Staff writer Ernesto Londoño contributed to this report.

© 2006 The Washington Post Company

From isn at c4i.org Wed Jun 7 01:09:17 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:09:17 -0500 (CDT)
Subject: [ISN] DHS doesn't take cyberattack threats seriously, former IG says
Message-ID:

Forwarded from: William Knowles

http://www.fcw.com/article94792-06-06-06-Web

By Christopher J. Dorobek
June 6, 2006

HILTON HEAD, S.C. -- The United States and the Homeland Security Department are "manifestly and woefully unprepared" for a cyberattack, the former DHS inspector general said.
Al Qaeda is training people and focusing on launching cyberattacks, but DHS has "failed to make this a priority," said Clark Ervin, the director of the Aspen Institute's Homeland Security Initiative and former DHS IG, speaking at the American Council for Technology's Management of Change conference here.

DHS is on its fifth cybersecurity leader. That is an indication of the department's lack of focus on this issue, he said, and it is an illustration of how unprepared the agency is to serve as a model for how cybersecurity should be handled.

Ervin, who has written a book, "Open Target: Where America Is Vulnerable to Attack [1]," said terrorists are keenly aware of where the country's weaknesses are and will work to take advantage of those weaknesses.

He referred to one IG report that stated DHS wireless networks were largely unsecured. If the agency isn't addressing issues as seemingly simple as securing wireless, what else is not getting done? he asked.

Ervin offered a somewhat damning view of the efforts to secure the country. He said the United States is safer today than it was before the 2001 terrorist attacks, but the real question that needs to be asked is whether the country is as secure as it should be and as it needs to be.

[1] http://www.amazon.com/exec/obidos/ASIN/1403972885/c4iorg

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

From isn at c4i.org Wed Jun 7 01:09:40 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:09:40 -0500 (CDT)
Subject: [ISN] Warning on air traffic hacking
Message-ID:

http://www.theaustralian.news.com.au/story/0,20867,19378061-23349,00.html

Steve Creedy
Aviation writer
June 06, 2006

HACKERS armed with little more than a laptop computer could conjure up phantom planes on the screens of Australia's air traffic controllers using new radar technology, Dick Smith has warned.

The prominent businessman and aviator claims to have found another security flaw in the new software being introduced in the air traffic control system.

He has challenged Transport Minister Warren Truss to allow him to set up a demonstration of the problem at a test of the technology in Queensland to show how hackers could exploit the automatic dependent surveillance broadcasting (ADS-B) system to create false readings on an air traffic controller's screen.

The air space activist says he had been told of the flaw by staff at the US Federal Aviation Administration.

"FAA officials have become aware that an electronics boffin, using a second-hand or 'borrowed' transponder from a small (general aviation) aircraft connected to a $5 data lead, a $5 aerial and a laptop computer, can create 10, 20 or even 50 false aircraft on an air traffic controller's screen," Mr Smith says in a letter to Mr Truss. "This will create total chaos in the air traffic control system."

Australia is at the forefront of ADS-B, which uses the global positioning system and aircraft avionics to automatically broadcast information about a plane's position, speed and direction. Authorities are poised to introduce the system for high-level airspace, but are yet to make a decision on whether to use it at lower altitudes.
The US is also rolling out ADS-B. The technology has been enthusiastically endorsed by senior executives of the aviation administration and the airline industry.

But Mr Smith, who is campaigning against the scheme and has raised safety and security concerns about the design, said the system had no way of verifying whether a plane was where it claimed to be or if it existed at all.

He said the FAA was looking at ways of encrypting signals or setting up multiple ground stations at each location to allow the traffic controllers to determine whether a signal came from a moving aircraft. This would significantly increase the cost of ADS-B.

"As we all know, criminals create viruses for computer networks which have cost the world hundreds of millions of dollars," Mr Smith said. "Exactly the same people are likely to create spoofing for the air traffic control system."

A spokeswoman for Mr Truss said yesterday the minister had received a lot of correspondence from Mr Smith on ADS-B. "This recent letter is being considered and we will be writing back formally to him," she said. "Mr Smith did meet the minister in the past few weeks and we would point out that no decision about ADS-B has been made, nor is a decision imminent."

From isn at c4i.org Wed Jun 7 01:07:11 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:07:11 -0500 (CDT)
Subject: [ISN] Linux Security Week - June 5th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  June 5th, 2006                               Volume 7, Number 23n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas       ben at linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Post-Encryption Security," "Setup a transparent proxy with Squid in three easy steps," and "Small Security Risk Still Big Selling Point for Linux."

---

Security on your mind?

Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.

The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Linux v3.0.6 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.6 (Version 3.0, Release 6). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and a couple of new packages available for installation.

http://www.linuxsecurity.com/content/view/122648/65/

---

pgp Key Signing Observations: Overlooked Social and Technical Considerations

By: Atom Smasher

While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature.
There are also technical issues pointed out where I believe other documentation to be lacking.

http://www.linuxsecurity.com/content/view/121645/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Password Hashing
29th, May, 2006

In this article I'm going to cover password hashing, a subject which is often poorly understood by newer developers. Recently I've been asked to look at several web applications which all had the same security issue - user profiles stored in a database with plain text passwords.

http://www.linuxsecurity.com/content/view/122924

* Post-Encryption Security
3rd, June, 2006

Last month I reviewed Voltage Security's secure email product, a worthy exercise since email is the most common method of transmitting documents from one department to another.

http://www.linuxsecurity.com/content/view/122982

* How To Automate Spamcop Submissions
29th, May, 2006

Spamcop is a service which provides RBLs for mailservers in order to reject incoming mail from spammers. Their philosophy is to process possible spam complaints from users. When they receive a certain amount of complaints during a time-period then they will blacklist the offender. This system is dependent on spam reporting from users. However, their submission process is not very user-friendly.

http://www.linuxsecurity.com/content/view/122923

* Disaster Practice
4th, June, 2006

When the British government wanted to test the resiliency of its financial institutions, it commissioned "an afternoon from hell". The buildup started on a Monday morning last November. First, there was a failure in the clearing systems used to transfer money between banks after routine systems maintenance.
Then, terrorists staged a series of bomb attacks around Britain, causing hundreds of casualties in London and considerable damage to major financial centres. Around the same time, malicious hackers tried their best to break into the banks' systems. All in all, 'twas a bad day. The disaster recovery simulation was organized by the Tripartite Authorities, a group comprising the Financial Services Authority, the UK Treasury Department and the Bank of England.

http://www.linuxsecurity.com/content/view/122979

* MicroWorld to Launch Futuristic Network Firewall
27th, May, 2006

MicroWorld Technologies launched its futuristic, enterprise class firewall eConceal. eConceal is a comprehensive network firewall developed to prevent unauthorized access to a computer or network connected to the Internet. It enforces a boundary between two or more networks by implementing default or user-defined Access Control Policies or Rules. These rules function as filters by analyzing data packets to see if they fulfill the filter criteria and then allow or block the traffic accordingly.

http://www.linuxsecurity.com/content/view/122910

* Can single sign-on be simple sign-on?
29th, May, 2006

Fundamentally, Single Sign On (SSO) is a straightforward idea. You use a proxy device to authenticate a user, and the proxy then manages all the login idiosyncrasies of the applications they want to access. Easy to describe, and straightforward to transcribe onto slideware. The devil is, of course, in the detail. For example, how do you know how all of your enterprise applications manage their login? Does the proxy do this for you or do you have to write a login script for each one individually? If you deploy the solution and the application decides it wants a password refresh, is your helpdesk buried by calls from angry users who can't get into the application and do their work?
http://www.linuxsecurity.com/content/view/122917

* Taking Steps To Protect Customer Data
29th, May, 2006

With so much attention paid to malicious attacks by hackers, worms and viruses, it's a common misconception that outside forces pose the greatest danger to a company's data. The reality, however, is that internal elements are far more dangerous when it comes to data security than anything on the outside, including natural disasters.

http://www.linuxsecurity.com/content/view/122922

* Biometrics - The Wave of the Future?
1st, June, 2006

Will biometrics be a factor in our future? Of course it will, at least to the extent that it has been in our past history. We as citizens must decide upon the best methods to use and the best way to utilize this technology. Biometrics can be defined in several ways such as the study of measurable biological characteristics. In reference to Information Security it specifically applies to the automated use of physiological or behavioral characteristics to determine or verify identity.

http://www.linuxsecurity.com/content/view/122958

* Security Management From One Platform
28th, May, 2006

Managing network security gets harder every day as the number and types of threats multiply. Security is also a double-edged sword, and an incorrectly implemented or mismanaged security policy can prevent network commerce and stand in the way of the mission of the enterprise.

http://www.linuxsecurity.com/content/view/122911

* Linux: Setup a transparent proxy with Squid in three easy steps
29th, May, 2006

Yesterday I got a chance to play with Squid and iptables. The job was to set up Squid proxy as a transparent server. The main benefit of a transparent proxy is that you do not have to set up individual browsers to work with proxies.

http://www.linuxsecurity.com/content/view/122925

* Follow the Appiant way to a more secure network.
29th, May, 2006

Hardly a day goes by that we don't hear new information about some company getting themselves hacked.
Sure they all have firewalls, but HOW are the hackers getting in? I was hired to perform an application security audit for a local university. They wanted to make sure that they didn't become part of the growing statistics.

http://www.linuxsecurity.com/content/view/122926

* Network auditing on a shoestring
30th, May, 2006

What do you do when the auditors are breathing down your neck, wanting to see an exhaustive report on the Windows network security of a 2,000-user network across eight sites? That's easy. Break out a text editor and start writing some Perl. That's what my colleague Matt Prigge and I did when we were tasked with locating every share available on a network and documenting who had access to their files. At first blush, it was a Herculean effort. When we started coding and the pieces began to fall into place, however, it became much simpler.

http://www.linuxsecurity.com/content/view/122930

* Execs Express Top Security Concerns
30th, May, 2006

When it comes to protecting corporate assets there seems to be little security managers don't worry about. That's the impression of security executives attending this week's Converge '06 conference - also known as security vendor Courion's annual customer meeting.

http://www.linuxsecurity.com/content/view/122935

* Security expert recommends 'Net diversity
31st, May, 2006

What do you see as the top three information security threats that are most likely to hit U.S.-based multinationals? One of the biggest threats we have right now is deployment of resources intended either to save on cost or enhance features without thinking through the consequences. VoIP and wireless fall in this category. They have failure modes that are very different than what they are replacing and are not well understood. Perceived cost advantages are driving these technologies, but that is overcoming the caution that should be in place.
That's a threat not in the sense of a particular attack, but it is a systemic problem that leads to weakness in security posture and therefore may lead to attacks.

http://www.linuxsecurity.com/content/view/122942

* Most sites ready for SSL progress
2nd, June, 2006

Despite the enormous success of SSL for securing web traffic, there has been little technical change in the way that SSL is used for secure HTTP in the ten years since SSL version 3 was introduced. Although it has been around since 1996, most browsers have continued to make connections compatible with the older SSL version 2 protocol. But now the major browser developers are aiming to drop SSL v2 completely; export-grade encryption ciphers are also to be dropped. SSL version 2 was supported by Netscape 1.0, back in 1994, and it was made obsolete by SSL version 3, published in 1996. But while SSL version 3 was soon widely supported (and over 97% of HTTPS sites also support its successor, TLS), most browsers have continued to make SSL-v2-compatible connections, in order to stay compatible.

http://www.linuxsecurity.com/content/view/122972

* The Games Hackers Play
2nd, June, 2006

This clash has nothing to do with the simulated battles on Gindis, Eternal Duel, Mobstar or any of the more hip gaming sites. No, this one's for real. The villains in this combat are criminal hackers and phishing scammers, and their targets: unsuspecting on-line gamers.

http://www.linuxsecurity.com/content/view/122975

* Log Analysis for Intrusion Detection
29th, May, 2006

Log analysis is one of the most overlooked aspects of intrusion detection. Nowadays we see every desktop with an antivirus, companies with multiple firewalls and even simple end users buying the latest security related tools. However, who is watching or monitoring all the information these tools generate? Or even worse, who is watching your web server, mail server or authentication logs?
I'm not talking about pretty usage statistics of your web logs (like what webalizer does). I'm talking about the crucial security information that only few of these events have and nobody notices. A lot of attacks would not have happened (or would have been stopped much earlier) if administrators cared to monitor their logs. We are not saying that log analysis is easy or that you should be manually looking at all your logs on a daily basis. Because of their complexity and generally high volume, automatic log analysis is essential.

http://www.linuxsecurity.com/content/view/122919

* Cybersecurity Contests go National
1st, June, 2006

It has all the makings of a B-movie plot: A corporate network targeted by hackers and a half dozen high-school students as the company's only defense. Yet, teams of students from ten different Iowa high schools faced exactly that scenario during a single night in late May in the High School Cyber Defense Competition. The contest tasked the teenagers with building a network in the three weeks leading up to the competition with only their teachers, and mentoring volunteers from local technology firms, as their guides.

http://www.linuxsecurity.com/content/view/122961

* Small Security Risk Still Big Selling Point for Linux
27th, May, 2006

When the Indiana Department of Education rolled out PCs running Linux to schools last year, it installed open source antivirus software on the servers connected to the desktop systems to scan incoming e-mail. However, it didn't bother to put antivirus tools on the PCs themselves. "I hate to admit this, but I wasn't worried," said Forrest Gaston, a consultant who is managing the project for the Indianapolis-based agency. And despite heavy Internet usage by students, Gaston's optimism has been borne out thus far. Desktop security "hasn't been an issue," he said.
http://www.linuxsecurity.com/content/view/122908

* 13 Ways To Get Your Developers On Board With Software Security
2nd, June, 2006

It's easy to understand that software security starts with writing secure code. Keep the flaws out from the beginning and you've bought yourself several pounds of prevention. Baking security in up front is logical and makes good technical and business sense; however, getting your developers on board with security training is not necessarily going to be an easy task. At first glance, it might seem that selling software security to developers would require the same approach as getting buy-in from executive management and the average user. It's not quite that simple.

http://www.linuxsecurity.com/content/view/122976

* Macro virus aims at OpenOffice, StarOffice
30th, May, 2006

An unknown virus writer has created the first macro virus that targets computers running the alternative word processors OpenOffice and StarOffice, antivirus firm Kaspersky Labs said on Tuesday.

http://www.linuxsecurity.com/content/view/122937

* Linux comes to Sun SPARC servers
31st, May, 2006

Sun is officially giving customers a wider choice on its SPARC servers with the announcement that it will support Linux on its new multicore UltraSPARC T1 systems.

http://www.linuxsecurity.com/content/view/122951

* Firefox 2.0 Bakes in Anti-Phish Antidote
31st, May, 2006

Mozilla has reached the latest development milestone for its next-generation Firefox 2.0 "Bon Echo" browser with a little anti-phishing help from Google.

http://www.linuxsecurity.com/content/view/122953

* Red Hat releases testing and integration tools to Linux developers
1st, June, 2006

Red Hat has released development tools to the open source community, which are designed to make it easier for enterprises and developers to quickly test and integrate new applications with Red Hat Linux and other Linux distributions.
http://www.linuxsecurity.com/content/view/122965

* The Intelligence Cycle for a Vulnerability Intelligence program on-the-cheap
30th, May, 2006

A Vulnerability Intelligence program should be a key component of any sound network security strategy. It should dovetail with a Vulnerability Assessment process and a patching/remediation process. While a Vulnerability Assessment process will tell you what needs to be patched, Vulnerability Intelligence should tell you what needs to be patched first and what new patches need to be evaluated.

http://www.linuxsecurity.com/content/view/122929

* The Finnish security vendor said the services are for small to midsize ISPs and their private custom
30th, May, 2006

The Finnish security vendor said the services are for small to midsize ISPs and their private customers. The services are PC Protection, which includes virus and spyware detection and a firewall, and PC Protection Plus, which adds parental and spam control features.

http://www.linuxsecurity.com/content/view/122938

* John the Ripper Pro
30th, May, 2006

This is to announce three things at once:

1) I have started making and maintaining commercial releases of John the Ripper password cracker, known as John the Ripper Pro.

2) A new version of the tiny POP3 server, popa3d 1.0.2, has been released adding a couple of minor optimizations specific to x86-64 to the included MD5 routines.

3) A new version of the password hashing package (for use in C/C++ applications and libraries), crypt_blowfish 1.0.2, has been released adding a minor optimization specific to x86-64.

http://www.linuxsecurity.com/content/view/122939

* Everybody's a Server
28th, May, 2006

The IT world has a reputation of being extremely fast-paced. And it is: an accounting program in the '80s would have been written in COBOL. In the '90s it would have been written with a RAD (Rapid Application Developer) environment such as Delphi or Visual Basic. In the...
'00s (noughties?), today, the same application would probably be written as a web system, possibly using all of the 'Web 2.0' technologies to make it responsive and highly usable.

http://www.linuxsecurity.com/content/view/122909

* Application Security Hacking Videos
29th, May, 2006

With college campuses being hacked into on a seemingly daily basis, and student information being stolen and used for Identity Theft, I thought you might like to see how the hacks are being done, and how astoundingly easy they are. I have produced a video of a security audit I performed on a local college website that shows how easy these exploits are. There is also a brief training on the homepage that introduces non-experts to SQL injection concepts in a fashion that makes it easy to understand.

http://www.linuxsecurity.com/content/view/122920

* Oracle exec hits out at 'patch' mentality
29th, May, 2006

Oracle's security chief says the software industry is so riddled with buggy product makers that "you wouldn't get on a plane built by software developers." Chief Security Officer Mary Ann Davidson has hit out at an industry in which "most software people are not trained to think in terms of safety, security and reliability." Instead, they are wedded to a culture of "patch, patch, patch," at a cost to businesses of $59 billion, she said.

http://www.linuxsecurity.com/content/view/122921

* Malware Challenges in a Cross-Platform World
30th, May, 2006

With the advent of the inexpensive and powerful personal computer, networks have evolved and are now implemented exclusively using small computers connected among themselves and to the Internet. Don't get me wrong, though -- the mainframe isn't dead yet. In fact, Gartner estimates that more than 80% of business applications are written in Cobol, one of the earliest high-level programming languages.
But the truth is that, although still alive and kicking, the mainframe has nevertheless lost ground in our current environment, which is focused on PCs and distributed server architectures. http://www.linuxsecurity.com/content/view/122934 * Users Versus Hackers: Which Are Worse? 31st, May, 2006 It.s 5 p.m. on a Friday, and you're the lead security engineer for the headquarters site of a major corporation. Just as you.re getting ready to ease out the door for the weekend, the phone rings and there's a frantic voice on the other end of the line. It's one of the managers from your financial department, and it seems that someone has accessed the payroll records of a number of higher-ranking executives within the company and attempted changes to their salaries and monthly paychecks. http://www.linuxsecurity.com/content/view/122946 * Perspective: Hyperlink insecurity 31st, May, 2006 Imagine a world where no Web site or hyperlink can be trusted, and a simple click on a hyperlink could slam your computer with a malicious driveby download. Sound far-fetched? It's not. Today, trusted Web sites can no longer be trusted. Those of us who collectively click on the billions of hyperlinks generated each day by search engines, blogs and e-mail are playing Russian roulette with our computers. http://www.linuxsecurity.com/content/view/122952 * Chief Hacks Around With Google 1st, June, 2006 A reader asked me months ago to talk about the threat of 'Google Hacking' to an organization, and asked if I used 'Google Hacking' in any of my risk assessments. In short: hell yes. If you're not attempting to do any type of reconnaissance with Google on your organization or clients, you're setting yourself up for a very unwelcome surprise down the road. 
http://www.linuxsecurity.com/content/view/122957

* Security Spending Shifts
3rd, June, 2006

Lingering concern about the overall state of the economy has many CIOs forecasting a slowdown in IT spending in 2007, according to a new survey from analyst firm Merrill Lynch. But compliance concerns and the looming threat of organized crime online mean that security spending remains healthy. The survey of 75 U.S. and 25 European CIOs reveals that users expect 5.2 percent spending growth in 2006 and 4.8 percent in 2007. American execs predict only 4.4 percent spending growth over the coming 12 months, compared to their more bullish international counterparts who expect 6.1 percent growth.

http://www.linuxsecurity.com/content/view/122978

* Hackers Found to Target University Systems
31st, May, 2006

Increasing numbers of university systems are becoming targets for hackers. The recent incident involves the Fairfield, Connecticut-based Sacred Heart University. The university's system containing information on 135,000 individuals was hacked recently and data consisting of personal information like names, addresses, and Social Security numbers was stolen.

http://www.linuxsecurity.com/content/view/122945

* FAQ: The new 'annoy' law explained
1st, June, 2006

So what does the rewritten law now say? The section as amended reads like this: "Whoever...utilizes any device or software that can be used to originate telecommunications or other types of communications that are transmitted, in whole or in part, by the Internet... without disclosing his identity and with intent to annoy, abuse, threaten, or harass any person...who receives the communications...shall be fined under title 18 or imprisoned not more than two years, or both."
http://www.linuxsecurity.com/content/view/122959

* Euro Security Initiatives Proposed
1st, June, 2006

The European Commission today issued a report that calls for greater education on IT security, and the creation of a common framework for collecting incident data. In its report, the EC states that European spending on IT security "represents only around 5 to 13 percent of IT expenditure, which is alarmingly low." The commission calls for a cross-border effort to educate users about security and to unify disjointed national efforts to track exploits.

http://www.linuxsecurity.com/content/view/122963

* Study: Companies should do more to protect employees' personal information
2nd, June, 2006

A study on workplace privacy found that less than half of the people surveyed believe their employers are doing a good job protecting the privacy of their personal information. The independent study, "Americans' Perceptions about Workplace Privacy," was conducted by Elk Rapids, Mich.-based Ponemon Institute LLC, which looks at information and privacy management practices in business and government. The report, which was released yesterday, is based on 945 responses from adults across the U.S. who work for companies with at least 1,000 employees.

http://www.linuxsecurity.com/content/view/122973

* Stolen YMCA Computer Contains Members' Personal Information
2nd, June, 2006

The Y-M-C-A of Greater Providence is reporting that one of its two missing laptop computers contains members' information. The non-profit organization that provides a range of educational, social and recreational services says it discovered last week that the computers were missing.

http://www.linuxsecurity.com/content/view/122974

* The growing challenge of identity management
2nd, June, 2006

Identity management is a security issue which is becoming increasingly challenging as the perimeter of the network crumbles. This is well illustrated by the DTI Information Security Breaches Survey of 2006, which shows that one in five larger businesses had a security breach associated with weaknesses in their identity management, with the number of incidents being lower for smaller companies.

http://www.linuxsecurity.com/content/view/122981

* Stronger cybersecurity bill passes House committee
31st, May, 2006

The U.S. House of Representatives Judiciary Committee today approved a bill that would significantly strengthen existing federal cybercrime law and provide law enforcement with increased enforcement tools. The bill also offers authorities greater enforcement powers and resources. Included is a section that provides an additional $10 million annually to the Secret Service, FBI and Department of Justice to investigate and prosecute cybercrimes. The bill makes failing to report breaches to the FBI or Secret Service that involve at least 5,000 customers a crime punishable by up to five years in prison.

http://www.linuxsecurity.com/content/view/122941

* Fed plan for cybersecurity R&D released
2nd, June, 2006

The government has outlined its first steps for coordinating and expanding federal research and development efforts aimed at improving cybersecurity. The new Federal Plan for Cyber Security and Information Assurance Research and Development, issued in April and now available online, lays the groundwork for developing an R&D agenda that will help address critical gaps in current technologies and capabilities.

http://www.linuxsecurity.com/content/view/122980

* Phar out! Phishers are now Pharming
29th, May, 2006

If the phishers don't get you the pharmers will, police have warned. People are now getting wary of the scam called phishing - where people are sent emails claiming to be from their bank asking them to "confirm" their account details and passwords.
http://www.linuxsecurity.com/content/view/122918

* Hostage Threat to Home PCs
30th, May, 2006

Family photos and other priceless content stored in your home computer could one day be held hostage by a new breed of security threat called "ransomware". Ransomware typically takes the form of a trojan horse that holds personal computer files "hostage" and then demands a ransom for their safe return.

http://www.linuxsecurity.com/content/view/122933

* Video: Hacking A College... or Two
31st, May, 2006

Joel over at appiant.net has posted a great video of how he used SQL injection to bypass security controls on a college website. While his methods may seem 1-2-3 to web application security testers, they are a great example of just how simple this type of attack is, and a reminder that you MUST perform this same type of testing on EVERY web application you deploy, period.

http://www.linuxsecurity.com/content/view/122943

* Turkish Hackers go on Defacement Rampage
31st, May, 2006

Two Sony websites were hacked yesterday by a Turkish hacker (thanks to Roberto Preatoni of Zone-H.org for the heads up and explanation). The two site URLs are: http://sonymusic.it/index.php and http://sonymusicstudios.co.uk/

http://www.linuxsecurity.com/content/view/122944

* Woman Targeted by Web Hackers
1st, June, 2006

A woman from Greater Manchester has become a victim of an internet scam in which hackers hijack computer files and blackmail owners to get them back. Helen Barrow, a 40-year-old nurse from Rochdale, is believed to be one of the first victims of the con in the UK.

http://www.linuxsecurity.com/content/view/122962

* Swedish police Web site shut down by hacker attack
2nd, June, 2006

The Web site of Sweden's national police was shut down after a hacker attack that investigators on Friday said could be a retaliation for a crackdown on a popular file-sharing site called The Pirate Bay.
http://www.linuxsecurity.com/content/view/122977

* Police will not pursue ransom hackers
4th, June, 2006

After a Manchester woman was held to ransom by hackers, experts and senior police officers have voiced concern that such cases are falling between the cracks. Greater Manchester Police (GMP) will not be pursuing the criminals who used a Trojan horse program to lock a Manchester woman's files and demanded a ransom to release them.

http://www.linuxsecurity.com/content/view/122983

* Triangulation homes in on rogue WLan access points
30th, May, 2006

Although wireless access points use encryption to secure network traffic, access to the WLan is open to anyone with a valid log-in. Foundry Networks aims to control this access based on the physical location of the end-user. The technology uses triangulation between three access points to determine the location of a WLan user to within five metres, said the company.

http://www.linuxsecurity.com/content/view/122931

* Wireless Authentication Solutions
1st, June, 2006

As is the case with any valuable resource, there must be limitations on who can access and use your wireless medium. In some situations, such as when offering wireless access to attract customers, these limitations will be minimal. In others, we want the greatest possible protection available. Controlling access to computer resources is best illustrated in the AAA framework: Authentication, Authorization, and Accounting.

http://www.linuxsecurity.com/content/view/122964

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Thu Jun 8 05:03:57 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:03:57 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-23
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-06-01 - 2006-06-08

This week: 79 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================
2) This Week in Brief:

Multiple browsers are affected by a vulnerability rated "Less Critical", which can be exploited by malicious people to trick users into disclosing sensitive information.
Additional details for the different affected browsers can be found in the referenced Secunia advisories below.

References:
http://secunia.com/SA20442
http://secunia.com/SA20467
http://secunia.com/SA20449
http://secunia.com/SA20472
http://secunia.com/SA20470

--

Updates have been released for several Mozilla based products, including Firefox and Thunderbird, which correct several vulnerabilities.

Further details can be found in the referenced Secunia advisories below.

References:
http://secunia.com/SA20376
http://secunia.com/SA20382
http://secunia.com/SA20394

--

VIRUS ALERTS:

During the past week Secunia collected 44 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1. [SA20384] Microsoft Windows "mhtml:" URI Buffer Overflow Vulnerability
2. [SA20376] Firefox Multiple Vulnerabilities
3. [SA20153] Microsoft Word Malformed Object Code Execution Vulnerability
4. [SA20442] Firefox File Upload Form Keystroke Event Cancel Vulnerability
5. [SA19762] Internet Explorer "object" Tag Memory Corruption Vulnerability
6. [SA20449] Internet Explorer File Upload Form Keystroke Event Cancel Vulnerability
7. [SA20382] Thunderbird Multiple Vulnerabilities
8. [SA20365] MySQL Multibyte Encoding SQL Injection Vulnerability
9. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information
10. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA20462] LocazoList Classifieds "msgid" Parameter SQL Injection
[SA20423] myNewsletter "UserName" SQL Injection Vulnerability
[SA20419] aspWebLinks SQL Injection and Password Change Vulnerabilities
[SA20416] ASPScriptz Guest Book "submit.asp" Script Insertion Vulnerabilities
[SA20411] CodeAvalanche FreeForum Multiple Vulnerabilities
[SA20483] WinGate WWW Proxy Server Buffer Overflow Vulnerability
[SA20477] Microsoft NetMeeting Denial of Service Vulnerability
[SA20449] Internet Explorer File Upload Form Keystroke Event Cancel Vulnerability
[SA20425] ASP Discussion Forum "search" Parameter Cross-Site Scripting

UNIX/Linux:
[SA20487] Wikiwig "WK[wkPath]" File Inclusion Vulnerability
[SA20473] HP Tru64 UNIX and HP Internet Express Sendmail Vulnerability
[SA20415] iShopCart Buffer Overflow and Directory Traversal Vulnerabilities
[SA20466] LoudHush iaxclient Unspecified Vulnerability
[SA20457] SUSE Updates for Multiple Packages
[SA20451] Debian update for postgresql
[SA20446] Debian update for centericq
[SA20435] Trustix update for postgresql
[SA20422] Red Hat update for dia
[SA20482] Red Hat update for spamassassin
[SA20443] Debian update for spamassassin
[SA20430] SpamAssassin "spamd" Shell Command Injection Vulnerability
[SA20498] GANTTy Cross-Site Scripting and Information Disclosure
[SA20476] Sylpheed-Claws URI Check Bypass Security Issue
[SA20497] Asterisk IAX2 Channel Driver Denial of Service Vulnerability
[SA20461] Debian update for freeradius
[SA20424] Slackware update for mysql
[SA20421] Red Hat update for quagga
[SA20420] Red Hat update for zebra
[SA20456] Avaya Products XScreenSaver Insecure Temporary File Creation Vulnerability
[SA20445] Sun StorADE Privilege Escalation Vulnerability
[SA20459] Avaya PDS HP-UX Kernel Denial of Service Vulnerability

Other:
[SA20479] Ingate Firewall and SIParator Two Vulnerabilities
[SA20474] D-Link DWL-2100AP Exposure of Configuration Files

Cross Platform:
[SA20480] Clan Manager Pro cmpro_header.inc.php File Inclusion
[SA20475] MiraksGalerie Multiple File Inclusion Vulnerabilities
[SA20468] DreamAccount "da_path" File Inclusion Vulnerabilities
[SA20463] dotWidget CMS "file_path" Parameter File Inclusion Vulnerability
[SA20448] Informium "CONF[local_path]" File Inclusion Vulnerability
[SA20440] CS-Cart "classes_dir" Parameter File Inclusion Vulnerability
[SA20439] WebspotBlogging Multiple File Inclusion Vulnerabilities
[SA20437] DotClear "blog_dc_path" File Inclusion Vulnerability
[SA20434] Claroline Two File Inclusion Vulnerabilities
[SA20429] DokuWiki Spell Checker Code Execution Vulnerability
[SA20426] AssoCIateD "root_path" File Inclusion Vulnerabilities
[SA20408] REDAXO "REX[INCLUDE_PATH]" File Inclusion Vulnerabilities
[SA20486] Open Business Management Multiple Vulnerabilities
[SA20471] Kmita FAQ Cross-Site Scripting and SQL Injection Vulnerabilities
[SA20469] Alex News-Engine "newsid" Parameter SQL Injection Vulnerability
[SA20465] Coppermine Photo Gallery usermgr.php Unspecified Vulnerability
[SA20460] LifeType "articleId" SQL Injection Vulnerability
[SA20458] MediaWiki Edit Form Script Insertion Vulnerability
[SA20450] Dmx Forum Disclosure of Sensitive Information
[SA20447] Weblog Oggi Script Insertion Vulnerability
[SA20438] BlueShoes Framework Multiple File Inclusion Vulnerabilities
[SA20433] FunkBoard Authentication Bypass and Cross-Site Scripting
[SA20428] Particle Wiki Script Insertion and SQL Injection
[SA20427] Particle Gallery "imageid" SQL Injection Vulnerability
[SA20414] TAL RateMyPic Multiple Vulnerabilities
[SA20413] Snort "http_inspect" Preprocessor Bypass Vulnerability
[SA20410] Unak-CMS SQL Injection and Cross-Site Scripting Vulnerabilities
[SA20409] SimpleBoard "sb_authorname" Script Insertion Vulnerability
[SA20452] TIBCO Rendezvous HTTP Administrative Interface Buffer Overflow
[SA20500] GD Graphics Library GIF File Handling Denial of Service
[SA20491] Particle Links "username" Parameter Cross-Site Scripting
[SA20490] Particle Whois "target" Parameter Cross-Site Scripting
[SA20478] DokuWiki Restricted Page Content Disclosure Vulnerability
[SA20472] Mozilla SeaMonkey File Upload Form Keystroke Event Cancel Vulnerability
[SA20470] Netscape File Upload Form Keystroke Event Cancel Vulnerability
[SA20467] Mozilla Suite File Upload Form Keystroke Event Cancel Vulnerability
[SA20455] KnowledgeTree Open Source Cross-Site Scripting Vulnerabilities
[SA20453] PHP ManualMaker Multiple Cross-Site Scripting Vulnerabilities
[SA20444] PHP Pro Publish "catname" Parameter Cross-Site Scripting
[SA20442] Firefox File Upload Form Keystroke Event Cancel Vulnerability
[SA20441] OSADS Board Comments Script Insertion Vulnerability
[SA20436] PyBlosxom Contributed Packages Cross-Site Scripting Vulnerability
[SA20418] dotProject Cross-Site Scripting Vulnerability
[SA20417] LabWiki Cross-Site Scripting Vulnerabilities
[SA20412] Drupal Taxonomy Module Cross-Site Scripting Vulnerability
[SA20431] TIBCO Hawk "tibhawkhma" Privilege Escalation Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA20462] LocazoList Classifieds "msgid" Parameter SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-05
ajann has discovered a vulnerability in LocazoList Classifieds, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20462/

--

[SA20423] myNewsletter "UserName" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-06
FarhadKey has discovered a vulnerability in myNewsletter, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20423/

--

[SA20419] aspWebLinks SQL Injection and Password Change Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Security Bypass
Released: 2006-06-02
ajann has discovered two vulnerabilities in aspWebLinks, which can be exploited by malicious people to conduct SQL injection attacks and to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20419/

--

[SA20416] ASPScriptz Guest Book "submit.asp" Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-06
omnipresent has discovered some vulnerabilities in ASPScriptz Guest Book, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20416/

--

[SA20411] CodeAvalanche FreeForum Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-02
Some vulnerabilities have been discovered in CodeAvalanche FreeForum, which can be exploited by malicious people to conduct script insertion attacks and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20411/

--

[SA20483] WinGate WWW Proxy Server Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-06-07
kcope has discovered a vulnerability in WinGate, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20483/

--

[SA20477] Microsoft NetMeeting Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-06-07
HexView has reported a vulnerability in Microsoft NetMeeting, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20477/

--

[SA20449] Internet Explorer File Upload Form Keystroke Event Cancel Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-06
A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to trick users into disclosing sensitive information.
Full Advisory: http://secunia.com/advisories/20449/

--

[SA20425] ASP Discussion Forum "search" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-02
omnipresent has discovered a vulnerability in ASP Discussion Forum, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20425/

UNIX/Linux:--

[SA20487] Wikiwig "WK[wkPath]" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-07
Kacper has discovered a vulnerability in Wikiwig, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20487/

--

[SA20473] HP Tru64 UNIX and HP Internet Express Sendmail Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-07
HP has acknowledged a vulnerability in HP Tru64 UNIX and HP Internet Express running sendmail, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20473/

--

[SA20415] iShopCart Buffer Overflow and Directory Traversal Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive information, System access
Released: 2006-06-02
K-sPecial has reported some vulnerabilities in iShopCart, which can be exploited by malicious people to disclose potentially sensitive information and compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20415/

--

[SA20466] LoudHush iaxclient Unspecified Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-06-06
A vulnerability with an unknown impact has been reported in LoudHush.
Full Advisory: http://secunia.com/advisories/20466/

--

[SA20457] SUSE Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Released: 2006-06-05
SUSE has issued updates for multiple packages. These fix vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), to disclose potentially sensitive information, and to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20457/

--

[SA20451] Debian update for postgresql
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-06-05
Debian has issued an update for postgresql. This fixes two vulnerabilities, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20451/

--

[SA20446] Debian update for centericq
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-05
Debian has issued an update for centericq. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20446/

--

[SA20435] Trustix update for postgresql
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-06-05
Trustix has issued an update for postgresql. This fixes two vulnerabilities, which potentially can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20435/

--

[SA20422] Red Hat update for dia
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-02
Red Hat has issued an update for dia. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20422/

--

[SA20482] Red Hat update for spamassassin
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-07
Red Hat has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20482/

--

[SA20443] Debian update for spamassassin
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-06
Debian has issued an update for spamassassin. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20443/

--

[SA20430] SpamAssassin "spamd" Shell Command Injection Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-06
A vulnerability has been reported in SpamAssassin, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20430/

--

[SA20498] GANTTy Cross-Site Scripting and Information Disclosure
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2006-06-07
luny has reported two vulnerabilities in GANTTy, which can be exploited by malicious people to disclose system information and conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20498/

--

[SA20476] Sylpheed-Claws URI Check Bypass Security Issue
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-07
A security issue has been reported in Sylpheed-Claws, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20476/

--

[SA20497] Asterisk IAX2 Channel Driver Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-06-07
A vulnerability has been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20497/

--

[SA20461] Debian update for freeradius
Critical: Less critical
Where: From local network
Impact: Security Bypass, DoS
Released: 2006-06-05
Debian has issued an update for freeradius. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20461/

--

[SA20424] Slackware update for mysql
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-06-05
Slackware has issued an update for mysql. This fixes two vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20424/

--

[SA20421] Red Hat update for quagga
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of system information, DoS
Released: 2006-06-02
Red Hat has issued an update for quagga. This fixes two security issues and a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to bypass certain security restrictions, and to disclose system information.
Full Advisory: http://secunia.com/advisories/20421/

--

[SA20420] Red Hat update for zebra
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of system information, DoS
Released: 2006-06-02
Red Hat has issued an update for zebra. This fixes two security issues and a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to bypass certain security restrictions, and to disclose system information.
Full Advisory: http://secunia.com/advisories/20420/

--

[SA20456] Avaya Products XScreenSaver Insecure Temporary File Creation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-06
Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/20456/

--

[SA20445] Sun StorADE Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-05
A vulnerability has been reported in Storage Automated Diagnostic Environment (StorADE), which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/20445/

--

[SA20459] Avaya PDS HP-UX Kernel Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-06-06
Avaya has acknowledged a vulnerability in Avaya Predictive Dialing System (PDS), which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20459/

Other:--

[SA20479] Ingate Firewall and SIParator Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, DoS
Released: 2006-06-07
Two vulnerabilities have been reported in Ingate Firewall and SIParator, which can be exploited by malicious people to conduct cross-site scripting attacks and to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20479/

--

[SA20474] D-Link DWL-2100AP Exposure of Configuration Files
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-06-07
A security issue has been reported in D-Link DWL-2100AP, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20474/

Cross Platform:--

[SA20480] Clan Manager Pro cmpro_header.inc.php File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-07
Sx02 has discovered two vulnerabilities in Clan Manager Pro, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20480/

--

[SA20475] MiraksGalerie Multiple File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-07
Federico Fazzi has discovered some vulnerabilities in MiraksGalerie, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20475/

--

[SA20468] DreamAccount "da_path" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-06
David "Aesthetico" Vieira-Kurz has reported some vulnerabilities in DreamAccount, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20468/

--
[SA20463] dotWidget CMS "file_path" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
David 'Aesthetico' Vieira-Kurz has reported a vulnerability in dotWidget CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20463/

--
[SA20448] Informium "CONF[local_path]" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
Kacper has reported a vulnerability in Informium, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20448/

--
[SA20440] CS-Cart "classes_dir" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
Kacper has reported a vulnerability in CS-Cart, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20440/

--
[SA20439] WebspotBlogging Multiple File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
Kacper has reported some vulnerabilities in WebspotBlogging, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20439/

--
[SA20437] DotClear "blog_dc_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
rgod has reported a vulnerability in DotClear, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20437/

--
[SA20434] Claroline Two File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
rgod has reported two vulnerabilities in Claroline, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20434/

--
[SA20429] DokuWiki Spell Checker Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
Stefan Esser has reported a vulnerability in DokuWiki, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20429/

--
[SA20426] AssoCIateD "root_path" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-02
Kacper has discovered some vulnerabilities in AssoCIateD, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20426/

--
[SA20408] REDAXO "REX[INCLUDE_PATH]" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-02
beford has discovered some vulnerabilities in REDAXO, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20408/

--
[SA20486] Open Business Management Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-07
r0t has reported some vulnerabilities in Open Business Management, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20486/

--
[SA20471] Kmita FAQ Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-06
luny has reported two vulnerabilities in Kmita FAQ, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20471/

--
[SA20469] Alex News-Engine "newsid" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-06
ajann has discovered a vulnerability in Alex News-Engine, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20469/

--
[SA20465] Coppermine Photo Gallery usermgr.php Unspecified Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-06-07
A vulnerability with an unknown impact has been reported in Coppermine Photo Gallery.
Full Advisory: http://secunia.com/advisories/20465/

--
[SA20460] LifeType "articleId" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-05
rgod has discovered a vulnerability in LifeType, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20460/

--
[SA20458] MediaWiki Edit Form Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-06
A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20458/

--
[SA20450] Dmx Forum Disclosure of Sensitive Information
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-06
DarkFig has discovered two security issues in Dmx Forum, which can be exploited by malicious people to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20450/

--
[SA20447] Weblog Oggi Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-05
luny has discovered a vulnerability in Weblog Oggi, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20447/

--
[SA20438] BlueShoes Framework Multiple File Inclusion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-05
Kacper has reported some vulnerabilities in BlueShoes Framework, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20438/

--
[SA20433] FunkBoard Authentication Bypass and Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2006-06-06
Some vulnerabilities have been reported in FunkBoard, which can be exploited by malicious people to bypass certain security restrictions and to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20433/

--
[SA20428] Particle Wiki Script Insertion and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-05
Some vulnerabilities have been discovered in Particle Wiki, which can be exploited by malicious people to conduct script insertion attacks and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20428/

--
[SA20427] Particle Gallery "imageid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-05
r0t has discovered a vulnerability in Particle Gallery, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20427/

--
[SA20414] TAL RateMyPic Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-02
Some vulnerabilities have been discovered in TAL RateMyPic, which can be exploited by malicious people to conduct script insertion attacks, cross-site scripting attacks, and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20414/

--
[SA20413] Snort "http_inspect" Preprocessor Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-02
Blake Hartstein has reported a vulnerability in Snort, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20413/

--
[SA20410] Unak-CMS SQL Injection and Cross-Site Scripting Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-02
Some vulnerabilities have been reported in Unak-CMS, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20410/

--
[SA20409] SimpleBoard "sb_authorname" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-02
Yannick von Arx has discovered a vulnerability in SimpleBoard, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20409/

--
[SA20452] TIBCO Rendezvous HTTP Administrative Interface Buffer Overflow
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-06-06
A vulnerability has been reported in TIBCO Rendezvous, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20452/

--
[SA20500] GD Graphics Library GIF File Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-06-07
Xavier Roche has discovered a vulnerability in the GD Graphics Library, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) against applications and services using libgd.
Full Advisory: http://secunia.com/advisories/20500/

--
[SA20491] Particle Links "username" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-07
luny has discovered a vulnerability in Particle Links, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20491/

--
[SA20490] Particle Whois "target" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-07
luny has discovered a vulnerability in Particle Whois, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20490/

--
[SA20478] DokuWiki Restricted Page Content Disclosure Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-06-07
A vulnerability has been reported in DokuWiki, which can be exploited by malicious users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20478/

--
[SA20472] Mozilla SeaMonkey File Upload Form Keystroke Event Cancel Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-06
A vulnerability has been reported in Mozilla SeaMonkey, which can be exploited by malicious people to trick users into disclosing sensitive information.
Full Advisory: http://secunia.com/advisories/20472/

--
[SA20470] Netscape File Upload Form Keystroke Event Cancel Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-06
A vulnerability has been reported in Netscape, which can be exploited by malicious people to trick users into disclosing sensitive information.
Full Advisory: http://secunia.com/advisories/20470/

--
[SA20467] Mozilla Suite File Upload Form Keystroke Event Cancel Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-06
A vulnerability has been reported in Mozilla Suite, which can be exploited by malicious people to trick users into disclosing sensitive information.
Full Advisory: http://secunia.com/advisories/20467/

--
[SA20455] KnowledgeTree Open Source Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-06
r0t has reported two vulnerabilities in KnowledgeTree Open Source, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20455/

--
[SA20453] PHP ManualMaker Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-05
luny has reported some vulnerabilities in PHP ManualMaker, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20453/

--
[SA20444] PHP Pro Publish "catname" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-05
Soot has reported a vulnerability in PHP Pro Publish, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20444/

--
[SA20442] Firefox File Upload Form Keystroke Event Cancel Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-06
Charles McAuley has reported a vulnerability in Firefox, which can be exploited by malicious people to trick users into disclosing sensitive information.
Full Advisory: http://secunia.com/advisories/20442/

--
[SA20441] OSADS Board Comments Script Insertion Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-05
A vulnerability has been discovered in OSADS, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20441/

--
[SA20436] PyBlosxom Contributed Packages Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-06
A vulnerability has been reported in Contributed Packages for PyBlosxom 1.3, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20436/

--
[SA20418] dotProject Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-05
A vulnerability has been reported in dotProject, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20418/

--
[SA20417] LabWiki Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-05
Two vulnerabilities have been discovered in LabWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20417/

--
[SA20412] Drupal Taxonomy Module Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-02
A vulnerability has been reported in Drupal, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20412/

--
[SA20431] TIBCO Hawk "tibhawkhma" Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-06
A vulnerability has been reported in TIBCO Hawk, which can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/20431/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches; use only those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Thu Jun 8 05:03:21 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:03:21 -0500 (CDT)
Subject: [ISN] Hacker Said to Resell Internet Phone Service
Message-ID:

http://www.nytimes.com/2006/06/07/technology/07cnd-voice.html

By KEN BELSON and TOM ZELLER Jr.
June 7, 2006

Federal authorities arrested one man in Miami and another in Spokane, Wash., today in connection with what they said was a hacking scheme involving the resale of Internet telephone service.

The suspects were said to have illegally tapped into the lines of legitimate Internet phone companies, saddling them with the expense of extra traffic, while collecting more than $1 million in connection fees.

The case, one of the first involving this kind of elaborate Internet phone hacking, illustrated how Internet-based communications may be criminally exploited, and raised fresh questions about the security of phone traffic over largely unregulated networks.

Prosecutors say that starting in November 2004, the man arrested in Miami - Edwin Andres Pena, 23, a Venezuelan who has permanent residency in the United States - used two companies he created to offer wholesale phone connections at discounted rates to small Internet phone companies.

Instead of buying access to other networks to connect his clients' calls, Mr. Pena paid about $20,000 to Robert Moore, the man arrested in Spokane, to create "what amounted to 'free' routes by surreptitiously hacking into the computer networks" of unwitting Internet phone providers, and then routing his customers' calls over those providers' systems, according to the federal complaint.

To evade detection, Mr. Pena is said to have hacked into computers run by an unsuspecting investment company in Rye Brook, N.Y., commandeering its unprotected servers to re-route phone traffic through them. These steps made it appear as if this company was sending calls to more than 15 Internet phone companies.

In one three-week period, for instance, prosecutors say that one of the victimized Internet phone providers, based in Newark, received about 500,000 calls that were made to look as if they came from the company in Rye Brook.
In all, more than 15 Internet phone companies, including the one in Newark, were left having to pay as much as $300,000 each in connection fees for routing the phone traffic to other carriers, without receiving any revenue for the calls, prosecutors said.

"Emerging technologies and the Internet represent a sea of opportunity for business, but also for sophisticated criminals," Christopher J. Christie, the United States Attorney for New Jersey, said in a statement. "The challenge, which we and the F.B.I. continue to meet with investigations and prosecutions like this one, is to stay ahead of the cyber-criminal and protect legitimate commerce."

The companies in Newark and Rye Brook, and others said to have been victimized, were not identified by name in the complaint, which was filed with the United States District Court in Newark.

Mr. Pena, however, appears to have used the money he received from his customers to go on a spending spree, buying real estate in south Florida, a 40-foot Sea Ray Mercruiser motor boat, and luxury cars including a BMW and a Cadillac Escalade. Mr. Pena appeared to be smitten with his possessions, frequently posting pictures of his cars on Web sites devoted to car enthusiasts.

So far, most of the concern about the safety of Internet-based communications has focused on the ability of criminals to eavesdrop on calls, to fake caller IDs and to steal long-distance phone service.

In this case, Mr. Pena is said to have mimicked legitimate telecommunications brokers, who typically help connect long distance calls by buying minutes from large carriers and reselling them for a profit to smaller phone companies.
From isn at c4i.org Thu Jun 8 05:03:38 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:03:38 -0500 (CDT)
Subject: [ISN] Spies on the Hill: Former Capitol Police Chief Gainer Dishes About Secret Intel Unit
Message-ID:

http://public.cq.com/public/20060602_homeland.html

By Jeff Stein
CQ Staff
June 2, 2006

No self-respecting federal agency goes without its own intelligence service these days, and the U.S. Capitol Police is no exception.

The Capitol Police have a little-known intelligence unit that takes up a whole floor of its seven-story, century-old headquarters at First and D Streets Northeast, according to its just-retired police chief.

Terrance W. Gainer, who turned in his badge, gun and police-issued Blackberry two months ago after four years of occasionally rough times with protesters and headstrong lawmakers, says his unit collaborated closely with the CIA and the FBI-led Joint Terrorism Task Force, and had liaison officers at most of the 16 spy agencies that make up the U.S. intelligence community.

Gainer also says his intelligence unit - fewer than 50 in a 600-strong corps, he indicated - often swept congressional hearing rooms and offices for secret electronic listening devices and fielded plainclothes officers to see who might be scouting the facilities for a terrorist attack.

"We are a very, very full-service police department, and know for certain that the goal we have as counterterrorism police is stopping an attack before it starts," Gainer says.

The intelligence unit's head, Deputy Chief Mike Jarboe, could not be reached for comment on the Capitol Police's counterintelligence and security activities.

"I'm going to guess they're not going to be very talkative," Gainer said in the first of two interviews over the past few weeks. "As a rule, I have a different philosophy on the press, as some might suspect, and it got me in trouble with some of the House members."
"I think there ought to be a little open dialog," said Gainer, who was chief of the Illinois state police before coming to Washington in 1998, "and I don't like to deny that which is obvious.

"I think in some respects you want our enemy to know that we are capable, but you don't want them to know the specifics of our capabilities. . . . And that's always a fine line."

"Holy Cow"

Every morning at 8:45, Gainer says, he, his top officers and delegates from the House and Senate sergeant-at-arms offices gathered for an intelligence briefing in "a secure location" that he would not identify.

That facility, as well as an area in Capitol Police headquarters, had a so-called Sensitive Compartmented Information Facility, or SCIF, that prevented hostile intelligence agencies from listening in on conversations, Gainer said.

"Our intel people would talk about threats picked up by other intel agencies. We'd also talk about major hearings, dignitary visits to the Hill, and so on."

At least twice a month, and sometimes weekly, the Capitol Police intelligence unit and senior commanders got briefings from the CIA and FBI in the Hill's SCIF.

"We had some 'holy cow' moments," Gainer said, declining to provide details. But overall, "It would be rare, in that kind of meeting, that I would learn something I hadn't already been briefed on."

Moles

As for finding "bugs" in Capitol facilities, Gainer would only say, "I wouldn't comment on that, but I will tell you this, that we feel comfortable with the meetings that are conducted in there and our sweeps."

Gainer also revealed this little-known detail: Capitol Police carry out what he calls "counterintelligence" activities.

"It's not putting people under cover to develop informants. We don't do that," he said. "We have plainclothes officers who go out and do counterintelligence work. We're always trying to figure out what the bad guys are trying to figure out in watching us or observing what we do."
In the spy trade, counterintelligence usually means penetrating the opposition's spy service and looking for moles within its own. But that's not what Capitol Police "special agents" - a designation Gainer said he bestowed on his intelligence specialists for its "cachet" - do, the retired chief says.

"Counterintelligence, from our perspective," Gainer explains, "is very limited in scope. It might be something as simple as, during the State of the Union address or the inauguration, having people out watching the crowd.

"So we're looking at people who are watching us. If we got a phony call on a suspicious package, the terrorists might be watching to see how we respond - how many units, how many people, how we lay ourselves out. So we have people in plainclothes looking at the lookers. And we might decide to talk to someone who's doing some taping, we might tape people who are taping us, and cross-reference that with what's going on in other jurisdictions."

In the investigation of last summer's London subway and bus bombings, authorities "captured tapes that showed different places in D.C. and on the Hill," said Gainer, 58. "Maybe it was pre-operational stuff."

But the Capitol Police intelligence unit's purview isn't necessarily confined to Capitol Hill, he said.

Sharing

All 535 members of Congress "and their families" are under the Capitol Police's protective wing. "We don't go out to their home towns, but our responsibility extends to where those men and women are, and their families. So either we or those local police departments stay on top of what's going on."

"If there's something that is of greater scope than our area then we work with the FBI and the Joint Terrorism Task Forces," he says. And the intel unit has "connections in each of the states, with the local FBI field office, or places like L.A., New York, Chicago - they all have intelligence squads."
It works the other way, too, Gainer said, with threats against members of Congress relayed quickly to Capitol Police intelligence. It wasn't always that way.

Now the department's problem is information overload.

"I think the biggest concern we have now is everybody is sharing so much because no one wants to be accused of not sharing. We would have a daily intel briefing telling us what was going on in the world, and sometimes you would say, 'Why in the world are we being told this, because it's laughable.'"

"They might lay out a lot of information and then say the person giving this to us is unreliable, has given us bad information in the past and is crazy. And we'd go, 'Then why share it with us?'"

Today, he says, relations with the CIA, FBI and other intelligence agencies are tight. During the CIA and FBI briefings, there's a lot of unprecedented give and take with Capitol Police analysts, many of whom are drawn from the military intelligence services. Those who aren't are sent to the military intelligence schools and the FBI for training, Gainer said.

"At the end of those briefs, the FBI and CIA would give more details and answer your questions. In other words, they would let those 'intellectual' discussions go on. They might say, 'This is our read of this bit of intelligence, give us yours,'" Gainer says.

"Sometimes our analytical people would write reports that ran counter to [theirs], which was the accumulated intel from 18 agencies. Our guys would write theirs from our perspective and say, 'Why couldn't it mean this?'"

Despite the new collaboration between the Capitol Police and federal spy agencies, along with bag checks, floating security units, New Jersey barriers and anthrax mail sniffers, a determined terrorist can probably get through, Gainer volunteered.

"Because it's an open campus, someone can ride a bus up there - but not a truck - a bike with saddlebags on us. That presents a challenge. But our concern was the smaller events.
Working with our federal intelligence agency partners, we think we have a pretty good handle on the potential for our adversaries to do big stuff."

Big stuff? "A 9/11, a nuclear attack, a dirty bomb - all those are possible," he says.

But the Capitol is much better protected than when he arrived, he maintained, despite such panicky moments as the "shooting" in the Longworth House Office Building garage last week that shook the whole city but most likely was a construction crew dropping pipes.

"Between us and some of the other federal brethren, I feel we have a pretty good handle on what's in the air," Gainer said, "and which way the wind is blowing. . . ."

[...]

From isn at c4i.org Thu Jun 8 05:04:17 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:04:17 -0500 (CDT)
Subject: [ISN] Fighting cyber crime in Nigeria
Message-ID:

http://www.tribune.com.ng/08062006/infosys2.html

By OLUWASEUN AYANTOKUN
Info Systems
Lagos
8th June, 2006

When efforts are being made to remove the rebellious shoot of the proverbial stump, it obstinately sprouts another. So it is with cybercrime, which has continued to grow by leaps and bounds even as the government frantically keeps on fighting financial crimes. While that war is yielding results by enhancing the image of Nigeria abroad, cybercrime has continued to dent it.

The Internet creates unlimited opportunities for commercial, social and educational activities. But as we can see with cybercrime, the net introduces its own peculiar risks. The convenience associated with IT and the Internet is now being exploited to serve criminal purposes.

Cybercrime covers more than online 419 fraud: it is any use of computers and/or the Internet to commit crime. Computer-assisted crime includes e-mail scams, hacking, distribution of hostile software (viruses and worms), denial of service attacks, theft of data, extortion, fraud and impersonation.
Recently, a report indicated that Nigeria is losing about $80 million (N11.2 billion) yearly to software piracy. The report was the findings of a study conducted by the Institute of Digital Communications (IDC), a market research and forecasting firm based in South Africa, on behalf of the Business Software Alliance of South Africa.

As it is now, cybercrime is an image nightmare for Nigeria. When you come across phrases like "Nigerian scam", the assumption that crosses your mind is that all (or, conservatively, most) scam emails originate from Nigeria or Nigerians.

In 2004, the federal government established a cybercrime working group, the Nigeria Cyber Working Group (NCWG), with the purpose of aiding Nigeria's demystification of the hydra-headed monster. The NCWG is an inter-agency body made up of all key law enforcement, security, intelligence and ICT agencies of government, plus major private organisations in the ICT sector. Some of these agencies include the Economic and Financial Crimes Commission (EFCC), Nigeria Police Force (NPF), the National Security Adviser (NSA), the Nigerian Communications Commission (NCC), Department of State Services (DSS), National Intelligence Agency (NIA), Nigeria Computer Society (NCS), Nigeria Internet Group (NIG), Internet Services Providers' Association of Nigeria (ISPAN), National Information Technology Development Agency (NITDA), and individual citizens representing the public interest. The working group has two chairpersons and one coordinator.

The duties of the Working Group include: engaging in public enlightenment programs; building institutional consensus amongst existing agencies; providing technical assistance to the National Assembly on cybercrime and in the drafting of the cybercrime act; and laying the groundwork for a cybercrime agency that will eventually emerge to take charge of fighting cybercrime in Nigeria.
In addition, the working group was tasked with the responsibility of working with global cybercrime enforcement agencies in the USA, the UK and other countries that are at the forefront of fighting cybercrime.

All this has created a lot of talk about fighting cybercrime without a significant result to show for it. Early this year, an online news magazine doubted Mr Nuhu Ribadu, the executive chairman of the Economic and Financial Crimes Commission, who vowed that Nigeria would "deal a fatal blow" to cybercrime networks. According to Mr. Ribadu, Nigeria "will monitor cybercafes and take on a 'significant' number of cases against such criminals based in Nigeria". The news magazine, InfoSec News, queried: "Prosecution of cyberscams is fine, but are there sufficient laws for this? If there are laws, why weren't they enforced so far, and if there are no laws, why is this not the first step?"

How effectively, then, can the war against cybercrime be prosecuted, given the awareness of the menace it poses to society?

"Fighting cybercrime requires not just IT knowledge but IT intelligence on the part of the security agencies. For now, there is an IT security divide - a serious shortage of skills to deal with the threats associated with IT. Shouting and moaning about cybercrime isn't enough. All the talk is meaningless unless the gap is closed. Security agencies need to be equipped with the skills, the know-how and the insight necessary to fight cybercrime effectively. While resources are needed to fight the menace, it is imperative to avoid the misdirected approach of 'throwing money' at the problem. The approach must be based on policies and strategies. Such policies must be based on knowledge. Knowledge not just for the operatives, but also for those that will commit resources. For example, do the decision makers have any REAL, PRACTICAL appreciation of technology, not to talk of cybercrime?
What is their stake on the basics of information security in today's high-tech business environment? The cybercriminals seem to have the technology advantage.

"Essentially, cybercrime is an information- and intelligence-based activity. You cannot fight cybercrime with ignorance, strong directives or boastful talk", Mr Jide Awe, an ICT expert, said in a conference paper presented in 2004.

Furthermore, legislation needs to keep pace with e-crime, especially as it becomes more prevalent and sophisticated. "Apart from awareness and culture, security measures (technical and non-technical) will need to be put in place and enforced, as part of the solutions. This might involve raising penalties and increasing the seriousness of e-offences. The right culture should create a high level of awareness amongst stakeholders", added the ICT expert.

Cybercrime cannot be divorced from the prevalent high level of corruption and widespread poverty and unemployment in Nigerian society. Heavier punishments and enlightenment, closing down cyber cafés and issuing draconian directives may therefore not be meaningful without addressing the causes. To fight crime you attack the causes of crime. Little wonder, then, that after the initial excitement over the setting up of the NCWG and some spineless fight by the security agencies, the noise died down.

Also in terms of strategy, it is crucial to thoroughly address issues relating to enforcement whenever the bill before the National Assembly to curb the crime is passed into law. "Mishandling of enforcement can backfire. Enforcement can only work if it avoids harassment, abuse of privacy and extortion. Care must be taken not to throw out the baby with the bath water. Don't create a situation where genuine users of the Internet are frustrated and unable to benefit from the Internet. In today's world, computing tools and the Internet are used to effectively promote social development and business growth.
Strategies must strike a balance between security concerns and other developmental needs", Mr Awe suggested.

In April, at the Heinrich Boll Foundation (HBF) Conference Hall, where some stakeholders in the ICT industry gathered to discuss how to facilitate information security, reduce security breaches and take steps to contain cybercrime in Africa, Dr. Martins Ikpehai, chief executive officer of Computer Audit and Security Associates Ltd, Lagos, stated that "computer security and cybercrime awareness should be created with a view to sensitising all users of the internet facility with the emerging indicators of crime and fraud being committed through computers".

Other participants at the three-day conference agreed in various papers presented that law enforcement agencies and the judiciary in the continent have roles to play in devising ways of curbing internet fraud and in enhancing their skills in computer security and risk management. The group was also hopeful that the Computer Security and Cybercrime Bill it sponsored to the National Assembly will be passed on time and that its passage would mark the beginning of the war against internet crime in the country. Of course, how far can the country go without active legislation in place? According to the participants, it is also very necessary for the relevant authorities to conduct surveys and research with a view to containing cyber-related crimes and computer security breaches. Mr Awe, who also participated at the conference, charged the information security expertise in the continent to identify threats to computer security and to protect against both internal and external threats, among which human error is a major concern that needs a human approach.

The situation on the ground, therefore, shows the country still has a long way to go.

© 2004 - 2006 African Newspapers of Nigeria Plc.
From isn at c4i.org Thu Jun 8 05:04:39 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:04:39 -0500 (CDT)
Subject: [ISN] Privacy Lost
Message-ID:

http://www.cbsnews.com/stories/2006/06/07/opinion/main1690428.shtml

By Tom Kellerman
CBS
June 7, 2006

In today's age of digital everything, one can reminisce about the days of true privacy. Much of the discussion of late has centered upon the NSA's domestic spying program. Americans from the deep red states to the blue have felt betrayed by Uncle Sam as a result of his anti-terror efforts. The naiveté exhibited by privacy advocates everywhere stems from a lack of appreciation that the world is truly flat: privacy has been traded for convenience.

True privacy has become pure nostalgia in this age of digital everything. All the fretting about the National Security Agency's domestic spying program is understandable, but it misses one spectacularly big point: domestic privacy in America simply does not exist anymore. Those who use e-commerce most are at greatest risk. The Privacy Rights Clearinghouse reported that more than 80 million Americans have had their personal information jeopardized by data breaches since Feb. 15, 2005. A more recent study conducted by IBM claimed that three times more Americans thought they were more likely to be victimized by cybercrime than by physical crime.

Most Americans are unaware that government Big Brother no longer has a monopoly on domestic spying. There are in fact thousands upon thousands of Big Brothers in cyberspace and on the digital airwaves. These Big Brothers are intent upon criminal gain rather than national security. These Big Brothers exist in the underground hacker community, among other places. Since the widespread adoption of e-commerce and e-finance, the burgeoning hacker community has evolved into a force to be reckoned with on the world stage. An entire subculture of highly educated and sophisticated cyber criminals exists. Much as the Italian Mafia in the U.S.
moved into narcotics trafficking in the 1970s, other organized criminal syndicates have realized that identity theft, funds transfer and extortion are the most lucrative business models in the information age.

A recent FBI study determined that 9 out of 10 American businesses fell victim to cyber crime last year. The FBI Director, Robert Mueller, declared cyber crime his number one criminal priority. According to the Organization for Economic Cooperation and Development, one in three computers is compromised, that is, remotely controlled by someone other than you.

The virtual takeover of Americans' privacy has been largely due to the proliferation of Trojan Horse programs. Trojan Horse programs are smaller, digital, and far more prolific than in the days of Troy. Trojans cloak malicious code by appearing as innocuous attachments in order to gain access inside a user's computer system. Once a Trojan Horse has been introduced into a user's computer system, it plants a program that listens for a variety of user communications and secretly installs secret passageways into the user's computer. Through these backdoors, remote hackers can launch malicious code and vandalize, alter, steal, move, or delete any file on the infected computer. They can also harvest sensitive user information such as financial account numbers and passwords from the data in local files, and then transmit them through the backdoors.

Most Americans think that one must be very technical to invade someone else's privacy in this fashion. That belief is dangerously misguided. Much as one need not understand the inner workings of a handgun to use one, you don't need to be a sophisticated programmer to be an adept cyber crook. By merely running a query in a search engine for Trojan horse programs or keyloggers, one will find tens of thousands of relevant downloadable programs at one's fingertips. One merely needs to comprehend the lexicon associated with hacker tools to launch cyber attacks.
The Internet has become a virtual arms bazaar. The free distribution of cyber weapons takes place millions of times every day. Underground Internet Relay Chat rooms and Web sites like http://astalavista.box.sk have mirrored the American gun shows, the only exception being that all the guns and ammo are free.

Some examples might shock you:

Did you know that the Pentagon, the most secure infrastructure in the world, was hacked for over eight months by a network of Chinese computers named Titan Rain? These computers were implanted within the DOD's internal networks so as to steal our aeronautical specifications for advanced jets and spacecraft.

Did you know that the greatest threat facing our banks is not armed robbers but cyber thieves stealing your identity and setting up fraudulent lines of credit in your name? Only 2 percent of mounting bank crime losses are from physical robberies now. Today's bandits hide safely in a hotel room halfway around the world while they steal your financial futures.

Did you know that the 202 deaths of foreigners in Bali in 2002 were financed by cyber crime? Imam Samudra was convicted of engineering the devastating Bali nightclub bombings four years ago. Samudra published a jailhouse autobiography that contained a chapter titled "Hacking, Why Not?" Samudra urged fellow Muslim radicals to take the holy war into cyberspace by attacking U.S. computers, with the particular aim of committing credit card fraud online.

Today's digital world has become a boon to an illegal underground economy that trades in our secrets. Governments no longer have a monopoly on technology and thus no longer have a monopoly on being Big Brother. Indeed, the proliferation of criminal, digital Big Brothers far exceeds the government's ability to protect citizens in cyberspace. A good place to begin reclaiming privacy and real cyber security in vital areas of life and commerce is with the banks and corporations that we do business with.
Just as some corporations do a better job at protecting the environment, there are those who do a better job at ensuring our privacy and cyber security. There is no way government can do the job itself; the resources and resourcefulness of the entire private sector are necessary. In cyberspace, privacy cannot exist without cyber security. You might attempt to protect your computer and the information on it. But you can't protect the security of every institution that holds information about you. Much like the concept of "rewind", the concept of personal privacy is becoming ancient history.

-=-

Tom Kellermann is a cyber security consultant who formerly held the position of Senior Data Risk Management Specialist for the World Bank Treasury Security Team. He was responsible for cyber intelligence and policy management within the World Bank treasury and regularly advised central banks around the world. He is a Certified Information Security Manager (CISM).

© MMVI, CBS Broadcasting Inc. All Rights Reserved.

From isn at c4i.org Thu Jun 8 05:04:56 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:04:56 -0500 (CDT)
Subject: [ISN] DOD data center worked overtime on stolen personnel files
Message-ID:

http://www.fcw.com/article94816-06-07-06-Web

By Bob Brewin
June 7, 2006

The Defense Manpower Data Center (DMDC) worked during the past weekend to determine that a stolen Department of Veterans Affairs database, which contained sensitive personnel information on 26.5 million veterans, also contains information on as many as 1.1 million active-duty personnel, a DOD spokesman said.

Army Lt. Col. Jeremy Martin, a Pentagon spokesman, said the VA informed DOD June 1 that the stolen database may have included information on active personnel. DOD then asked the VA to transmit an original of the file stolen from the home of a VA data analyst May 3 to DMDC. That file, Martin emphasized, was encrypted and then transmitted over a secure link from the VA to DMDC.
DMDC employees then worked over the weekend to compare records in the VA file with records of active-duty and reserve personnel and determined that records for as many as 1.1 million out of 1.4 million active-duty personnel may have been included in the stolen VA database, Martin said. He added that records on 430,000 members of the National Guard and 645,000 members of the Reserves -- or roughly 90 percent of Reserve and Guard personnel -- may have been on the stolen database.

Martin said DMDC employees worked over the weekend because "responding to the compromise of service personnel's information was an urgent priority and required immediate attention."

Once DMDC completed its work, DOD informed the VA June 5, and VA Secretary Jim Nicholson announced the latest fallout from the data theft June 6. The theft has consumed the agency since it surfaced in late May. The VA "committed to providing updates on this incident as new information is learned," Nicholson said. The department is working with DOD to notify all affected personnel.

Nicholson said the VA is in discussion with several entities to provide credit-monitoring services for active-duty and military personnel potentially at risk from the data theft. David Rubinger, a spokesman for Equifax, a large credit-reporting service, said the company has not received any such request from the VA, but added that individual fraud alerts by veterans have spiked ever since the VA announced the theft.

Martin said DMDC is still comparing its files with the VA database, a process it should complete by the end of the week, at which time the center could determine that a smaller number of records are at risk from the VA data theft. Martin said the number of records at risk from the theft could go lower, but it will not increase.
From isn at c4i.org Thu Jun 8 05:05:21 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:05:21 -0500 (CDT)
Subject: [ISN] IRS Laptop Lost With Data on 291 People
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/07/AR2006060701987.html

By Christopher Lee
Washington Post Staff Writer
June 8, 2006

An Internal Revenue Service employee lost an agency laptop early last month that contained sensitive personal information on 291 workers and job applicants, a spokesman said yesterday.

The IRS's Terry L. Lemons said the employee checked the laptop as luggage aboard a commercial flight while traveling to a job fair and never saw it again. The computer contained unencrypted names, birth dates, Social Security numbers and fingerprints of the employees and applicants, Lemons said. Slightly more than 100 of the people affected were IRS employees, he said. No tax return information was on the laptop, he said.

"The data was not encrypted, but it was protected by a double-password system," Lemons said. "To get into this personal data on there, you would have to have two separate passwords."

Lemons said the Treasury Department's inspector general for tax administration is investigating the loss. The IRS is notifying affected individuals and advising them on steps to guard against identity theft. Lemons declined to name the airline or the employee, or to say whether the worker was disciplined, citing the ongoing investigation.

The Department of Veterans Affairs suffered a much larger data breach last month when thieves broke into a VA data analyst's home and stole a laptop and external hard drive containing personal information on 26.5 million veterans and active-duty military members.

Colleen M. Kelley, president of the National Treasury Employees Union, said IRS employees are worried. "The first thing that comes to mind is identity theft and why care and caution wasn't taken to encrypt their data," she said.
Lemons said tax return information is always encrypted if IRS workers carry it into the field. He could not cite a similar policy for personal employee data but said, "typically it's our policy to encrypt any sensitive information."

Kelley said she is pressing the IRS to give employee data the same care and protection as taxpayer information. "They are taking this seriously and I would expect to see some changes in policy and procedures in the future," she said.

© 2006 The Washington Post Company

From isn at c4i.org Fri Jun 9 12:43:20 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:43:20 -0500 (CDT)
Subject: [ISN] CPA group says hard drive with data on 330,000 members missing
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001030

By Jaikumar Vijayan
Computerworld
June 07, 2006

Adding to the lengthening list of organizations reporting data compromises, the American Institute of Certified Public Accountants (AICPA) today confirmed that a computer hard drive containing the unencrypted names, addresses and Social Security numbers of nearly all of its 330,000 members has been missing since February.

The hard drive had been accidentally damaged by an AICPA employee and was sent out for repair to an external data-recovery service in violation of the AICPA's policies, said Joel Allegretti, a spokesman for the New York-based organization. It was on its way back to the AICPA via FedEx but failed to arrive.

Allegretti did not say when exactly the drive went missing, except to note that the package containing it was due back at the AICPA "toward the end of February." It took the organization until March 31 to "re-create the drive" and determine what data it contained. The AICPA began notifying affected members of the potential compromise of their personal data on May 8 and has since completed the task, Allegretti said.
Jim McClusky, a spokesman for FedEx Corp., said it is unclear what exactly happened to the drive. But he stressed that it is a mistake to characterize the package as being lost. "We did handle the shipment, and we are working closely and cooperatively with our customer to determine where the package might be," he said. "It is still being investigated. At this point, we are looking at it as a missing shipment; that doesn't mean it's lost."

Based on investigations so far, it does not appear that information on the hard drive has been misused, Allegretti said. Following the loss, the AICPA is offering affected members a year's worth of free credit-monitoring services.

The incident has also prompted the group to begin deleting all Social Security numbers from its member database. While a note posted on the organization's Web site says the collection of Social Security numbers has been a long-standing procedure, it added that "we will cease collecting and maintaining them, except in limited circumstances. And even for those, we are accelerating our efforts to develop other means of uniquely identifying our members."

News of the AICPA breach comes amid a flurry of similar disclosures in recent days. By far the biggest was the May 22 disclosure by the U.S. Department of Veterans Affairs that it had lost personal data on more than 26.5 million veterans discharged since 1975. Since then, the agency has admitted that the breach may have exposed personal information on about 2.2 million active-duty National Guard and Reserve troops as well (see "Personal info on 2.2M troops part of VA data theft" [1]).

Since then, there have been similar disclosures elsewhere, including Texas Guaranteed Student Loan Corp., a Round Rock, Texas-based nonprofit organization. TG said that an outside contractor lost an unspecified piece of equipment containing the names and Social Security numbers of approximately 1.3 million borrowers.
On May 26, Sacred Heart University in Fairfield, Conn., announced that one of its computers had been hacked into, resulting in the potential compromise of data belonging to 135,000 alumni and would-be students.

And earlier this month, a password-protected laptop containing credit card information on more than a quarter-million Hotels.com LP customers was stolen from the car of an auditor at Ernst & Young LLP.

[1] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000992

From isn at c4i.org Fri Jun 9 12:43:41 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:43:41 -0500 (CDT)
Subject: [ISN] VA cuts telework, bans employee-owned computers
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=34291

By Daniel Pulliam
June 8, 2006

The Veterans Affairs Department has suspended use of employee-owned computers for official agency business and has limited telework at one of three major divisions, in an effort to prevent security breaches.

The agency also is issuing a directive reminding employees that failure to comply with department policy regarding the protection of personal data could result in administrative, civil or criminal penalties, VA Secretary James Nicholson testified Thursday at a House Government Reform Committee hearing. The panel called the hearing to discuss the department's response to the early May theft of sensitive records from the home of a VA employee.

A June 6 directive to the Veterans Benefits Administration bars employees from removing claim files from their offices to work on them from alternative locations, such as their homes. From June 26 until June 30, all VA facilities will observe a Security Awareness Week.

Nicholson said about 35,000 employees have some level of access to the department's servers through a virtual private network, also known as a VPN, for the purpose of off-site access such as at an employee's home.
Under recently issued policies, employees no longer will be allowed to access the agency's VPN from personal computers. Every 30 days the VPN settings will change, forcing laptop users to return to the agency for updates and security screening, Nicholson testified.

But several outside observers have said that the data breach could have been prevented if the VA employee had accessed the information he needed over a network, rather than bringing it home on computer disks.

The GS-14 employee, who had worked at the department for 34 years, was not authorized to telework, according to Nicholson, but he had been taking data to his Aspen Hill, Md., home for the last three years. A laptop computer owned by the employee and an external hard drive containing the personal information of 26.5 million people were stolen May 3 in what authorities say was a routine break-in. VA officials took steps late last month to initiate the employee's firing.

Nicholson said law enforcement authorities have apprehended a few people who have committed burglaries similar to the one at the employee's home, but the equipment did not match that containing the data.

While the extent of the breach expanded this week to affect the records of 2.2 million military personnel in addition to nearly all of the nation's veterans, Nicholson said the agency has its hands "around the four corners" of the hard drive's contents.

"I am outraged at the theft of this data and the fact an employee would put it at risk by taking it home in violation of VA policies," Nicholson said in his testimony. "We remain hopeful that this was a common theft, and that no use will be made of the VA data."

Nicholson said the VA's chief information officer currently lacks enough authority to guard against data breaches, but as of last October, the department started centralizing its information technology functions around the CIO office.

At the hearing, David M. Walker, chief of the Government Accountability Office, proposed that all federal agencies conduct a privacy impact assessment to determine how personal information is collected, accessed and stored. He also recommended that agencies ensure they are in compliance with the 2002 Federal Information Security Management Act. Walker urged lawmakers to consider legislation that would require agencies to disclose breaches involving personal data, and create additional requirements for accessing such information. "There is a gap here when it comes to sensitive personal information," Walker said.

Clay Johnson, deputy director for management in the Office of Management and Budget, testified that he believes the administration has enough authority to prevent future breaches across the government, but a review will be conducted to see if "extra teeth" are needed.

"I'm told that there are dozens of security breaches involving laptops [each year]," Johnson said. "None of these involved 26 million names. This is the 100-year storm of security breaches."

Johnson said it is the administration's policy that all sensitive data on laptops be encrypted, but it's not always enforced. In the VA case, the information on the employee's stolen laptop and external hard drive was not encrypted, leaving it vulnerable to identity thieves.

From isn at c4i.org Fri Jun 9 12:43:55 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:43:55 -0500 (CDT)
Subject: [ISN] NIST supplies IT security handbook to managers
Message-ID:

http://www.fcw.com/article94829-06-08-06-Web

By Wade-Hahn Chan
June 8, 2006

The National Institute of Standards and Technology has released a draft of its Information Security Handbook. The handbook provides an overview of information security measures to give managers a better understanding of how to implement an information security program.
According to NIST's computer security resource center, the purpose of the handbook is to inform the information security management team about the expected implementation and oversight of various aspects of information security in their organizations. The publication includes summaries of existing NIST publications and standards.

The 124-page document includes a section on designing, implementing and overseeing a program for awareness and training for information security standards. Other topics include summaries of the responsibilities of agency heads, developing a life cycle for systems development and detailing specific performance metrics for systems evaluation. There is an extensive Frequently Asked Questions section toward the end of the publication.

NIST is requesting that comments on the handbook be sent to handbk-100 at nist.gov. NIST will be accepting comments until August 7.

From isn at c4i.org Fri Jun 9 12:44:12 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:44:12 -0500 (CDT)
Subject: [ISN] Microsoft product phones home every day
Message-ID:

http://www.theregister.co.uk/2006/06/08/ms_wga_phones_home/

By John Oates
8th June 2006

Microsoft has admitted that Windows Genuine Advantage (WGA) will phone Redmond every day - something it neglected to tell users before they installed it.

WGA is designed to detect pirated copies of MS software but is also creating some false positives - two UK dealers have contacted the Reg to report customers complaining that WGA had branded their software as an illegal copy.

The software checks what is installed on your machine and then reports back to Microsoft - it sends your IP number and information on your software set-up. If your software is dodgy you will start receiving pop-up reminders from Microsoft.

Michaela Alexander, head of anti-piracy at Microsoft UK, told the Reg: "First of all this is a pilot - customers have the choice to subscribe or not.
WGA is very careful about which license keys are checked - some numbers have been leaked and therefore have been culled by Microsoft. If customers bought a genuine copy of Windows but as a result of a poor installation or a repair a different license key was used then WGA would flag it as not genuine."

But Alexander said all this was detailed in the opt-in process. But she added: "The last thing we want is unhappy customers so we are investigating this - but it is a pilot and this is part of the process."

The word from the US is that Microsoft will change WGA so it only phones home once a fortnight, instead of every day, and will do a better job of letting users know what the software is doing. More from Seattle Post Intelligencer here [1].

One of the dealers with the original problem emailed us the following:

The problem was caused by an ActiveX control being blocked by IE security. The fix was to go to http://www.microsoft.com/genuine/diag and follow the instructions. This runs through a series of checks to ensure that the validation process can operate correctly, then advises of the necessary changes in IE setup to permit correct validation. In the case of our clients, the problem was correctly diagnosed and the resolution worked fine. It's just alarming that for a simple security problem, Microsoft had informed the end user (by way of a message displayed on their screen) that they might be [quote] "The victim of software counterfeiting". ®
[1] http://seattlepi.nwsource.com/local/6420AP_WA_Microsoft_Monitoring_Piracy.html

From isn at c4i.org Fri Jun 9 12:44:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:44:29 -0500 (CDT)
Subject: [ISN] Academy hackers under investigation
Message-ID:

http://www.theoaklandpress.com/stories/060806/loc_2006080604.shtml

By DAVE GROVES
Of The Oakland Press
June 8, 2006

BLOOMFIELD HILLS - The principal of the acclaimed International Academy said he believes the school's image will not be marred by what he describes as serious but immature mistakes made by five students.

Bert Okma said he and other academy employees are completing an investigation into the mostly freshman students' hacking of a school information system and the alteration of several academic grade records.

"I think they saw it as a game ... and a chance to improve their academic standing," the principal said. "If they had been willing to dedicate as much time to their studies as they did to this, we wouldn't be dealing with the issue."

Administrators have had extensive conversations with the students, who came forward after several teachers recognized disparities between grades in their personal records and those appearing on the school's computer system. An investigation revealed that sometime in November, the students had installed software on the system that provided them with faculty user names and passwords.

International Academy's Joint Steering Committee has reviewed the situation and determined that the five students will face disciplinary action ranging from loss of academic credit to expulsion. The extent of the consequences will be determined through hearings conducted with school officials, the students and their parents in coming weeks. Okma said mitigating circumstances will be considered individually at that time.

Students also could face criminal charges depending on the investigation findings and the desires of school administrators. Lt. Steve Cook of the Bloomfield Township Police Department said that the school has not yet requested police involvement in the matter. "Depending on what their investigation reveals, could there be criminal charges issued? I would say there is that possibility," he said. Cook did not want to speculate on potential charges.

Meanwhile, academy staff are undertaking the daunting task of reviewing all test grades recorded for all students this year. This is because the students responsible for the computer security breach are suspected to have changed both their own grades and those of others.

Okma said that while teachers are frustrated, disappointed and hurt by the revelation, they remain resolved not to let it mar the overwhelmingly positive view they have of the student body as a whole. Okma believes the same sentiment will prevail outside the school. "The reputation of the International Academy is sound and well-earned, and I don't see this impacting that," he explained. "Everybody understands that young people can make mistakes."

And such mistakes on the part of local youth are not unprecedented. Last month, three North Farmington High School students were suspended after obtaining staff passwords to district computers. Officials are working to figure out what the students intended to do with the information. The Farmington Hills Police Department is investigating the matter. Chief William Dwyer said felony charges could come next month. "It's still ongoing," he said. "This is an extensive investigation."

Farmington school officials were alerted to the theft after a student came forward to report the incident. With the passwords, the students would have had to access the system while at school and not at home. Officials do not know if any of the students accessed the system. No information on the students has been released.
From isn at c4i.org Fri Jun 9 12:45:02 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 9 Jun 2006 11:45:02 -0500 (CDT) Subject: [ISN] Linux Advisory Watch - June 9th 2006 Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com Weekly Newsletter                                |
|  June 9th, 2006                           Volume 7, Number 24n      |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas      ben at linuxsecurity.com  |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, advisories were released for motor, typespeed, lynx-cur, xmcd, postgresql, centericq, freeradius, spamassassin, dia, tetex, squirrelmail, mc, gdm, gnome-panel, dovecot, evolution, x11, libtiff, openldap, MySQL, postgresql, quagga, zebra, and rug. The distributors include Debian, Fedora, Mandriva, Red Hat, and SuSE.

---

Security on your mind? Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data. The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates. The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.
http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Linux v3.0.7 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.

The following reported bugs from bugs.engardelinux.org are fixed in this release:

#0000067 SIMAP AND SPOP3 packages are built disabling plaintext auth

Several other bugs are fixed in this release as well.

New features include:

* A new package (hwlister) which can be used to generate an inventory of all the hardware which comprises your system. This package is now installed by default with EnGarde Secure Linux.

* PHP was rebuilt with cURL support and a race condition was fixed in shadow-utils.

* The latest stable versions of: MySQL (5.0.22), apache (2.0.58), asterisk (1.2.8), bacula (1.38.9), imap (2004g), openssl (0.9.8b), php5 (5.1.4), postfix (2.2.10), snort (2.4.4), sudo (1.6.8p12), syslog-ng (1.6.11), vim (6.4.010), and zaptel (1.2.6).

* Several new packages:

  - binstats (1.08)
    Binstats is a statistics generation tool for installed programs. It is also useful for cleaning up a system by helping find duplicate executables, unused libraries, statically linked binaries and duplicate man pages.

  - bitchx (1.1)
    BitchX is an IRC (Internet Relay Chat) client that is based on ircII (but heavily modified). It is ncurses based and allows the user to get onto IRC without requiring the use of a GUI client.

  - bittorrent (4.9.2)
    Bittorrent is a scatter-gather network file transfer protocol used for distributing files. Unlike regular downloads, the more people are currently downloading a file using bittorrent, the faster it will go.

  - ethereal (0.99.0)
    Ethereal is a network protocol analyzer.
    This version is ncurses based and allows the user to examine and capture data from a live network.

  - hyperion (1.0.2)
    Hyperion is an IRC daemon that allows clients to connect to it. This is the server that is used by Freenode.

  - john (1.7.0.2)
    "John" is a password cracker whose primary purpose is to detect weak passwords in order to strengthen the overall security of a system.

  - libapache-mod_fcgid (1.09)
    mod_fcgid is an apache web server module that acts as a binary compatibility alternative to mod_fastcgi. It comes with a new process management strategy.

  - libapache-mod_mono (1.1.14)
    mod_mono is an apache web server module that provides ASP.NET support for the apache web server.

  - libapache-mod_security (1.9.3)
    mod_security is an apache web server module that acts as an intrusion detection and prevention engine for web applications. It acts as another line of defense between improperly coded applications and the webserver.

  - makejail (0.0.5)
    Makejail, in conjunction with binstats, determines which binaries a program is going to need to be chrooted and creates a chroot jail for it.

  - mc (4.6.0)
    Midnight Commander is a console based ncurses visual file manager similar to Norton Commander. It has the ability to handle archives, FTP sites, and many other file types built in.

  - paketto (1.10)
    The Paketto Keiretsu is a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. scanrand is said to be faster than nmap and more useful in some scenarios.

  - psad (1.4.5)
    PSAD is a collection of utilities that work with the linux firewalling code (IPTables) to detect port scans and other suspect traffic. It also includes the ability to configure threshold levels based on how stringent your ruleset is.

  - slat (2.0)
    SLAT provides a systematic way of determining if your SELinux policy achieves your desired security goal. This is a useful tool when creating or modifying SELinux policy.
All new users downloading EnGarde Secure Linux for the first time or users who use the LiveCD environment should download this release. Users who are currently using EnGarde Secure Linux do not need to download this release -- they can update their machines via the Guardian Digital Secure Network WebTool module.

http://www.linuxsecurity.com/content/view/123016/65/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New motor packages fix arbitrary code execution
  31st, May, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122940

* Debian: New typespeed packages fix arbitrary code execution
  31st, May, 2006
  Niko Tyni discovered a buffer overflow in the processing of network data in typespeed, a game for testing and improving typing speed, which could lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122948

* Debian: New lynx-cur packages fix several vulnerabilities
  1st, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122956

* Debian: New xmcd packages fix denial of service
  2nd, June, 2006
  The xmcdconfig creates directories world-writeable allowing local users to fill the /usr and /var partition and hence cause a denial of service.
  This problem has been half-fixed since version 2.3-1.
  http://www.linuxsecurity.com/content/view/122971

* Debian: New PostgreSQL packages fix encoding vulnerabilities
  3rd, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122984

* Debian: New centericq packages fix arbitrary code execution
  3rd, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122985

* Debian: New freeradius packages fix arbitrary code execution
  3rd, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122986

* Debian: New spamassassin packages fix remote command execution
  6th, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/123002

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Extras 5 update: dia-0.95-3
  6th, June, 2006
  This update fixes CVE-2006-1550, CVE-2006-2453, CVE-2006-2480.
  http://www.linuxsecurity.com/content/view/123007

* Fedora Core 4 Update: spamassassin-3.0.6-1.fc4
  6th, June, 2006
  Resolves CVE-2006-2447. Note that you are affected by this bug only if you launched spamd with both --vpopmail and --paranoid, which is not a common configuration.
  http://www.linuxsecurity.com/content/view/123011

* Fedora Core 5 Update: spamassassin-3.1.3-1.fc5
  6th, June, 2006
  3.1.3 Resolves CVE-2006-2447. Note that you are affected by this bug only if you launched spamd with both --vpopmail and --paranoid, which is not a common configuration. Also included are bug fixes from 3.1.2.
  http://www.linuxsecurity.com/content/view/123015

* Fedora Core 4 Update: tetex-3.0-10.FC4
  7th, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/123033

* Fedora Core 4 Update: squirrelmail-1.4.6-7.fc4
  7th, June, 2006
  CVE-2006-2842 Squirrelmail File Inclusion
  http://www.linuxsecurity.com/content/view/123034

* Fedora Core 5 Update: mc-4.6.1a-13.FC5
  7th, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/123035

* Fedora Core 5 Update: gdm-2.14.4-1.fc5.3
  7th, June, 2006
  This update resolves an issue in gdm-2.14.4-1.fc5.2 where GDM would choose the wrong X server path.
  http://www.linuxsecurity.com/content/view/123036

* Fedora Core 5 Update: gnome-panel-2.14.2-1.fc5.1
  7th, June, 2006
  The gnome-panel package has been rebuilt against the latest evolution-data-server package.
  http://www.linuxsecurity.com/content/view/123037

* Fedora Core 5 Update: squirrelmail-1.4.6-7.fc5
  7th, June, 2006
  CVE-2006-2842 Squirrelmail File Inclusion Vulnerability
  http://www.linuxsecurity.com/content/view/123038

* Fedora Core 5 Update: dovecot-1.0-0.beta8.1.fc5
  7th, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/123039

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated evolution packages fix DoS (crash) vulnerability on certain messages.
  1st, June, 2006
  Evolution, as shipped in Mandriva Linux 2006.0, can crash displaying certain carefully crafted images.
  http://www.linuxsecurity.com/content/view/122966

* Mandriva: Updated xorg-x11 packages to address bug with keyboard layouts.
  5th, June, 2006
  A misapplied patch in a recent X.org update caused keyboard layout problems which resulted in some users being unable to use the CTRL-ALT-function key combination to switch to a console, as well as other keyboard mapping issues. Updated packages have been re-patched to correct these issues.
  http://www.linuxsecurity.com/content/view/123000

* Mandriva: Updated libtiff packages fixes tiffsplit vulnerability
  5th, June, 2006
  A stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might allow attackers to execute arbitrary code via a long filename.
  http://www.linuxsecurity.com/content/view/123001

* Mandriva: Updated openldap packages fixes buffer overflow vulnerability.
  7th, June, 2006
  A stack-based buffer overflow in st.c in slurpd for OpenLDAP might allow attackers to execute arbitrary code via a long hostname. Packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/123029

* Mandriva: Updated MySQL packages fixes SQL injection vulnerability.
  7th, June, 2006
  SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape function is used to escape the input. MySQL 4.0.18 in Corporate 3.0 and MNF 2.0 is not affected by this issue. Packages have been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/123030

* Mandriva: Updated postgresql packages fixes SQL injection vulnerabilities.
  7th, June, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/123032

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: quagga security update
  1st, June, 2006
  Updated quagga packages that fix several security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122967

* RedHat: Moderate: zebra security update
  1st, June, 2006
  Updated zebra packages that fix several security vulnerabilities are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122968

* RedHat: Moderate: dia security update
  1st, June, 2006
  Updated Dia packages that fix several buffer overflow bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122969

* RedHat: Moderate: spamassassin security update
  6th, June, 2006
  Updated spamassassin packages that fix an arbitrary code execution flaw are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/123010

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: cron local privilege escalation
  31st, May, 2006
  The code in do_command.c in Vixie cron does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits. This problem is known to affect only distributions with Linux 2.6 kernels, but the package was updated for all distributions for completeness. This problem is tracked by the Mitre CVE ID CVE-2006-2607.
  http://www.linuxsecurity.com/content/view/122947

* SuSE: kernel (SUSE-SA:2006:028)
  31st, May, 2006
  Multiple vulnerabilities have been fixed in the linux kernel.
  http://www.linuxsecurity.com/content/view/122949

* SuSE: rug (SUSE-SA:2006:029)
  31st, May, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122950

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Fri Jun 9 12:42:47 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 9 Jun 2006 11:42:47 -0500 (CDT) Subject: [ISN] Social Engineering, the USB Way Message-ID: http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1 By Steve Stasiukonis JUNE 7, 2006 We recently got hired by a credit union to assess the security of its network.
The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees. The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network. In the past we had used a variety of social engineering tactics to compromise a network. Typically we would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time I knew we had to do something different. We heard that employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element. We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user's computer, and then email the findings back to us. The next hurdle we had was getting the USB drives in the hands of the credit union's internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented. Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. 
Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks. I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software. After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management. Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly. You've probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn't unique or special. All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets. Disagree? 
Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself. - Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading From isn at c4i.org Fri Jun 9 12:43:00 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 9 Jun 2006 11:43:00 -0500 (CDT) Subject: [ISN] 'BlueBag' PC sniffs out Bluetooth flaws Message-ID: http://www.infoworld.com/article/06/06/07/79045_HNbluebag_1.html By Robert McMillan IDG News Service June 07, 2006 If you happened to fly through Milan's Malpensa Airport last March, your mobile phone may have been scanned by the BlueBag. Billed as a research lab on wheels, BlueBag was created by Milan's Secure Network SRL to study how malicious software might be able to spread among devices that use the Bluetooth wireless standard. Basically, it's a Bluetooth-sniffing computer hidden in a suitcase [1] (Note: PDF file) that was rolled through train stations, a shopping center, and even a computer security conference show floor this year to see how many Bluetooth-enabled devices attackers could potentially infect with a worm or a virus. The answer: quite a lot. In just under 23 hours of travel, BlueBag was able to spot more than 1,400 devices with which, in theory, it could have connected. Among the discoverable devices were a number of Nokia Corp.'s mobile phones and TomTom International BV's Go global positioning systems, said Stefano Zanero, Secure Network's co-founder and chief technology officer. "Most of the devices that we found were from the same manufacturers because their default Bluetooth connection setup is to be discoverable, which is very good for ease of use, but very bad for security," he said.
Though many Bluetooth devices are designed to be hidden or detectable for very short periods of time, some manufacturers make their products detectable by default to simplify hook up with other Bluetooth-enabled machines -- a car sound system for example. Unfortunately, this practice also makes life easier for hackers, Zanero said. "Any discoverable device is potentially vulnerable to attacks," he said. For example, BlueBag found 313 devices with the OBEX (Object Exchange) vCard and vCalendar exchange service enabled, making them prey for known Bluetooth virus attacks. BlueBag's data is going to help Zanero and his researchers understand how attackers might use Bluetooth's ability to connect with other devices to create a targeted attack. In a scenario they've envisioned, the bad guys could infect Bluetooth devices in a train station one morning, telling them to infect other equipment and seek out specific pieces of information. "You can deliver your malware, leave it for a few hours, and then catch it when [the user] goes home," Zanero said. "This makes it possible to perform the targeted attack that we have in mind." At the August Black Hat USA 2006 conference in Las Vegas, the Secure Network team plans to unveil some proof of concept malware showing how this type of attack might work. The hard part has been devising a protocol that will allow the malware to report back to an attacker. And since the researchers can't actually infect a bunch of Bluetooth phones, they need BlueBag to provide them with data so they can estimate how such malware might spread. "This gives you the figures you need for creating some small, not-very-reliable models of how these worms could interact," Zanero said. Secure Network's research, which was co-sponsored by antivirus vendor F-Secure Corp. is not the first to highlight Bluetooth's security vulnerabilities. 
A year ago, hackers showed how they could connect to hands-free Bluetooth systems in some cars [2] to eavesdrop on telephone conversations and even talk to unsuspecting drivers. The software, called Car Whisperer, took advantage of poor security programming techniques on the part of the car manufacturers. And variants of the Cabir Bluetooth viruses [3] have been around for two years now. Cabir, which has never become widespread, preys on the kind of discoverable phones that BlueBag measured. To avoid being bitten by Bluetooth attacks, Zanero says users should check their settings and make sure their device is set to be "hidden" or "non-discoverable." This isn't a panacea, but it will make things harder for attackers. Using Bluetooth is "like sex," Zanero said. "It's better with precautions." [1] http://www.securenetwork.it/bluebag_brochure.pdf [2] http://www.infoworld.com/article/05/08/03/HNcarwhisperer_1.html [3] http://www.f-secure.com/v-descs/cabir.shtml From isn at c4i.org Mon Jun 12 04:22:44 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 12 Jun 2006 03:22:44 -0500 (CDT) Subject: [ISN] Another federal breach exposes employee records Message-ID: http://www.govexec.com/dailyfed/0606/060906tdpm1.htm By Heather Greenfield National Journal's Technology Daily June 9, 2006 The Energy Department disclosed to Congress on Friday that it suffered a security breach from a hacker in September that compromised 1,500 personnel records. The news broke just as a House Energy and Commerce Oversight and Investigations Subcommittee was supposed to start a hearing on how secure Energy Department computers are in light of recently reported data breaches at the Internal Revenue Service and Veterans Affairs Department. Kentucky Republican Ed Whitfield, chairman of the Subcommittee, said there is no excuse for the department to have its current "F" in cyber-security compliance -- or for waiting eight months to tell the Energy secretary or his committee about the security breach. 
"It's unbelievable [that] 1,500 personnel files can be compromised with Social Security numbers," Whitfield said. "The impact that can have on individuals is quite disturbing." Full Energy and Commerce Committee Chairman Joe Barton, R-Texas, visited the hearing room to express his outrage at the data breach and later called Energy Secretary Samuel Bodman. "If the administration won't do something about this incident, this committee will," he said. While most of the details of the hacking incident were discussed later in executive session, a government agency that tests the department by breaking into its computer system said the attack was at the National Nuclear Security Administration. NNSA Administrator Linton Brooks said he learned of the "sophisticated" hacking incident in September. He said he did not know whose job it was to tell Bodman, but he wished he had. "Mr. Brooks, I'm going to recommend you be removed from office, and I think you would do the country a service if you resigned," Barton said. Brooks said that because the breach was labeled a counterintelligence issue, the two sides of the organization each assumed the other had notified the secretary. Barton called that explanation "hogwash." Energy Chief Information Officer Thomas Pyke said he was aware of various hacking incidents but only learned of the personnel data involved two days ago. Pyke said the department faces hundreds of thousands of attacks each day. In the event where the records were exposed, he said the attack penetrated both a firewall and a detection system. Glenn Podonsky, director of the office of security and safety performance assessment, told lawmakers that in November, his team successfully accessed Energy's unclassified computer system. He said they gained access to financial and personal data, and could have impersonated or monitored department executives. "We basically had domain control," Podonsky said. 
He said with security improvements made since then that the office could break in but not gain domain control. He said his office believes Energy is moving too slowly in making security improvements and noted that part of the problem is because of work done by outside contractors. Whitfield also wanted to know why the Energy Department has failed to report 50 percent of attacks on its computer systems. Podonsky said he agreed they should be reported to help law enforcers track them. ©2006 by National Journal Group Inc. All rights reserved. From isn at c4i.org Mon Jun 12 04:24:18 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 12 Jun 2006 03:24:18 -0500 (CDT) Subject: [ISN] Washington Whispers Message-ID: http://www.usnews.com/usnews/politics/whispers/articles/060619/19whisplead.htm By Paul Bedard 6/19/06 'Secretary of Tech' Is No Fan of E-mail He may be in charge of the gizmos used to find illegal border crossers and deadly chemicals in subways, but Homeland Security Secretary Michael Chertoff likes to keep his personal tech simple. "I don't use E-mail," he confides. "You just get deluged with a lot of garbage." Chertoff describes his experience with electronic mail as "picking through genuine work E-mails and invitations to baby showers." Worse: "People sometimes will think you've gotten something that you actually haven't gotten." Been there. Chertoff insists he's not out of touch just because he isn't glued to a BlackBerry. "I rely on people communicating with my staff," he says. "At any moment, I can request an update, and I can always be reached." His E-mail discipline has roots in last year's Hurricane Katrina, when unfiltered messages about the levee breach flooded in after he'd left for the night. "It is unhelpful to have 15 or 16 E-mails coming from all different directions being thrown at you," he says.
"When people rely on E-mail chains, it can sometimes leave the decision maker unable to sort out good information from information that's just plain wrong." His new rule for aides: Verify the info before clicking "forward." As for this hurricane season, he's doing better than E-mail by personally traveling to the Gulf region to view rescue drills. "I'm going down there," he says, "and kicking the tires myself." [...] From isn at c4i.org Mon Jun 12 04:24:32 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 12 Jun 2006 03:24:32 -0500 (CDT) Subject: [ISN] Audit finds security weaknesses at NASA center Message-ID: http://www.gcn.com/online/vol1_no1/40990-1.html By Patience Wait GCN Staff 06/09/06 At a time when the public has a heightened awareness of computer security problems at government agencies, the NASA inspector general has found that one of the space agency's centers has not put in place sufficient IT security to protect data and systems from possible compromise. "Weaknesses in these areas could lead to the compromise of the computer network," the IG found. The center audited by the IG was not identified, and only a summary of the report [1] was released June 2. According to the report summary, NASA system administrators at the center did not: * Periodically review critical firewall audit logs and modems used to protect the computer network * Monitor for the use of files and commands with security risks * Consistently perform system backups * Meet NASA requirements for storing backup media. The IG's audit found other problems as well. System administrators also accessed a key server containing security information without adequate encryption and did not remove unnecessary services from the network. Software patches were not installed in a timely manner to fix security weaknesses in the network servers, and vulnerabilities found during security scans of the systems were not promptly fixed. 
Finally, NASA had no formal policy governing foreign nationals' use of laptops or other electronic devices while visiting the NASA center or working onsite. "We recommended that the NASA center take actions to improve security controls over the network, to include developing, implementing, and enforcing procedures and controls over auditing and monitoring, the use of software and unnecessary services, the installation of patches, and system backups," the summary concluded. "We also recommended that the center develop and implement a formal policy to prohibit foreign nationals' onsite use of their own laptops and other electronic devices." Of 13 specific recommendations made by the IG, NASA agreed with nine, and has already taken or planned corrective actions. The internal auditors planned follow-up actions on those issues not yet resolved. [1] http://www.hq.nasa.gov/office/oig/hq/audits/reports/FY06/ig-06-008-summary.pdf From isn at c4i.org Mon Jun 12 04:27:24 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 12 Jun 2006 03:27:24 -0500 (CDT) Subject: [ISN] Ex-Boss Describes Sys Admin's Anger During PaineWebber Sabotage Trial Message-ID: http://www.informationweek.com/news/showArticle.jhtml?articleID=188703100 By Sharon Gaudin InformationWeek Jun 8, 2006 Newark, N.J. -- On the day a system administrator at UBS PaineWebber learned his annual bonus had fallen short by about $15,000, he leveled an ultimatum at his boss: give him a written contract for more money or he was walking out the door, according to testimony Thursday in the federal criminal computer sabotage trial. But prosecutors charge that quitting his job wasn't the only thing on his mind in late February of 2002. They say Roger Duronio, a three-year employee in the financial giant's IT department, had already hatched a plan to plant malicious code on the network that would wipe out critical data across the country and drive down the company's stock price. 
Once Duronio packed up and was escorted out the building that day, he headed straight to a broker's office to buy stock options that would pay out if UBS suffered a setback. And that, the government contends, put the final stages of Duronio's plot into action.

"On the day the actual bonuses were paid out.... Roger came into my office and, in somewhat of an upset tone, said he wanted a written contract for his compensation," Rajeev Khanna, manager for UBS's Unix Systems Group at the time of the attack, told the jury in his second day of testimony in U.S. District Court before Judge Joseph Greenaway. "He said if he did not have a contract by the end of the day, he was going to start packing.... He was visibly upset. It was his tone and there was some redness on his face."

Duronio faces four counts, including computer sabotage, securities fraud, and mail fraud, in connection with the incident, which left about 8,000 of the company's brokers without the ability to trade for a day or more, and 9,000 other workers without the ability to access their desktops. It also leveled servers in the company's home office in Weehawkin, N.J., and in nearly every branch office around the country.

Duronio reportedly wanted to take home $175,000 a year. At the time he quit his job at UBS, he was making a base salary of $125,000 and had an opportunity for a maximum bonus of $50,000. It was the loss of that $15,000 that pushed Duronio to walk away from his job and try to make bigger money by investing in short-term "put options," which are a type of investment that only pay out if the company's stock price falls. The shorter the term--in this case 11 days--the bigger the payout.

The prosecution says Duronio started building components of the malicious code - what they're calling a logic bomb - the previous November.
By the time Duronio found out for sure in February that he wasn't getting the bonus he'd been expecting, the logic bomb was already built and loaded onto the main host server in UBS's data center in Weehawkin, N.J., and on about 370 branch servers around the country. When he quit his job that day, the government says, the code was already sitting quietly on the servers just waiting for 9:30 a.m. on March 4 to go off.

In earlier testimony at the trial, PaineWebber employees described how the network still hasn't recovered, four years later.

But Chris Adams, Duronio's defense attorney and a partner at Walder, Hayden & Brogan in Roseland, N.J., says his client not only didn't commit the crime, he was a valuable employee at UBS PaineWebber, which changed its name to UBS Wealth Management USA in 2003.

UBS' network was riddled with security holes that left them wide open to attack, Adams said in his opening statements Tuesday. The network also left Duronio wide open to someone else using his ID and passwords to masquerade as the system administrator and move around undetected in the system.

On cross examination Thursday, Adams asked Khanna, who had been Duronio's supervisor, if the defendant had been a good worker and integral to the IT team. Khanna replied that he "would not say" Duronio had been outstanding. But he agreed with Adams that he had marked Duronio as someone who "consistently meets and sometimes exceeds" expectations.

Khanna described Duronio as a valuable worker even in his main testimony in front of the prosecutor, Assistant U.S. Attorney Mauro Wolfe. "Overall, I gave him a satisfactory rating," he testified. "He did what he was asked to do and he did it well."

Khanna said that's why he went to bat for Duronio and sought a raise for him in 2000, not long after the defendant started work at UBS. Duronio's pay went up $10,000 that year. "He expressed some concerns about cash flow and not having enough money coming in on a monthly basis," said Khanna.
But by the fall of 2001, it became clear that the drooping economy and the troubled market were taking a toll on UBS. Khanna said he simply had a much smaller pool of bonus money to work with that year. As the manager of a few people himself, Duronio was even in on some of the conversations about having to lessen workers' bonuses that year, Khanna added.

And even when Duronio threatened to quit on the spot if he wasn't given a contract that day, Khanna says he went to his supervisor and to Human Resources to see if anything could be done.

Later, when Khanna escorted Duronio back to his desk to collect his things, he said he had already packed them up into a box.

The defense will continue its cross-examination of Khanna on Friday morning.

Copyright © 2006 CMP Media LLC, All rights reserved.

From isn at c4i.org Mon Jun 12 04:23:03 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:23:03 -0500 (CDT)
Subject: [ISN] China's hi-tech military disaster
Message-ID:

http://www.timesonline.co.uk/article/0,,2089-2220162,00.html

By Michael Sheridan
Far East Correspondent
The Sunday Times
June 11, 2006

A DULL boom shook the misty bamboo forests of Guangde county, 125 miles southwest of Shanghai, last Sunday, and a plume of smoke rose in the sky, causing Chinese villagers to look up in alarm from their tasks.

Within 24 hours China officially admitted that a "military aircraft" had crashed, that President Hu Jintao had ordered an investigation and that state honours would be bestowed on the victims. Security teams sealed off the area, carting away the charred remains of 40 people and collecting wreckage with painstaking care.

It looked like a routine military accident. In fact the crash would reverberate all the way to Washington and Tel Aviv, revealing details of a covert Chinese espionage effort to copy Israeli technology in an attempt to match the United States in any future air and sea battle.
The first clues were given by two Chinese-controlled newspapers in Hong Kong, Ta Kung Pao and Wen Wei Po. On Monday they printed articles disclosing that the plane was a Chinese version of the formidable Airborne Warning and Control System (Awacs) aircraft flown by the United States to manage air, sea and land battles.

They indicated that it was a Russian Ilyushin four-engined cargo jet, rebuilt to house a conspicuous array of radars and codenamed KJ-2000. The doomed flight, they implied, had been a test mission.

The disaster robbed China of 35 of its best electronic warfare technicians, according to sources in Hong Kong. There were also five crew members on board.

With memories fresh in Beijing of a Boeing 767 bought for the use of former president Jiang Zemin and found to be riddled with eavesdropping devices, there were bound to be suspicions of sabotage.

The Communist party showed how seriously it took the crash by entrusting the inquiry to Guo Boxiong, vice-chairman of the party's central military commission, who handles sensitive security matters.

It was without question a calamity for the Chinese military. But for the Americans, who lost a spy plane forced down by a Chinese interceptor jet in 2000, it was not a cause for sincere mourning.

The US Seventh Fleet is ranged off the Chinese coast, in constant contact with Chinese planes and submarines probing its readiness to defend the self-ruled democracy on Taiwan.

Both America and Taiwan spend undisclosed billions trying to penetrate the wall of secrecy that surrounds China's military build-up, which was criticised once again last week by Donald Rumsfeld, the US defence secretary.

Spies from Taiwan are known to have scored remarkable successes. In one recent case reported by The Washington Post, they placed in their president's hands the proceedings of a secret standing committee meeting on Taiwan policy within days of its taking place.
American intelligence, by contrast, concentrates on a war fought with science and stealth to preserve its technological advantage. For as long as the Chinese have tried to buy, steal or copy high-grade military technology - at least since the early 1990s - the CIA and the White House have sought to frustrate them.

China relies on foreign know-how. British propellers from the Dowty company are fitted to its Y-8 early warning aircraft and radars made by Racal Electronics are installed on its naval surveillance planes.

But the crown jewels of electronic warfare are made in America, which means that China's hunger for secrets can be exploited by its foes. Late in the cold war, the CIA supplied faulty computer items to the Soviets, which resulted in death and destruction.

So suspicions of treachery in Beijing are bound to be reinforced by the tale of intrigue and deception that unfolded upon examination of what led to the fatal end of the KJ-2000.

"The PLA [People's Liberation Army] air force and navy have long required airborne early warning aircraft," stated a report by the US Congressional Research Service in November 2001. "Each is looking for 8-10 aircraft to supplement their own unsuccessful efforts."

In 1999 the Chinese thought they had the perfect deal. A Russian Ilyushin-76 transport, serial number #762, was bought and flown to a military airfield in Israel, where it was fitted with the world's most advanced Awacs system, the Phalcon, perfected by technicians at Israel Aircraft Industries. The cost: $250m (£135m).

Inevitably, the CIA heard of the deal and the issue went all the way to the White House, which exerted tremendous pressure on Israel. On July 11, 2000, Ehud Barak, then the Israeli prime minister, broke off from peace talks at Camp David to tell President Bill Clinton that the sale had been cancelled. Barak confided that he had sent a personal letter of regret to Jiang Zemin.

But Chinese persistence ensured the matter did not end there.
In 2002, according to aviation specialist websites, aircraft #762, stripped of the Phalcon system, was flown from Israel back to Russia and on to an airfield in east China that is home to the Nanjing Research Institute of Technology.

Moreover, the Chinese technicians had not wasted their time in Israel. "It's not unreasonable to believe that the Israelis offered the Chinese industrial participation to seal this high dollar deal," said a US Department of Defence analyst, quoted in a report for the US Army War College.

"The Phalcon system makes extensive use of commercial off-the-shelf products, which gives easy access to the basic building blocks of the system," the unnamed analyst added.

In 2003 aviation specialists photographed two IL-76 Awacs prototypes, by then codenamed KJ-2000, on test flights over Nanjing. One was #762, the other was coded B-4040.

Late last year the local aviation authorities - which in China are controlled by the military - bought sophisticated Monopulse secondary surveillance radars from Telephonics Corp, a New York-based subsidiary of the Griffon Corporation, which supplies the US Awacs fleet. The radars were due for delivery early in 2006.

Their purpose was stated to be civil aviation, but critics in Congress say the Chinese buy such items for "dual use" in military systems. According to specifications published by the Federation of American Scientists, such radars can be closely integrated with an Awacs plane to enhance targets.

There is now speculation among military and aviation attachés in the region that the ill-fated KJ-2000 may have been testing a hitherto unproven technical capability of precisely this nature when it crashed.

That should provide more than enough questions for Vice-Chairman Guo and his bloodhounds from the military commission to get their teeth into.

Copyright 2006 Times Newspapers Ltd.
From isn at c4i.org Mon Jun 12 04:23:15 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:23:15 -0500 (CDT)
Subject: [ISN] Microsoft to ease up on piracy check-ins
Message-ID:

http://news.com.com/Microsoft+to+ease+up+on+piracy+check-ins/2100-7348_3-6082334.html

By Joris Evers
Staff Writer, CNET News.com
June 9, 2006

Microsoft is cutting the cord on its antipiracy tool.

The software maker this month plans to update the Windows Genuine Advantage Notifications program so that it only checks in with Microsoft once every two weeks, instead of after each boot-up, a company representative said Friday. By year's end, the tool will stop pinging Microsoft altogether, the representative said.

The changes come after a critic likened the antipiracy tool to spyware. He found that the program, designed to validate whether a copy of Windows has been legitimately acquired, checks in with Microsoft on a daily basis. Microsoft did not disclose in any of its documentation that the application would phone home.

Microsoft earlier this week had vowed to better disclose the actions of WGA Notifications. Now the company says it will gradually let go of the program once it is installed on Windows PCs.

"We are changing this feature to only check for a new settings file every 14 days," Microsoft said in a statement on its Web site. "Also, this feature will be disabled when WGA Notifications launches worldwide later this year."

No meaningful data is exchanged during the check-in with Microsoft, the software maker said. Unlike the initial validation, which sends system information to Microsoft, the check-in operation is limited to the download of the new settings file, the company said.

Microsoft launched WGA in September 2004 and has gradually expanded the antipiracy program. It now requires validation before Windows users can download additional Microsoft software, such as Windows Media Player and Windows Defender. Validation is not required for security fixes.
Originally, people had to validate their Windows installation only when downloading additional Microsoft software. Since November last year, however, Microsoft has been pushing out the WGA Notifications tool along with security updates to people in a number of countries, including the U.S.

The first time that users run WGA Validation to check if their Windows version is genuine, the information sent to Microsoft is the Windows XP product key, PC maker, operating system version, PC bios information and the user's local setting and language. Microsoft discloses in the WGA tool license that this information is being sent.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From isn at c4i.org Mon Jun 12 04:23:57 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:23:57 -0500 (CDT)
Subject: [ISN] Linux Security Week - June 12th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  June 12th, 2006                            Volume 7, Number 24n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com |
|                   Benjamin D. Thomas      ben at linuxsecurity.com  |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Building a heterogeneous home network for Linux and Mac OS X," "Fundamentals of Storage Media Sanitation," and "Password Cracking and Time-Memory Trade Off."

---

Security on your mind?

Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.
The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Linux v3.0.7 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/123016/65/

---

pgp Key Signing Observations: Overlooked Social and Technical Considerations
By: Atom Smasher

While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking.

http://www.linuxsecurity.com/content/view/121645/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Cleaning up data breach costs 15x more than encryption
  7th, June, 2006

Protecting customer records is a magnitude less expensive than paying for cleanup after a data breach or massive records loss, a research company said Tuesday.
Gartner analyst Avivah Litan said in a research note that data protection is cheaper than a data breach. She recently testified on identity theft at a Senate hearing held after the Department of Veterans Affairs lost 26.5 million vet identities.

http://www.linuxsecurity.com/content/view/123023

* A Comparison of SNMP v1, v2 and v3
  5th, June, 2006

During its development history, the communities of researchers, developers, implementers and users of the DARPA/DoD TCP/IP protocol suite have experimented with a wide range of protocols in a variety of different networking environments. The Internet has grown, especially in the last few years, as a result of the widespread availability of software and hardware supporting this system. The scaling of the size and scope of the Internet and increased use of its technology in commercial applications has underscored for researchers, developers and vendors the need for a common network management framework within which TCP/IP products can be made to work.

http://www.linuxsecurity.com/content/view/122997

* Disaster Practice
  4th, June, 2006

When the British government wanted to test the resiliency of its financial institutions, it commissioned "an afternoon from hell". The buildup started on a Monday morning last November. First, there was a failure in the clearing systems used to transfer money between banks after routine systems maintenance. Then, terrorists staged a series of bomb attacks around Britain, causing hundreds of casualties in London and considerable damage to major financial centres. Around the same time, malicious hackers tried their best to break into the banks' systems. All in all, 'twas a bad day. The disaster recovery simulation was organized by the Tripartite Authorities, a group comprising the Financial Services Authority, the UK Treasury Department and the Bank of England.
http://www.linuxsecurity.com/content/view/122979

* May's Security Streams
  5th, June, 2006

Here's May's summary of all the security streams during the month. This is perhaps among the few posts in which I can actually say something about the blog, the individual behind it, and its purpose, which is to - question, provoke, and inform on the big picture. After all, "I want to know God's thoughts... all the rest are details", one of my favorite Albert Einstein's quotes. The way we often talk about a false feeling of security, we can easily talk about a false feeling of blogging, and false feeling of existence altogether. It is often assumed that the more you talk, the more you know, which is exactly the opposite, those that talk know nothing, those that don't, they do. There's nothing wrong with that of referring to yourself, as enriching yourself through past experience helps you preserve your own unique existence, and go further. Awakening the full potential within a living entity is a milestone, while self preservation may limit the very development of a spirit -- or too much techno thrillers recently? :)

http://www.linuxsecurity.com/content/view/122995

* (IN)SECURE Magazine Issue 7 Has Been Released
  9th, June, 2006

(IN)SECURE Magazine is a free digital security magazine in PDF format. In this issue you can read about SSH port forwarding, server monitoring with munin and monit, compliance vs. awareness, and much more. Get your copy today!

http://www.linuxsecurity.com/content/view/123055

* Abandon E-mail!
  5th, June, 2006

Back in 1972, by some accounts, a new form of communication known as e-mail was born. It was a practical implementation of electronic messaging that was first seen on local timeshare computers in the 1960s. I can only imagine how much fun and revolutionary it must have been to use e-mail in those early years, to have been at the bleeding edge of the curve.
Almost ten years later, in November 1981, Jonathan Postel published RFC 788 (later deprecated by RFC 821, also by Postel, and RFC 822 by David Crocker), thereby inventing the foundations of the Simple Mail Transport Protocol (SMTP) - a proposal that would revolutionize e-mail again. Since that time, e-mail has become as important an invention to the world as the telegraph and the telephone, and it has long been synonymous with the Internet itself.

http://www.linuxsecurity.com/content/view/122992

* Building a heterogeneous home network for Linux and Mac OS X
  8th, June, 2006

You can find plenty of information online about building heterogeneous networks involving Windows, but relatively little about connecting Macs with Linux PCs in a home or small office network. Mac OS X's Unix base, however, means there are plenty of good options for networking a Mac with a Linux PC, despite the relative lack of documentation. In this article, I'll discuss how to set up Mac-Linux printer and file sharing using NFS and SSH.

http://www.linuxsecurity.com/content/view/123057

* Security Without Firewalls: Sensible Or Silly?
  6th, June, 2006

For years, infosec experts have called the firewall a critical ingredient to security, whether it's in a large enterprise or on a home PC. But the San Diego Supercomputer Center (SDSC) has defied that logic with what some would consider surprising success. Abe Singer, computer security manager for the SDSC's Security Technologies Group, explained how companies can maintain strong firewall-free security at the 2006 USENIX Annual Technical Conference Thursday. He has also produced a presentation (.pdf) on the subject.

http://www.linuxsecurity.com/content/view/122999

* Standards In Desktop Firewall Policies
  7th, June, 2006

The idea of a common desktop firewall policy in any size organization is a very good thing. It makes responses to external or internal situations such as virus outbreaks or network-oriented propagation of viruses more predictable.
In addition to providing a level of protection against port scanning, attacks or software vulnerabilities, it can provide the organizations local security team a baseline or starting point in dealing with such events. The purpose of this article is to discuss the need for a desktop firewall policy within an organization, determine how it should be formed, and provide an example of one along with the security benefits it provides an organization.

http://www.linuxsecurity.com/content/view/123025

* Users hit by multi-browser threat
  8th, June, 2006

Security vendors have warned of a flaw that affects an unusually broad cross-section of browsers -- Internet Explorer, Firefox and the Mozilla suite on Windows, Linux and Mac OS X -- and could be used to hoover up files from vulnerable systems. The problem is in the way the browsers implement scripting -- JavaScript in Firefox and Active Scripting in IE. Both browsers have a design error in which a script can cancel certain keystroke events when users are entering text.

http://www.linuxsecurity.com/content/view/123042

* UTM - Preparing for New Generation of Security Threats
  6th, June, 2006

Securing networks has rapidly taken center stage among most enterprises as the threat from increasingly sophisticated attacks becomes more complex and costly to manage. According to the research group IDC, enterprises worldwide spent an estimated $32.6Bn in 2005 on network security but are still faced with an ever-changing landscape of new security threats. Traditional network defense solutions such as firewalls and intrusion prevention devices must be supplemented by secure content management devices in order to block the full range of sophisticated attacks including viruses, spyware, spam and phishing.

http://www.linuxsecurity.com/content/view/122998

* Social Engineering, The USB Way
  7th, June, 2006

We recently got hired by a credit union to assess the security of its network.
The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees. The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network.

http://www.linuxsecurity.com/content/view/123031

* Researchers eye machines to analyze malware
  8th, June, 2006

The reverse engineer--better known amongst security researchers by his nom de plume, Halvar Flake--created an automated system for classifying software into groups, a process he believes for which machines are much better suited. Research using the system has underscored the sometimes-arbitrary decisions humans make in classifying malicious programs, he said.

http://www.linuxsecurity.com/content/view/123050

* The top five ways to prevent IP spoofing
  9th, June, 2006

The term "spoofing" is generally regarded as slang, but refers to the act of fooling -- that is, presenting a false truth in a credible way. There are several different types of spoofing that occur, but most relevant to networking is the IP spoof. Most types of spoofing have a common theme: a nefarious user transmits packets with an IP address, indicating that the packets are originating from another trusted machine.

http://www.linuxsecurity.com/content/view/123066

* How To Analyze HijackThis Logs
  5th, June, 2006

HijackThis is a free tool developed by Merijn Bellekom, a student in The Netherlands.
Spyware removal software such as Adaware or Spybot S&D do a good job of detecting and removing most spyware programs, but some spyware and browser hijackers are too insidious for even these great anti-spyware utilities. HijackThis is written specifically to detect and remove browser hijacks, or software that takes over your web browser, alters your default home page and search engine and other malicious things.

http://www.linuxsecurity.com/content/view/122989

* How-To: Back-up your blog (Linux)
  7th, June, 2006

Bad things happen. If you've ever worried that the over caffeinated tech might spill his latte down your web server, then today's How-To will help you out. Forgetting to back up your blog (or your website) is something that isn't a big deal until you need it -- like backing up anything, really. But your blog's files and databases aren't really so simply accessible as the files on your PC, so today we're showing you how to automatically back up your blog (or website) with some freely available tools that will use a minimum amount of your precious bandwidth.

http://www.linuxsecurity.com/content/view/123019

* EnGarde Secure Community 3.0.7
  6th, June, 2006

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/123016

* Symantec to Port Veritas Storage Software to IBM Linux Platform
  8th, June, 2006

Software security and storage specialist Symantec June 7 announced an agreement with IBM to port its Veritas Cluster Server, Veritas Storage Foundation family and NetBackup recovery technology to IBM's Linux on POWER platform, opening a new door to the open-source enterprise storage market.
http://www.linuxsecurity.com/content/view/123056

* Announcement: RSBAC 1.2.7
  9th, June, 2006

The RSBAC team is happy to announce that RSBAC 1.2.7 has just been released for both kernels 2.4.32 and 2.6.16.

http://www.linuxsecurity.com/content/view/123060

* Non-standard Incident Prediction
  5th, June, 2006

We are all familiar with the use of firewall logs, intrusion detection alerts, antivirus warnings, and watching for "funny" entries in our system logs as ways to indicate that somebody on the Internet is up to no good. But those traditional detection systems don't do any good against attacks that are not oriented on one of the traditional seven layers of the OSI model.

http://www.linuxsecurity.com/content/view/122988

* The Enterprise Gets Googled
  5th, June, 2006

On February 14, 2006, many Google e-mail users received an unexpected Valentine's Day present. When they logged in to their accounts, there it was: instant messaging, fully integrated with their e-mail system. Gmail users could now chat in the same browser window as their inbox. Just as with e-mail, the system would save a transcript of every chat and, better yet, the text of archived transcripts would be searchable. There was nothing to download, nothing to install.

http://www.linuxsecurity.com/content/view/122990

* Spyware infections spreading, security expert says
  5th, June, 2006

Spyware programs are increasing in number and growing in sophistication to avoid detection, making it harder to guard against infections and more costly to repair their damage, according to a security expert whose company tracks them on a regular basis.

http://www.linuxsecurity.com/content/view/122993

* Open source consortium addresses security
  5th, June, 2006

The Open Web Application Security Project (OWASP) has announced the availability of a process guide that it hopes will help a broad range of developers incorporate security into the software application development lifecycle (SDLC).
http://www.linuxsecurity.com/content/view/122994

* Fundamentals of Storage Media Sanitation
  6th, June, 2006

One of the most fundamental principles of information security is that it's all about the data. Data in transit or at rest is the primary focus of administrative, physical, and technical safeguards. Security professionals are doing better every day when it comes to protecting information in static production environments. But what happens when magnetic, optical, or semiconductor media is repurposed or retired? In this paper, I define media sanitation and how it fits into an overall security program. Next, I examine how attackers can extract information from electronic media even after it's been overwritten. Finally, I explore ways you can protect your organization from attacks both casual and highly motivated.

http://www.linuxsecurity.com/content/view/123003

* How to win friends and influence people with IT security certifications
  7th, June, 2006

The public and private sectors put IT Security on top of their agenda these days, and, as a result, the IT and Information Security job market is growing. At some point though, the market will saturate as businesses seek to curb their investments, security services become more standardized and IT as a whole moves to a more service-oriented business model. Is your career strategy ready?

http://www.linuxsecurity.com/content/view/123009

* A Continuing Work in Progress: The State of Linux 2006
  7th, June, 2006

To label Linux a purely enthusiast or hobbyist operating system is overly facile; such a stance also categorically denies that Linux has any real industry presence. On the contrary, prominent top-tier manufacturers such as Dell, IBM, Sun Microsystems, and Hewlett-Packard all openly support Linux in select product lines, and many lower-tier manufacturers have adopted this platform to establish cost-effective price points in various highly competitive marketplaces.
Government support for Linux also comes in a variety of forms. Most notably, this includes the NSA-sponsored Security Enhanced Linux (SELinux) policy extensions adopted into the mainstream by Red Hat starting with Fedora Core 2 (the current version is Fedora Core 5). SELinux extends basic security functionality to the Linux platform, and makes it easier to create a hardened installation. These are only a few examples of where Linux is actively developed by high-visibility organizations, all of which take this platform very seriously.

http://www.linuxsecurity.com/content/view/123020

* JavaScript security threat to Internet Explorer and Firefox
7th, June, 2006

A JavaScript security bug has been discovered in both the Internet Explorer and Firefox browsers. The threat covers the Windows, Linux, and Mac operating systems, say internet security software companies.

http://www.linuxsecurity.com/content/view/123022

* Cybercrime Spurs College Courses In Digital Forensics
7th, June, 2006

One of the hottest new courses on U.S. college campuses is a direct result of cybercrime. Classes in digital forensics - the collection, examination and presentation of digitally stored evidence in criminal and civil investigations - are cropping up as fast as the hackers and viruses that spawn them. About 100 colleges and universities offer undergraduate and graduate courses in digital forensics, with a few offering majors. There are programs at Purdue University, Johns Hopkins University, the University of Tulsa, Carnegie Mellon University and the University of Central Florida. Five years ago, there were only a handful.

http://www.linuxsecurity.com/content/view/123026

* Cyber extortion, A very real threat
7th, June, 2006

Criminal gangs are increasingly using the internet as a tool to extort money from businesses.
Thousands of distributed denial of service attacks (DDoS) are occurring globally every day and it is vital that senior management wakes up to the very real risk of such an assault.

http://www.linuxsecurity.com/content/view/123028

* Password Cracking and Time-Memory Trade Off
8th, June, 2006

Every time I go online, I usually am up to no good. My intentions are often never hostile, but I do take part in the shady business of password cracking. Meaning I actively use unorthodox methodology, that I know for a fact the FBI frowns down upon, to obtain hashes. Once obtained I usually spend a few hours cracking these hashes via good old-fashioned bruteforcing. Now, bruteforcing is the most reliable method of password cracking in existence today.

http://www.linuxsecurity.com/content/view/123041

* The top 9 ways to secure mobile devices
8th, June, 2006

In the past six months a disturbing trend has emerged involving the theft of laptops containing sensitive personal information -- most recently from the home of a U.S. Department of Veterans Affairs data analyst.

http://www.linuxsecurity.com/content/view/123048

* Digital forensics hits U.S. college campuses
9th, June, 2006

About 100 colleges and universities offer undergraduate and graduate courses in digital forensics, with a few offering majors. There are programs at Purdue University, Johns Hopkins University, the University of Tulsa, Carnegie Mellon University and the University of Central Florida. Five years ago, there were only a handful.

http://www.linuxsecurity.com/content/view/123062

* British Library to secure its digital treasures
9th, June, 2006

The British Library is adopting a new data security system that will enable it to safely store web publishing content. The library has selected nCipher to protect the integrity of its National Digital Library.
This library will contain everything from digitised versions of centuries-old manuscripts to digital journals and web archives, and is expected to amass up to 300 terabytes of content over the next five years.

http://www.linuxsecurity.com/content/view/123063

* Browsers, Phishing, and User Interface Design
6th, June, 2006

Occasionally a criminal is so, well, clever that you have to admire him even as you wish that he spends the rest of his life in jail. Take Arnold Rothstein, for instance. One of the kingpins of organized crime in New York City during Prohibition and before, the "Great Brain," as he was termed, was more than likely behind the infamous Black Sox scandal, in which the 1919 World Series was fixed in favor of the Cincinnati Reds.

http://www.linuxsecurity.com/content/view/123005

* Personal Displays Keep Data Private
7th, June, 2006

The dueling needs for privacy and data sharing played out here at the annual SID (Society of Information Display) International Symposium. Vendors showed new technologies that can keep neighbors on a flight from getting a glimpse of the corporate secrets on a laptop screen and new ways to share video on an iPod or handheld.

http://www.linuxsecurity.com/content/view/123024

* When data walks
7th, June, 2006

The recent theft of data on 26.5 million veterans sends agencies a chilling message: Lock down your own data security and privacy policies immediately or you might wind up with confidential data walking out your own door. The Veterans Affairs Department probably is not the only agency whose security and privacy policies have gaping holes, government and industry experts agree.

http://www.linuxsecurity.com/content/view/123027

* IRS missing laptop with employee data
7th, June, 2006

The IRS said that one of its laptops containing data about 291 IRS employees and job applicants went missing in early May when it was lost in transit to an agency event.
The information contained on the laptop included fingerprints, names, dates of birth and Social Security numbers for the 291 individuals.

http://www.linuxsecurity.com/content/view/123021

* Ervin: DHS Fails Security Mission
8th, June, 2006

Clark Ervin was strolling down a Manhattan street in April 2005 when the red light on his BlackBerry indicated he had a message. The former inspector general of the Homeland Security Department looked at the device and saw that the Associated Press had reported the results of the latest IG investigation on airport security. Those results showed no improvement in screeners' abilities to detect deadly weapons, compared with the results of similar investigations done in 2001 and 2003. "It was far easier than it should have been even after the [Sept. 11, 2001] attacks for government investigators to sneak these weapons through," said Ervin, who served as the department's first IG for about two years. He recounted the story in his keynote speech today at the 26th Annual Management of Change Conference sponsored by the American Council for Technology and by the Industry Advisory Council, to illustrate an important point.

http://www.linuxsecurity.com/content/view/123051

* House rejects Net neutrality rules
9th, June, 2006

The U.S. House of Representatives definitively rejected the concept of Net neutrality on Thursday, dealing a bitter blow to Internet companies like Amazon.com, eBay and Google that had engaged in a last-minute lobbying campaign to support it.

http://www.linuxsecurity.com/content/view/123067

* Police will not pursue ransom hackers
4th, June, 2006

After a Manchester woman was held to ransom by hackers, experts and senior police officers have voiced concern that such cases are falling between the cracks. Greater Manchester Police (GMP) will not be pursuing the criminals who used a Trojan horse program to lock a Manchester woman's files and demanded a ransom to release them.
http://www.linuxsecurity.com/content/view/122983

* A degree in hacking
6th, June, 2006

The University of Advancing Technology (UAT) in Phoenix, Ariz., is marketing its new Network Security program as a way to get a degree in hacking. The school is drawing the interest of geeks who use Windows, Linux, and Macintosh, according to UAT's IT manager Raymond Todd Blackwood, and even a few who want to go to the dark side of network security. Hackerdegree.com's Web page looks like a non-Windows desktop with a few terminals open, inviting the curious to learn more about fighting "cybercrime," "cybertheft," and even "cyberterrorism."

http://www.linuxsecurity.com/content/view/123004

* Forget your password? Be google!
8th, June, 2006

For more and more websites you need to register or pay to have full access. The odd thing is that Google has the complete and full index of the website. So what's going on here? Why must regular users pay or register to have access when the google search engine bot has full access? The reason is simple; every site wants to use the benefits of the wonderful world of Google, for webmasters free advertising is always welcome. But there is a simple way to be the Google (search)Bot. In this little article I will try to explain it.

http://www.linuxsecurity.com/content/view/123040

* Man charged with selling hacked VOIP services
8th, June, 2006

A Miami man was charged Wednesday with stealing more than 10 million minutes of VOIP (Voice over Internet Protocol) telephone service and then selling them to unsuspecting customers for as little as US$0.004 per minute.

http://www.linuxsecurity.com/content/view/123052

* PC hidden in 'BlueBag' exposes Bluetooth flaws
8th, June, 2006

If you happened to fly through Milan's Malpensa Airport last March, your mobile phone may have been scanned by the BlueBag.
Billed as a research lab on wheels, BlueBag was created by Milan's Secure Network SRL to study how malicious software might be able to spread among devices that use the Bluetooth wireless standard.

http://www.linuxsecurity.com/content/view/123053

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon Jun 12 04:27:37 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:27:37 -0500 (CDT)
Subject: [ISN] Researchers eye machines to tackle malware
Message-ID:

http://www.theregister.co.uk/2006/06/10/machines_analyse_malware/

By Robert Lemos
SecurityFocus
10th June 2006

The reverse engineer - better known amongst security researchers by his nom de plume, Halvar Flake - created an automated system for classifying software into groups, a process for which he believes machines are much better suited. Research using the system has underscored the sometimes-arbitrary decisions humans make in classifying malicious programs, he said. Among other anomalies, he found that Sasser.D has only a 69 per cent correlation to previous members of the Sasser family, while two examples of bot software, Gobot and Ghostbot, are more similar.

"It's like putting donkeys and bunnies in the same class because they both have long ears," Dullien, the founder and CEO of reverse-engineering tool maker Sabre Security, said in a recent interview.

The current problems with classifying and naming viruses are among the reasons that automated classification technology has once again become a focus of research.
The plethora of names for specific malicious programs has caused confusion amongst consumers, despite a project that seeks to provide guidance, if not to consumers, to software analysts and incident responders. In January, when a new computer virus appeared on the internet, anti-virus companies rushed to issue alerts and inundated consumers with a confusing array of names: Blackmal, Nyxem, MyWife, KamaSutra, Blackworm, Tearec and Worm_Grew all describe the same mass-mailing computer virus.

Several research projects hope to improve upon that record. Last month, at the annual conference of the European Institute for Computer Anti-Virus Research (EICAR), Microsoft released early results of its development of a system to automate classification of malicious software based on the actions performed by the code at runtime.

"A significant challenge we have today is the large number of active malware samples, totaling on the order of tens of thousands, and increasing rapidly," Microsoft researcher Tony Lee said in a recent blog posting following the conference. "It has become apparent to us that the traditional manual analysis process is not adequate in dealing with malware of this order of magnitude, and that we should seek automation technologies to aid human analysts."

The researchers modeled a piece of malicious software as the series of actions that the software takes at the operating system level. Referred to as "events" in a paper written by Lee and anti-malware program team manager Jigar Mody, the actions can include data copying, changing registry keys and opening network connections. The researchers then trained a recognition engine using an adaptive clustering algorithm - similar to self-organising maps - and classified a previously unseen subset of malware using the trained system. Using more clusters typically resulted in better classification.
When the software samples were classified based on 100 events, accuracy fell below 80 per cent, while classification based on 500 and 1,000 events typically has accuracy rates above 90 per cent.

Reverse engineer Dullien takes a different approach. Working with other researchers at Sabre Security, he used automated tools to deconstruct the actual code of virus and bot software, removing any common libraries that the code might use and then comparing the relationships between functions to characterise the software. Using a database of 200 samples of bot software, a test case for the automated process resulted in two major families of code, three smaller groups, and several pairs and singletons. The system also identified variants of bot software not recognised by a signature-based anti-virus system.

Dullien believes that static analysis is a better approach to malware classification than Microsoft's runtime analysis. Actions that a malicious program does not perform right away - known as time-delayed triggers - can foil runtime analysis, he said. And virus and attack-tool writers could add a few lines of code to a program to confuse runtime analysis, he added.

"The approach presented in the paper can be trivially foiled with very minor high-level-language modifications in the source of the program," he stated in a blog entry analysing Microsoft's system.

Microsoft declined to make its researchers available for interviews. However, in the paper, the authors argued that a combination of both static analysis and runtime analysis would likely perform best. For example, static analysis appears to deliver results more quickly; Microsoft's behavioral classification requires three hours to cluster 400 files at the 1,000 event limit, according to the paper.

In some ways, software classification resembles the state of biological classification back in the time of Carl Linnaeus.
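A toy version of the event-based classification described above, written as an added example (it is not Microsoft's, Sabre Security's or the article's code): each constructed sample is the ordered list of OS-level events a sandbox observed, samples are compared by the overlap of their event bigrams, and single-linkage clustering groups them into families. The `window` parameter models the time-delayed-trigger caveat Dullien raises: when the sandbox stops recording before a delayed payload runs, the delayed variant drops out of its family. All sample names, events, window sizes and the 0.5 threshold are assumptions made for the illustration.

```python
"""Toy behaviour-based malware family clustering (added example).

Each sample is modelled, as in the approach described above, as the ordered
list of OS-level events a sandbox observed (file copy, registry change, mail
and network activity). Samples are compared by the overlap of their event
bigrams and grouped by single-linkage clustering. All sample names, events,
window sizes and thresholds below are constructed for illustration.
"""
from itertools import combinations

# Constructed event traces. "famA_delayed" carries the same payload as the
# other famA samples but only after a sleep: a time-delayed trigger.
TRACES = {
    "famA_1": ["copy_self", "set_run_key", "read_address_book",
               "open_smtp", "send_mail"],
    "famA_2": ["copy_self", "set_run_key", "read_address_book",
               "open_smtp", "send_mail", "write_hosts"],
    "famA_delayed": ["copy_self", "set_run_key", "sleep",
                     "read_address_book", "open_smtp", "send_mail"],
    "famB_1": ["copy_self", "set_run_key", "connect_irc", "join_channel",
               "recv_command", "scan_subnet"],
    "famB_2": ["copy_self", "set_run_key", "connect_irc", "join_channel",
               "recv_command", "download_file"],
}


def event_ngrams(trace, n=2):
    """Set of consecutive event n-grams: an order-aware feature of a trace."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}


def similarity(trace_a, trace_b, n=2):
    """Jaccard overlap of the two traces' n-gram sets, in [0, 1]."""
    a, b = event_ngrams(trace_a, n), event_ngrams(trace_b, n)
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def observe(trace, window):
    """Model a sandbox that stops recording after `window` events."""
    return trace[:window]


def cluster_families(traces, threshold, n=2):
    """Single-linkage clustering: samples whose pairwise similarity reaches
    `threshold` are joined (via union-find) into one family."""
    parent = {name: name for name in traces}

    def find(name):
        while parent[name] != name:
            parent[name] = parent[parent[name]]  # path compression
            name = parent[name]
        return name

    for a, b in combinations(sorted(traces), 2):
        if similarity(traces[a], traces[b], n) >= threshold:
            parent[find(a)] = find(b)

    families = {}
    for name in traces:
        families.setdefault(find(name), []).append(name)
    return sorted(sorted(members) for members in families.values())


def classify(window, threshold=0.5):
    """Cluster what a sandbox with the given observation window would see."""
    observed = {name: observe(trace, window) for name, trace in TRACES.items()}
    return cluster_families(observed, threshold)


if __name__ == "__main__":
    # A short window truncates every trace before the delayed payload runs,
    # so famA_delayed ends up as a singleton instead of inside family A.
    print("window=3 :", classify(3))
    print("window=10:", classify(10))
```

With a three-event window the delayed sample is a singleton; once the window covers the whole trace it rejoins family A, which is the gap a static view of the code would not have.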
The 18th century botanist pushed the scientific community of his day into accepting a hierarchical classification system for plants and animals. However, early classifications relied on external similarities, much in the way that many of today's classifications rely on external attributes of programs rather than their internal processes.

At least one other project hopes to help human analysts do a better job of classification. OffensiveComputing.net, a project founded by researchers Val Smith and Danny Quist, aims to create a database of malware that records a number of basic attributes of the code, including checksums, anti-virus scanner results, and what type of packer the malware uses to compress itself. The project started in response to the increase in code sharing amongst virus and attack-tool writers and the faster development of exploits and the faster incorporation of those exploits into existing malicious software, OffensiveComputing's Smith said.

"The biggest benefit is more rapid response to complex threats. As the synergy between viruses, Trojans, worms, rootkits and exploits grows, waiting for a solution becomes more dangerous."

OffensiveComputing's database gives incident response workers and analysts access to meaningful data about malicious software, which is especially necessary until automated analysis programs, such as Microsoft's and Dullien's classification systems, mature. The project strives to be adaptable, involve the community, have measurable results, and remain open, Smith said.

"There is an arms race going on between analysts and malware authors, so any solution will have to keep pace with advances on both sides."

This article originally appeared in Security Focus. Copyright ©
2006, SecurityFocus

From isn at c4i.org Tue Jun 13 08:07:07 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:07:07 -0500 (CDT)
Subject: [ISN] OU has been getting an earful about huge data theft
Message-ID:

http://www.athensnews.com/issue/article.php3?story_id=25220

By Jim Phillips
Athens NEWS Senior Writer
2006-06-12

Ohio University has spent more than $77,000 sending letters to alumni and students affected by a computer security breach. It's harder to put a price tag on the blow to alumni goodwill, as the number of people affected by hacking of OU computer databases continues to rise with the discovery of new hacking incidents.

"This is damaging OU's reputation far more than its drunk football coach, magazine pictorials or its #2 party-school ranking, and you can tell (OU President Roderick) McDavis that this really sucks. A lot!" wrote one incensed alum May 10.

Another signed off his May 3 e-mail with, "You incompetent f---ing a--holes. I will never donate a penny to you."

After announcing two computer security breaches in May, OU got hundreds of e-mails from alums regarding the issue. The Athens NEWS has examined more than 600 of them, provided by the university in response to a records request.

The great majority were simply requests for information, trying to learn whether the sender's personal data were accessed by the hackers, and to get more detailed guidance on what to do if they were. A number of writers, however, expressed anger, frustration and in some cases, a distinct reluctance to donate any more money to OU.

"It was my intention to leave a sizable endowment to OU, but not any longer," announced one.

"My husband has graciously given to the university's alumni association many times; we will now think twice before we do it again," warned another.

Other comments along these lines include:

"I am disgusted with you and will NEVER do anything to help you financially."
"I will definitely be reflecting on this incident the next time I receive an appeal for a donation to OU."

"I have donated to the university for many years, but this shortcoming, and other matters having to do with the university, make me hesitant to make further contributions."

Some alums questioned why OU keeps Social Security numbers on long-gone graduates, including those who haven't been donors. Some asked to have their data removed from OU computers - a request the university promptly grants. Dozens wanted to know if OU will cover the expenses they rack up in taking precautions against identity theft, or financial losses if they're the victim of such thefts. A handful talked about lawsuits, and one alum simply sent OU a bill.

Molly Tampke, interim vice president for university advancement, admitted last week that she can't gauge how the alumni perception of the computer data breaches will affect giving to OU. Tampke acknowledged that the incidents seem to have undermined alumni confidence in some cases, but she continued to hold out hope that alums will look past the problems when it comes time to open their checkbooks.

"It does concern me that alumni would feel like they couldn't trust us," Tampke said. "In terms of long-term effects for financial support, I don't think we know. But I think ultimately people believe in us, and want to support Ohio University... I don't want to look cavalier by any means, but I believe in the loyalty of our alums."

THE PICTURE JUST GOT darker, however. While investigating the previous cases in which hackers gained access to personal data - including Social Security numbers - on close to 200,000 students and alums, OU recently found two more such incidents. These affect the personal data of about 2,480 university subcontractors and an additional 4,900 current and former students.
According to a story in the Columbus Dispatch Saturday, the latest hackings put OU at the top of universities nationally for the amount of computer data stolen, well ahead of the next school on the list, the University of Southern California.

More than one alum correspondent has questioned the competency of those watching over OU's data cache, and one question in particular keeps coming up in the e-mails sent by alums: Why did you have my Social Security number on file, anyway?

"I'm trying to fathom a situation in which a serious breach of Social Security numbers could occur and not be discovered for 13 months," wrote one alum who works in fraud and compliance for Microsoft. "How could this possibly happen without utter rank incompetence and a carefree attitude toward data security?... I hope your IT staff was fired."

Another writer noted that "the trend across the country is to de-link Social Security numbers from other important identifying information" in computer databases.

Tampke said the reason for holding the numbers is "primarily to track lost alumni." When an alum moves and doesn't leave a forwarding address, she said, OU will give the person's Social Security number to a tracking service, to find the new residence.

Given the risk of data theft, is this convenience worth it?

"That's a good question," Tampke said, adding that the issue is "something that we want to sit down and have a very structured conversation about," once the university has the fallout from the hacking cases under control.

A recent internal memo on OU's damage-control efforts estimates that the university has spent approximately $77,090 on printing and mailing almost 244,000 letters to alums and donors affected by the security breaches. OU has sent out close to 126,000 e-mails in connection with the incidents as well, the memo shows. Tampke said these numbers should be pretty much up to date, and that the volume of correspondence over the case has ebbed considerably.
"It's tapered off a lot," she said. "We're not getting nearly so many e-mails. I got maybe three letters this week."

Some of the e-mails received by OU, however, suggest that the story is far from over. Dozens of writers have hinted - or come right out and said - that OU should pick up the tab for any credit-monitoring services affected alums have to pay for, or any losses they suffer through identity theft. A smaller number have implied, with varying degrees of specificity, that they may take the matter to court.

"If there is any financial damage or compromise to my other accounts stemming from this breach of security, I will hold Ohio University at fault and seek legal counsel to recover any and all loss, with punitive damages," one alum threatened. "I will further network with my other alumni to seek a class-action suit for the same."

OU has responded to questions about money liability with a standard statement, which says that before OU would cover any losses related to identity theft, it "would need some sort of definitive evidence that an individual had experienced financial liability not otherwise remedied by the laws that protect victims of identity theft and that such harm had occurred as a direct result of this particular database system compromise rather than a similar compromise of some other organization's system in which the individual might also have a record."

Some alums have called this a dodge.

"As far as proving that identity theft was a direct result of your system 'compromise,' you know as well as anyone that you cannot prove that it was the only place that information could have been received," one writer complained.

Barb Nalazek, OU's assistant legal affairs director, said that while it may seem unfair to require an alum to prove that an identity theft stemmed from OU's computer breach and not some other hacking incident, in today's world of widespread data theft, this is only realistic.

"We're seeing breaches all the time," she said.
"I don't want to sound like I'm making excuses, but you really have to say, 'Do you really know that no other company that has all that information on you didn't breach that?'... It sounds like an excuse, but it's true."

On the expense issue, Nalazek noted that there are a few companies that will provide one free 90-day credit watch per year. By using all of these companies, she said, a person can keep an ongoing watch on his or her credit record, "and it doesn't cost anything... For what is an appropriate sort of due diligence, it really is something we all should be doing, and there doesn't have to be any financial cost."

As for losses incurred through identity theft, Nalazek pointed out that the law already limits a person's individual financial liability in the case of, say, misuse of a credit card.

"As long as you're monitoring your credit-card statements, your liability is extremely limited," she said.

No one, apparently, has yet sued OU over the security breach, but the e-mails contain a handful of veiled threats, not-so-veiled threats, and queries on this issue.

"Is there already a class-action lawsuit against Ohio University at this time?" asked one alum.

"Like many of my classmates, I'm also investigating Ohio University's potential criminal and civil liability," noted another.

"If there is a lawsuit, believe me I will happily join it," announced a third.

Nalazek confirmed that the idea of a class-action suit has apparently crossed the mind of more than one OU alum, but said she knows of no organized effort to file one.

"It's certainly not that we haven't heard those two words bandied about by people contacting us," she acknowledged. "But as far as that happening, there's nothing that we know of."

One resourceful alum dispensed with hints, threats and allegations, and simply billed OU for the time she spent checking her credit status.
Calling the university "fully liable" for her outlay of time, she e-mailed an invoice for three hours of work at her "usual billing rate" of $165 an hour.

In its latest response, OU Legal Affairs Director John Burns has contacted the firm the woman works for, asking for confirmation of her hourly rate.

"(The alum's) hourly compensation claim is unique so far, and I am not sure what Ohio University's decision will be," Burns states in a June 1 e-mail.

Not everyone who expressed an e-mail opinion about the data breach was outraged. Some were understanding, a few sympathetic. One was nearly whimsical.

"Please stop giving my information to identity thieves," the alum asked politely. "Thank you for your consideration."

In a postscript he added, "I would give you the rest of my contact information, but I am afraid it would be stolen."

From isn at c4i.org Tue Jun 13 08:07:31 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:07:31 -0500 (CDT)
Subject: [ISN] Data breaches raise more questions about computer security law
Message-ID:

http://www.govexec.com/dailyfed/0606/06126p1.htm

By Daniel Pulliam
dpulliam at govexec.com
June 12, 2006

Recently reported breaches compromising sensitive data held by four agencies have officials looking at ways to improve federal information security laws.

Security experts and former government officials started pointing fingers at alleged weaknesses in the 2002 Federal Information Security Act earlier this year. In recent interviews, some said they believe that the incidents could lead to changes in the law.

Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, called the compromise of personnel records of 1,500 Energy Department employees revealed last week, combined with last month's theft of personal data on 26.5 million people from a Veterans Affairs Department employee's home, "an indictment of FISMA."
In two unrelated incidents, laptop computers containing the personal information -- including Social Security numbers, birthdates and names -- of about 200 employees at the Social Security Administration and the Internal Revenue Service were lost recently.

FISMA requires agencies to identify and categorize risks to their information technology systems and then implement security controls based on those risks.

Paller said agencies are using their technology security funds to pay independent contractors to write FISMA-required reports as part of the certification and accreditation process, leaving little money for implementing actual security measures. A certification and accreditation process is necessary, but it should be continuous and automated, Paller said.

"There was a thought that to check security, you had to check with people and talk to people, but because most attacks are done by systems, you need systems to check the security," Paller said. "The VA spent tens of millions of dollars certifying and accrediting these systems, and they are not secure."

A VA spokesman said that the agency received $77 million for information security in fiscal 2006 and $78 million has been proposed for fiscal 2007.

Paller and Bruce Brody, vice president for information security at the Reston, Va.-based market research firm INPUT and associate deputy assistant secretary for cyber and information security at the VA from 2001 to 2004, have been critical of FISMA in the past, and both met with staffers from the House Government Reform Committee recently to discuss possible changes to the law.

Brody, who also served as chief information security officer at the Energy Department until December 2005, said that the Energy security breach occurred during his tenure at the agency, but within the National Nuclear Security Administration, which is autonomous from the department under the National Nuclear Security Act.
Paller said he believes that effective reform is possible, but Brody said the policy and legislative communities are unlikely to get the changes right unless information security practitioners are involved.

Clay Johnson, the Office of Management and Budget's deputy director for management, said last week OMB has 95 percent of the laws and policies it needs to hold agencies accountable for locking down their information systems, but "extra teeth" may be needed. He did not specifically refer to FISMA.

Johnson said in testimony before the House Government Reform Committee that the administration believes it generally has good policies and laws for protecting data, but is "prepared to take more action as necessary."

In a request for comment on the matter, OMB gave no indication that changes to FISMA are being considered. OMB spokeswoman Andrea Wuebker said that FISMA was established to ensure that agencies meet consistent standards for security requirements for information systems. Agencies are responsible for ensuring that they are FISMA compliant and that their employees are trained to work with tough security measures, Wuebker said.

"Sound standards and policies are in place, and OMB works with agencies to make sure practices match these policies," Wuebker said.

© 2006 by National Journal Group Inc. All rights reserved.

From isn at c4i.org Tue Jun 13 08:06:32 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:06:32 -0500 (CDT)
Subject: [ISN] Lights out
Message-ID:

http://www.fcw.com/article94825-06-12-06-Print

By Brian Robinson
June 12, 2006

Most federal agencies and an increasing number of state and local offices have made significant investments in communications services that run over government-owned or commercial fiber-optic networks. Fiber can carry much more data than traditional copper lines and at lower costs.
Besides government operations, a growing part of the country's economy depends on the Internet and its fiber-based backbone - everything from online shopping and entertainment to banking and health care. But given its vital importance as a communications medium and general concerns about terrorist threats to the country's economic and critical infrastructure, just how secure are the country's fiber networks?

Experts say fiber, like any network technology, is indeed vulnerable to a determined eavesdropper with the know-how and right equipment. That means agencies should safeguard sensitive data.

From a broader, more systemic perspective, however, the country's fiber-optic infrastructure is more redundant and thus more resilient than it was a few years ago, reducing the chances that an attacker could cripple large segments of it, experts say. But localized problems stemming from physical damage to the infrastructure - intentional or not - still have the potential to affect its availability.

Not a priority

For an increasingly technology-dependent country, the security of fiber-optic networks is apparently low on the list of concerns for those whose job it is to worry about such threats.

For example, in its recently published "Federal Plan for Cyber Security and Information Assurance," the National Science and Technology Council identified the Internet's Domain Name System, network routing protocols and a host of other process control systems most in need of security research and development. The report did not address fiber networks and other infrastructure issues.

Meanwhile, the U.S. Cyber Consequences Unit (US-CCU), an independent research group that advises the Homeland Security Department, did not include the fiber infrastructure in a recent draft of a cybersecurity issues checklist it gave to DHS. That checklist identified measures at the enterprise or organizational level, said Scott Borg, director of the US-CCU. The unit will probably investigate fiber infrastructure security issues later, he said.

With technology budgets tighter than ever, organizations may decide that fiber security is just not that pressing compared with other cybersecurity issues, said Bernard Skoch, executive vice president of Suss Consulting and a former principal director for network services at the Defense Information Systems Agency.

"People in government are in a classic fight over funding and have to prioritize their needs," Skoch said. "In some ways, it takes a greater level of sophistication to say why something is not needed, and right now, I think there are a lot of people who have concluded that the fiber infrastructure mesh is well-enough protected."

Hacking fiber

Some experts say the notion that fiber networks are sufficiently secure may not be a well-informed conclusion. Tapping fiber without detection is difficult but certainly not impossible, they say.

One of the classic assumptions about such networks is that they are inherently more secure than copper cable. A signal traveling over copper tends to leak outside the cable, so anyone with a sensitive scanner could pick up those signals and access the data. Because fiber uses various wavelengths of light rather than electrons to carry data, it does not routinely suffer from similar leakage.

Stealing data in transit - between the two ends of the fiber - means someone has to physically break a fiber strand to tap it or somehow bend the fiber enough to induce light to exit the fiber. That is not an easy task, some experts say.

Physically tapping into fiber means you will interrupt the data stream, which will alert a network operator, said Frank Dzubeck, president of Communications Network Architects, a network integrator.

"To detect the light passively, you have to first strip away all of the shielding around the fiber and then put something in place to catch the light bouncing off the glass of the fiber strand," he said. "And then you have to determine what the data is that you are capturing. This is all involved specialty equipment. It's not something you can purchase on the open market."

But Seth Page, chief executive officer of New York-based Oyster Optics, which makes intrusion-detection equipment, said he believes that the fiber infrastructure is vulnerable to hackers who can tap fiber with common maintenance tools that are available worldwide.

"This same equipment with modifications can be used to capture 100 percent of the voice, video and data going across the network," Page said. "All you need to do is get access to the fiber loop serving a particular building."

Hackers don't even need to get all of the data traveling on the fiber, he said. The packet headers reveal information about phone numbers, IP addresses and the fiber service provider. Even if an organization encrypts data and a hacker does not have the means to decrypt it, the packet headers would not be encrypted, he said. The hacker could save the rest of the data and attempt to decrypt it later.

The equipment that can capture light from the fiber can also easily inject light into it, Page said. That would allow a hacker to modify or jumble the data going through the fiber, corrupting it or causing a denial-of-service attack on the network.

Perhaps the biggest danger to fiber networks is the so-called backhoe effect, a decidedly low-tech danger. It happens when contractors or private landowners dig into the ground and inadvertently break fiber cables that telecommunications companies have laid.

As recently as 2004, telecom facilities were still among the most likely to be affected by excavation work. The Common Ground Alliance, an industry organization aimed at limiting damage caused by such events, said telecom operations made up 27.5 percent of the reports it received about such accidents.

"It's still probably the most significant threat," said M.E. "Mich" Kabay, associate professor of information assurance at Norwich University in Vermont.

Nerve-wracking map

Fiber's vulnerability to errant digging underscores the notion that deliberate tampering poses a real risk, Kabay said.

"The telcos are so concerned about making sure people don't dig where their fiber-optic cables are," he said. "But on the other hand, if you were a terrorist, where would you then go to bring down all of the northeast corridor communications?"

The potential chaos that such sabotage could cause was highlighted in 2003 when a doctoral thesis written by George Mason University graduate student Sean Gorman sparked widespread consternation in industry and government. Gorman used public sources to compile a map of all the major business and industrial sectors in the country and overlay a representation of the fiber infrastructure that connected them. With a single mouse click, anyone could see the location of communications choke points for vital sectors of the U.S. economy.

The infrastructure's resiliency has improved in recent years, however, through an effort to re-engineer it into a hierarchical structure of fiber rings that mesh together, Dzubeck said.

"Nothing is centralized in one spot anymore, so if you want to take out one of these [rings], you'd have to take out many, many sections at once," he said. "There are multiple paths communications can take through these rings, and if you do cut a cable, you are only cutting one small section."

All of the fiber in place in the United States now is redundant because of this new configuration, said Ron Martin, vice president of service provider development for optical networking at Cisco Systems.

"Every fiber now has an alternate path through which the data can be sent," Martin said. "If there is a fiber breakage or an equipment failure, the communication reroutes itself, causing maybe hundreds of milliseconds of disruption at most."

IP design also enables this dynamic rerouting. IP breaks data streams into various packets that a network can route via different paths and then reassemble at the final destination.

"We've not figured out a way to stop people [from] digging up our fiber with backhoes, so the key is having some way to allow customers to recover from those events," said Steven Parrott, a product development manager at Sprint. "With IP, if you lose a particular fiber path, it's very simple just to reroute the data."

The bottom line for users is that there is minimal, if any, disruption in their communications, Parrott said.

Despite continuing instances of fiber breakages, the Alliance for Telecommunications Industry Solutions reported that facility outages were at a record low in 2004, and it was one of the best years for network reliability.

Nobody fixes leaks in a roof unless it's raining, said John Pescatore, vice president and research fellow at Gartner Research, who previously worked at the National Security Agency and the U.S. Secret Service. Without a smoking gun to indicate a threat or attack, most officials do not worry about fiber's security, Pescatore said. "People don't care."

[...]

From isn at c4i.org Tue Jun 13 08:07:57 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:07:57 -0500 (CDT)
Subject: [ISN] Backdoors, Bots Biggest Threats To Windows
Message-ID:

http://www.informationweek.com/news/showArticle.jhtml?articleID=189400457

By Gregg Keizer
TechWeb.com
Jun 12, 2006

Backdoor Trojans are a clear and present danger to Windows machines, Microsoft said Monday as it released the first-ever analysis of data collected by the 15-month run of its Malicious Software Removal Tool, a utility that seeks out and destroys over five-dozen malware families.

According to Microsoft's anti-malware engineering team, Trojans that, once installed, give an attacker access and control of a PC, are a "significant and tangible threat to Windows users."
Of the 5.7 million unique PCs from which the Malicious Software Removal Tool (MSRT) has deleted malware, 3.5 million of them -- 62 percent -- had at least one backdoor Trojan.

"Backdoor Trojans are a large part of the malware landscape," said Matt Braverman, program manager on the team, and the author of a report on the tool's data that was released Monday at Boston's TechEd 2006 conference.

Bots, a subset of Trojan horses, were especially "popular" on infected PCs, Microsoft's data showed. Bots are small programs that communicate with the controlling attacker, usually through Internet Relay Chat (IRC) channels, less frequently via instant messaging. Of the top 5 on the MSRT's removed malware list, three families -- Rbot, Sdbot, and Geobot -- were bots.

Once backdoors and bots are accounted for, all other malware types were seen on only a minority of machines. "Rootkits are certainly present, but compared to other [malware types] they're not extremely widespread yet," added Braverman. A rootkit was present on 14 percent of the nearly 6 million computers that had to be cleaned.

Since it debuted in January 2005, the MSRT has been run some 2.7 billion times on an increasing number of PCs. In March 2006, the last month for which data was compiled, 270 million unique systems ran the tool, which is automatically downloaded and run on systems with Windows/Microsoft Update turned on. Over those 15 months, the MSRT found malware on one in every 311 computers.

"I think that's a valid, accurate number," argued Braverman, even though the MSRT doesn't detect and delete every form of malicious software, and runs predominantly on Windows XP SP2 (and not at all on older operating systems, such as Windows 98 and Windows NT).

The MSRT data also seemed to validate the long-standing premise that Windows XP SP2 is more secure than earlier Microsoft operating systems, said Braverman.

Although Windows XP SP2 systems account for 89 percent of all machines from which malware was deleted, when the numbers are "normalized" -- to take into account the number of tool executions on each OS -- SP2's rate falls precipitously to just 3 percent. Together, Windows XP Gold (the original edition launched in October 2001) and Windows XP SP1 account for 63 percent of the deletions when the numbers are normalized.

"This makes sense," Braverman's report read. "Windows XP SP2 includes a number of security enhancements and patches for vulnerabilities not found in earlier versions of Windows XP, making it more difficult to be infected by malware in some cases.

"And it is likely that a user who has not yet upgraded to the latest service pack would be more susceptible to social-engineering-based attacks. In fact, this seems to hold true for Windows 2000 and Windows Server 2003 as well, where the latest versions of the service packs for those operating systems have the lowest number of normalized disinfections compared with the older versions of the operating systems."

"No, I couldn't claim that Windows XP SP2 itself was the only reason why its normalized numbers are so low," admitted Braverman, who pointed to the prodding those users get to turn on Automatic Update (which not only patches their OS, but also runs MSRT monthly) and the idea that they're less likely to engage in potentially risky behavior, like opening attachments or visiting dangerous parts of the Internet.

Microsoft uses a combination of internally-generated metrics and outside feedback -- including the WildList and customer comments -- to decide which malware is added to the list targeted by the tool. Anti-virus scan results of Microsoft's for-a-fee security service, OneCare, and its for-free Windows Live Safety Center, said Braverman, are taken into account, as is data from the crash analysis tool that users can invoke when Windows dies.

While the MSRT data has been used mostly by the anti-malware team itself to develop new tools -- such as ones to more quickly crank out signatures for bots -- Braverman sees it as a way for Microsoft and its partners to get a better feel for the current security situation.

"It demonstrates Microsoft's understanding of the malware landscape," he said even as that landscape -- and the tool itself -- change. "We've already morphed our thinking about how to best attack malware families," he added.

A version of the tool for Windows Vista Beta 2 will be released within weeks, said Braverman, via Windows/Microsoft Update to help protect users trying out the new operating system.

The newest edition of the MSRT will be released Tuesday as part of Microsoft's monthly security update.

Copyright © 2006 CMP Media LLC, All rights reserved.

From isn at c4i.org Tue Jun 13 08:08:27 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:08:27 -0500 (CDT)
Subject: [ISN] Japanese virus shares private info
Message-ID:

http://www.smh.com.au/news/security/japanese-virus-shares-private-info/2006/06/13/1149964511797.html

The Sydney Morning Herald
June 13, 2006

A computer virus that targets the popular file-sharing program Winny isn't the most destructive bug or even the most widespread. But it's the most talked about in Japan as it generates headline after headline, month after month.

The malware, called Antinny, finds random files on Winny users' PCs and makes them available on the file-sharing network.

So far, the data leaked have been varied and plentiful: passwords for restricted areas at airports, police investigations, customer information, sales reports, staff lists. The constantly updated virus seems to have spared no one: airlines, local police forces, mobile phone companies, the National Defence Agency. Even an antivirus software manufacturer has suffered.

"The virus has been quite effective in getting information off a user's computer and onto the Internet. The data is supposed to be secret, so people are quite sensitive about it," said Tsukuba University computer scientist Kazuhiko Kato.

Compared to attacks on Microsoft Corp's Windows software, the scope of the Antinny outbreak is narrow. But the Winny mess has caused an enormous brouhaha in Japan.

Antinny also may have the dubious distinction of being the first virus to exploit the nature of file-sharing itself in Japan, if not in the world, said Mamoru Saito of Telecom Information Sharing and Analysis Centre Japan. Other viruses and spyware are often found on such networks, though none appears to take advantage of the underlying technology to spread personal data.

And while Antinny's writers seem to be limiting themselves to Japanese file-sharing software for now, he said, the code theoretically could be modified to attack other file-sharing networks such as Gnutella and BitTorrent.

The outbreak has triggered a broad damage-control effort by government and businesses. They have banned Winny from in-house computers and fired employees who use it on them. They've also demanded that staff not take work home and delete Winny from any home PCs used for work.

"The most secure way to prevent the leakage of information is not to use Winny on your computer," Chief Cabinet Secretary Shinzo Abe, the government's top spokesman, told reporters.

But the outbreak shows little sign of abating.

"The problem has shown that many people just don't know how to use the internet safely," said Takeshi Sato of the government's National Information Security Centre.

File-sharing programs like Winny are used to find and get files, from music to video to documents, from the computers of other people also using the software. The PC owner typically has control over what is made available by limiting sharing to a specific folder. The virus takes advantage of this culture to propagate itself by playing a "social" trick on users, said Telecom ISAC Japan's Saito.
When the virus is activated on a computer, it first chooses a new name for itself by taking the names of other files users are likely to be searching for, usually photos or music. The resulting new name becomes so long that, under normal Windows settings, the three-letter file extension that indicates the type of file disappears from view, he said.

Careless users who download the file will see only the name and think it is something they wanted, say, a photo of a favorite movie star. They don't see that they are actually trying to open an application, not a picture. When they do, the virus then looks on the computer for the Winny application, grabs random files off the hard drive and uses Winny to make those files and itself available for download on the network. And so the cycle repeats.

New strains of Antinny appear all the time. Software maker Trend Micro listed 46 variations of the virus in its database as of mid-May. Trend itself lost sales data due to a Winny leak in 2005.

"Just keeping your antivirus software up to date isn't enough, because the updates can't keep up with all the new strains of the virus," the government's Sato said.

The government's concerns about Winny go beyond viruses. It's often used to share files and that often means illegally exchanging copyrighted materials. Winny was already on the government's radar screen in November 2004, when its creator, then an instructor at the prestigious University of Tokyo, was handed a three-year suspended sentence on charges of violating copyright laws. But now it is confidential data rather than hit songs that have Winny back in the spotlight.

Japan Airlines, for example, discovered last December that an Antinny-infected computer owned by one of its co-pilots leaked passwords for restricted areas at 16 airports around Japan as well as Guam's international airport. The airline was forced to alert the airports to have passwords changed as a precaution.

In early March, Japan's National Defence Agency said it lost "confidential information" due to a Winny leak, again from an employee's home computer. While defence officials refused to say what data had been lost, a news report said it included reports on training exercises conducted in Okinawa with U.S. troops in 2005. In the aftermath of the leaks, the agency ordered employees not to use Winny on any computers used for work. It also announced plans to purchase 56,000 computers so employees would no longer have to use their own equipment for work.

Schools, internet providers and electric companies are among the others who can tell of similar losses. Making matters worse, reports began surfacing in May that the virus was now attacking another Japanese file-sharing application called Share (pronounced "shah-ray"), opening the door to yet more embarrassing leaks.

The excitement being generated is all the more remarkable when one considers the outbreak's scale. Because Antinny needs Winny to spread, both the virus and the files it picks up are limited to a small section of internet users, anywhere from 300,000 to 600,000 people, based on government and industry estimates. Government statistics show Antinny was responsible for a minuscule fraction of the 24,155 virus outbreaks reported between November 2005 and April 2006.

"Reports of the leaks make for good drama," Tsukuba's Kato said. "Still, they show that people need to be careful if they connect their computers to the Internet."

The government and businesses are trying to help, with everything from educational pamphlets and Web sites to free software that can remove Antinny, Winny or both. But there are limits to what they can do.

"The industry is providing information about how to deal with the problem," said Telecom ISAC-Japan's Saito. "The question is whether or not the users do anything about it."

Copyright © 2006. The Sydney Morning Herald.
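The filename trick Saito describes in the article above (a long, decoy-laden name that pushes the real executable extension out of view) is easy to screen for on the defender's side. The following is an added example, not code from the article or from any of the vendors it names: a small triage routine that inspects downloaded file names and flags the pattern. The extension lists, the assumed 40-character display width, and the sample file names are constructed for illustration.

```python
"""Flag file names that masquerade as media by hiding an executable extension.

Added, illustrative example: a defender-side check for the Antinny-style
naming trick (decoy media suffix, whitespace padding, over-long name).
All lists, widths and sample names below are assumptions, not from the article.
"""
import os

# Extensions Windows will run when double-clicked (illustrative subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Extensions users expect for photos, music and documents; one of these sitting
# just before the real extension is the classic "photo.jpg.exe" decoy.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".mp3", ".wma", ".avi", ".txt", ".doc", ".pdf"}
# Assumed width at which a default Explorer name column truncates.
DISPLAY_WIDTH = 40


def displayed_name(name, hide_known_ext=True, width=DISPLAY_WIDTH):
    """Approximate what a user sees: known extension hidden, name truncated."""
    shown = os.path.splitext(name)[0] if hide_known_ext else name
    if len(shown) > width:
        shown = shown[: width - 3] + "..."
    return shown


def analyse_filename(name):
    """Return the indicators found in one file name plus a verdict.

    Indicators: the real extension is executable; a decoy media/document
    extension precedes it; whitespace padding separates decoy from real
    extension; the whole name exceeds the display width.
    """
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    is_exec = ext in EXECUTABLE_EXTS
    # Strip ASCII and ideographic-space padding inserted before the real extension.
    stripped = base.rstrip(" \t\u3000")
    padding = len(base) - len(stripped)
    decoy_ext = os.path.splitext(stripped)[1].lower()
    has_decoy = decoy_ext in DECOY_EXTS
    too_long = len(name) > DISPLAY_WIDTH
    if is_exec and (has_decoy or padding > 0 or too_long):
        verdict = "high"      # executable dressed up to look like something else
    elif is_exec:
        verdict = "medium"    # plain executable: worth a second look, not disguised
    else:
        verdict = "low"
    return {
        "name": name,
        "executable": is_exec,
        "decoy_ext": decoy_ext if has_decoy else "",
        "padding": padding,
        "too_long": too_long,
        "verdict": verdict,
    }


def triage(filenames):
    """Analyse a batch of file names (e.g. a download folder listing)."""
    return [analyse_filename(n) for n in filenames]


# Constructed sample names (not real Antinny samples).
SAMPLE_DOWNLOADS = [
    "movie_star_photo.jpg",
    "movie_star_photo.jpg.exe",
    "setup.exe",
    "favorite_song_new_album_2006_live_concert_recording.mp3          .exe",
    "concert_video.avi\u3000\u3000.scr",
    "notes.txt",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_DOWNLOADS):
        print(f"{r['verdict']:6} shown as {displayed_name(r['name'])!r:45} real={r['name']!r}")
```

The `displayed_name` helper exists only to make the point visible: with extensions hidden, `movie_star_photo.jpg.exe` is shown as `movie_star_photo.jpg`, which is exactly the view the article says careless users act on. A real deployment would run `analyse_filename` at the mail gateway or on the download folder and quarantine anything scored "high" rather than rely on the user noticing.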
From isn at c4i.org Wed Jun 14 04:03:36 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:03:36 -0500 (CDT)
Subject: [ISN] Computer Security Market to Grow 13%
Message-ID:

http://times.hankooki.com/lpage/biz/200606/kt2006061320215011910.htm

06-13-2006

SEOUL (Yonhap) - South Korea's computer security market is forecast to grow 13 percent annually over the next five years as spending on Internet security software rises in both the public and private sectors, a report indicated on Tuesday.

The country's digital security market is predicted to rise to 815 billion won ($850) by 2010, and the security appliance market is projected to post an annual growth rate of 17.6 percent, according to the report compiled by the South Korean unit of the International Data Corp. IDC Korea said the country's computer security market posted 8.5 percent growth last year reaching 443 billion won.

The security appliance sector, in particular, is expected to grow sharply in the future, the report said, adding that more and more public institutions and private companies in the country are trying to keep their computer networks safe from burgeoning cyber threats.

From isn at c4i.org Wed Jun 14 04:03:05 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:03:05 -0500 (CDT)
Subject: [ISN] Hanford workers warned about security breach
Message-ID:

http://seattlepi.nwsource.com/local/273650_hanfsecurity13.html

By SHANNON DININNY
THE ASSOCIATED PRESS
June 13, 2006

The U.S. Energy Department has warned about 4,000 current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation.

The discovery marks the second time in less than a week that the Energy Department has warned employees and its contractors' employees that their personal information may have been compromised.

Police in Yakima discovered the list while investigating an unrelated criminal matter, the Energy Department said, adding that the list included the names of people who worked for a former Hanford contractor, Westinghouse Hanford, who were transferring to Fluor Hanford or companies under contract to Fluor Hanford in 1996. The Energy Department awarded Fluor Hanford the contract to clean up the highly contaminated nuclear site in December 1996.

The list also included workers' Social Security numbers and birthdates, as well as work titles, assignments and telephone numbers.

The department began notifying workers about the discovery Sunday. Employees at seven companies were warned to monitor their financial accounts and billing statements for any suspicious activity. There was no indication that Hanford's computer network was compromised.

The Energy Department and Fluor Hanford were working with law enforcement officials to determine how the list was obtained and why it was in the home, the Energy Department said in a statement Monday.

"We, along with Fluor, are taking this very seriously," said Karen Lutz, an Energy Department spokeswoman at the south-central Washington site. "Obviously, there's a concern to get the word out, because so many workers transfer to other contractors and other federal sites."

Also on Monday, Energy Department officials began contacting 1,502 individuals by phone to inform them that their Social Security numbers and other information might have been compromised when a hacker gained entry to a department computer system eight months ago. The workers, mostly contract employees, worked for the National Nuclear Security Administration, a semiautonomous agency within the department that deals with the government's nuclear weapons programs.

The computer theft occurred last September, but Energy Secretary Samuel Bodman and his deputy, Clay Sell, were not informed of it until last week. It was first publicly disclosed at a congressional hearing on Friday.

Following the Hanford report Monday, Sen. Maria Cantwell, D-Wash., demanded corrective actions to ensure that federal employees' personal information remains secure.

"Today's news that the personal information of 4,000 Hanford workers has been floating around in the open shows that we still have a long way to go when it comes to keeping sensitive information out of the wrong hands," Cantwell said.

Workers from the following companies were urged to check their financial statements: Fluor Daniel Hanford, Lockheed Martin Hanford, Rust Federal Services of Hanford, B&W Hanford, Numatec Hanford, DynCorp Tri-Cities Services and Duke Engineering and Services Hanford.

From isn at c4i.org Wed Jun 14 04:03:21 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:03:21 -0500 (CDT)
Subject: [ISN] Elections hacks don't guard us against hackers
Message-ID:

http://www.miami.com/mld/miamiherald/14803773.htm

By FRED GRIMM
fgrimm at MiamiHerald.com
Jun. 13, 2006

For a county supervisor of elections needing someone to test the vulnerabilities of his voting system, Dan Wallach's the man.

Wallach, who runs the security computer lab at Rice University, is a nationally regarded expert on computer network security and voting system vulnerabilities. He's associate director of ACCURATE (A Center for Correct, Usable, Reliable, Auditable and Transparent Elections). Besides, his parents live in Lauderdale-by-the-Sea. He is a perfect choice.

But not in Florida.

Wallach and his associates at ACCURATE may represent academia's leading experts on voting system security, but under the new rules promulgated by the Florida Secretary of State, they don't qualify. Any security test, the secretary of state's office insists, must be performed by someone certified by the American Software Testing Qualifications Board, the American Society for Quality or the EC (E-Commerce) Council.
Not only is Wallach not certified by the three organizations, ''I've never heard of them,'' he says.

TRAINING COURSE

Actually, the first two organizations are concerned with the overall quality of manufactured software, not security. The EC Council website offers a five-day training course into something called ''ethical hacking.'' Five days of training, under the new rules, would trump the most sophisticated résumés in computer science.

Computer professor David Dill, of Stanford University, who served on California's Ad Hoc Task Force on Touch Screen Voting, and whose degree -- not the five-day kind -- comes from MIT, added his apprehensions to the comments on the proposed rules the Florida Secretary of State's office collected Monday. He said they ''would exclude the most competent evaluators, such as those who have found most of the reported security holes in existing voting systems.

''I have checked with several computer security experts, who not only do not have these qualifications, but, like me, have never heard of them. A little research on the Web reveals these certifications to be of dubious relevance to voting system evaluation,'' Dill wrote.

Other rules would require that the voting-machine vendors and the secretary's office get advance notice of any security test. And a supervisor of elections contemplating a security test must first take special pains to protect the machine manufacturer's secret operating code.

CERTIFIED HACKERS

Wallach and Dill seemed puzzled. Wallach noted that a voting machine ought to be secure no matter who tries to hack the system. The notion that a would-be hacker must first be properly certified and possess special qualifications (like a five-day online course), and the vendors need advance notice becomes utterly irrelevant in cyberspace.

''If someone is malicious and his goal is to throw the election, they're not going to ask permission,'' Wallach said.

Of course, the new rules aren't really about protecting the integrity of elections. Only one Florida supervisor of elections allowed outside experts to test his voting system security. And when Ion Sancho's hackers discovered they could alter the outcome of an election and wipe out all trace of the tampering last year, it was a huge embarrassment to the Secretary of State's office.

Instead of trying to fix the flaws, state officials and Diebold -- a maker of voting machines -- went after Sancho, disparaging his findings and suggested that he ought to be tossed from office. Then California -- not Florida -- directed a panel of computer science experts to look into the Leon County findings. The panel found the same flaws and more. Florida election bureaucrats were humiliated.

''The new rules are designed to make sure that they're never embarrassed again,'' Sancho said Monday.

Florida's first priority is to protect the vendors. We'll let California worry about the damn voters.

From isn at c4i.org Wed Jun 14 04:03:48 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:03:48 -0500 (CDT)
Subject: [ISN] KDDI suffers massive data breach
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001150

Martyn Williams
June 13, 2006
IDG News Service

Personal data on almost 4 million customers of Japanese telecom carrier KDDI Corp. has been breached, the company said Tuesday.

The data includes the name, address and telephone number of 3,996,789 people who had applied for accounts with KDDI's Dion Internet provider service up to Dec. 18, 2003, KDDI said. Additionally the gender, birthday and e-mail addresses of some of the people was also leaked.

KDDI is Japan's second largest telecommunications carrier. It operates fixed line, dial-up Internet, broadband and cellular services through a number of different companies.
The carrier became aware of the leak on May 31 this year when it received a phone call from someone claiming to possess a CD-ROM of the data, said Yoko Watanabe, a spokeswoman for the Tokyo-based carrier. The original source of the data has yet to be determined and Watanabe declined to comment on other aspects of the case, which is being investigated by the police, she said. The leak is just the latest of several to hit the headlines in Japan this year. Personal information has been leaked by companies a number of times onto the Internet through viruses that infect PCs running file sharing programs. While the source of the data lost by KDDI is not yet clear, the episode is likely to increase fears of identity theft and other fraud in Japan. In recent years the number of frauds committed against consumers using such information has been on the rise. Armed with the name and address or telephone number of a consumer, fraudsters can send out bills or make calls demanding payment for services that were never delivered. The slick frauds often dupe consumers into sending money before they realize they have been tricked. From isn at c4i.org Wed Jun 14 04:05:40 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 14 Jun 2006 03:05:40 -0500 (CDT) Subject: [ISN] PCs to developing world 'fuel malware' Message-ID: http://www.theregister.co.uk/2006/06/13/pc_donation_peril/ By John Leyden 13th June 2006 Programs to send PCs to third world countries might inadvertently fuel the development of malware for hire scams, an anti-virus guru warns. Eugene Kaspersky, head of anti-virus research at Kaspersky Labs, cautions that developing nations have become leading centres for virus development. Sending cheap PCs to countries with active virus writing cliques might therefore have unintended negative consequences, he suggests. "A particular cause for concern is programs which advocate 'cheap computers for poor third world countries'," Kaspersky writes. 
"These further encourage criminal activity on the internet. Statistics on the number of malicious programs originating from specific countries confirm this: the world leader in virus writing is China, followed by Latin America, with Russia and Eastern European countries not far behind."

But what about all the positive uses in education, for example, possible through the use of second-hand PCs in developing nations? We reckon these more than outweigh the possible misuse of some computers at the fringes of such programs.

We wanted to quiz Kaspersky more closely on his comments but he wasn't available to speak to us at the time of going to press. A spokesman for Kaspersky Labs agreed that PC donation programs have benefits but maintained that in countries with "fewer legitimate openings" for work the possibility of "unintended side effects" can't be overlooked. He said that Eugene Kaspersky's comments should be viewed in the context of a wider discussion of criminal virus writing, contained in an essay on the anti-virus industry here.

From isn at c4i.org Wed Jun 14 04:06:05 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:06:05 -0500 (CDT)
Subject: [ISN] Black Hat Speakers + 2005 Content on-line
Message-ID:

Forwarded from: Jeff Moss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello ISN readers,

I have a brief announcement I would like to make. The speaker selection for Black Hat USA 2006 is now complete. We have a fantastic line up of Briefings presentations and our largest selection of Training this year.

Briefings: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-schedule.html
Training: http://www.blackhat.com/html/bh-usa-06/train-bh-usa-06-index.html

For the first time in four years, we have been able to expand our speaking line. This is because Caesars Palace has expanded their conference space, and Black Hat will be getting the entire fourth floor to ourselves!
This means that for the first time in four years, we were able to expand the number of presentation tracks and panels, as well as offer more opportunities for networking in our Human Network area.

Some notes from the schedule:

* A Root-kit focused track draws attention to the amount of work, and the speed of advancement, going into this field.

* Ajax to Fuzzers -- web app sec is taken to a new level. The largest number of talks dealing with web application security ever delivered at a Black Hat. As the web moves to a more interactive "web 2.0" model of participation it is only natural for there to be more risks involved.

* A Windows Vista Security track, which has been garnering a lot of press lately... this will be an unprecedented first comprehensive look at Vista security issues.

* Jim Christie is bringing his "Meet the Fed" panel over from DEF CON, and the Hacker Court is back along with panels on Disclosure, a Public Forum on Corporate Spyware Threats hosted by The Center for Democracy and Technology Anti-Spyware Coalition, and a new challenge will be presented by the Jericho Forum.

Remember, prices increase July 1st for both the Briefings and Trainings. Register now to get the best rates!

http://www.blackhat.com/html/bh-registration/bh-registration.html#us

Other News:

Black Hat is pleased to release the presentations from last year's Black Hat 2005 Briefings in both audio and video format. Also a first, they will be available for download in both H.264 .mp4 format (iPod compatible) as well as .mp3 audio. Currently you have to subscribe to the Black Hat .rss feed to get them, but in the coming weeks we will make them available through the past conventions archive page.

http://www.blackhat.com/BlackHatRSS.xml

Black Hat would like to welcome the ISSA as a world wide supporting association.
http://www.issa.org/

Thank you,

Jeff Moss

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBRI9L4kqsDNqTZ/G1AQKjlQgAnLKMSLL6Uc4BznLQ+sGkCf+v4kBXmSR2
ogJYZ8eciZxwJMrAFGhXGhJOHGQJxp2U/HEnISNhg+3W6TGhyl9rVO62z+2aBSfw
bvb+RSWWgMitiQqZcsRO8LkPorJlnpHSLzNxpH1GaVLFyJ17YwSCm1a/n2QPv+Pq
4nlC3KLKwgmFXY6uAkg95InvOeLly5uIelAGEllzIZ676A4fp5VMBeXtT/PDJwbs
49nZE8IPmxFPL1d9V47eWmjNpqMZBtNHuTaEhBhpWc1YbY0oE7Txv0EFWY2HGBLZ
S4XnlJCO9rbD1y0fbd1qof3BKVGW/nXaBG9SBOnctbFSDeyEVUTD3w==
=++JQ
-----END PGP SIGNATURE-----

From isn at c4i.org Wed Jun 14 04:04:58 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:04:58 -0500 (CDT)
Subject: [ISN] ...and now a word from one of our long time sponsors
Message-ID:

http://attrition.org/news/content/06-06-13.001.html

Cliff Notes: If you drink Coca-Cola products, email the 'coke reward' code to cokerewards at attrition.org to support a bunch of wack job heathens

How many times have you thought, "If everyone sent me one penny, I'd be rich!?" In the case of attrition staff, maybe you thought "If everyone sent me one beer, I'd need a new liver in three months!"

Attrition has been going strong for almost eight years now. In that time we haven't plagued the site with ad banners, pop-ups, or even the cute little google ad-words. We've accepted PayPal donations for several years and raked in a whopping 250 bucks (which we are honestly very thankful for). Our Amazon wishlists are never used, half the mail we get is mindless drivel complaining about insipid crap that is usually answered by actually reading the web pages. The box has been fully replaced two times due to hardware problems, payments are routinely made to our landlord for the bandwidth abuse and to keep him too drunk to find our power plug. In short, this isn't a site based around profit or self reward. We're more like those monks that inflict self pain thinking it brings them closer to a higher power. Misguided, pain-ridden, stupid monks.
Since we've long been fans of the sci-fi idea of 'micro payments', and no system is in place for such a beast to really work, we've come up with one. Now you too can actually support the site without sending us money or hate mail.

Chances are, you are a cracked-out coke fiend like most of us. I prefer the hard-core street drug they call "Coke Zero" these days, moving on from the weak suburban "Diet Coke" or that old-folks home "Caffeine Free Diet Coke" that Munge sips on between shots of Everclear. If you support Coca-Cola like a true patriot, and not those Pepsi jerks like a terrorist would, then you are in the perfect position to contribute.

Coca-Cola is running a promotion where you receive a code for each purchase you make. With those codes, you register on one of their web sites and type in the codes to earn points. Enough points and you can earn various prizes, most of which are not worth the time to read about on the web site. If you click around enough, you get to the distant "10,000+ Points" reward list, and things become brighter. In this "pipe dream" category is a pretty swell Sony LCD HDTV that would be a nice reward for the pain and suffering we're put through.

So, next time you are getting your fix, take a few seconds to type in the coke code and mail it to us. Only takes a minute of your time and you can spend the rest of the day bragging about how you supported a non-profit site on the intarweb. The codes can be found inside the bottle caps of 2 liter, 1 liter or 20oz bottles, or in the tear off flap of 12-pack cases. They can be found in just about every variety of Coca-Cola products and look something like BNMW7 Y49XR 4X7VJ.

This is it net denizens. Some 100,000,000 of you out there, and all it takes is 2,000 of you to mail in the code from a single 12-pack to reach our goal. You would be showing a small token of appreciation for eight years of hard work and it doesn't even require a visit to the post office.
If you send in 100 points worth of codes (ten cases, or 33 bottles), we'll hook you up with private access to the old image gallery we used to make available (shut down long ago due to bandwidth abuse), which is up to 5,263 unique images of all varieties, and zero advertisements.

That's it, simple and possibly rewarding.

cokerewards at attrition.org

Cut this out and post it at your work lounge!

.------------------------------.
|                              |
| E-mail Coca-Cola Reward Code |
|      to the heathens at      |
| cokerewards at attrition.org |
|                              |
`------------------------------'

From isn at c4i.org Wed Jun 14 04:05:27 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:05:27 -0500 (CDT)
Subject: [ISN] ADSM endorses XBRL technology
Message-ID:

http://www.itp.net/business/news/details.php?id=21007

By David Ingham
13 June 2006

Abu Dhabi Securities Market (ADSM) has recently taken further steps to boost market transparency and improve its information technology systems. ADSM has declared its aim to become ISO 17799 compliant and has thrown its weight behind the XBRL information reporting standard.

EXtensible business reporting language (XBRL) enables computer-readable tags to be applied to individual items of financial data in business reports. This helps to turn them from blocks of text into information that can be understood and processed by computer software.

"XBRL complements ADSM's programme to adopt international best practise standards of regulation and governance throughout the UAE markets," said Rashed Al Baloushi, acting director general of ADSM. "It will give investors better access to a company's financial information, allowing them to make more informed decisions.

"Furthermore, analysts will be able to compare detailed data more efficiently and with increased accuracy. Under the current system, it can be difficult to benchmark data efficiently."
ADSM said it will encourage all listed companies to adopt the technology, which it says can reduce data processing costs in addition to improving transparency. It has already held one educational seminar, which was attended by listed UAE companies and representatives from other markets in the region.

Separately, ADSM has said that it plans to become the first UAE bourse to achieve ISO 17799 certification. ISO 17799 is a set of procedures designed to help companies improve their level of information security. It covers ten aspects of e-security, including policies & procedures, access control and business continuity. Company and Cybertrust have been appointed to help ADSM benchmark its systems against the ISO 17799 requirements.

"Since ADSM was established, we have been constantly reviewing and updating our security systems in line with our growth," said Khalfan Al Mazrouei, IT manager of ADSM. "But, in order to bring our systems up to international standards we need ISO 17799 certification."

From isn at c4i.org Thu Jun 15 02:24:27 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:24:27 -0500 (CDT)
Subject: [ISN] Stolen computer server sparks ID theft fears
Message-ID:

http://msnbc.msn.com/id/13327187/

By Jim Popkin, Tim Sandler & the NBC Investigative Unit
NBC News
June 14, 2006

WASHINGTON - A thief recently stole a computer server belonging to a major U.S. insurance company, and company officials now fear that the personal data of nearly 1 million people could be at risk, insurance industry sources tell NBC News.

The computer server contains personal electronic data for 930,000 Americans, including names, Social Security numbers and tens of thousands of medical records. The server was stolen on March 31, along with a camcorder and other office equipment, during a break-in at a Midwest office of American Insurance Group (AIG), company officials confirm.
An AIG spokesman says that there's no evidence that the thief has accessed the personal data on the server or used it for any illicit purpose. The server is password protected, the AIG spokesman adds.

The server contains detailed personal data from 930,000 prospective AIG customers, whose information had been forwarded to the insurance firm from 690 insurance brokers around the country. The potential customers' employers were shopping with AIG for rates for excess medical coverage, the spokesman says, when they forwarded the personal data to AIG.

AIG has not yet notified any of the people whose personal data are on the stolen server. AIG security officials have been conducting a forensic analysis of the theft, and warned the 690 insurance brokers of the problem on May 26.

The AIG spokesman tells NBC: "There is no indication that the thieves were seeking data, rather than valuable hardware....To date, we are unaware of any of this information being compromised."

In a police report on the incident, officers in the Midwestern city state that the stolen server was worth $10,000. The police write that the thief "came through the ceiling, going into their [AIG's] server room." NBC News is not identifying the city at the company's request, so as to not tip off the thief who may not realize he/she has valuable personal information.

AIG describes itself as "the leading international insurance organization with operations in more than 130 countries and jurisdictions." Ironically, an AIG member company announced earlier this year that it now offers identity-theft insurance coverage.

© 2006 MSNBC Interactive

From isn at c4i.org Thu Jun 15 02:24:48 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:24:48 -0500 (CDT)
Subject: [ISN] Intelligence can be pretty dumb
Message-ID:

http://www.theinquirer.net/?article=32411

By Nick Booth
14 June 2006

SECURITY FIRMS must be ruthlessly cunning and intelligent to stay ahead of the fiendish legions of hackers, crackers and cunning con artists they constantly warn us about. Or so you'd think. But not if this recent example of 'intelligence' is typical.

All companies keep tabs on the opposition. Usually, they employ competitive intelligence companies, who use all kinds of dirty tricks to find out about rivals' products, their marketing strategies and the incentives offered to resellers.

A typically fiendish scam would be to set up a phoney head hunting agency, then invite everyone that matters, at the target firm, for an "off the record" interview. Flattered by the attention, most CTOs and marketing directors are only too pleased to boast of the projects they're working on, the budgets they're in charge of and how many people are under them. This information is all tabulated, and sold for hundreds of thousands of dollars, to the client. Clients like to outsource this furtive behaviour so they can distance themselves from it if they get caught. Very cunning.

Some security firms are slightly less sophisticated, it seems. When security vendor Countersnipe launched its latest product, it expected a few bogus enquiries from its rivals. But a request from an outfit calling themselves Ychange seemed genuine enough. 'Jeff' from Ychange saw a demo and was so impressed he promised to show the product to Superluminal, his financial services client, which was just gagging to place a multi-million dollar order.

But a quick Whois check revealed that Superluminal's web site was owned by one of Countersnipe's rivals, Sourcefire.
Perhaps Sourcefire didn't think anyone else would know about this new-fangled Internet thing.

"This has to be the least sophisticated attempt at spying I've ever seen," laughed Countersnipe's Amar Rathore, "I wouldn't mind, but they're a security firm, for God's sake. You'd think they'd know some cleverer tricks than that."

Sourcefire was unavailable for comment.

From isn at c4i.org Thu Jun 15 02:25:24 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:25:24 -0500 (CDT)
Subject: [ISN] Spam Is Good for Antispam Vendors
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

St. Bernard Software
http://list.windowsitpro.com/t?ctl=2E774:4FB69

Patchlink
http://list.windowsitpro.com/t?ctl=2E786:4FB69

CrossTec
http://list.windowsitpro.com/t?ctl=2E76E:4FB69

====================

1. In Focus: Spam Is Good for Antispam Vendors

2. Security News and Features
- Recent Security Vulnerabilities
- Microsoft Releases Rebranded Antigen Products
- 180solutions Merges with Hotbar, Renames Company Zango
- Two-Factor Authentication Tokens

3. Security Toolkit
- Security Matters Blog
- FAQ
- Share Your Security Tips

4. New and Improved
- Host-Based IPS Monitors Application Behavior

====================

==== Sponsor: St. Bernard Software ====

Get the #1 Ranked Internet Filtering Appliance Free

iPrism, ranked #1 by IDC, gives you comprehensive protection from Web-based threats at the perimeter - spyware, IM and P2P are stopped before they can invade your networks. Now, get the appliance at no charge when you purchase a multi-year subscription. This is a limited-time offer, so get a Quick Quote today.
http://list.windowsitpro.com/t?ctl=2E774:4FB69

====================

==== 1.
In Focus: Spam Is Good for Antispam Vendors ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about Okopipi--the current successor to Blue Security's Blue Frog antispam service. In closing that article, I described a dream situation in which Microsoft philanthropically backs the Okopipi project and bundles the antispam solution with every copy of Windows. This week, I'll point out some statistics and financial figures that show why I think that dream will never become a reality-- not with Microsoft or any other major antispam-solution provider.

First, let's look at the cost of spam for businesses: In February 2005, Ferris Research said, "Lost productivity and other expenses associated with spam will cost US businesses $17 billion in 2005.... Worldwide costs could reach $50 billion, primarily because of lost employee productivity. Not included in these figures are immeasurable items, such as the missed opportunity cost of a new customer order that's incorrectly discarded as spam." That's a lot of incentive for businesses to implement antispam solutions.
http://list.windowsitpro.com/t?ctl=2E77B:4FB69

Next, let's look at antispam-solution revenue figures: Also in February 2005, IDC predicted that "...worldwide revenue for antispam solutions will exceed $1.7 billion in 2008, far surpassing the $300 million generated in 2003.... [The] development of spam from a mere nuisance to an increasingly serious problem [is] the driver for explosive revenue growth, innovation, and investment in the antispam market. The worldwide revenue for antispam solutions will experience a compound annual growth rate (CAGR) of 42% through 2008."
http://list.windowsitpro.com/t?ctl=2E77A:4FB69

Now let's look at email usage and spam volume growth: In January 2006, the Radicati Group estimated that there were more than 1.2 billion active email accounts. Worldwide email traffic per day was about 135 billion messages, of which 67 percent were spam.
Then in May 2006, Radicati estimated that there were nearly 1.4 billion active email accounts and worldwide email traffic per day of about 171 billion messages, of which 71 percent were spam.
http://list.windowsitpro.com/t?ctl=2E771:4FB69
http://list.windowsitpro.com/t?ctl=2E775:4FB69

Summarizing Radicati's data, the number of mailboxes increased by 200 million, the volume of email traffic increased by 36 million messages, and the volume of spam increased by 31 million messages--all in less than half a year! The increases represent a tremendous gain in potential customers for antispam vendors, which of course can readily equate to huge increases in revenue.

The spam problem has given birth to a billion-dollar market for antispam-solution providers. If we keep in mind that most companies exist for the primary purpose of generating income for their owners and investors, then we can easily see that no current antispam vendor has the impetus to stamp out spam because doing so would run counter to its fiduciary responsibility. Therefore, the Okopipi project will probably not be seen in a good light by any antispam-solution provider, except of course one that finds a way to profit from the ultimate antispam solution of stamping out spam completely.

====================

==== Sponsor: PatchLink ====

Does your patch management solution automatically track and re-deploy to ensure network security? 20% of patches unknowingly become un-patched. Learn more about automating the analysis, distribution and tracking of security patches using PatchLink's security patch & vulnerability management solution -- the world's largest repository of tested patches. Request a free trial disk.
http://list.windowsitpro.com/t?ctl=2E786:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities.
You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=2E773:4FB69

Microsoft Releases Rebranded Antigen Products
Microsoft announced the first release of its rebranded Antigen antivirus and antispam products for email systems. Microsoft acquired the Antigen product line with the 2005 purchase of Sybari Software. Read more about the Microsoft versions at
http://list.windowsitpro.com/t?ctl=2E77E:4FB69

180solutions Merges with Hotbar, Renames Company Zango
The often scrutinized adware company 180solutions announced that effective immediately it will merge with Hotbar and rename the newly combined entity Zango.
http://list.windowsitpro.com/t?ctl=2E77F:4FB69

Two-Factor Authentication Tokens
Two-factor authentication offers stronger security and easier access than having to remember numerous passwords. Our buyer's guide helps you find the right two-factor solution to fit your needs.
http://list.windowsitpro.com/t?ctl=2E77C:4FB69

====================

==== Resources and Events ====

Win a new iPod (for Mac or PC)
Download a Windows IT Pro podcast on Windows IT Pro Radio by your favorite author, editor, or industry figure. You'll automatically be entered to win!
http://list.windowsitpro.com/t?ctl=2E787:4FB69

Maximize your VoIP environment by integrating FoIP technology to increase ROI and streamline processes.
http://list.windowsitpro.com/t?ctl=2E772:4FB69

Attend Black Hat 2006 in Las Vegas July 29 - August 3; 2,500+ international security experts, 10 tracks, no vendor sales pitches.
http://list.windowsitpro.com/t?ctl=2E78A:4FB69

Pop Quiz! Can you pass the Windows Server High Availability Challenge? Find out, and you could win a Video iPod.
http://list.windowsitpro.com/t?ctl=2E784:4FB69

How will compliance regulations affect your IT infrastructure? Help design your retention and retrieval, privacy, and security policies to make sure that your organization is compliant. Download the full ebook today!
http://list.windowsitpro.com/t?ctl=2E770:4FB69

Attend TechDays 2006--two days of technical training for IT Professionals on Microsoft and Cisco Technologies, Fri. 6/23 and Sat. 6/24 from 9am-4pm (both days). Located at Diablo Valley College, Pleasant Hill, CA. Price is $1299. Your cost is $299 and includes lunch, drink, snacks and all the information your mind can hold! Enter code PENTON when you register at
http://list.windowsitpro.com/t?ctl=2E783:4FB69

====================

==== Featured White Paper ====

Extend Windows Rights Management Services (RMS) to support enterprise requirements for protecting information, including proprietary business data.
http://list.windowsitpro.com/t?ctl=2E76F:4FB69

Bonus: When you download any white paper from Windows IT Pro before June 30, you'll be entered to win Bose Triport Headphones. See the full selection today at
http://list.windowsitpro.com/t?ctl=2E785:4FB69

====================

==== Hot Spot ====

Spending too much time monitoring security alerts? New Activeworx Security Center v3 collects event logs from all of your various security devices (Firewalls, AV, IDS, etc) to provide a single dashboard view. ASC includes real-time correlation and analysis, alerts, built-in compliance reports and deep forensics. Free white paper, webinar and evals available.
http://list.windowsitpro.com/t?ctl=2E76E:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Windows Genuine Advantage, Phone Home
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2E782:4FB69

We should have known: Microsoft's Windows Genuine Advantage tool phones home daily, and that fact isn't disclosed in the End User License Agreement (EULA). Find out more in this blog article on our Web site.
http://list.windowsitpro.com/t?ctl=2E780:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=2E781:4FB69

Q: How do I enable logging of file screen violations?
Find the answer at
http://list.windowsitpro.com/t?ctl=2E77D:4FB69

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

====================

==== Announcements ====
(from Windows IT Pro and its partners)

Summer Special--Save 58% off Windows IT Pro
Subscribe to Windows IT Pro today and SAVE 58%! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful articles. This is a limited-time offer, so order now:
http://list.windowsitpro.com/t?ctl=2E777:4FB69

June Special--Save $80 off the Windows IT Security newsletter
Get endless solutions for building and maintaining a secure enterprise. Subscribe to the Windows IT Security newsletter today and save $80:
http://list.windowsitpro.com/t?ctl=2E778:4FB69

====================

==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Host-Based IPS Monitors Application Behavior
S.N. Safe & Software recently released the Safe'n'Sec host-based intrusion prevention system (IPS). Safe'n'Sec intercepts application calls at the OS level, granting or denying system access to an app based on a variety of criteria, such as the app's hard disk location, the existence of a digital signature for the app, and whether the app is on a list of core "safe" applications. Safe'n'Sec vets periodic updates to core apps, and Safe'n'Sec users can define policies to govern the behavior of apps. The version for small to midsized businesses (SMBs), Safe'n'Sec Business, offers antivirus and antispyware protection and centralized remote and corporate network administration.
For more information, go to
http://list.windowsitpro.com/t?ctl=2E789:4FB69

Tell Us About a Hot Product and Get a Best Buy Gift Card!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Best Buy Gift Card if we write about the product in a Windows IT Pro What's Hot column. Send your product suggestion with information about how the product has helped you to whatshot at windowsitpro.com.

====================

==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2E788:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com

====================

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=2E779:4FB69

View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

From isn at c4i.org Thu Jun 15 02:25:42 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:25:42 -0500 (CDT)
Subject: [ISN] Hacker disrupts state disaster site
Message-ID:

http://www.tallahassee.com/apps/pbcs.dll/article?AID=/20060614/NEWS01/606140312

By Stephen D. Price
CAPITOL BUREAU
June 14, 2006

As Tropical Storm Alberto barreled toward Florida, a computer hacker disrupted public access to the state's emergency Web site for about 20 minutes Tuesday morning, but the glitch did not affect emergency workers, officials said.
The Web site, www.floridadisaster.org, is set up by the Division of Emergency Management and allows Floridians to access information about emergency situations. The problem delayed a briefing by emergency workers.

"Someone intentionally did this," said Carla Boyce, plans chief for the Division of Services Management. "Loopholes get discovered and hackers take advantage of them."

The Florida Department of Law Enforcement is investigating the incident.

At 7:30 Tuesday morning, emergency workers noticed the site showed error messages, said David Halstead, State Emergency Response Team chief. He said a similar problem happened a week ago.

"It takes someone with good computer skills to do this," Halstead said.

Boyce said workers are reviewing logs and network tools for clues to learn who did the hacking and from where. The problem was fixed, and extra precautions are being taken so it doesn't happen again, she said.

From isn at c4i.org Thu Jun 15 02:26:09 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:26:09 -0500 (CDT)
Subject: [ISN] VA IT security gaps extend to contractors
Message-ID:

http://www.gcn.com/online/vol1_no1/41035-1.html

By Mary Mosquera
GCN Staff
06/14/06

The Veterans Affairs Department said today that it has been investigating allegations that an offshore medical transcription subcontractor last year threatened to expose 30,000 veterans' electronic health records on the Internet in a payment dispute with a VA contractor.

The VA assistant inspector general referred to the investigation during questioning in a congressional hearing on VA's data security environment in the wake of the theft of sensitive data of 26.5 million veterans, active duty military and reserves officers.

The medical transcription incident highlights how gaps in information security also extend to contractors, said Michael Staley, VA's assistant inspector general for auditing.
Some VA medical transcription contractors have used offshore subcontractors in India and Pakistan without VA's approval and without adequate controls to ensure veterans' health information was secure under the Health Insurance Portability and Accountability Act, according to an audit released today.

"Contracts do not specify criteria for how to protect information," Staley told the House Veterans Affairs Committee.

Staley enumerated audits of information management security under the Federal Information Security Management Act, the Consolidated Financial Statement and Combined Assessment Program that revealed significant vulnerabilities. These include VA not controlling and monitoring employee access, not restricting users to only the data they need and not terminating accounts of departing employees in a timely manner.

In last year's FISMA review, the IG provided 16 recommendations, including addressing security vulnerabilities of unauthorized access and misuse of sensitive information and data throughout VA demonstrated during its field testing. All 16 recommendations remain open, he said.

Audits also found instances where out-based employees send veterans' medical information to the VA regional office through unencrypted e-mail; monitoring remote network access and usage does not routinely occur; and off-duty users' access to VA computer systems and sensitive information is not restricted.

"VA has implemented some recommendations for specific locations identified but has not made corrections VA-wide," he said.

From fiscal years 2000 to 2005, the IG identified IT and security deficiencies in 141, or 78 percent, of 181 Veterans Health Administration facilities reviewed, and 37, or 67 percent, of the 55 Veterans Benefits Administration facilities reviewed.
"We recommended that VA pursue a more centralized approach, apply appropriate resources and establish a clear chain of command and accountability structure to implement and enforce IT internal controls," Staley said. The underlying situation is the VA's department CIO does not have authority to enforce compliance with data security and information management and recommendations from GAO, said Veterans Affairs Committee chairman Steve Buyer (R-Ind.). Buyer traced problems in security enforcement to a memo dated April 2004 from the general counsel that said the department CIO did not have enforcement authority. The CIO, undersecretaries who lead VA's benefits, health and burial administrations, and the VA secretary share responsibility for enforcement, said Gregory Wilshusen, director of information security issues for the Government Accountability Office. "Information security is a governmentwide problem, and we have talked with OMB about that," said Linda Koontz, director of GAO's information management issues. Buyer expressed frustration that there are no consequences for "recalcitrant" agencies that do not correct problems that GAO has repeatedly highlighted. He cited the Privacy Act, which has been strengthened with consequences. "If you have a bureaucracy so strong in the department that the secretary or political bodies are unable to act, don't you think the president or vice president or OMB needs to know that because there are monetary consequences behind that inaction? I'm bothered that GAO doesn't have the higher authority to which they can turn," Buyer said after the hearing. After several more hearings this month, Buyer and his committee will make recommendations or craft legislation. He suggested that Congress consider looking at strengthening FISMA. "We can even come up with that in our language, but we're not going to have jurisdiction over that. We'll have to work with Mr. 
Davis [House Government Reform Committee chairman Tom Davis (R-Va.)] and his committee. I'd be more than happy to do that," he said. From isn at c4i.org Thu Jun 15 02:26:36 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 15 Jun 2006 01:26:36 -0500 (CDT) Subject: [ISN] FBI loses 400 pieces of equipment Message-ID: http://www.upi.com/SecurityTerrorism/view.php?StoryID=20060614-024108-3918r 6/14/2006 WASHINGTON, June 14 (UPI) -- The U.S. FBI may have lost 400 pieces of equipment, National Journal's Technology Daily reported Monday. The Federal Bureau of Investigation still has not told the Government Accountability Office what has happened to hundreds of pieces of equipment that were supposed to be part of a failed department-wide case-management system. "The FBI also has not provided any additional explanation for the remaining roughly 400 missing assets," Linda Calbom, the GAO's director of financial management and assurance, wrote in a letter. The letter, dated Friday, was addressed to Senate Judiciary Committee Chairman Arlen Specter, R-Pa., and addressed many of the follow-up questions that the committee had for GAO. The GAO released a report in May detailing the flaws in the FBI's Trilogy system, Technology Daily said. It reported that the FBI could not locate more than 1,200 pieces of equipment, valued at about $7.6 million. The FBI responded by saying that it had accounted for 800 of those items, but GAO could not verify that claim, Calbom wrote, the report said. © Copyright 2006 United Press International, Inc. 
All Rights Reserved From isn at c4i.org Thu Jun 15 02:27:08 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 15 Jun 2006 01:27:08 -0500 (CDT) Subject: [ISN] Money lost to cybercrime down--again Message-ID: http://news.com.com/2100-7349_3-6083860.html By Joris Evers Staff Writer, CNET News.com June 14, 2006 SCOTTSDALE, Ariz.--While many headlines spell doom and gloom when it comes to computer-related misdeeds, the average losses at businesses due to cybercrime continue to drop, according to a new survey. For the fourth straight year, the financial losses incurred by businesses due to incidents such as computer break-ins have fallen, according to the 2006 annual survey by the Computer Security Institute and the FBI. Robert Richardson, editorial director at the CSI, discussed the survey's findings in a presentation at the CSI NetSec conference here Wednesday. Respondents in the 2005 survey reported an average of $204,000 in cybercrime losses, Richardson said. This year, that's down to $168,000, about an 18 percent drop, he added. Compared with 2004, the average loss is down 68 percent. "How do you go about reconciling the sense of things getting worse with the respondents who are saying they are losing less money?" Richardson asked. The 2006 survey, a final version of which is slated to be released next month, could provide some answers. Most important, perhaps, the 615 U.S. CSI members who responded to this year's survey reported fewer security incidents. Viruses, laptop theft and insider abuse of Net access are still the most reported threats, but all have decreased compared with last year. "The danger of insiders may be somewhat overstated, according to the survey group," Richardson said. About a third of respondents said they had no losses at all due to insider threats, another 29 percent said less than one-fifth of overall losses came from insider threats. 
Consistent use of security technology may also contribute to the improvements, with essentially all of the respondents stating that they use firewall and antivirus software, not much of a change from last year. This year, eight out of 10 said they also use spyware protection, a category not listed a year ago. "Overall, you have a picture that is pretty good in many ways," Richardson said. "We're seeing fewer of some of the attacks that have been such a plague for us in many years, and respondents are using less and less money." That "less money" may be good for companies, but not for security vendors. It refers to the percentage of IT budgets spent on security. In the 2006 survey, nearly half of the respondents said less than 2 percent of the budget is spent on security. Last year that percentage was 35 percent. When it comes to cybercrime losses, consumers might be bearing the brunt of them, and they are not covered by the survey, Richardson suggested. "Consumers are the low-hanging fruit," he said. Costs related to identity theft, for example, fall largely back onto the consumer, he added, even if it did start with a data breach at an enterprise. Copyright © 1995-2006 CNET Networks, Inc. All rights reserved. From isn at c4i.org Thu Jun 15 02:27:36 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 15 Jun 2006 01:27:36 -0500 (CDT) Subject: [ISN] Exploits for Microsoft flaws circulating Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001182 By Jaikumar Vijayan Computerworld June 14, 2006 Security firms are warning about the availability of attack code targeting some of the flaws for which Microsoft Corp. released patches yesterday (see "Microsoft releases fixes for 21 vulnerabilities" [1]). Most of the exploits target flaws that were previously known but for which patches became available only as part of Microsoft's June monthly security update. 
But at least two publicly available exploits are directed at newly disclosed flaws in the company's products. "Exploit code had already existed for three of the vulnerabilities prior to yesterday, as they were already public issues," said Michael Sutton, director of VeriSign Inc.'s iDefense Labs. "Beyond that, we're seeing public exploit code emerge for some of the new vulnerabilities and are hearing rumors of private code existing for others." The availability of such exploits heightens the risk for companies that have not yet been able to patch their systems and is an important factor to consider when deciding which systems to patch first, he said. "We believe that it is far more beneficial to withhold proof-of-concept code for an amount of time so that customers can get the vulnerabilities patched," said Stephen Toulouse, security program manager at Microsoft's security response center. "The public broadcasting of code so quickly after a bulletin release, we believe, tends to help attackers." Microsoft is telling its customers to pay special attention to three key updates -- MS06-021, MS06-022 and MS06-023 -- because they could be particularly easy to exploit using Internet Explorer. "There are methods by which if you just browse to a Web site, there could be code execution," Toulouse said. According to iDefense, some form of exploit code is publicly available against the cross-domain information disclosure vulnerability described in bulletins MS06-021, the address bar spoofing flaw in MS06-021 and the Word malformed object pointer vulnerability described in MS06-027. All three were previously known flaws and were given a severity rating of "critical" by Microsoft. In addition, exploits have also become publicly available for both of the newly disclosed server message block vulnerabilities in MS06-030, according to iDefense. The SANS Internet Storm Center this morning posted a note also listing exploits released by penetration-testing vendors to customers. 
One of the exploits was directed against the Windows Media Player flaw in MS06-024, while the other was targeted at the routing and remote-access vulnerability in MS06-025. Denial-of-service attack codes are also privately available for a TCP/IP flaw in MS06-032, according to SANS. Outside of the Word malware, which began circulating last month, Microsoft has not yet seen any of these exploits used by attackers, Toulouse said. The availability of exploit code once again shows that there is no longer any "patching window" for companies, said Johannes Ullrich, chief research officer at the Internet Storm Center. "Companies don't have the luxury of sitting back and waiting," Ullrich said. "They have to expect that public exploits will become available the day after vulnerabilities are disclosed, and they have to expedite the patching process," despite the challenges involved, he said. Robert McMillan of the IDG News service contributed to this report. [1] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001163 From isn at c4i.org Fri Jun 16 04:28:56 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 16 Jun 2006 03:28:56 -0500 (CDT) Subject: [ISN] NBA investigates security breach Message-ID: http://www.palmbeachpost.com/heat/content/sports/epaper/2006/06/15/a8c_mavsnotes_0615.html By Tom D'Angelo Palm Beach Post Staff Writer June 15, 2006 MIAMI - NBA security continues to investigate a breach that allowed two women who were unauthorized to enter the Dallas Mavericks' locker room following Miami's Game 3 victory and wander into the showers. Dallas forward Josh Howard chased the women out of the showers. They then were escorted out of the building. No arrests were made. "We're continuing to review the situation but we will certainly have enhanced security for the remaining games of the series," NBA spokesperson Tim Frank said. Some Mavericks players believe the women took pictures with camera phones before the phones were confiscated. 
The NBA would not comment on the possibility that pictures were taken. "There have been situations in the NBA where things happen, but that might be the wildest situation that I have ever seen," Mavericks guard Darrell Armstrong said. "I have never seen that before." [...] From isn at c4i.org Fri Jun 16 04:29:12 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 16 Jun 2006 03:29:12 -0500 (CDT) Subject: [ISN] ...and now a word from one of our sponsors II Message-ID: http://attrition.org/news/content/06-06-15.001.html After a frustrating day at the coke web site (mycokerewards.com which leads to another server/domain), I finally got all the FAQs and rules to load. Frustrating because the site is poorly written, the pages randomly 404, inputting codez or entering the daily contests error out frequently. Add to that the codes are not always 100% legible on the bottles and boxes. Anyway, after a little math, I see that this loyalty reward program is a complete scam! Here are a few key rules: http://mcr.us.icoke.com/rules.do 1. The Program begins at 12:00 p.m. Eastern Time (ET) on February 27, 2006 and is scheduled to end at 12:00 p.m. ET on January 15, 2007 The Website will indicate whether there is an active Double Points period in effect. 3. Codes can only be used 1 time. Limit: 10 valid codes per Account, per day (12:00 p.m. ET through 11:59 a.m. ET). However, if an Enrollee enters 20 invalid codes before entering 10 valid codes, Enrollee will be unable to enter any more codes for that day. Enrollees may not combine codes obtained by others for deposit into a single Enrollees account, nor transfer, sell, or otherwise dispose of codes in any manner in violation or attempted subversion of these Terms and Conditions. Any attempt to combine or transfer codes or points will result in disqualification from the Program and forfeiture of all points in any Enrollees Account. 9. 
Enrollees must save the bottle cap, product packaging, and/or promotional item with official code for at least 90 days after the date Enrollee redeems an item online, as it may be necessary to submit it later for verification. 3. The Program is provided to individuals only. Corporations, associations or other groups may not participate in the Program. Cliff notes: You alone, not a group/company/association, must enter the contest. You have 322 days to input codes, but only 10 codes a day. That is 100 points a day max, for 32,220 points total. So the 20,000 point TV and the rewards for 24,000+ seem feasible. Until you see that you can't combine codes from other people, and must keep the physical cap/box with the code for 90 days after prize redemption. In short, they think that a single person can purchase and presumably consume *2,000* cases of coke in 322 days? If you can drink 74.5 cans of coke per day, every day, for the entire duration of the contest, then you have a chance of getting that prize. Does Coca-cola realize it has implemented a loyalty program that baits people into participating, but won't actually give out the rewards because it isn't possible as outlined in the rules? Is this a cheap gimmick or corporate oversight? I'd like to find out. I'm still aiming to get codes from the masses.. but now, instead of a nice TV as a generous reward for eight years of indentured servitude, it is likely going to be a chance to write a scathing article about corporate lies and the reality of such loyalty reward programs. If I get 20,000 points (which is only now possible if they carry through with the 'double point' days), will they actually part with said TV? Let's find out. 
From isn at c4i.org Fri Jun 16 04:29:32 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 16 Jun 2006 03:29:32 -0500 (CDT) Subject: [ISN] Microsoft Has a Big Date Set with 'Black Hat' Hackers Message-ID: http://www.eweek.com/article2/0,1759,1976171,00.asp By Ryan Naraine June 13, 2006 Microsoft's Windows Vista has a date with some of the world's smartest hackers. The software maker will use the spotlight of the Black Hat security conference in August to show off some of the key security features and functionality being fitted into Vista. Microsoft's appearance on the Black Hat stage is a first on many fronts. Microsoft will be the first software vendor to present an entire Black Hat Briefing track on a pre-release product. It is also the first time a representative from Redmond, Wash., will make an official presentation at the controversial hacker confab. According to Microsoft program manager Stephen Toulouse, the idea is to provide "deeply technical presentations" on Vista security to the hacking community. "We submitted several presentations to the Black Hat event organizers and, based on the technical merit and interest to the audience, they were accepted," Toulouse said. In total, the day-long track will include five presentations from Microsoft security engineers, and Toulouse said researchers and architects from Redmond will also be actively participating in the event. "We want to make sure we're gathering as much feedback as we can, so that Windows Vista succeeds as the most secure version of Windows ever released," he added. The sessions will include a talk by John Lambert, group manager in Microsoft's Security Engineering and Communications Group, on the security engineering process behind Windows Vista. Lambert is expected to hold up Vista as the first end-to-end major operating system release in the Trustworthy Computing era from Microsoft. 
His talk will cover how the Vista engineering process is different from Windows XP and details from what is described as the "largest-commercial-pentest-in-the-world." Lambert plans to give Black Hat researchers a sneak peek at some of the new mitigations in Vista that combat memory overwrite vulnerabilities. Wi-Fi in Vista will also come under the microscope when Noel Anderson, group manager in Microsoft's wireless networking group, talks about the way the operating system will handle support for 802.11 wireless technologies. Anderson is expected to outline the new UI experience and updated Wi-Fi default behaviors in Vista and information on a new software stack that is designed to be more secure, more open and extensible. He is expected to describe the various components of the stack and show developers how to create code to modify and extend the client. Anderson will also outline the different ways Microsoft tests Wi-Fi in the new operating system. Also on the Black Hat agenda is a talk by Abolade Gbadegesin, an architect in Microsoft's Windows Networking and Device Technologies Division, on the way Microsoft rearchitected and rewrote the TCP/IP stack in Vista. Adrian Marinescu, a lead developer in the Windows Kernel group will outline the enhancements made in Vista's heap manager to show how the OS has been hardened to thwart certain types of heap usage attacks. Microsoft previously fitted technology into Windows Server 2003 and Windows XP SP2 to reduce the reliability of heap usage attacks, but Marinescu plans to talk about how the heap manager in Vista pushes the innovation much further in that area. His talk will describe the challenges the company faced and the technical details of the changes coming in Vista. Microsoft's oft-criticized Internet Explorer browser will also get Black Hat billing this year when IE program manager Tony Chor discusses the security engineering methodology that is being applied to the new IE 7. 
Chor is expected to detail key vulnerabilities and attacks this methodology revealed, as well as how the new version of IE will mitigate those threats. Also on tap is a talk by Andrew Cushman, director of Microsoft's Security Response, Engineering and Outreach Team, on the way the company has changed its internal processes to deal with the changing security landscape. Microsoft won't be alone shining the spotlight on Vista's security. Joanna Rutkowska, a renowned researcher specializing in rootkits, plans to talk about how stealthy malware threats can still be inserted into the latest Vista Beta 2 kernel (x64 edition). Rutkowska is expected to show how to bypass the Vista policy for allowing only digitally signed code to be loaded into the kernel. From isn at c4i.org Fri Jun 16 04:29:53 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 16 Jun 2006 03:29:53 -0500 (CDT) Subject: [ISN] Online threats outpacing law crackdowns Message-ID: http://news.com.com/Online+threats+outpacing+law+crackdowns/2100-7349_3-6084317.html By Joris Evers Staff Writer, CNET News.com June 15, 2006 SCOTTSDALE, Ariz.--Authorities are cracking down on phishing and botnets, but the threats are advancing instead of diminishing, two law enforcement officials said. Cybercrooks are organizing better and moving to more sophisticated tactics to get their hands on confidential data and turn PCs of unwitting users into bots, representatives from the U.S. Department of Justice and the U.S. Air Force Office of Special Investigations said in separate presentations here at the Computer Security Institute's NetSec event this week. Law enforcement has had increased successes in catching, prosecuting and convicting phishers and bot herders over the past couple of years. However, catching the bad guys is getting tougher as the criminals become more professional, the representatives said. 
"We're seeing increasingly sophisticated groups online that are more indicative of crime groups," Jonathan Rusch, special counsel for fraud prevention at the Justice Department, said in a presentation. The criminals who have been caught range from teenagers to retirees, he said. Rusch spoke about phishing, a prevalent type of online attack that combines e-mail spam and fraudulent Web sites made to look like trusted sites, which are aimed at tricking a user into giving up sensitive information such as a credit card or Social Security number. Almost 17,500 phishing Web sites were reported to the Anti-Phishing Working Group in April. A top phishing concern is the increased use of malicious software, Rusch said. Increasingly, phishers use Trojan horses that pack backdoors, screen grabbers or keystroke loggers to capture log-in names, passwords and other information, he said. In April, there were 180 unique examples of such malicious code, he said. Backdoor software gives attackers remote access to an infected PC, which could let them piggyback onto a user's Internet connection and conduct online transactions from the victim's PC while masquerading as the person, Rusch said. Screen grabbers and keystroke loggers can be programmed to capture very specific information and are even designed to wait until a user logs on to a certain banking Web site and send that information to the attacker. Malicious software is where phishers intersect with bot herders, those who run networks of compromised machines, called a bot net. Computers typically become compromised and turned into a bot, also popularly called a zombie, after visiting a malicious Web site or opening an infected e-mail message or attachment. The bot software often nestles itself on a PC unbeknownst to the user by exploiting an unpatched security flaw on the system. Law enforcement has been catching up to bot herders, and there have been some high-profile convictions. 
But here, too, the battle is getting harder, Wendi Whitmore, a special agent with the Air Force Office of Special Investigations, said in a presentation on botnets. "Botnets are one of the greatest facilitators of cybercrime these days. Really the cybercrime arena is wrapped around botnets," she said. With ubiquitous broadband connections and exploits for security flaws in software out before patches, the Internet environment is ideal for bots or zombies to proliferate, she said. That assertion is backed by a recent analysis by Microsoft. The software maker found that bots were the most common Windows threat, with more than 60 percent of compromised computers running bot code. A zombie PC can be used by miscreants to store illegal content, such as child pornography, or in a botnet to relay spam and launch cyberattacks. Additionally, hackers often steal the victim's data and install spyware and adware on PCs, to earn a kickback from the spyware or adware maker. Practice makes perfect Meanwhile, bot masters are getting smarter about hiding. Today, most botnets are controlled using Internet Relay Chat, or IRC, servers and channels. Soon that could become instant messaging, peer-to-peer technology or protocols used by Internet phone services such as Skype or Vonage, Whitmore said. "That is something that we're worried about because those protocols are proprietary," she said. "They don't publish routing protocols; it would be very difficult to catch that kind of crime." Also, Whitmore expects cybercrooks to maintain smaller botnets with the hope of staying under the radar. People being caught today operate networks of as many as 1 million PCs. "There is a greater chance that you're going to get caught, if you do that much activity and command and control that many computers," she said. Cybercriminals are often after data they can turn into cash, such as credit card numbers or even trade secrets. 
"If you have a smaller botnet and you combine that with targeted, really sophisticated social engineering tactics, you're going to be potentially a lot more successful," Whitmore said. The military has seen a rise in such attacks over the last couple of years, Whitmore said. The attackers know what organizations work together, which generals would be involved and what issues they would talk about, she said. It's "incredibly disturbing, because those are the kinds of things that should be kept somewhat secret," she said. Law enforcement alone cannot solve the phishing and botnet problems, Rusch and Whitmore said. The technology industry and consumers have key parts to play, they said. "Part of the problem is the way we design the online environment for users," Rusch said. It should be easier for people to see whether a site can be trusted or not, he said. Some of that is happening today with increased security coming in new Web browsers, for example. A stronger effort to take down phishing Web sites is also welcome, he said. The average phishing Web site was up for five days in April, and that's too long, Rusch said. In fighting bots, Whitmore sees benefits in Internet service providers delivering security software to their users. "The long-term benefit of ISPs becoming more involved would be an overall reduction of malicious code on the Internet, and most of us believe that's a good thing," she said. 
From isn at c4i.org Fri Jun 16 04:30:15 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 16 Jun 2006 03:30:15 -0500 (CDT) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-24 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2006-06-08 - 2006-06-15 This week: 149 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3..............................This Week's Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways, e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: Tuesday Microsoft issued a total of 12 bulletins. One of the bulletins addressed the Extremely Critical Word vulnerability which already has been exploited by malware in the wild. 
Another addressed the Internet Explorer vulnerability which was discovered by Secunia Security Researcher Andreas Sandblad while researching the crash bug reported by Michal Zalewski. References: http://secunia.com/SA20153 http://secunia.com/SA19762 -- VIRUS ALERTS: During the past week Secunia collected 297 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale. ======================================================================== 3) This Week's Top Ten Most Read Advisories: 1. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability 2. [SA20595] Microsoft Internet Explorer Multiple Vulnerabilities 3. [SA20639] Microsoft Windows TCP/IP Protocol Driver Buffer Overflow 4. [SA19762] Internet Explorer Exception Handling Memory Corruption Vulnerability 5. [SA20442] Firefox File Upload Form Keystroke Event Cancel Vulnerability 6. [SA19521] Internet Explorer Window Loading Race Condition Vulnerability 7. [SA20543] FilZip Multiple Archive Directory Traversal Vulnerability 8. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information 9. [SA20626] Windows Media Player PNG Processing Buffer Overflow 10. 
[SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA20631] Microsoft Windows Graphics Rendering Engine Vulnerability
[SA20626] Windows Media Player PNG Processing Buffer Overflow
[SA20620] Microsoft JScript Memory Corruption Vulnerability
[SA20605] Microsoft Windows ART Image Handling Buffer Overflow
[SA20595] Microsoft Internet Explorer Multiple Vulnerabilities
[SA20575] WinSCP Protocol Handler Command Line Switch Injection
[SA20639] Microsoft Windows TCP/IP Protocol Driver Buffer Overflow
[SA20634] Microsoft Exchange Server Outlook Web Access Script Insertion
[SA20609] ePhotos Multiple SQL Injection Vulnerabilities
[SA20574] CesarFTP MKD Command Buffer Overflow Vulnerability
[SA20556] MailEnable Enterprise Multiple WebMail Vulnerabilities
[SA20554] My Photo Scrapbook SQL Injection and Cross-Site Scripting
[SA20545] OfficeFlow Cross-Site Scripting and SQL Injection Vulnerabilities
[SA20517] ASP ListPics Cross-Site Scripting and Script Insertion
[SA20637] Microsoft Windows RPC Mutual Authentication Vulnerability
[SA20630] Microsoft Windows Routing and Remote Access Vulnerabilities
[SA20617] fipsCMS "index.asp" Cross-Site Scripting Vulnerabilities
[SA20614] ClickGallery Cross-Site Scripting Vulnerabilities
[SA20610] i-Gallery Cross-Site Scripting Vulnerabilities
[SA20606] Uphotogallery thumbnails.asp Cross-Site Scripting
[SA20604] Xtreme ASP Photo Gallery Cross-Site Scripting Vulnerabilities
[SA20603] DwZone Shopping Cart "ProductDetailsForm.asp" Cross-Site Scripting
[SA20583] Cabacos Web CMS "suchtext" Parameter Cross-Site Scripting
[SA20582] CFXe CMS "voltext_suche" Parameter Cross-Site Scripting
[SA20578] LogiSphere Cross-Site Scripting Vulnerability
[SA20559] fipsGallery "path" Parameter Cross-Site Scripting Vulnerability
[SA20553] EZGallery Multiple Cross-Site Scripting Vulnerabilities
[SA20544] VanillaSoft Helpdesk "username" Cross-Site Scripting
[SA20543] FilZip Multiple Archive Directory Traversal Vulnerability
[SA20537] WS-Album "FullPhoto.asp" Cross-Site Scripting Vulnerabilities
[SA20527] ClickCart "cat" Parameter Cross-Site Scripting Vulnerability
[SA20635] Windows SMB Denial of Service and Privilege Escalation
[SA20629] Kaspersky Anti-Virus "klif.sys" Denial of Service Vulnerability

UNIX/Linux:
[SA20669] Gentoo update for DokuWiki
[SA20592] Zeroboard ".htaccess" File Upload Vulnerability
[SA20569] free QBoard "qb_path" Parameter File Inclusion Vulnerability
[SA20561] Gentoo update for firefox
[SA20689] Ubuntu update for wv2
[SA20683] Slackware update for sendmail
[SA20675] IBM AIX update for Sendmail
[SA20673] SGI IRIX update for sendmail
[SA20671] Debian update for kernel-source-2.4.27
[SA20667] Avaya Products LibTIFF Multiple Vulnerabilities
[SA20665] wvWare wv2 Library Integer Overflow Vulnerability
[SA20654] SUSE update for sendmail
[SA20653] Avaya Products PostgreSQL Multiple Vulnerabilities
[SA20651] FreeBSD update for sendmail
[SA20650] Solaris update for sendmail
[SA20641] Red Hat update for sendmail
[SA20638] Mandriva update for freetype2
[SA20625] Red Hat update for mysql
[SA20624] Red Hat update for mailman
[SA20608] Gentoo update for wordpress
[SA20591] Debian update for freetype
[SA20564] Gentoo update for cscope
[SA20562] Gentoo update for mysql
[SA20555] SUSE update for postgresql
[SA20551] 0verkill Denial of Service Vulnerability
[SA20550] Ubuntu update for binutils
[SA20548] Ubuntu update for courier-mta
[SA20542] Debian update for webcalendar
[SA20541] Debian update for mysql-dfsg-4.1
[SA20531] Trustix updates for binutils / mysql / spamassassin
[SA20525] Ubuntu update for libfreetype6
[SA20520] Debian update for tiff
[SA20519] Courier Mail Server Username Encoding Denial of Service
[SA20658] Gentoo update for asterisk
[SA20566] Gentoo update for Spamassassin
[SA20676] SUSE update for php4 / php5
[SA20672] Debian update for horde3
[SA20627] SUSE Updates for Multiple Packages
[SA20622] Debian update for gforge
[SA20601] P.A.I.D "read" Parameter Cross-Site Scripting Vulnerability
[SA20571] Ubuntu update for libgd2
[SA20563] Gentoo update for jpeg
[SA20677] aRts "artswrapper" Helper Application setuid Security Issue
[SA20674] Ubuntu update for kdm
[SA20660] Red Hat update for kdebase
[SA20636] Gentoo update for gdm
[SA20616] Gentoo update for vixie-cron
[SA20602] KDE KDM Arbitrary File Reading Vulnerability
[SA20587] Mandriva update for gdm
[SA20552] Ubuntu update for gdm
[SA20532] GNOME Display Manager Configuration GUI Access Vulnerability
[SA20549] Ubuntu update for xine-lib
[SA20666] Avaya Products vixie-cron Exposure of Arbitrary Cron Files

Other:
[SA20618] FAST360 Appliance DNS Analysis Denial of Service
[SA20570] FAST360 Appliance HTTP Analysis Bypass Vulnerability
[SA20644] Cisco WebVPN Cross-Site Scripting Vulnerability
[SA20647] Symantec Security Information Manager Authentication Bypass

Cross Platform:
[SA20656] PictureDis Products "lang" Parameter File Inclusion Vulnerability
[SA20633] Microsoft PowerPoint Malformed Record Vulnerability
[SA20632] Flipper Poll "root_path" File Inclusion Vulnerability
[SA20588] aePartner "dir[data]" File Inclusion Vulnerability
[SA20573] phpCMS "PHPCMS_INCLUDEPATH" File Inclusion Vulnerabilities
[SA20568] webprojectdb "INCDIR" Parameter File Inclusion Vulnerabilities
[SA20558] AWF CMS "spaw_root" Parameter File Inclusion Vulnerability
[SA20557] Content*Builder File Inclusion Vulnerabilities
[SA20536] Minerva "phpbb_root_path" File Inclusion Vulnerability
[SA20522] Enterprise Payroll Systems "absolutepath" File Inclusion
[SA20687] phpBannerExchange "email" Parameter SQL Injection
[SA20648] TikiWiki Unspecified Cross-Site Scripting and SQL Injection
[SA20646] blur6ex "ID" Parameter SQL Injection Vulnerability
[SA20642] PhpMyFactures Multiple Vulnerabilities
[SA20613] Five Star Review Script Multiple Vulnerabilities
[SA20611] Mobile Space Community Multiple Vulnerabilities
[SA20607] tinyMuw "comment" Script Insertion Vulnerability
[SA20599] MyScrapbook Script Insertion Vulnerabilities
[SA20598] ST AdManager Lite Article Submission Script Insertion Vulnerability
[SA20597] Coppermine Photo Gallery "add_hit()" SQL Injection
[SA20581] Fast Menu Restaurant Ordering Multiple Vulnerabilities
[SA20576] Adobe Reader Unspecified Vulnerabilities
[SA20547] i.List Cross-Site Scripting and Script Insertion Vulnerabilities
[SA20535] E-Dating System Multiple Vulnerabilities
[SA20534] CS-Forum Multiple Vulnerabilities
[SA20529] Mafia Moblog "img" Parameter SQL Injection Vulnerability
[SA20526] PBL Guestbook Script Insertion Vulnerabilities
[SA20523] NPDS Local File Inclusion and Cross-Site Scripting Vulnerabilities
[SA20521] KAPhotoservice Cross-Site Scripting and Script Insertion
[SA20623] iaxComm iaxclient Buffer Overflow Vulnerability
[SA20567] Kiax iaxclient Buffer Overflow Vulnerability
[SA20560] IDE FISK iaxclient Buffer Overflow Vulnerability
[SA20661] Horde Cross-Site Scripting Vulnerabilities
[SA20652] 35mm Slide Gallery Multiple Cross-Site Scripting Vulnerabilities
[SA20640] Event Registration Multiple Cross-Site Scripting Vulnerabilities
[SA20621] OkMall "search.php" Cross-Site Scripting Vulnerabilities
[SA20619] iFoto "file" Cross-Site Scripting Vulnerability
[SA20612] Mole Group Ticket Booking Script Cross-Site Scripting
[SA20594] QuickLinks "q" Cross-Site Scripting Vulnerability
[SA20593] OkArticles "q" Cross-Site Scripting Vulnerability
[SA20590] Ringlink "ringid" Cross-Site Scripting Vulnerabilities
[SA20586] Realty Room Rent "sel_menu" Cross-Site Scripting Vulnerability
[SA20585] ZMS "raw" Parameter Cross-Site Scripting Vulnerability
[SA20584] Realty Home Rent "sel_menu" Cross-Site Scripting Vulnerability
[SA20580] SubText MultiBlog Admin Logon Security Issue
[SA20577] Sylpheed URI Check Bypass Security Issue
[SA20572] myPHP Guestbook "lang" Cross-Site Scripting
[SA20565] Car Classifieds "make_id" Cross-Site Scripting Vulnerability
[SA20546] EvGenius Counter "page" Parameter Cross-Site Scripting
[SA20540] Chemical Directory Search Functionality Cross-Site Scripting
[SA20539] Easy Ad-Manager "mbid" Parameter Cross-Site Scripting
[SA20538] ViArt Shop Free Cross-Site Scripting Vulnerabilities
[SA20533] vSCAL / vsREAL Cross-Site Scripting Vulnerabilities
[SA20530] Ez Ringtone Manager Cross-Site Scripting Vulnerabilities
[SA20528] IntegraMOD "STYLE_URL" Parameter Cross-Site Scripting
[SA20524] SHOUTcast Server DJ Script Insertion Vulnerabilities
[SA20579] DB2 Universal Database Multiple Denial of Service Vulnerabilities
[SA20518] Sun Grid Engine CSP Mode Authentication Security Issue

========================================================================
5) Vulnerabilities Content Listing

Windows:

--

[SA20631] Microsoft Windows Graphics Rendering Engine Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-13

Symantec has reported a vulnerability in certain old versions of
Windows, which can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/20631/

--

[SA20626] Windows Media Player PNG Processing Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-13

iDefense Labs has reported a vulnerability in Windows Media Player,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/20626/

--

[SA20620] Microsoft JScript Memory Corruption Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-13

A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20620/

--

[SA20605] Microsoft Windows ART Image Handling Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-06-13

A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20605/

--

[SA20595] Microsoft Internet Explorer Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Spoofing, System access
Released:    2006-06-13

Some vulnerabilities have been reported in Internet Explorer, which
can be exploited by malicious people to conduct phishing attacks and
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20595/

--

[SA20575] WinSCP Protocol Handler Command Line Switch Injection

Critical:    Highly critical
Where:       From remote
Impact:      Manipulation of data, System access
Released:    2006-06-12

Jelmer Kuperus has discovered a vulnerability in WinSCP, which can be
exploited by malicious people to manipulate certain files on a user's
system and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20575/

--

[SA20639] Microsoft Windows TCP/IP Protocol Driver Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-13

A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20639/

--

[SA20634] Microsoft Exchange Server Outlook Web Access Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-13

SEC Consult has reported a vulnerability in Microsoft Exchange Server,
which can be exploited by malicious people to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/20634/

--

[SA20609] ePhotos Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-06-13

r0t has reported some vulnerabilities in ePhotos, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20609/

--

[SA20574] CesarFTP MKD Command Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-06-12

h07 has discovered a vulnerability in CesarFTP, which can be exploited
by malicious users to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20574/

--

[SA20556] MailEnable Enterprise Multiple WebMail Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation
Released:    2006-06-12

Soroush Dalili has discovered some vulnerabilities in MailEnable
Enterprise, which potentially can be exploited by malicious users to
gain escalated privileges, and by malicious people and users to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20556/

--

[SA20554] My Photo Scrapbook SQL Injection and Cross-Site Scripting

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-06-09

r0t has reported some vulnerabilities in My Photo Scrapbook, which can
be exploited by malicious people to conduct cross-site scripting and
SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20554/

--

[SA20545] OfficeFlow Cross-Site Scripting and SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-06-09

r0t has reported two vulnerabilities in OfficeFlow, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/20545/

--

[SA20517] ASP ListPics Cross-Site Scripting and Script Insertion

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-09

Two vulnerabilities have been reported in ASP ListPics, which can be
exploited by malicious people to conduct cross-site scripting and
script insertion attacks.

Full Advisory:
http://secunia.com/advisories/20517/

--

[SA20637] Microsoft Windows RPC Mutual Authentication Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      Spoofing
Released:    2006-06-13

A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to spoof a valid RPC server.

Full Advisory:
http://secunia.com/advisories/20637/

--

[SA20630] Microsoft Windows Routing and Remote Access Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2006-06-13

Two vulnerabilities have been reported in Microsoft Windows, which can
be exploited by malicious people or users to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/20630/

--

[SA20617] fipsCMS "index.asp" Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-12

r0t has reported some vulnerabilities in fipsCMS, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20617/

--

[SA20614] ClickGallery Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-13

r0t has reported two vulnerabilities in ClickGallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20614/

--

[SA20610] i-Gallery Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-13

r0t has reported some vulnerabilities in i-Gallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20610/

--

[SA20606] Uphotogallery thumbnails.asp Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-13

r0t has reported a vulnerability in Uphotogallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20606/

--

[SA20604] Xtreme ASP Photo Gallery Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-13

r0t has discovered some vulnerabilities in Xtreme ASP Photo Gallery,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/20604/

--

[SA20603] DwZone Shopping Cart "ProductDetailsForm.asp" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-13

r0t has reported two vulnerabilities in DwZone Shopping Cart, which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/20603/

--

[SA20583] Cabacos Web CMS "suchtext" Parameter Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-12

David "Aesthetico" Vieira-Kurz has reported a vulnerability in Cabacos
Web CMS, which can be exploited by malicious people to conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20583/

--

[SA20582] CFXe CMS "voltext_suche" Parameter Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-12

David "Aesthetico" Vieira-Kurz has reported a vulnerability in CFXe
CMS, which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/20582/

--

[SA20578] LogiSphere Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-12

Ziv Kamir has discovered a vulnerability in LogiSphere, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20578/

--

[SA20559] fipsGallery "path" Parameter Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-12

r0t has reported a vulnerability in fipsGallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20559/

--

[SA20553] EZGallery Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-12

r0t has reported some vulnerabilities in EZGallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20553/

--

[SA20544] VanillaSoft Helpdesk "username" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-09

r0t has reported a vulnerability in VanillaSoft Helpdesk, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20544/

--

[SA20543] FilZip Multiple Archive Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      System access
Released:    2006-06-09

Claus Berghamer has discovered a vulnerability in FilZip, which
potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/20543/

--

[SA20537] WS-Album "FullPhoto.asp" Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-12

r0t has discovered some vulnerabilities in WS-Album, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20537/

--

[SA20527] ClickCart "cat" Parameter Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-06-12

r0t has reported a vulnerability in ClickCart,