From isn at c4i.org Mon May 1 01:41:00 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:41:00 -0500 (CDT)
Subject: [ISN] Linux Advisory Watch - April 28th 2006
Message-ID:

+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  April 28th, 2006                           Volume 7, Number 18n    |
|                                                                     |
|  Editorial Team:  Dave Wreski            dave at linuxsecurity.com  |
|                   Benjamin D. Thomas      ben at linuxsecurity.com  |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, advisories were released for zgv, xzgv, blender, gdm, abc2ps, SASL, abcmidi, Mozilla, OpenVPN, kernel, gnome-pilot, qt, tzdata, procps, procinfo, beagle, jwhois, cscope, ethereal, system-config-date, pygtk, crossfire, fbida, dia, xine-ui, php, mozilla-firefox, ruby, module-init-tools, thunderbird, and ipsec-tools. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.
http://www.engardelinux.org/modules/index/register.cgi

---

Introduction: Buffer Overflow Vulnerabilities

In exploiting a buffer overflow vulnerability, the main objective is to overwrite some piece of control information in order to change the program's flow of control. The usual way of taking advantage of this is to modify the control information so that code supplied by the attacker takes control. According to Shaneck, "The most widespread type of exploit is called 'Smashing the Stack' and involves overwriting the return address stored on the stack to transfer control to code placed either in the buffer, or past the end of the buffer." (Shaneck, 2003)

The stack is a region of memory used for temporary storage: function arguments, local variables, and the saved return address of each active function. In a stack-based buffer overflow attack, the attacker supplies more data than a local buffer was sized for, and the excess overwrites whatever sits above the buffer on the stack. Farrow explains this with an example, "Let's say that a program is executing and reaches the stage where it expects to use a postal code or zip code, which it gets from a Web-based form that customers filled out." (Farrow, 2002) The longest postal code is fewer than twelve characters, but on the web form the attacker types the letter "A" 256 times, followed by some other commands. The data overflows the buffer allotted for the zip code and the attacker's commands spill onto the rest of the stack.

When a function is called, the address of the instruction following the call is pushed onto the stack so that the function knows where to return control when it finishes. A buffer overflow lets the attacker replace that saved return address with the address of memory where they have already placed executable code. When the function returns, control is transferred to the malicious code contained within the buffer, called the payload (Peikari and Chuvakin, 2004). The payload is normally code that opens remote access or performs some other action that brings the attacker closer to controlling the system.
As Holden explains, "a computer is flooded with more information than it can handle, and some of it may contain instructions that could damage files on the computer or disclose information that is normally protected- or give the hacker root access to the system." (Holden, 2004)

The best defense against any of these attacks is to have perfect programs. In ideal circumstances, every program would bounds-check every input and accept only the number of characters its buffer can hold. The best way to deal with buffer overflow problems is therefore not to allow them to occur in the first place. Unfortunately, not all programs are perfect, and some have bugs that permit the attacks discussed in this paper. As described by Farrow, "because programs are not perfect, programmers have come up with schemes to defend against buffer overflow attacks." (Farrow, 2002)

One technique is to have the processor treat the stack and the heap as data only and never execute any instructions found there (a non-executable stack and heap). Farrow noted in 2002 that this approach was available for UNIX systems but not for Windows; Windows has since gained the same protection under the name Data Execution Prevention (from XP Service Pack 2 onward). It stops the attacker from running code placed in the buffer, but not from redirecting the return address to code that already exists in the program or its libraries.

Farrow describes another scheme, using a canary to protect against buffer overflows, but only the kind that overwrite the stack. (Farrow, 2002) The canary is a guard value placed on the stack between the local buffers and the saved return address (the address that tells the computer where to resume once the current function completes), so an overflow that reaches the return address must first overwrite the canary. As described by Farrow, "before return addresses get used, the program checks to see if the canary is okay." (Farrow, 2002) If the canary has been altered, the program aborts because it knows that something has gone wrong. A canary does not help against overflows that only corrupt other local variables below it, or against heap overflows.

As a user of the programs, the best countermeasure is to make sure your systems are fully patched in order to protect yourself from exploits targeting known vulnerabilities.
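The scenario described above (a twelve-character zip-code buffer, the attacker's 256 letters "A", the saved return address above the buffer, and the canary check before the function returns) as an added worked example in C. This is not code from the newsletter or from the authors it cites: it models the stack frame as an ordinary struct so that the overflow is deterministic and stays within defined behaviour, and the canary value and the return address it uses are assumed constants (real canaries are randomised per process, and a real frame's layout is decided by the compiler).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the newsletter. The frame is a plain struct
 * laid out the way a typical frame is: locals at the lowest address,
 * the canary above them, the saved return address above that. This is
 * a model, not the layout any compiler actually emits. */

#define ZIP_MAX       12            /* "fewer than twelve characters" */
#define CANARY_VALUE  0xDEADBEEFu   /* assumed canary; real ones are random per process */
#define ORIG_RET      0x08048ABCu   /* assumed saved return address */

struct frame {
    char     zip[ZIP_MAX];    /* the undersized buffer */
    uint32_t canary;          /* guard word inserted by the prologue */
    uint32_t saved_ret;       /* pushed by the CALL instruction */
};

struct outcome {
    bool     accepted;        /* did the copy routine accept the input? */
    bool     canary_ok;       /* would the epilogue canary check pass? */
    uint32_t ret_addr;        /* the address RET would jump to */
};

static void frame_init(struct frame *f) {
    memset(f->zip, 0, sizeof f->zip);
    f->canary    = CANARY_VALUE;
    f->saved_ret = ORIG_RET;
}

/* The check a canary-enabled compiler emits just before RET. */
static bool canary_intact(const struct frame *f) {
    return f->canary == CANARY_VALUE;
}

/* Vulnerable version: behaves like strcpy(f->zip, input), copying the
 * whole string plus its NUL regardless of the buffer size. zip[] is at
 * offset 0 of the frame, so excess bytes run upward into canary and
 * saved_ret. The clamp to sizeof *f only keeps the model defined;
 * real strcpy has no such limit. */
static void copy_zip_unchecked(struct frame *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((char *)f, input, n);
}

/* Hardened version: refuse anything that does not fit together with
 * its terminating NUL, instead of truncating or overflowing. */
static bool copy_zip_checked(struct frame *f, const char *input) {
    size_t len = strlen(input);
    if (len >= sizeof f->zip)
        return false;
    memcpy(f->zip, input, len + 1);
    return true;
}

static struct outcome run_unchecked(const char *input) {
    struct frame f;
    frame_init(&f);
    copy_zip_unchecked(&f, input);
    return (struct outcome){ true, canary_intact(&f), f.saved_ret };
}

static struct outcome run_checked(const char *input) {
    struct frame f;
    frame_init(&f);
    bool ok = copy_zip_checked(&f, input);
    return (struct outcome){ ok, canary_intact(&f), f.saved_ret };
}

int main(void) {
    /* Constructed inputs: a normal zip code and the article's 256 'A's. */
    char attack[257];
    memset(attack, 'A', 256);
    attack[256] = '\0';
    const char *inputs[] = { "02139", attack };

    for (size_t i = 0; i < 2; i++) {
        struct outcome u = run_unchecked(inputs[i]);
        struct outcome c = run_checked(inputs[i]);
        printf("input of %zu bytes\n", strlen(inputs[i]));
        printf("  unchecked copy: canary %s, return address 0x%08x%s\n",
               u.canary_ok ? "intact" : "SMASHED", u.ret_addr,
               u.canary_ok ? "" : " (abort before RET)");
        printf("  checked copy:   %s, canary %s, return address 0x%08x\n",
               c.accepted ? "accepted" : "rejected",
               c.canary_ok ? "intact" : "SMASHED", c.ret_addr);
    }
    return 0;
}
```

Compile with any C99 compiler and run: for the long input the unchecked copy reports the canary smashed and the return address replaced by 0x41414141 ("AAAA"), which is the state a real epilogue check detects before the RET would jump there, while the checked copy rejects the input and leaves the frame untouched. An input of fifteen characters shows the limit of the detection: it clobbers the canary (and so is caught) without reaching the return address, whereas anything that corrupts only the bytes below the canary, or a heap buffer, is never seen by this check.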
Read Full Article:
http://www.linuxsecurity.com/content/view/118881/49/

----------------------

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operation. A full explanation of Unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New zgv packages fix arbitrary code execution
  21st, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122512

* Debian: New xzgv packages fix arbitrary code execution
  22nd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122518

* Debian: New blender packages fix several vulnerabilities
  24th, April, 2006
  Several vulnerabilities have been discovered in blender, a very fast and versatile 3D modeller/renderer. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2005-3302, CVE-2005-4470
  http://www.linuxsecurity.com/content/view/122526

* Debian: New gdm packages fix local root exploit
  24th, April, 2006
  A vulnerability has been identified in gdm, a display manager for X, that could allow a local attacker to gain elevated privileges by exploiting a race condition in the handling of the .ICEauthority file.
  http://www.linuxsecurity.com/content/view/122527

* Debian: New abc2ps packages fix arbitrary code execution
  25th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122544

* Debian: New Cyrus SASL packages fix denial of service
  25th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122564

* Debian: New abcmidi packages fix arbitrary code execution
  26th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122571

* Debian: New Mozilla Firefox packages fix several vulnerabilities
  26th, April, 2006
  Several security related problems have been discovered in Mozilla Firefox.
  http://www.linuxsecurity.com/content/view/122578

* Debian: New Mozilla Firefox packages fix several vulnerabilities
  26th, April, 2006
  http://www.linuxsecurity.com/content/view/122581

* Debian: New OpenVPN packages fix arbitrary code execution
  27th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122591

* Debian: New Mozilla packages fix several vulnerabilities
  27th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122592

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: kernel-2.6.16-1.2096_FC4
  20th, April, 2006
  This update includes a number of security issues that have been fixed upstream over the last week or so.
  http://www.linuxsecurity.com/content/view/122490

* Fedora Core 4 Update: kernel-2.6.16-1.2096_FC4
  20th, April, 2006
  This update includes a number of security issues that have been fixed upstream over the last week or so.
  http://www.linuxsecurity.com/content/view/122491

* Fedora Core 5 Update: gnome-pilot-2.0.13-7.fc5.6
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122492

* Fedora Core 4 Update: gnome-pilot-2.0.13-5.fc4.2
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122493

* Fedora Core 4 Update: qt-3.3.4-15.5
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122494

* Fedora Core 5 Update: tzdata-2006d-1.fc5
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122495

* Fedora Core 4 Update: tzdata-2006d-1.fc4
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122496

* Fedora Core 5 Update: procps-3.2.6-3.3
  21st, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122506

* Fedora Core 5 Update: procinfo-18-18.2.2
  21st, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122507

* Fedora Core 5 Update: gnome-user-share-0.9-4
  21st, April, 2006
  Fixes login when using a password.
  http://www.linuxsecurity.com/content/view/122508

* Fedora Core 5 Update: beagle-0.2.5-1.fc5.1
  21st, April, 2006
  This upgrade to 0.2.5 fixes various bugs, including making the Firefox extension work again. It also contains fixes for a minor security issue where command line arguments could be injected into the indexer helpers.
  http://www.linuxsecurity.com/content/view/122509

* Fedora Core 4 Update: jwhois-3.2.3-3.3.fc4.1
  21st, April, 2006
  Updates jwhois to 3.2.3 and updates the default configuration.
  http://www.linuxsecurity.com/content/view/122510

* Fedora Core 5 Update: cscope-15.5-13.3
  21st, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122513

* Fedora Core 5 Update: ethereal-0.99.0-fc5.1
  25th, April, 2006
  Many security vulnerabilities have been fixed since the previous release.
  http://www.linuxsecurity.com/content/view/122561

* Fedora Core 4 Update: ethereal-0.99.0-fc4.1
  26th, April, 2006
  Many security vulnerabilities have been fixed since the previous release.
  http://www.linuxsecurity.com/content/view/122574

* Fedora Core 4 Update: system-config-date-1.8.3-0.fc4.1
  26th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122586

* Fedora Core 5 Update: system-config-date-1.8.3-0.fc5.1
  26th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122587

* Fedora Core 5 Update: pygtk2-2.8.6-0.fc5.1
  26th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122588

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Cyrus-SASL DIGEST-MD5 Pre-Authentication Denial of Service
  21st, April, 2006
  Cyrus-SASL contains a vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service.
  http://www.linuxsecurity.com/content/view/122498

* Gentoo: zgv, xzgv Heap overflow
  21st, April, 2006
  xzgv and zgv attempt to decode JPEG images within the CMYK/YCCK colour space incorrectly, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122499

* Gentoo: Crossfire server Denial of Service and potential arbitrary code execution
  22nd, April, 2006
  The Crossfire game server is vulnerable to a Denial of Service and potentially to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122519

* Gentoo: Mozilla Firefox Multiple vulnerabilities
  23rd, April, 2006
  Several vulnerabilities in Mozilla Firefox allow attacks ranging from execution of script code with elevated privileges to information leaks.
  http://www.linuxsecurity.com/content/view/122520

* Gentoo: fbida Insecure temporary file creation
  23rd, April, 2006
  fbida is vulnerable to linking attacks, potentially allowing a local user to overwrite arbitrary files.
  http://www.linuxsecurity.com/content/view/122521

* Gentoo: Dia Arbitrary code execution through XFig import
  23rd, April, 2006
  Buffer overflows in Dia's XFig import could allow remote attackers to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/122522

* Gentoo: xine-ui Format string vulnerabilities
  26th, April, 2006
  Format string vulnerabilities in xine-ui may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122579

* Gentoo: xine-lib Buffer overflow vulnerability
  26th, April, 2006
  xine-lib contains a buffer overflow vulnerability which may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122580

* Gentoo: Ethereal Multiple vulnerabilities in protocol dissectors
  27th, April, 2006
  Ethereal is affected by numerous vulnerabilities, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122590

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated cyrus-sasl packages address vulnerability
  24th, April, 2006
  A vulnerability in the CMU Cyrus Simple Authentication and Security Layer (SASL) library < 2.1.21 has an unknown impact and remote unauthenticated attack vectors, related to DIGEST-MD5 negotiation.
  http://www.linuxsecurity.com/content/view/122541

* Mandriva: Updated php packages address multiple vulnerabilities
  24th, April, 2006
  A cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP <= 5.1.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed.
  http://www.linuxsecurity.com/content/view/122542

* Mandriva: Updated mozilla-firefox packages fix numerous vulnerabilities
  25th, April, 2006
  A number of vulnerabilities have been discovered in the Mozilla Firefox browser that could allow a remote attacker to craft malicious web pages that take advantage of these issues to execute arbitrary code with elevated privileges, spoof content, and steal local files, cookies, or other information from web pages.
  http://www.linuxsecurity.com/content/view/122543

* Mandriva: Updated mozilla packages fix numerous vulnerabilities
  25th, April, 2006
  A number of vulnerabilities have been discovered in the Mozilla Suite that could allow a remote attacker to craft malicious web pages that take advantage of these issues to execute arbitrary code with elevated privileges, spoof content, and steal local files, cookies, or other information from web pages.
  http://www.linuxsecurity.com/content/view/122565

* Mandriva: Updated ethereal packages fix numerous vulnerabilities
  25th, April, 2006
  A number of vulnerabilities have been discovered in the Ethereal network analyzer. These issues have been corrected in Ethereal version 0.99.0, which is provided with this update.
  http://www.linuxsecurity.com/content/view/122566

* Mandriva: Updated mozilla-thunderbird packages fix numerous vulnerabilities
  25th, April, 2006
  A number of vulnerabilities have been discovered in the Mozilla Thunderbird email client that could allow a remote attacker to craft malicious emails that take advantage of these issues to execute arbitrary code with elevated privileges, spoof content, and steal local files or other information.
  http://www.linuxsecurity.com/content/view/122567

* Mandriva: Updated ruby packages fix vulnerability
  25th, April, 2006
  A vulnerability in how Ruby's HTTP module uses blocking sockets was reported by Yukihiro Matsumoto. By sending large amounts of data to a server application using this module, a remote attacker could render the application unusable and unable to respond to other client requests.
  http://www.linuxsecurity.com/content/view/122570

* Mandriva: Updated module-init-tools packages fix CUPS-related bug
  27th, April, 2006
  The default configuration of module-init-tools was to send a HUP signal to the CUPS daemon whenever the "usblp" kernel module is loaded, for example when a USB printer is plugged in. Because udev also sends a HUP signal to the CUPS daemon when a USB printer is plugged in, there were two HUPs one shortly after the other, which often caused the CUPS daemon to crash.
  http://www.linuxsecurity.com/content/view/122589

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Critical: thunderbird security update
  21st, April, 2006
  An updated thunderbird package that fixes various bugs is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122511

* RedHat: Moderate: ipsec-tools security update
  25th, April, 2006
  Updated ipsec-tools packages that fix a bug in racoon are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122550

* RedHat: Moderate: php security update
  25th, April, 2006
  Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122551

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: Mozilla Firefox, Mozilla Suite
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122489

* SuSE: MozillaThunderbird various problems
  25th, April, 2006
  Multiple vulnerabilities fixed.
  http://www.linuxsecurity.com/content/view/122549

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

From isn at c4i.org Mon May 1 01:41:15 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:41:15 -0500 (CDT)
Subject: [ISN] Pentagon Hacker Compromises Personal Data
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/04/28/AR2006042801540.html

By ROBERT BURNS
The Associated Press
April 28, 2006

WASHINGTON -- An intruder gained access to a Defense Department computer server and compromised confidential health care insurance information for more than 14,000 people, the department said Friday.

William Winkenwerder Jr., the assistant defense secretary for health affairs, said the affected individuals have been advised by letter that the compromise of personal information could put them at risk for identity theft.

"Such incidents are reprehensible, and we deeply regret the inconvenience this may cause the people we serve," he said in a brief statement.

The Pentagon established a toll-free telephone number (1-800-600-9332) for affected people to call if they have questions.

The computer server is for people insured under the Pentagon's TRICARE health care system.

The type of information that was compromised was not disclosed in the Pentagon announcement, but Winkenwerder said it varied and investigators do not know the intent of the crime or if the compromised information will be misused.

A spokesman for Winkenwerder, who asked not to be identified, said the information included names, Social Security numbers, credit card numbers and some personal health information.

Routine monitoring of one of the health care insurance system's public servers detected unusual activity, and an investigation led to the discovery on April 5 that an intrusion had occurred and information was compromised.

As a result, additional monitoring tools were installed to improve security of existing networks and data files, Winkenwerder said.

© 2006 The Associated Press

From isn at c4i.org Mon May 1 01:41:38 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 1 May 2006 00:41:38 -0500 (CDT)
Subject: [ISN] Your computer is not secure.
Message-ID:

http://hartfordadvocate.com/gbase/News/content?oid=oid:153106

By Meir Rinde
April 27, 2006

When agents from the federal Bureau of Alcohol, Tobacco and Firearms arrested convicted felon Michael Crooker on a charge of illegally shipping a firearm across state lines, they searched his apartment in the Feeding Hills neighborhood of Agawam, Mass. and found substances that gave them pause. They called in military and civilian hazardous material units, and a bomb squad, and police closed off all areas within 1,000 feet. A story spread that investigators found the poison ricin in the apartment; in reality, they found castor beans, which have commercial uses but do contain ricin. They also found lye, which is used in ricin production, and rosary peas, which contain a toxin called abrin. In Crooker's car they found powerful homemade fireworks, and they conducted a controlled explosion of at least one device.

That was almost two years ago.
He's now locked up at the state correctional facility in Suffield, Connecticut, awaiting trial on a single charge of trying to ship an air-gun silencer to a man in Ohio. The 52-year-old ex-con fills his time studying his case and writing letters to the judge, as well as filing lawsuits against the government and other parties, as he has done all his life. Among the entities he has targeted is the computer maker Hewlett Packard.

In his suit, Crooker traces back the history of his Compaq Presario notebook computer, which the ATF seized when he was arrested. He bought it in September 2002, expressly because it had a feature called DriveLock, which freezes up the hard drive if you don't have the proper password. The computer's manual claims that "if one were to lose his Master Password and his User Password, then the hard drive is useless and the data cannot be resurrected even by Compaq's headquarters staff," Crooker wrote in the suit.

Crooker has a copy of an ATF search warrant for files on the computer, which includes a handwritten notation: "Computer lock not able to be broken/disabled. Computer forwarded to FBI lab." Crooker says he refused to give investigators the password, and was told the computer would be broken into "through a backdoor provided by Compaq," which is now part of HP.

It's unclear what was done with the laptop, but Crooker says a subsequent search warrant for his e-mail account, issued in January 2005, showed investigators had somehow gained access to his 40 gigabyte hard drive. The FBI had broken through DriveLock and accessed his e-mails (both deleted and not) as well as lists of websites he'd visited and other information. The only files they couldn't read were ones he'd encrypted using Wexcrypt, a software program freely available on the Internet.

Despite the exposure of his e-mails, Crooker isn't in prison on a chemicals or explosives charge. Rather, he's been detained for two years on a single firearms charge because the judge thinks he's too dangerous to let out on bail. A six-page rap sheet included in his firearms charge file lists arrests going back to March 1970, when he was 16 and committed an armed robbery while wearing a ski mask, according to the Springfield Republican. In 1977, he was accused of threatening to kill President Gerald Ford; he was cleared, but convicted of mailing death threats to the police chief of Southwick, Mass., where he grew up, and to a probation officer. In 1986, he was charged with rape and attempted murder; the charges stemmed from a phone argument with his wife, he says, and were dropped. In 1993, he pleaded guilty to a conspiracy to possess guns, witness tampering -- he admits he blew up a witness's car -- and IRS fraud. He and an accomplice had filed about 70 false tax returns and pocketed the refunds.

The judge who ordered him to remain incarcerated described Crooker as "a real threat to the community at large, if not particular individuals as well." The judge wrote that prosecutors believe Crooker has made ricin in the past; that he is accused of keeping three hundred rounds of ammunition at his parents' house; that in letters he refers to Timothy McVeigh as a "martyr" and "expresses admiration for Osama bin Laden's brilliance."

If the government agrees Crooker is so dangerous he can't stay at home while he awaits trial, should he be allowed to use purportedly unbreakable computer security systems to hide potentially criminal activity? Because of cases like Crooker's, some might argue the government should have access to security backdoors to discourage criminals or at least catch them more easily, much as the technology in the movie Minority Report allows police to prevent crime by arresting criminals before they act.

Of course, Crooker does not agree.

Sitting in a low-ceilinged prison visiting room last week, his bright yellow prison jumpsuit hanging loosely on his narrow six-foot frame, Crooker rifled through stacks of legal documents and criticized what he described as HP's deception in not admitting up front that DriveLock was flawed, and in selling him out to the feds.

"Even if it's the CIA and the NSA, it's wrong for HP to say, 'we can't help you if you lose your password'," he said. "It's causing people to hide things on their computers, and they're not secure."

Crooker argues that by providing the FBI with a way to circumvent DriveLock, and claiming the system was impenetrable when there was actually a backdoor, HP committed a breach of contract.

We left a message for HP's lawyer, Thomas W. Evans of Cohen & Fierman in Boston, and got a call back from Ryan Donovan, a company spokesman in Palo Alto, Calif. "We don't comment on pending litigation," he said. In a legal response sent to Crooker but not yet available in court, Evans says HP didn't help the FBI, and argues it was unreasonable for Crooker to expect that data he entered on the laptop would remain inaccessible to others.

Crooker's goal is primarily to get money from HP. He's demanded $350,000, and would probably accept much less. But he has also stepped into a much larger debate over computer security: whether HP and other companies are providing their customers with sufficiently strong protection and whether the government should allow anyone access to security systems so strong that even federal law enforcement agents have a hard time breaking through them.

Crooker has spent many years in prison, but he's had some success with the law as well. In 1984, when he faced a charge of having an unregistered machine gun, a federal District Court panel reviewed his claims that he should have access to certain ATF documents.
Although he ultimately didn?t get everything he wanted, the judges ruled ATF hadn?t given a specific enough reason for withholding the documents, and Crooker v. BATF became an important footnote to discussions of Freedom of Information law. In his current criminal case, he argues that although the silencer would fit on an actual firearm, it was only intended for use on the air gun it was attached to. ?You wouldn?t believe the hearings and motions we?ve filed on this,? he said. He knows firearms law inside and out. He?s published a pamphlet called A Felon?s Guide to Legal Firearms Ownership , which you can buy online for $4.95. But his lawsuit against HP may be a long shot. Crooker appears to face strong counterarguments to his claim that HP is guilty of breach of contract, especially if the FBI made the company provide a backdoor. ?If they had a warrant, then I don?t see how his case has any merit at all,? said Steven Certilman, a Stamford attorney who heads the Technology Law section of the Connecticut Bar Association. ?Whatever means they used, if it?s covered by the warrant, it?s legitimate.? If HP claimed DriveLock was unbreakable when the company knew it was not, that might be a kind of false advertising. But while documents on HP?s web site do claim that without the correct passwords, a DriveLock?ed hard drive is ?permanently unusable,? such warnings may not constitute actual legal guarantees. According to Certilman and other computer security experts, hardware and software makers are careful not to make themselves liable for the performance of their products. ?I haven?t heard of manufacturers, at least for the consumer market, making a promise of computer security. Usually you buy naked hardware and you?re on your own,? Certilman said. In general, computer warrantees are ?limited only to replacement and repair of the component, and not to incidental consequential damages such as the exposure of the underlying data to snooping third parties,? he said. 
?So I would be quite surprised if there were a gaping hole in their warranty that would allow that kind of claim.? That point meets with agreement from the noted computer security skeptic Bruce Schneier, the chief technology officer at Counterpane Internet Security in Mountain View, Calif. ?I mean, the computer industry promises nothing,? he said last week. ?Did you ever read a shrink-wrapped license agreement? You should read one. It basically says, if this product deliberately kills your children, and we knew it would, and we decided not to tell you because it might harm sales, we?re not liable. I mean, it says stuff like that. They?re absurd documents. You have no rights.? Schneier entered the field of computer security as a cryptographer. He invented an algorithm called Blowfish, which is used in many software programs including Wexcrypt, which Crooker used on some of his files, and which the FBI has apparently been unable to crack. In recent years Schneier has been a prominent critic of most computer security schemes, saying that they?re not reliable in part because companies aren?t financially liable for failures. He described Crooker?s lawsuit as ?kind of funny.? ?Part of me says, ?Well, go get them,?? Schneier said. ?Because the industry, for years, makes all of these false promises. So here?s someone who?s saying, ?Look, goddammit, I believed them, and I got arrested,? or something. So that?s kind of neat, actually.? Online, self-declared computer geeks have discussed at length how to unlock DriveLock?ed hard drives. The general consensus is that, unlike many computer password systems, DriveLock is a hard-drive-only system, a technology added to the drive, rather than a routine in the computer software. Only a chip on the hard drive knows where the password is stored, and the chip simply will not allow the drive to spin if the password is not provided. Putting the drive in a different computer, or tinkering with computer system files, doesn?t help. 
Encryption isn't the problem, either: your files may just be sitting there, in readable form, but the drive refuses to work. The computer geeks seem to throw up their hands at devising a home-office method of getting around DriveLock. However, in a "clean room" laboratory setting it should be possible to take apart a hard drive and scan the platters where magnetic information is stored. A few companies advertise password removal services for a fee, such as Nortek Computers Limited, in North Bay, Ontario, Canada. For $85, the company will simply erase your hard drive, which removes the password and at least makes the drive useable again. For $285, the company will copy your information off the drive, wipe the drive, and put the information back on, sans the password, said Chris Boyer, a support specialist at Nortek. He wouldn't describe how it's done, except to say that some computer drives can be penetrated using "non-invasive" methods, while others are more difficult. "There's quite a bit involved, engineering-wise and facility-wise," Boyer said. The company is alert to suspicious clients who seem to be trying to break into someone else's computer, and keeps records of device serial numbers, he said. It has removed passwords for law enforcement agencies in the U.S., Canada, England, Denmark and other countries. The availability of commercial password removal suggests HP may be sincere when it says it didn't help the FBI. But Crooker said that's no obstacle to his lawsuit. "Why are HP and Compaq still advertising this DriveLock system when they have to know about the Canadian operation for $285?" he asked. "They're lulling us into this sense of security, when for $285 it can be exposed? It ain't right."
In the recent past the federal government has attempted to build in backdoors to certain computer systems: In the early 1990s, the National Security Agency tried to require the installation of a chip in phone transmission systems, so agents could eavesdrop on encrypted conversations. The Electronic Frontier Foundation and other civil liberties groups attacked the proposal, which eventually died (although recently AT&T reportedly allowed the NSA to monitor millions of phone calls without warrants, using specially installed supercomputers). So while DriveLock may not be wholly secure, software that uses Blowfish and other encryption methods remains widely available. To civil liberty advocates, that's good news, even if it means individuals like Michael Crooker can hide their secrets from law enforcement. "Encryption software is becoming a very ordinary thing. That's a very positive development in terms of limiting the erosion of privacy in certain ways," said Seth Schoen, a staff technologist at the Electronic Frontier Foundation. Crooker said he understands the argument for allowing the government to penetrate computer security systems. "I can see both sides of it," he said. But that doesn't mean he's letting HP off the hook for pretending DriveLock was really secure. That's a point security experts would agree with: undisclosed flaws are the Achilles' heel of any security scheme, because then the user of the system doesn't even know what kind of incursions to watch out for. For Bruce Schneier, the key to preventing such flaws is the kind of legal liability that Michael Crooker is trying to create, forcing companies to pay through the nose until they develop security that really works. "Unfortunately, this probably isn't a great case," Schneier said. "Here's a man who's not going to get much sympathy. You want a defendant who bought the Compaq computer, and then, you know, his competitor, or a rogue employee, or someone who broke into his office, got the data.
That's a much more sympathetic defendant." Copyright © 1995-2006 New Mass Media. All rights reserved

From isn at c4i.org Mon May 1 01:40:25 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 1 May 2006 00:40:25 -0500 (CDT) Subject: [ISN] Ag firm employee charged with hacking into county data base Message-ID: http://www.lititzrecord.com/pages/news/local/4/22302 By Michael Yoder - Record Express Staff Lititz Record Express Apr 27, 2006 LITITZ, PA - A Lancaster man has been charged with illegally logging into the county's web-based computer assisted dispatch program while working at a local agricultural firm. Duane Kline, of Lancaster, was charged on April 20 with the unlawful use of a computer and other computer crimes by using the East Hempfield Township Police Department's login and password to access the Lancaster County-Wide Communications World Wide Web based Computer Assisted Dispatch site. Kline, who is an employee of Northeast Agri Systems, 139A W. Airport Rd., Lititz, is accused of logging into the computer system on 161 separate occasions between June 27 and Nov. 7, 2005. He is accused of gaining information on restricted police intelligence and investigative information he did not have access to see and also disseminating portions of the information verbally. According to the affidavit filed in Manheim Township, Lancaster County Detective Peter J. Savage Jr. investigated an anonymous tip received in February that Kline was logging into the computer system on his computer at Northeast Agri Systems and sharing privileged information with friends. Savage was able to determine that Kline did access the computer system through Northeast's Internet protocol address and was logging into the system using the East Hempfield Township Police Department password. Kline is a lieutenant with the West Hempfield Fire and Rescue Company. On March 15 Savage interviewed Kline and asked him about accessing the site.
According to the affidavit, Kline admitted logging into the restricted site. He said initially he would log in for curiosity, but later he admitted running names in the system to look for background information. Kline admitted running the name in the system of an ex-employee at Northeast Agri Systems after the individual was fired from the company.

From isn at c4i.org Mon May 1 01:41:52 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 1 May 2006 00:41:52 -0500 (CDT) Subject: [ISN] Schools scramble to safeguard computer systems Message-ID: http://www.boston.com/news/local/massachusetts/articles/2006/04/29/schools_scramble_to_safeguard_computer_systems/ By Maria Sacchetti Globe Staff April 29, 2006 Private industry long ago adopted safeguards against hacking, but public schools, which just began putting student records online in recent years, are only starting to recognize their vulnerability. The allegations that a student gained access to a teacher's computer at Boston Latin School and saw tests and student records apparently took officials by surprise. Boston Public Schools had begun to talk about improving computer security at all schools before the alleged incident, but immediately tightened security afterward. ''For lack of a better term, this is sort of a test case to figure out where security breaches might be," said Jonathan Palumbo, a school system spokesman. Lexington High officials are debating whether to e-mail report cards to parents, weighing the convenience against the security risks. Brookline High forced teachers to make their passwords tougher to guess this year after students broke into the computer system to change grades. ''You can't assume that you're smarter than the kids about computers," said Michael Frantz, assistant headmaster at Brookline High. ''It certainly is a wake-up call. . . . This kind of thing can really happen to us." Decades ago, public schools were untroubled with computer security.
But now 95 percent of the state's classrooms are wired for the Internet, according to the state Department of Education. Teachers store grades on the Internet. Clerks track student absences and tardiness online. Some even share that with parents: letting them check online to make sure their child went to school or to monitor their grades. A year ago, Lexington High investigated a student on allegations that he altered his attendance records, which had been posted online. The school now wants to e-mail report cards, but officials said they are not sure whether the school has protected itself well enough against hackers. ''I really worry about that. We're certainly behind," said Bill Cole, a dean at the school. ''We definitely have a population here that would see it as a challenge here and break in." This school year, Brookline High officials suspended the two students it caught breaking into the computer system and changing grades. ''You can't make a guarantee that it wouldn't happen again," Frantz said. ''We're more careful, and things are tighter than they were. I think it would be a lot more difficult for it to happen." Charlie Lyons, superintendent and director at Shawsheen Valley Technical High School, in Billerica, said he spends $50,000 a year on computer updates and security. He also hired a director of computer services because the school has nearly 700 computers. ''There's no system that's unbreakable. There's going to be some kid from MIT that's probably going to . . . be able to break into any system in the world," Lyons said. Francis Cahill, who taught Latin at Boston Latin School for 33 years before retiring in June 2005, said more teachers who used to keep grades on paper and tests in files are relying on computers. Students are ''a lot more sophisticated than a lot of the teachers," said Cahill, who had never heard of a student breaking into the school's computer system during his time at Latin. 
''Kids are always looking for a leg up no matter what school they're in. It doesn't surprise me at all. ''I would guess that in any kind of school where kids are trying to get into college, the same kind of thing could happen." Tracy Jan of the Globe staff contributed to this report. © Copyright 2005 The New York Times Company

From isn at c4i.org Mon May 1 01:42:04 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 1 May 2006 00:42:04 -0500 (CDT) Subject: [ISN] Pentagon Halts Contractor Clearances Message-ID: http://www.washingtonpost.com/wp-dyn//content/article/2006/04/28/AR2006042801878.html By Renae Merle Washington Post Staff Writer April 29, 2006 The Pentagon stopped processing security clearances for government contractors this week, potentially exacerbating a shortage of employees authorized to work on the government's most secret programs. The Defense Security Service blamed overwhelming demand and a budget shortfall for the halt, which caught the government contracting community by surprise. Already, 3,000 applications have been put on hold, said Cindy McGovern, a DSS spokeswoman. "We're holding them [the applications] now to see if we can resolve the issue. The more drastic step would be not accepting them" at all, McGovern said, a step the agency considered but dropped for now. The demand for security clearances among private companies has grown dramatically since the Sept. 11, 2001, terrorist attacks as the government increasingly relies on contractors to do intelligence gathering and work on classified programs. There has been growing frustration with the wait time, which some companies have described as up to a year, to obtain clearances for new employees. Some firms have reverted to gimmicks and large bonuses to attract employees with pre-existing clearances, and industry officials worry that this week's action will increase competition and salary demands.
The move affects not only defense contractors, but also those who work on projects for more than 20 other agencies, including NASA and the Department of Homeland Security. "We have companies right now that have positions that are funded that they can't find people for," said Stan Soloway, president of the Professional Services Council. "This could completely shut the system down." The Defense Security Service blames, in part, the sheer volume of requests. Between October and March, more than 100,000 security-clearance applications were submitted. The service is also struggling with a budget shortfall, McGovern said, noting that its funding was cut by $20 million this year. McGovern said she did not know how much of a shortfall the agency faces. Last year, the Office of Personnel Management took over the job of conducting background investigations. But the Defense Security Service picks up the tab, which can be as much as $3,700 for a top-secret clearance. The Office of Personnel Management can also charge a premium of 19 to 25 percent for the work, which was not factored into the DSS budget, said David Marin, staff director for the House Government Reform Committee. Marin estimates the agency's shortfall at between $75 million and $100 million. The agency's efforts to cut costs began earlier this month when it alerted contractors that it would no longer offer a more expensive expedited application process. On Tuesday, the agency stopped forwarding new applications to the OPM altogether. The decision is "both baffling and disturbing," Rep. Thomas M. Davis III (R-Va.), chairman of the Government Reform Committee, said in a letter to the agency yesterday. Davis expects to hold a hearing on the issue, according to his office. "It sure could get to be a real problem really fast," said John Douglas, president of the Aerospace Industries Association, a lobby group that represents companies including Lockheed Martin Corp. and Boeing Co., the Pentagon's largest contractors. 
"There doesn't seem to be any exceptions, and you would think that if you were working on a classified project to stop IEDs [improvised explosive devices], there would be." © 2006 The Washington Post Company

From isn at c4i.org Mon May 1 01:42:15 2006 From: isn at c4i.org (InfoSec News) Date: Mon, 1 May 2006 00:42:15 -0500 (CDT) Subject: [ISN] NIST releases standards for security logs Message-ID: http://www.fcw.com/article94229-04-28-06-Web By Wade-Hahn Chan Apr. 28, 2006 The National Institute of Standards and Technology released technical guidelines on how federal agencies should manage security logs. The guidelines cover log generation, transmission, storage, analysis and disposal. The guidelines, NIST Special Publication 800-92: Guide to Computer Security Log Management [1], include suggestions for creating a log management policy, prioritizing log files and creating a centralized log management infrastructure to include all hardware, software, networks and media. The 64-page document notes that agencies must deal with larger quantities, volumes and varieties of security logs. They also must comply with a growing number of legislative requirements such as the Federal Information Security Management Act and the Health Insurance Portability and Accountability Act. [1] http://csrc.ncsl.nist.gov/publications/drafts/DRAFT-SP800-92.pdf

From isn at c4i.org Tue May 2 04:42:33 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 2 May 2006 03:42:33 -0500 (CDT) Subject: [ISN] Iridium trumpets latest satellite phones for emergency response Message-ID: http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,111058,00.html By Todd R. Weiss MAY 01, 2006 COMPUTERWORLD Just a month before the official U.S.
hurricane season begins on June 1, Iridium Satellite LLC today unveiled satellite telephone communications equipment that will interoperate with existing UHF and VHF radio systems already used by police, rescue agencies, firefighters and other first responders. In an announcement today, the Bethesda, Md.-based vendor said the equipment can prevent much of the widespread communications troubles that plagued the Southeast U.S. after Hurricanes Katrina and Rita pummeled the area last year. In the wake of the storms, land-line and cellular telephone systems were largely devastated in Louisiana, Mississippi and parts of other nearby states due to downed lines, destroyed towers and other communications infrastructure failures. Emergency workers had to use radios, satellite telephones and other means to communicate until telephone service was restored. The Iridium systems offer interoperable voice and data communications, will work anywhere and are portable, according to the company. The data services include integration of radio frequency identification tags to help track vehicles, supplies and personnel wirelessly during emergencies so that response efforts can be monitored, the company said. Iridium services are already being used in some states, including Florida, Georgia, Louisiana, Mississippi, Missouri, South Carolina and Texas. The Iridium systems can interoperate with other communications systems, including VHF and UHF radios, making them flexible in times of emergency, Greg Ewert, executive vice president for Iridium, said in a statement. "Many states that could be affected by hurricanes this season are still far from being prepared from a communications perspective," he said. The Iridium systems also offer quick setup and do not use a land-based infrastructure that can be damaged in a disaster, according to the company. "Iridium may typically be thought of as a satellite phone in the hands of a first responder," Ewert said. 
"Increasingly, government customers are seeking Iridium for tracking and redirecting of important assets in an emergency, including critical supplies, vehicles and even personnel. This is done through communications systems based on our data-only transceiver. Many first responders [during Hurricanes Katrina and Rita] were left vulnerable when it came to asset tracking. Supplies sat by the side of the road because communications were hampered with a lack of deployed mobile satellite services. They were unable to redirect supplies as needed. With our solution, they can stay in touch and stay in control." Ted O'Brien, vice president of market development at Iridium, said today that the systems can be expanded as needed. Satellite telephone handsets are priced at about $1,500 each, while a fixed base station that can be used in a rescue facility costs about $3,000, including an external antenna. The interoperability system that allows satellite telephone users to communicate with VHF and UHF radio users -- as well as more than two-dozen other systems -- costs about $10,000. Small mobile wireless modems that can be attached to vehicles and supply containers for wireless tracking cost about $500 each if tracking capabilities are to be deployed. The equipment can be used with solar chargers so it can be recharged when power is out, or vehicle battery charger adapters can be used. "First responders using Iridium tell us time and again that we're often the only line of communications they have, particularly during and right after a disaster strikes," Ewert said in a statement. "When communications infrastructure goes down, they need to get to the disaster scene and connect back to headquarters to coordinate their rescue and relief mission. ... It usually takes several days for first responders to set up more permanent, fixed communications services in a disaster scene. They use Iridium to keep in touch and to coordinate their rescue mission as it unfolds." 
Iridium provides global satellite voice and data communications using 66 cross-linked satellites, according to the company. Since revamping its operations five years ago following the bankruptcy of its predecessor (see "Iridium Refocuses on B2B" [1]), the new Iridium Satellite LLC has positioned itself as a business and government satellite communications provider for fail-safe communications. The original Iridium LLC was about to decommission its satellite network in 2001 when it was purchased by a consortium of buyers for $25 million. The satellite system cost $5 billion when it was built in 1998 by Schaumburg, Ill.-based Motorola Inc. and others. [1] http://www.computerworld.com/industrytopics/defense/story/0,10801,59152,00.html

From isn at c4i.org Tue May 2 04:43:31 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 2 May 2006 03:43:31 -0500 (CDT) Subject: [ISN] Hacker turns Canadian PM into baby eater Message-ID: http://www.theinquirer.net/?article=31390 By Nick Farrell 02 May 2006 COMMUTERS ON ONE of Canada's busiest trade routes were amused when the LED message board announced that Prime Minister Stephen Harper eats babies. Instead of announcing the next stop, the LED board on the GO trains, seemed to feel that it was very important that the world knew about Harper's dining habits. Alas, no one seems to have snapped a picture of the phenomenon, but the story has been confirmed by the people running the possessed LED board, Exclusive Advertising. The outfit said that its LED board had been hacked and the message had not been authorised by it, or GO trains. Exclusive Advertising said that it was sprucing up on its security after the incident. However, the press release, here [1], seems more interested in catching the hacker than apologising to Harper. It also repeats the LED comments in big bold letters in case you were left wondering what the Hacker claimed.
[1] http://www.c4i.org/StephenHarperBabies.jpg

From isn at c4i.org Tue May 2 04:43:45 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 2 May 2006 03:43:45 -0500 (CDT) Subject: [ISN] SANS Institute updates list of 'Top 20 Internet Security Vulnerabilities' Message-ID: http://www.networkworld.com/news/2006/050106-sans-top-20.html By Ellen Messmer NetworkWorld.com 05/01/06 SANS Institute Monday updated its list of "Top 20" vulnerabilities discovered in products or types of exploits and attacks that threaten users on the Internet. The SANS "Spring Update" of its Top 20 Internet Security Vulnerabilities cites a growth in critical vulnerabilities discovered in the Mac OS/X operating systems, as well as vulnerabilities associated with the Mozilla Firefox open-source Web browsers that had to be patched. Rohit Dhamankar, editor of the SANS Top 20 and manager of security research at 3Com's TippingPoint division, said the good news is that software patches for the Mozilla Firefox open-source browsers are usually more quickly issued compared with Microsoft's patch process for its Internet Explorer. "The [Mozilla Firefox] patches arrive much faster, typically within a week," said Dhamankar, adding that Microsoft generally waits for its scheduled second Tuesday of the month to issue software patches. He added that so many zero-day exploits have been discovered recently in association with Microsoft Explorer, the browser's name should be changed to "Internet Exploiter." Other trends cited by SANS Institute include SQL injection vulnerabilities and attacks against databases, as well as the "scourge" of successful "spear phishing" attacks, especially against U.S. defense and nuclear-energy sites. In spear phishing, an attacker sends e-mail pretending to be a trusted source to a targeted victim who turns over sensitive information to the attacker.
While SANS Director of Research Alan Paller declined to reveal the names of specific agencies that had been the target of spear phishing, this type of attack has caused so much concern in the U.S. government, he said, that there's been a new word coined for such an attack: "exfiltration." A play on the word "infiltration," the word "exfiltration" is "being used a lot around Washington these days," because of a number of successful spear-phishing attacks, says Paller.

From isn at c4i.org Tue May 2 04:44:00 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 2 May 2006 03:44:00 -0500 (CDT) Subject: [ISN] NCSoft to Appeal Ruling on Data Theft Case Message-ID: http://times.hankooki.com/lpage/200604/kt2006043016491310160.htm By Kim Tae-gyu Staff Reporter 04-30-2006 NCSoft, Korea's biggest online game developer, is likely to appeal last week's verdict that mandated it to pay 500,000 won ($530) to five holders of hacked accounts for cyber game "Lineage II." "We cannot accept the ruling because there was no report of actual damage from the case, which involves just the potential risk of information leakage," NCSoft spokeswoman Lee Hwa-su said. Last Friday, the Seoul District Court ordered NCSoft, the maker of the famous role-playing game Lineage II, to pay out 500,000 won to five plaintiffs, who lodged a civil complaint last autumn. NCSoft is expected to receive the notice of the ruling this week or next. It may at least indirectly affect two similar cases filed by about 8,500 subscribers to Lineage I, the precedent for Lineage II, and by 414 against Kookmin Bank, the nation's biggest lender. In its ruling, the court said that NCSoft managed personal information in a manner that made it vulnerable to leakage. While conducting a regular game upgrade in May 2005, NCSoft failed to encrypt a database log file that contained usernames and passwords, the court observed.
As a result, the account data of numerous Lineage II subscribers, who logged onto the online game during May 11 to May 16 last year, were available at a computer used for the game. Five subscribers filed a lawsuit last autumn, seeking 5 million won each in compensation and could partially win the case in a half-year litigation last Friday. But NCSoft still denies its responsibility for the plaintiffs, who the company claims have failed to prove any practical damages from the data leakage. "The account data in question were kept in a computer file, where even an expert would struggle to find out, for very short period of time or six days at longest," Lee said. "There is little likelihood that the data was leaked outside and we have yet to receive any damage report from it. We think this is a different case compared to other identity theft," she said. Observers also point out NCSoft would not comply with the verdict, which might cause the company to collapse due to resultant court actions. "Should NCSoft obey the compensation ruling, other Lineage II users would try to gain windfalls by taking the firm to the court. How can the outfit take such a risk?" asked Han Ik-hee, an analyst at Prudential Securities. Indeed, subscribers who pay a monthly fee of 29,600 won for the Lineage II membership amount to 1 million, the potential beneficiary of the compensation verdict. The legal battle marks back-to-back bad news for NCSoft, which already suffered from setbacks due to the identity theft case related to Lineage I, which caught the nation off guard early this year, and triggered lawsuits by roughly 8,500. Complaints piled up in February that hackers were stealing private data from millions of Korean people. The stolen data is believed to have been collected mostly by Chinese crackers, who used it to sign up for Lineage I.
From isn at c4i.org Tue May 2 04:42:17 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 2 May 2006 03:42:17 -0500 (CDT) Subject: [ISN] 'Second Life' fending off denial-of-service attacks Message-ID: http://news.com.com/Second+Life+fending+off+denial-of-service+attacks/2100-1043_3-6067003.html By Daniel Terdiman Staff Writer, CNET News.com May 1, 2006 The popular virtual world "Second Life" was shut down twice over the weekend as its publisher, Linden Lab, fended off denial-of-service attacks. The attacks took the form of someone creating self-replicating objects in the world that began to crash servers and forced San Francisco-based Linden Lab to temporarily close down the entire "Second Life" grid. This is not the first time "Second Life" has been hit by denial-of-service attacks. Last fall, it was hit with similar assaults. Shortly thereafter Philip Rosedale, the company's CEO, told "Second Life" members that the company planned to turn the responsible parties in to the FBI. "Second Life" is an open-ended virtual world that allows its users to create, buy and sell nearly any kind of avatars, vehicles, attire and buildings they can imagine. Users can play for free, and Linden Lab makes money through the sale of virtual "land" and subsequent land-maintenance fees. "Second Life" is not the only virtual world to suffer recent server problems. Over the past month, Blizzard Entertainment's "World of Warcraft" has been dealing with a variety of ongoing server problems that prevented users from getting into the game, kicked some out with no warning and deactivated their accounts due to billing problems. Those issues, however, are not related to any kind of outside attack. This weekend's attacks took advantage of the fact that any "Second Life" member can create nearly any kind of objects in the virtual world that they like. 
"What happened is people create an object that then replicates itself, and then of course, it's like cell division," said Robin Harper, vice president of community development and support. First there's "two and then four, and pretty soon you've got objects sprouting and they go across boundaries and they crash servers." Harper said that Linden Lab had been able to contain the object replication, and indeed, a check by CNET News.com Monday morning showed that "Second Life" was up and running normally. Still, she said that the attacks are serious business and that Linden Lab is once again getting federal authorities involved. "It's certainly a very important issue because it disrupts commerce," said Harper. "It disrupts events. People have weddings planned or a party or something, and it gets in the way. It's (also) costing our customers money, and that's what makes it something we can discuss with the federal authorities, because it's a significant economic disruption." Ginsu Yoon, Linden Lab's general counsel, said that he expects federal authorities to take action, but isn't sure when that will happen. He said law enforcement action on the previous attacks is forthcoming as well, and that the perpetrators shouldn't take heart in any delay in prosecution. "People who are thinking that they're off free because there's been grid attacks before and nothing happened--they will be surprised," said Yoon. "It's just a matter of time." And while Linden Lab won't say who the perpetrators are, citing the ongoing investigation and the company's policy not to give out the names of its customers, it hinted that it knows. "We have very specific information about the identities of individuals involved in the attacks," Yoon wrote to CNET News.com on Monday in an e-mail originally drafted in January. "There are people who think that bringing down our grid is fun, and that it's not breaking the law. 
I'd encourage those people to read the federal code" about denial-of-service attacks.

From isn at c4i.org Tue May 2 04:44:13 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 2 May 2006 03:44:13 -0500 (CDT) Subject: [ISN] Ohio U. alumni at risk for identity theft Message-ID: http://www.cantonrep.com/index.php?ID=283728 By Melissa Griffy Seeton REPOSITORY EDUCATION WRITER May 2, 2006 Bob Tscholl has contributed to Ohio University in many respects: He's a Bobcat as are his three children. A recent security breach may mean he'll give a little more. But the Canton attorney has faith the university will do all it can to prevent that. "It kind of goes with the territory," Tscholl said. "Anytime you belong to an organization nowadays, you have to be aware there is some risk ... . I'm not too concerned." Ohio University President Roderick McDavis announced at a press conference Monday that he, too, is among the more than 300,000 alumni and friends of Ohio University - not current students - whose personal information may have been compromised when unauthorized access was gained to a computer system supporting alumni relations. "We are doing everything in our power to reduce the impact of this data theft," Ohio University Associate Provost for Information Technology and Chief Information Officer Bill Sams said in a press release. "At this point, we have no evidence of illegal use of the breached information." The breached computer system contained biographical information on more than 300,000 individuals and organizations, including the Social Security numbers of more than 137,000 people, according to university officials. The files did not contain credit-card or bank information. The security violation was discovered on April 24 when, according to Sams, "The university immediately began assessing the situation to determine its extent. Once it became clear that personal information was involved, we began the process of notifying the affected individuals."
University officials were unable to confirm Monday how many Ohio University alumni are from the Stark County area. A search of recent college graduates revealed 12 local residents graduated from the school in December and eight received diplomas last May.

The FBI is investigating the incident, and university officials said the college will hire an outside consultant to conduct a risk assessment of its computer information systems.

A separate security breach occurred at the college on April 21, when office files were compromised at its Technology Transfer Department. The files included e-mails, patent and intellectual property files.

Ohio University is at least the third college in recent months to announce that unauthorized access was gained to confidential information.

In September, two computers were stolen from Kent State University offices. The computers contained the names and Social Security numbers of practically every student and instructor since 2002, and every graduate since 1988.

And, in August, Web site security was breached at Stark State College of Technology. Students couldn't access their own personal information - such as their grades or student loans - instead the personal information of another student was shown, including Social Security numbers. College officials said the incident was not the result of a hacker, but a computer software glitch.

Reach Repository writer Melissa Griffy Seeton at (330) 580-8318 or e-mail: melissa.griffy @ cantonrep.com

-=-

COULD I BE AFFECTED?

Ohio University is sending e-mails and letters to people who may have been affected by the security breach. As a precaution, the university will not request personal information electronically as part of this notification. The university cautions people to not disclose personal information if they receive an e-mail - even if it appears to come from the university.
The university has established a Web page at www.ohiou.edu/datatheft to provide detailed information, and a toll-free hotline at (800) 901-2303.

Source: Ohio University

-=-

PROTECT YOURSELF FROM IDENTITY THEFT

Ohio University recommends that alumni protect themselves from the security breach by:

-- Obtaining a free credit report from Equifax (800) 525-6285, Experian (888) 397-3742 and TransUnion (800) 680-7289.
-- Calling these three credit reporting agencies to place fraud alerts lasting 90 days on credit inquiries.
-- Monitoring credit accounts for any unusual activity during the next several months.

Source: Ohio University

©2006 The Repository

From isn at c4i.org Tue May 2 04:44:28 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 2 May 2006 03:44:28 -0500 (CDT)
Subject: [ISN] InfoSec News List Information
Message-ID:

http://www.infosecnews.org

InfoSec News is a privately run, medium traffic list that caters to the distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more.

To subscribe to InfoSec News, Click here [1].

The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

* Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.
* Information on where to obtain articles in current magazines.
* Security Book reviews and information.
* Security conference/seminar information.
* New security product information.
* And anything else that comes to mind...

Feedback is encouraged. The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text.
Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list. Anonymous feedback is always welcome.

Please DO NOT:

* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as 75+ returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s). This is not a whim! Other moderators have begun to do the same.

Special thanks to the following for continued contribution: William Knowles, Brian Martin, Jay Dyson, Emerson Tan, Nicholas Brawn, Felix von Leitner, Robert G. Ferrell, eric wolbrom, Matthew Patton, Marjorie Simmons, Richard Forno, Darren Reed, Robert Slade, Attrition.org, Curiosity.org and several other contributors.

InfoSec News Archives:

http://www.landfield.com/isn
http://lists.jammed.com/ISN/
http://lists.insecure.org/isn/
http://www.attrition.org/pipermail/isn
http://online.securityfocus.com/archive/12
http://marc.theaimsgroup.com/?l=isn&r=1&w=2

InfoSec News is Moderated by William Knowles wk (at) c4i.org.

ISN is a private list. Moderation of topics, member subscription, & everything else about the list is solely at his discretion.

The InfoSec News membership list is NOT available for sale or disclosure.

InfoSec News is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.
[1] http://www.infosecnews.org

From isn at c4i.org Wed May 3 02:37:52 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 3 May 2006 01:37:52 -0500 (CDT)
Subject: [ISN] Iron Mountain loses more backup tapes
Message-ID:

http://www.techworld.com/security/news/index.cfm?newsID=5915

By Chris Mellor
Techworld
02 May 2006

Accident-prone Iron Mountain has mislaid more backup tapes containing personal information.

On April 6th, a driver reported that backup tapes belonging to the Long Island Rail Road (LIRR) and another customer had gone missing. The LIRR tapes contained personal information about 17,000 past and current employees - virtually everyone who has ever worked for the concern. The second customer's tapes did not contain personal information.

So far no evidence of theft has been found; the tapes have apparently just been mislaid. The LIRR is providing a paid-for one year account with a credit check and identity theft monitoring service - a costly exercise for 17,000 people.

Iron Mountain has previously lost backup tapes belonging to Time Warner in March, 2005. These covered 600,000 current and past employees.

From isn at c4i.org Wed May 3 02:27:30 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 3 May 2006 01:27:30 -0500 (CDT)
Subject: [ISN] Oracle keeps many users waiting on April patches
Message-ID:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,111098,00.html

By Robert McMillan
IDG NEWS SERVICE
MAY 02, 2006

Testing problems are forcing some Oracle Corp. users to wait a little longer than usual for the company's latest round of security patches, the first of which were released last month.

Though Oracle offered patches for a number of its most popular products as part of its April 18 Critical Patch Update, it had said that updates for many other versions of the products would not become available until May 1. Now, the database vendor is saying that many of those critical updates may not be available until as late as May 15.
Oracle typically releases about 150 patches for a variety of different operating systems in its Critical Patch Updates, which ship every three months.

The problem with the April update is that some of the patches have not yet passed the comprehensive suites of tests that Oracle uses to ensure that they will not disrupt customers' applications, said Darius Wiles, manager of Oracle Security Alerts.

"There were some [updates] that failed out of the test suite, so we needed some more time to test them," Wiles said.

Oracle is particularly eager to complete testing and release updates for some of the more widely used versions of its database, including version 8.1.7.4 and 10.1.0.4. But the company first needs to ensure that the new software will not disrupt customers, Wiles said.

Oracle users can find more information on the estimated delivery date of Oracle's patches by checking the pre-installation notes Oracle has published for each of its products. These can be found on Oracle's MetaLink online support service by searching for document: 360464.1

Security researcher and Oracle critic David Litchfield believes that by waiting so long to update some versions of its products, Oracle is undermining the value of its regular patch release cycle, which is designed to provide customers with regular, predictable software updates.

In an interview, Litchfield criticized both the lateness of the updates and their quality.

"The whole point of a regular patch cycle is that people can plan ahead and install once," said Litchfield, managing director of Next Generation Security Software Ltd., in Sutton, England. "But if you are having to install it nine times, where's the benefit of that?"

Litchfield estimates that two-thirds of Oracle's supported products are now unpatched, leaving many users vulnerable.

But Wiles countered that the problem appears to be worse than it is.
Because updates for some applications, such as Oracle's application server, are dependent on the database fixes, there has been a bottleneck effect with the updates. "Once we get the database stuff cleared, there are going to be a whole bunch of products that are going to be patched."

Though some security researchers such as Litchfield are critical of Oracle's delays, most customers prefer that the software vendor deliver a tested and reliable product, said David Kennedy, a senior risk analyst with Cybertrust Inc., in Herndon, Virginia.

"I'm sympathetic with Oracle," he said. "They get barbecued for not coming up with patches fast enough."

"On the other hand," he said, "They could be just slow and lazy."

From isn at c4i.org Wed May 3 02:39:10 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 3 May 2006 01:39:10 -0500 (CDT)
Subject: [ISN] Retaliation for Antispam Success?
Message-ID:

http://www.wired.com/news/technology/internet/0,70798-0.html

By Joanna Glasner
May 02, 2006

An unusual spam war has erupted on the net, pitting an apparently irate spammer against an Israeli antispam firm that claims it's making junk e-mailers think twice about bugging its customers.

Blue Security's controversial method uses reverse spam, if you will, returning massive quantities of opt-out messages to companies it identifies as spammers. Apparently the companies on the receiving end don't like it one bit.

In an escalation of hostilities this week, Blue Security customers began receiving thousands of messages demanding that members either drop the company's service or continue to receive an avalanche of unwanted e-mails. In addition, U.S. internet users were unable to access Blue Security's website Tuesday. The company said it is still investigating the cause, which may have been a distributed denial of service attack.

"We have devised a method to retrieve your address from their database," one message states.
"So by signing up and remaining a Blue Security user not only are you opening yourself up for this, you are also potentially verifying your e-mail address through them to even more spammers."

Blue Security's founder and CEO, Eran Reshef, called the spammer's allegations of a security hole a baseless scare tactic. Bulk e-mailers, he said, want to stifle the spread of Blue Frog, a tool that customers install on their computers that automatically floods spammers with opt-out messages.

"The best way to combat this is to continue running the Blue Frog," Reshef said.

The spammer's counteroffensive comes as Blue Security, a 2-year-old firm based in Israel, claims to be making dramatic progress in stopping spam. Three weeks ago, Blue Security said, the world's top junk mailer, responsible for about 9 percent of all spam, stopped sending messages to inboxes of its half-million registered users. On Monday, the company said, the second-largest spammer started contacting its affiliates and advising them not to contact Blue Frog users.

Blue Security's controversial spam-fighting approach is modeled as a sort of e-mail version of the Federal Communications Commission's national Do Not Call registry. Through its "Do Not Intrude Registry," users send automated messages opting out of future mailings from spammers, a right spelled out in the Can-Spam Act.

Not everyone is sold on the concept. Critics of Blue Security's methodology say that by maintaining a list of people who don't want spam, the company makes users vulnerable to the kind of attack that occurred this week.

"The bad guys will be able to figure out who's on the list, and they'll be able to play games like this," said John Levine, a board member of the Coalition Against Unsolicited Commercial Email. "It's the obvious counterattack of an annoyed spammer."
From isn at c4i.org Wed May 3 02:38:57 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 3 May 2006 01:38:57 -0500 (CDT)
Subject: [ISN] Aetna Loses Laptop Containing Customer Data
Message-ID:

http://www.consumeraffairs.com/news04/2006/05/aetna_laptop.html

By Martin H. Bosworth
ConsumerAffairs.Com
May 1, 2006

An employee of health insurance giant Aetna lost a laptop containing data on 38,000 customers, the company said. The information included names, addresses, and Social Security numbers, but no financial information.

The individuals were employees of companies who bought group health coverage from Aetna. The companies asked not to be identified.

Aetna spokesperson Cynthia Michener declined to verify where the theft took place, or if any of the information had been used.

In a subsequent statement, Aetna CEO Ronald Michener claimed the laptop had been secured with "strong password protection," and that the employee responsible "did not follow corporate policies."

"We have offered to pay for credit monitoring services for our affected members to help prevent any potential misuse of the information, and we are contacting each affected individual directly with information on how to access this service," Michener said.

The Aetna CEO also claimed that the company would be augmenting its data security structure to ensure all their employees followed proper procedure in the future.

Michener also said that Aetna was contacting all affected individuals, and would be offering them free credit monitoring for an unspecified period of time, to ensure they were protected from possible fraud or identity theft.

The theft or loss of laptops has been the latest trend in data breaches, with over 500,000 individuals potentially affected as a result of laptops being stolen or misplaced in the last six months. Companies affected have included Hewlett-Packard, Verizon, Ameriprise, and Ford.
The common thread in virtually all of these incidents is an employee or employees downloading confidential data onto laptops, and either leaving them physically vulnerable or failing to encrypt them. Stealing laptops from vehicles in order to resell them has often led to customers' information being exposed.

Companies typically offer free credit monitoring to employees or consumers affected by data breaches, but many affected individuals often fail to utilize the service. Some don't follow the procedures necessary to sign up for it, while others are suspicious of providing more personal information to companies that have already jeopardized their customers' financial privacy.

Copyright © 2003-2005 ConsumerAffairs.Com Inc

From isn at c4i.org Thu May 4 04:15:20 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:15:20 -0500 (CDT)
Subject: [ISN] Three rules for safer Wi-Fi away from home
Message-ID:

http://software.newsforge.com/software/06/04/20/2032257.shtml

By Joe Barr
May 02, 2006

Almost everyone has heard about wardriving, the geek sport in which you drive around and see what wireless access points (WAP) you can find and access. Because of the ink wardriving has received over the years, many home and business users have wised up and added security to their WAPs. But how about the busy traveler, the exec at Marriott, or the slacker at Starbucks? Do they take that same level of care with wireless security while they're on the road and seduced by the easy availability of Wi-Fi hotspots? Probably not, but they should.

Here are three simple assumptions you should make before taking your wireless laptop on the road. Memorize these rules, understand what they mean, and learn what to do to protect yourself. When you can do that, you can begin to protect your private, confidential, and corporate data from inquisitive eyes.

* Always assume someone is trying to see you enter a user ID or password.
* Always assume that someone is reading every packet you send and receive by Wi-Fi.
* Always assume that an "evil twin" is lurking near every Wi-Fi access point.

In following the first rule, don't worry about appearing to be rude or paranoid by moving the laptop screen position to block the view of your fingers as you're typing a password or user ID. Do the same thing to prevent those sitting to your right, left, or behind you on the plane, in the airport, or anywhere else from getting an eyeful of corporate secrets. Act as if it is the most normal thing in the world to expect a little privacy, because it is, just as it is when you're entering your PIN at an ATM.

Better than the above is not to do any of those things when you are close enough to others that they can see what you're trying to protect, even inadvertently.

While we're talking about physical security at the keyboard, password protect your laptop and set the timeout on your screensaver to a low number. Leaving your laptop behind in the hotel room while you go out for dinner or a meeting? Fine. Disconnect it from the network, power it down, and lock it.

The Wall of Shame

So much for point one -- on to point two. At Defcon each year, a group of attendees sniffs every packet sent and received via the wireless access points, looking for user IDs and passwords. Each time they find one, they unceremoniously add it to The Wall of Shame in public view. Just about the only thing easier than using a Wi-Fi network these days is intercepting the packets on it.

Avoid ending up on your own personal wall of shame by using only secure, encrypted connections to access your email, corporate accounts, financial data, and anything else of value. If your business or ISP provides Web mail, use it instead of unencrypted connections to POP or IMAP mail servers. A virtual private network between your laptop and headquarters or your home office is even more secure.
The bad guys will still be able to intercept every packet, but if they are protected by encryption, you're way ahead of the game. Most script kiddies stand about as much chance of cracking a recent WEP or WPA encryption scheme as they do of winning the Lotto. But there are others who will only be slowed down.

The evil twin

Finally, what about that intriguingly named evil twin? That's what security pros are calling a phishing scheme where the bad guys spoof a legitimate WAP's service set identifier (SSID), the name that differentiates one access point from another. Evil twins disrupt traffic to the authentic WAP and those associated with it lose their connection, then automatically re-associate with the device with the spoofed SSID.

You can avoid falling victim to this deception by not automatically attaching to a WAP and by not running your wireless connection in ad hoc mode. Know the SSID of the network you want to attach to, and learn what security options, if any, are available for it. Always use WEP or WPA instead of unprotected connectivity if you have that choice. If you can't, don't access sensitive data over the wireless connection, period. And finally, running a firewall -- the default behavior on most modern Linux distributions -- is a very good idea.

Your common sense is your best protection against losing confidential or personal data. Always behave as if the bad guys are really there, and that they really want all of your data. Acting on these assumptions is not a guarantee of wireless security, but following them will make you a lot safer than you would be otherwise.

From isn at c4i.org Thu May 4 04:15:36 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:15:36 -0500 (CDT)
Subject: [ISN] Apple online store hacked
Message-ID:

http://networks.silicon.com/webwatch/0,39024667,39158606,00.htm

By Dan Ilett
3 May 2006

Apple's Korean online store has been defaced by a hacker.
The attack, carried out by someone working under the name 'Dinam', who claimed in his post to be Turkish, was brought to the attention of silicon.com last Thursday. The defacement was removed from Apple's website shortly after silicon.com alerted the company. Apple has subsequently refused to comment on the matter.

Jason Hart, CEO of security company Whitehat UK, told silicon.com: "The defacer has managed to get administrator access to the web server."

Although Hart suspected the hacker was after little more than "self-gratification" through vandalising the site, he said Apple should communicate what happened to its customers to end speculation.

Hart said: "The worst thing Apple can do is not tell customers what has happened. It's like all the big companies though - they're constantly having to defend themselves as they're being probed all the time."

The defacement - which took the form of a dozen lines of code posted to the apple.co.kr homepage - was documented on hackers' forum zone-h.org, which said Dinam attacked a Mac OSX server running Apache.

Richard Starnes, president of the Information Systems Security Association UK, said: "Defacements are not that big a deal provided the customer data has not been disclosed or they have suffered an economic impact.

"Defacements just tend to be embarrassing. But we know Apple is a good company and takes defacements seriously."

From isn at c4i.org Thu May 4 04:15:03 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:15:03 -0500 (CDT)
Subject: [ISN] Vietnam hacker to face the long arm of the law
Message-ID:

http://www.thanhniennews.com/education/?catid=4&newsid=15117

Translated by Thanh Tuan
Vietnamnet
May 4, 2006

The Ministry of Public Security decided Wednesday to go ahead with the prosecution of hacker Nguyen Thanh Cong for alleged links with a gang forging fake ATM cards.
The initial investigation reported that Cong had misappropriated hundreds of millions of dong (US$1 is equal to around VND15,950) from ATM machines, although his exact role in the ring has yet to be determined.

Cong, also known by the moniker "DantruongX" from the "Be Yeu (Lovely babe)" hacker group, was arrested last week for waging a month of Denial of Service (DoS) attacks on a commercial website, causing devastating loss to its owner, Viet Co Ltd.

Viet Co normally has 40 technicians to keep the website up, and nearly went broke paying them during the idle month it was under the DoS attacks initiated by Cong, according to local media.

A denial of service attack is an attack on a computer system or network that causes a loss of service to users, typically by overloading the victimized system, rendering website access impossible.

Cong's arrest came as little surprise to those in the IT community given the devastating losses to Viet Co. He is currently out on bail.

From isn at c4i.org Thu May 4 04:16:18 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:16:18 -0500 (CDT)
Subject: [ISN] IE 7.0 and Attractive Alternatives
Message-ID:

====================

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Thawte
http://list.windowsitpro.com/t?ctl=28F05:4FB69

Symantec
http://list.windowsitpro.com/t?ctl=28EFF:4FB69

IronPort
http://list.windowsitpro.com/t?ctl=28F01:4FB69

====================

1. In Focus: IE 7.0 and Attractive Alternatives

2. Security News and Features
- Recent Security Vulnerabilities
- Oracle Database Vault and Secure Backup Lock Down Access to Data
- AttachmateWRQ To Acquire NetIQ
- Name That Computer!

3. Security Toolkit
- Security Matters Blog
- FAQ
- Instant Poll
- Share Your Security Tips

4. New and Improved
- Put Endpoints to the Security Test

====================

==== Sponsor: Thawte ====

Learn all you need to know about code signing technology, including the goals and benefits of code signing, how code signing works and the underlying cryptographic and security concepts and building blocks.
http://list.windowsitpro.com/t?ctl=28F05:4FB69

====================

==== 1. In Focus: IE 7.0 and Attractive Alternatives ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Microsoft recently released Internet Explorer (IE) 7.0 Beta 2 for public download (first URL below). Even with the security and other improvements in IE 7.0, some people still think IE is substandard or that using IE is the equivalent of painting a target on your forehead. Still others have more scathing comments about IE: Industry luminary John Dvorak recently called IE a "dead albatross" in a column published on PC Magazine's Web site (second URL below).

http://list.windowsitpro.com/t?ctl=28F11:4FB69
http://list.windowsitpro.com/t?ctl=28F1D:4FB69

Dvorak thinks that trying to integrate the browser tightly with the OS was one of Microsoft's worst moves ever. That argument makes some sense given the number of security vulnerabilities that continue to be discovered in the browser. Dvorak thinks Microsoft should ditch IE and instead invest in Opera Software and make a large donation to Mozilla Foundation to help boost development of their respective browsers.

Such a move by Microsoft isn't likely. In fact, Microsoft is driving forward with IE tool proliferation.
If you have a copy of IE 7.0, head over to Microsoft's "Add-Ons for Internet Explorer" Web site at the URL below, where you'll find at least 63 third-party security-related tools arranged in four categories: Online Protection tools help guard against spyware and malware; Pop-Up Blockers are probably self-explanatory; Privacy tools help protect against exposure of your private information and guard against spyware and malware; and Parental Controls control online activity and help protect your children against a range of risks. Although the site claims to be for IE add-ons, you'll find many standalone tools, such as Microsoft Windows Defender and Lavasoft's Ad-Aware.

http://list.windowsitpro.com/t?ctl=28F18:4FB69

If IE 7.0 won't run on your particular platforms, then undoubtedly you know about Firefox ( http://list.windowsitpro.com/t?ctl=28F17:4FB69 ) and Opera ( http://list.windowsitpro.com/t?ctl=28F1C:4FB69 ), and might opt to use those browsers instead. But do you know about Maxthon Browser, Tablane, and Avant Browser?

Maxthon Browser, by Maxthon International, is designed on top of the IE engine and introduces a ton of new functionality not available in Microsoft's versions of IE. For example, Maxthon offers tabbed browsing, enhanced pop-up blocking, a quick way to delete private information that might be stored by the browser, enhanced drag-and-drop features, support for extensions and plug-ins, support for skins, support for many languages, and a whole lot more. In short, Maxthon (at the URL below) is what IE should have been years ago.

http://list.windowsitpro.com/t?ctl=28F1A:4FB69

Two other browsers, also based on the IE engine, that you might look into further are Tablane by Tablane Technology (at the first URL below) and Avant Browser, by Avant Force (at the second URL below). Tablane has some nice features, such as "lanes," which are a way of displaying multiple Web pages in a single view.
Other features include support for Really Simple Syndication (RSS) feeds and a unique function that lets you use multiple search engines at once.

http://list.windowsitpro.com/t?ctl=28F1B:4FB69
http://list.windowsitpro.com/t?ctl=28F16:4FB69

Avant Browser claims to be "the fastest browser on Earth" and has many interesting features, some of which are similar to those found in Maxthon, such as enhanced pop-up blocking and privacy controls. However, Avant doesn't use the common tabbed interface--instead it displays many resizable windows inside the browser's single window interface. Look at the screen capture on the browser's home page to see what I mean. Avant Force also says that Avant has "no security holes," which is an extraordinary claim. I'm sure security researchers will eventually put that claim to many tests.

So even if you can't use the new IE 7.0 for some reason, several alternatives can enhance the functionality and security of your current installation of IE. Do some research and testing to see if any of the alternatives might fit your needs.

====================

==== Sponsor: Symantec ====

A multi-tier approach to email security prevents unauthorized access and can stop spam, viruses, and phishing attacks. Learn to implement one today, and protect your network security and business systems!
http://list.windowsitpro.com/t?ctl=28EFF:4FB69

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=28F04:4FB69

Oracle Database Vault and Secure Backup Lock Down Access to Data

Oracle's new Database Vault provides more granular control over access privileges in Oracle Database.
Oracle also announced the availability of its new Secure Backup, which encrypts data written to tape and works with Oracle Database and various file systems on various platforms.
http://list.windowsitpro.com/t?ctl=28F0B:4FB69

AttachmateWRQ To Acquire NetIQ

AttachmateWRQ announced that it will acquire security solutions provider NetIQ for approximately $495 million in cash, which equates to about $12.20 per share of stock. NetIQ, founded in 1995, will no longer be publicly traded. Instead the company will become a business unit of AttachmateWRQ. The transaction is expected to close within 90 days.
http://list.windowsitpro.com/t?ctl=28F0E:4FB69

Name That Computer!

Jeff Fellinge takes a look at how naming conventions and IP standards can help you quickly identify systems and compares the approaches that two everyday Windows tools take to resolve IP addresses to names.
http://list.windowsitpro.com/t?ctl=28F0D:4FB69

====================

==== Resources and Events ====

Learn the essentials about how consolidation and selected technology updates build an infrastructure that can handle change effectively.
http://list.windowsitpro.com/t?ctl=28F00:4FB69

Use virtual server technology to consolidate your production environment using only a fraction of the server hardware in the data center. Live Event: Thursday, May 18
http://list.windowsitpro.com/t?ctl=28EFE:4FB69

Design effective policies to protect your company's assets and data. Don't accidentally damage what you mean to protect! View this on-demand seminar today.
http://list.windowsitpro.com/t?ctl=28F02:4FB69

Learn to differentiate alternative solutions to disaster recovery for your Windows-based applications to determine what works for you and ensure seamless recovery of your key systems--whether a disaster strikes just one server or the whole site.
Live event: Thursday, May 11
http://list.windowsitpro.com/t?ctl=28F09:4FB69

Increase administration efficiency, build flexible yet inexpensive file-server environments, and maximize potential through consolidation of your SQL Server environment. Make the most of your resources today!
http://list.windowsitpro.com/t?ctl=28F03:4FB69

====================

==== Featured White Paper ====

Learn how to address challenges such as making email truly available 24x7x365, securing against viruses, comprehensively backing up email data, and more.
http://list.windowsitpro.com/t?ctl=28EFD:4FB69

====================

==== Hot Spot: IronPort ====

Learn the best ways to manage your email security (and fight spam) using a variety of solutions and tips.
http://list.windowsitpro.com/t?ctl=28F01:4FB69

====================

==== 3. Security Toolkit ====

Security Matters Blog: Use the Command Line, Luke
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=28F12:4FB69

If Luke Skywalker were a security administrator, his most powerful tools might be command-line tools. If you think you can figure out how to terminate a bunch of processes, some of which spawn new processes when they're terminated, you might want to take the hacking challenge "Star Hacks, Episode V: The Empire Hacks Back" described in this blog article.
http://list.windowsitpro.com/t?ctl=28F0C:4FB69

FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=28F10:4FB69

Q: How can I verify whether a domain controller (DC) is in a certain site?

Find the answer at http://list.windowsitpro.com/t?ctl=28F0F:4FB69

Instant Poll

What are your vacation plans for this summer?
- Taking 1 week - Taking 2 weeks - Taking 3 weeks - Not taking any time off - Taking my work to the beach Go to the Windows IT Pro home page and submit your vote http://list.windowsitpro.com/t?ctl=28F13:4FB69 Share Your Security Tips and Get $100 Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to r2rwinitsec at windowsitpro.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length. ==================== ==== Announcements ==== (from Windows IT Pro and its partners) Windows IT Pro Master CD--SAVE 50%! Subscribe today and get portable, high-speed access to the entire Windows IT Pro article database on CD: a searchable library that includes every Windows IT Pro issue ever published. The newest issue also includes BONUS Windows IT Tips. Order now and save: http://list.windowsitpro.com/t?ctl=28F06:4FB69 May Exclusive--Save $100 off the Exchange & Outlook Newsletter For a limited time, order the Exchange & Outlook Administrator newsletter and SAVE up to $100! You'll get 12 helpful issues loaded with solutions you won't find anywhere else and FREE access to the entire Exchange & Outlook online article database. Subscribe now: http://list.windowsitpro.com/t?ctl=28F08:4FB69 ==================== ==== 4. New and Improved ==== by Renee Munshi, products at windowsitpro.com Put Endpoints to the Security Test Senforce Technologies launched Senforce intelligent Network Access Control. iNAC compares the security state of an endpoint device that's attempting to connect to a network to a policy that defines security conditions that must be met to allow network access. IT administrators can create access policies that define which applications and services are permitted and that specify actions to take when endpoints don't comply. Pricing starts at $65 per user and quantity discounts are available. 
For more information, visit http://list.windowsitpro.com/t?ctl=28F19:4FB69 Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to whatshot at windowsitpro.com. ==================== ==== Contact Us ==== About the newsletter -- letters at windowsitpro.com About technical questions -- http://list.windowsitpro.com/t?ctl=28F14:4FB69 About product news -- products at windowsitpro.com About your subscription -- windowsitproupdate at windowsitpro.com About sponsoring Security UPDATE -- salesopps at windowsitpro.com ==================== This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today. http://list.windowsitpro.com/t?ctl=28F0A:4FB69 View the Windows IT Pro privacy policy at http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy Windows IT Pro, a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538 Attention: Customer Service Department Copyright 2006, Penton Media, Inc. All rights reserved. From isn at c4i.org Thu May 4 04:16:31 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 4 May 2006 03:16:31 -0500 (CDT) Subject: [ISN] Trojan Snags World Of Warcraft Passwords To Cash Out Accounts Message-ID: http://www.informationweek.com/news/showArticle.jhtml?articleID=187002835 By Gregg Keizer TechWeb.com May 2, 2006 A new password-stealing Trojan targeting players of the popular online game "World of Warcraft" hopes to make money off secondary sales of gamer goods, a security company warned Tuesday. 
MicroWorld, an India-based anti-virus and security software maker with offices in the U.S., Germany, and Malaysia, said that the PWS.Win32.WOW.x Trojan horse was spreading fast, and attacking World of Warcraft players.

If the attacker managed to hijack a password, he could transfer in-game goods -- personal items, including weapons -- that the player had accumulated to his own account, then later sell them for real-world cash on "gray market" Web sites. Unlike some rival multiplayer online games, Warcraft's publisher, Blizzard Entertainment, bans the practice of trading virtual items for real cash.

"Win32.WOW is a clear indication that malware writers are targeting anything that involves money," said MicroWorld chief executive Govind Rammurthy in a statement. "Bucks may be smaller compared to a Trojan that steals bank accounts or credit card numbers...[but] cyber criminals are not complaining as long as the target is soft and numbers are high."

The Trojan spreads via traditional vectors, such as e-mail and peer-to-peer file sharing, added Rammurthy, but it has also been watched while it installs in a drive-by download from gaming sites' pop-up ads. The surreptitious installation is accomplished by exploiting various vulnerabilities in Microsoft's Internet Explorer Web browser.

Identity thieves have aimed at Warcraft previously. Just over a year ago, players were warned about a campaign that collected passwords from a bogus log-in site.

From isn at c4i.org Thu May 4 04:16:44 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:16:44 -0500 (CDT)
Subject: [ISN] Cyberattack knocks millions of blogs offline
Message-ID:

http://news.zdnet.com/2100-1009_22-6068344.html

By Joris Evers
CNET News.com
Published on ZDNet News
May 3, 2006

About 10 million LiveJournal and TypePad blogs were offline or barely reachable for several hours Tuesday as the result of a massive denial-of-service attack. The attack started around 4 p.m.
PDT, targeting the popular blogging services and the corporate Web site of their provider Six Apart, company vice president Anil Dash said in an interview Wednesday. Service was back to normal at midnight, according to Six Apart's Web site.

"Any large service tends to have a pretty constant level of attacks, but this was on a scale that I don't think anybody could have anticipated," Dash said. "I think it is of a scale that would have impacted any large site on the Web."

In a distributed denial-of-service, or DDoS, attack the target is overloaded with requests for information. The requests come from a large number of hosts, typically compromised computers. As a result, legitimate users can no longer access the site.

Six Apart intends to report the attack to the authorities, such as the FBI, but hasn't done so yet, Dash said. "We have not yet had the time to think about the next steps yet," he said.

The San Francisco company has some theories on the origin and motivation of the attack, but Dash declined to speculate. Unlike large online businesses, Six Apart isn't typically the object of large-scale onslaughts, Dash said. If it does face an attack, often the problem is related to the content posted on one of the blogs it hosts, he said.

Six Apart's main hosting facility is in a large data center located at 365 Main in San Francisco. The attack morphed as the blog company tried to respond, making it more challenging to deal with. "They were changing pretty rapidly," Dash said. "We have learned enough that if it does happen again, we know what to do."

Six Apart plans to make amends to its customers, but has not yet decided how. Late last year, when it had some performance issues, it let its users decide how they wanted to be compensated, Dash said. "We will definitely do whatever makes things right for them," he said.

From isn at c4i.org Thu May 4 04:16:56 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 4 May 2006 03:16:56 -0500 (CDT)
Subject: [ISN] Info. assurance a matter of survival
Message-ID:

http://www.gcn.com/online/vol1_no1/40663-1.html

By Patience Wait
GCN Staff
05/03/06

SALT LAKE CITY - Information management, and information assurance in particular, may be more mundane than other software topics but it is part of the foundation of all systems, according to Kelly Miller, chief systems engineer of the National Security Agency.

"I can't say [IA] has been ignored, but it has been under-emphasized," he said.

Miller, speaking to software engineers at the 18th annual Joint Services Systems and Software Technology Conference, adapted a saying of Charles Darwin to make his point. Where Darwin once said the creature that survives is not the smartest or the strongest but the one most adaptable to change, Miller said, "In the Information Age we're faced with, the survivors will be those who have the most assured information."

It takes the same skill set to defend networks as to exploit them, he said. But the emphasis is not equal - it only takes one vulnerability to exploit a system, but to protect a system all the vulnerabilities have to be guarded.

The global network is a "national interest item," he said. The size of the problem is breathtaking, with 20 million e-mails a minute zipping around the globe and 40 million voicemails left each hour. And supervisory control and data acquisition networks, used throughout the chemical and utilities industries, were developed years before the Internet and never designed to include computer security.

The biggest threat is spyware - "the new spam," Miller called it. A recent survey found that 87 percent of business PCs and 88 percent of consumers' computers are infected.

With a dearth of skilled professionals to address the challenge, Miller said a national strategy for IA needs to be created and executed.

"Our operations, organizations, laws and policies have not kept pace with this changing technology," Miller said. "The current defense is not effective...
Not only are we not keeping pace, we're taking a step backwards."

From isn at c4i.org Fri May 5 01:26:23 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 5 May 2006 00:26:23 -0500 (CDT)
Subject: [ISN] Blue Security offloads DoS attack onto blogs
Message-ID:

http://www.channelregister.co.uk/2006/05/04/blue_security_dos_flak/

By John Leyden
4 May 2006

A denial of service attack against Blue Security, distributors of a controversial anti-spam system, has taken the firm's site offline. Mistakes in the firm's response to the attack have been linked to a traffic flood that took numerous blogs offline too.

Blue Security has established a 'Do Not Intrude Registry' (akin to the Do Not Call Registry for telemarketing) with around 450,000 members. Participants download a small tool, called Blue Frog, which systematically floods the websites of spammers with opt-out messages. Depending on your point of view, this initiative can either be viewed as community action or vigilantism.

Earlier this week members of the Blue community received aggressive spam messages from an unknown group in an attempt to intimidate users into dropping out of Blue Security's network. Ordinary punters who had nothing to do with Blue Security also received the same messages, proving, if proof were needed, that the belligerent junk mail campaign was a scatter-shot affair.

This campaign of intimidation was followed by a denial of service attack against Blue Security's website on Wednesday. Posts in the North American Network Operators Group mailing list report that during the ongoing attack traffic heading for bluesecurity.com was offloaded to the firm's TypePad-hosted weblog, bluesecurity.blogs.com. This configuration change is blamed for taking the website of blogging outfit Six Apart, which runs TypePad and LiveJournal, offline too, leaving the information superhighway temporarily bereft of the outpourings of numerous bloggers.

Six Apart, rather gallantly, has been careful not to blame Blue Security but others have criticised the latter firm for redirecting the flood it was receiving. Six Apart restored services to normal early on Thursday morning while Blue Security's website was still unavailable by tapas time on Thursday.

A spokeswoman for Blue Security confirmed that its site was under attack. She added that the firm regretted making configuration changes, since amended, that hit Six Apart's services.

From isn at c4i.org Fri May 5 01:26:38 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 5 May 2006 00:26:38 -0500 (CDT)
Subject: [ISN] Idaho utility hard drives -- and data -- turn up on eBay
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,111148,00.html

By Sharon Fisher
MAY 04, 2006
COMPUTERWORLD

Anybody with five bucks and a little patience may be able to score sensitive corporate or customer data on eBay.

If your organization has engaged in the common practice of disk drive recycling -- selling unneeded disk drives directly or through a service -- company data might wind up for sale on eBay Inc.'s auction site, even if the drives have been wiped first.

Idaho Power Co. discovered that possibility last week as it scrambled to track down company disk drives that had been sold on eBay without having been scrubbed first. The Boise, Idaho-based utility serves approximately 460,000 customers in the southern part of Idaho and in eastern Oregon. Data on the drives, which had been used in servers, contained proprietary company information such as memos, correspondence with some customers and confidential employee information, the company said.

Idaho Power had recycled approximately 230 SCSI drives -- a year's worth of updates -- through a single salvage vendor, Grant Korth, which then sold 84 of the drives to 12 parties through eBay. The company recovered 146 of the drives from the vendor.
It also got assurances from 10 of the 12 parties that bought them on eBay that the drives would be returned or the data on them would not be saved or distributed. The other two drives are still being tracked down; an Idaho Power spokesman did not know what information was on them. Nampa, Idaho-based Grant Korth refused to comment.

In the meantime, Idaho Power has launched an independent investigation through Blank Law & Technology PS in Seattle into why its policy on scrubbing drives was not followed. Typically, Idaho Power was to have either physically destroyed the drives or scrubbed them to U.S. Department of Defense standards -- which involves degaussing them or overwriting the data with a minimum of three specified patterns -- and the salvage vendor was to have done the same, the Idaho Power spokesman said. The company's probe could take several months, depending on what data was on the drives, he said. Similarly, Idaho Power will not know what regulatory penalties might apply until its investigation is completed.

Idaho Power is not alone, said Frances O'Brien, a research vice president for asset management at Gartner Inc. "It happens all the time," she said. Typically, a user either doesn't know to clean the drives or doesn't do it correctly, she said. According to a Gartner survey, organizations use outside companies to dispose of PCs 29% of the time and to get rid of servers 31% of the time. Other methods included donating hardware, putting it in storage, selling it to employees, returning it to the vendor and selling it to third parties.

Aside from the financial concerns with losing data, organizations that improperly recycle disk drives can run afoul of a number of regulations, depending on their industry: the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act for the banking industry, the Family Educational Rights and Privacy Act for educational institutions and the Fair and Accurate Credit Transactions Act. In addition, several states, including California and New York, have broad-based privacy regulations, said Robert Houghton, president of Redemtech Inc., a Columbus, Ohio-based outsourcer.

The problem is widespread. Gartner estimates that through 2009, consumers and businesses will replace more than 800 million PCs worldwide and dispose of an estimated 512 million.

What's more, a company can get a bad reputation for not taking proper care of personal data, O'Brien said. When companies hire an outsourcer -- which is a practice that Gartner recommends -- they need to be careful of what the salvage company will do and how it will prove it. "If everyone else is charging $20, and someone says they'll do it for $2, you've got to wonder why," she said.

Simson Garfinkel, a postdoctorate fellow at Harvard University's Center for Research on Computation and Society, researched the issue by buying more than 1,000 hard drives on eBay to see what sort of data could be gleaned from them. He found disk drives that held information from an automated teller machine, a drive from a medical center that held 31,000 credit card numbers, a supermarket credit card processor and a travel agency that had discarded data on travel plans, credit card numbers and ticket numbers. "One of the drives had consumer credit applications on it -- names, work histories, Social Security numbers -- all the information you need to apply for credit."

Even though drives may have been wiped of data, someone with the know-how and patience could still retrieve information, Garfinkel said.
Standard tools such as Format and Delete simply remove the reference to the files -- the data is still there. Garfinkel himself has written a number of tools to retrieve information such as e-mail addresses and credit card numbers on wiped disks. Despite his findings, Garfinkel said companies seem to be doing a better job protecting data, and he pointed to the Fair and Accurate Credit Transactions Act as a possible reason. "The percentage of drives out there that have usable data is going down, so companies are more aware of the issue," he said. Similarly, when Houghton's company has done an audit on clients' supposedly wiped disk drives, 25% to 30% of them still had readable data, he said. Idaho Power said that in the future, it will destroy drives rather than sell them for salvage -- a policy Garfinkel backs. "The resale value of a hard drive is really minuscule, and it's easy to verify it's been destroyed," he said. "These things are worth $5 to $20 each. I don't think anyone's buying them on the secondary market for extortion, but you never know." From isn at c4i.org Fri May 5 01:18:42 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 5 May 2006 00:18:42 -0500 (CDT) Subject: [ISN] Q. What could a boarding pass tell an identity fraudster about you? A. Way too much Message-ID: http://www.guardian.co.uk/idcards/story/0,,1766266,00.html The Guardian May 3, 2006 This is the story of a piece of paper no bigger than a credit card, thrown away in a dustbin on the Heathrow Express to Paddington station. It was nestling among chewing gum wrappers and baggage tags, cast off by some weary traveller, when I first laid eyes on it just over a month ago. The traveller's name was Mark Broer. I know this because the paper - actually a flimsy piece of card - was a discarded British Airways boarding-pass stub, the small section of the pass displaying your name and seat number. The stub you probably throw away as soon as you leave your flight. 
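The point the article makes in two places (Delete and Format only drop the reference to the file while the sectors keep their contents, so a carving tool of the kind Garfinkel wrote can pull e-mail addresses and card numbers straight out of the raw disk, whereas a multi-pass overwrite of the whole surface followed by a read-back verification leaves nothing to carve) is easy to see on a toy volume. The Python below is an added example written for this page; it is not Garfinkel's software and not Idaho Power's or Redemtech's procedure. The ToyDisk volume, the memo text and the three-pass pattern set (0x00, 0xFF, random, then verify) are constructed assumptions standing in for a real drive and for the exact patterns of the DoD standard the article mentions.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

SECTOR = 512


class ToyDisk:
    """Constructed toy volume, not a real filesystem (an assumption for this
    example).  A Python-side directory maps names to (start_sector, length)
    and `image` holds the raw sectors.  Like a FAT delete or a quick Format,
    delete_file() only drops the directory entry; the sectors keep their
    bytes."""

    def __init__(self, sectors: int = 64) -> None:
        self.image = bytearray(sectors * SECTOR)
        self.directory: Dict[str, Tuple[int, int]] = {}
        self.next_free = 1  # sector 0 reserved, as a boot/directory sector would be

    def write_file(self, name: str, data: bytes) -> None:
        start = self.next_free
        self.image[start * SECTOR:start * SECTOR + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free += (len(data) + SECTOR - 1) // SECTOR

    def read_file(self, name: str) -> Optional[bytes]:
        """What the OS offers: nothing once the directory entry is gone."""
        entry = self.directory.get(name)
        if entry is None:
            return None
        start, length = entry
        return bytes(self.image[start * SECTOR:start * SECTOR + length])

    def delete_file(self, name: str) -> None:
        del self.directory[name]  # the data sectors are untouched


# Carving ignores the directory entirely and scans raw sectors, which is
# all a buyer of a second-hand drive needs to do.
CARD_RE = re.compile(rb"(?<!\d)(\d{13,16})(?!\d)")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check-digit test, used to separate card numbers from other digit
    runs (invoice or phone numbers) that match the same regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def carve(image: bytes) -> Dict[str, List[str]]:
    cards = {m.group(1).decode() for m in CARD_RE.finditer(image)
             if luhn_ok(m.group(1))}
    emails = {m.group(0).decode() for m in EMAIL_RE.finditer(image)}
    return {"cards": sorted(cards), "emails": sorted(emails)}


def sanitize(disk: ToyDisk) -> bool:
    """Whole-surface overwrite in three passes (0x00, 0xFF, random) and a
    read-back verification of the final pass.  The pattern set is an
    assumption standing in for the DoD-style procedure in the article; the
    points that matter are that every sector is written, not only the
    allocated ones, and that the result is verified rather than trusted."""
    size = len(disk.image)
    passes = [b"\x00" * size, b"\xff" * size, os.urandom(size)]
    for pattern in passes:
        disk.image[:] = pattern
    disk.directory.clear()
    disk.next_free = 1
    return bytes(disk.image) == passes[-1]


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]], bool]:
    """Write a memo, 'delete' it, carve, wipe, carve again."""
    disk = ToyDisk()
    # Constructed memo.  4111111111111111 is the standard Luhn-valid test
    # number; the invoice number fails Luhn and is correctly ignored.
    memo = (b"MEMO: refund to billing@example.com, card 4111111111111111, "
            b"invoice 1234567890123456\n")
    disk.write_file("memo.txt", memo)
    disk.delete_file("memo.txt")
    assert disk.read_file("memo.txt") is None  # the OS says it is gone
    after_delete = carve(bytes(disk.image))
    verified = sanitize(disk)
    after_wipe = carve(bytes(disk.image))
    return after_delete, after_wipe, verified


if __name__ == "__main__":
    before, after, ok = demo()
    print("carved after delete:", before)
    print("carved after wipe:  ", after, "verified:", ok)
```

Run it and the first carve returns the card number and the address although the OS reports no such file; the second returns nothing and the verification passes. On real hardware the same verify step is what separates a wipe you can attest to from one you assume, and the Luhn filter is what keeps a carving run from drowning in invoice and serial numbers. Physical destruction, which the article says Idaho Power has now adopted, avoids having to trust the verification at all.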
It said Broer had flown from Brussels to London on March 15 at 7.10am on BA flight 389 in seat 03C. It also told me he was a "Gold" standard passenger and gave me his frequent-flyer number. I picked up the stub, mindful of a conversation I had had with a computer security expert two months earlier, and put it in my pocket. If the expert was right, this stub would enable me to access Broer's personal information, including his passport number, date of birth and nationality. It would provide the building blocks for stealing his identity, ruining his future travel plans - and even allow me to fake his passport. It would also serve as the perfect tool for demonstrating the chaotic collection, storage and security of personal information gathered as a result of America's near-fanatical desire to collect data on travellers flying to the US - and raise serious questions about the sort of problems we can expect when ID cards are introduced in 2008. To understand why the piece of paper I found on the Heathrow Express is important, it is necessary to go back not, as you might expect, to 9/11, but to 1996 and the crash of TWA Flight 800 over Long Island Sound, 12 minutes out of New York, with the loss of 230 lives. Initially, crash investigators suspected a terrorist bomb might have brought down the aircraft. This was later ruled out, but already the Clinton administration had decided it was time to devise a security system that would weed out potential terrorists before they boarded a flight. This was called Capps, the Computer Assisted Passenger Pre-screening System. It was a prosaic, relatively unambitious idea at first. For example, in highly simplistic terms, if someone bought a one-way ticket, paid in cash and checked in no baggage, they would be flagged up as an individual who had no intention of arriving or of going home. A bomber, perhaps. 
After 9/11, the ambitions for such screening grew exponentially and the newly founded Department of Homeland Security began inviting computer companies to develop intelligent systems that could "mine" data on individuals, whizzing round state, private and public databases to establish what kind of person was buying the ticket. In 2003, one of the pioneers of the system, speaking anonymously, told me that the project, by now called Capps II, was being designed to designate travellers as green, amber or red risks. Green would be an individual with no criminal record - a US citizen, perhaps, who had a steady job and a settled home, was a frequent flyer and so on. Amber would be someone who had not provided enough information to confirm all of this and who might be stopped at US Immigration and asked to provide clearer proof of ID. Red would be someone who might be linked to an ever-growing list of suspected terrorists - or someone whose name matched such a suspect. "If you are an American who has volunteered lots of details proving that you are who you say you are, that you have a stable home, live in a community, aren't a criminal, [Capps II] will flag you up as green and you will be automatically allowed on to your flight," the pioneer told me. "The problem is that if the system doesn't have a lot of information on you, or you have ordered a halal meal, or have a name similar to a known terrorist, or even if you are a foreigner, you'll most likely be flagged amber and held back to be asked for further details. If you are European and the US government is short of information on you - or, as is likely, has incorrect information on you - you can reckon on delay after delay unless you agree to let them delve into your private details. 
"That is inconvenient enough but, as we tested the system, it became clear that information was going to be used to build a complete picture of you from lots of private databases - your credit record, your travel history, your criminal record, whether you had the remotest dubious links with anyone at your college who became a terrorist. I began to feel more and more uncomfortable about it." Eventually, he quit the programme. All of this was on my mind as I sat down with my computer expert, Adam Laurie, one of the founders of a company called the Bunker Secure Hosting, to examine Broer's boarding-pass stub. Laurie is known in cyber-circles as something of a white knight, a computer wizard who not only advises companies on how to make their systems secure, but also cares about civil rights and privacy. He and his brother Ben are renowned among web designers as the men who developed Apache SSL - the software that makes most of the world's web pages secure - and then gave it away for free. We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information. Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.) Laurie was anything but smug. "This is terrible," he said. 
"It just shows what happens when governments begin demanding more and more of our personal information and then entrust it to companies simply not geared up for collecting or securing it as it gets shared around more and more people. It doesn't enhance our security; it undermines it." Just over $100m had been spent on Capps II before it was scrapped in July 2004. Campaigners in the US had objected to it on grounds of privacy, and airlines such as JetBlue and American faced boycotts when it emerged that they were involved in trials - handing over passenger information - with the Department of Homeland Security's Transportation Security Administration. Even worse, JetBlue admitted it had given the private records of 5 million passengers to a commercial company for analysis - and some of this was posted on the internet. But the problems did not end with the demise of Capps II. Earlier that month, after 18 months of acrimonious negotiation, the EU caved in to American demands that European airlines, too, should hand over passenger information to the United States Bureau of Customs and Border Protection, BCBP, before their aircraft would be allowed to land on US soil. The BCBP wanted up to 60 pieces of information routinely gathered by booking agencies and stored as a Passenger Name Record, PNR. This included not only your flight details, name, address and so on, but also your travel itinerary, where you were staying, with whom you travelled, whether you booked a hire car in the US, whether you booked a smoking room in your hotel, even if you ordered a halal or kosher meal. And the US authorities wanted to keep it all for 50 years. At first, the European Commission argued that surrendering such information would be in breach of European data protection law. Eventually, however, in the face of huge fines for airlines and cancelled landing slots, it agreed that 34 items from PNRs could be handed over and kept by the US for three and a half years. 
Capps II was superseded by a new system called Secure Flight in August 2004. Later, in October last year, the BCBP demanded that airlines travelling to, or through, the US should forward "advance passenger information", including passport number and date of birth, before passengers would be allowed to travel. It called this the advance passenger information system, or APIS. This is the information that Laurie and I had accessed through the BA website. "The problem here is that a commercial organisation is being given the task of collecting data on behalf of a foreign government, for which it gets no financial reward, and which offers no business benefit in return," says Laurie. "Naturally, in such a case, they will seek to minimise their costs, which they do by handing the problem off to the passengers themselves. This has the neat side-effect of also handing off liability for data errors. "You can imagine the case where a businessman's trip gets delayed because his passport details were incorrectly entered and he was mistaken for a terrorist. Since BA didn't enter the data - frequent flyers are asked to do it themselves - they can't be held responsible and can't be sued for his lost business." By the time I found the ticket stub and went to Laurie, he had already reported his suspicions about a potential security lapse to BA (on January 20) by email. He received no response, so followed up with a telephone call asking for the airline's security officer. He was told there wasn't one, so he explained the lapse to an employee. Nothing was done and he still has not been contacted. Three months ago, after further objections in the US, but before our investigation, Secure Flight was suspended after costing the US taxpayer $144m. At the time, Kip Hawley, transportation security administrator, said: "While the Secure Flight regulation is being developed, this is the time to ensure that the Secure Flight security, operational and privacy foundation is solid." 
The TSA said it would continue its passenger pre-screening programme in yet another guise after it had been audited and added that it had plans to introduce more security, privacy and redress for errors - confirming critics' suspicions that no such systems were yet in place. To the consternation of privacy activists in Europe, the TSA also spelled out plans for its desire for various US government departments to share information, including yours and mine. Dr Gus Hosein, a visiting fellow specialising in privacy and terrorism at the London School of Economics, is concerned about where the whole project will go next. "They want to extend the advance passenger information system [APIS] to include data on where passengers are going and where they are staying because of concerns over plagues," he says. "For example, if bird flu breaks out, they want to know where all the foreign travellers are. The airlines hate this. It is a security nightmare. Soon the US will demand biometric information [fingerprints, retina scans etc] and they will share that around. "But what the BA lapse shows is that companies cannot be trusted to gather this information without it getting out to criminals who would abuse it. The potential for identity theft is huge, but the number of agencies among which it will be shared is just growing and growing." And that is where concern comes in over the UK's proposed ID cards, which may one day be needed to travel to the US. According to the Home Office, the identity cards bill currently going through Parliament allows for up to 40 pieces of personal information to be held on the proposed ID card, with digital biometric details of all of your fingerprints, both your irises and your face, all of which can be transmitted to electronic readers. The cards will contain a microchip the size of a grain of sand linked to a tiny embedded antenna that transmits all the information when contacted by an electronic reader. 
This readable system, known as Radio Frequency Identification, or RFID, has recently been installed in new British passports. The Home Office says the information can be transmitted across a distance of only a couple of centimetres because the chips have no power of their own - they simply bounce back a response to a weak signal sent from passport readers at immigration points.

However, the suspicion is that the distance over which the signal can be read relates only to the weakness of the signal sent out by the readers. What if the readers sent out much stronger signals? Potentially, then, criminals with powerful readers could suck out your information as you passed by. The Government denies that this scenario is viable, but, in January, Dutch security specialists Riscure successfully read and decrypted information from its country's new biometric passports from a distance of about 30ft in just two hours.

"The Home Office says British passport information is encrypted, but it's a pretty basic form of encryption," says Hosein. "Everyone expects the ID cards to be equally insecure. If the government insists they won't be cracked, read or copied, they're kidding themselves and us."

BA has now closed its security loophole after being contacted by the Guardian in March, but that particular lapse is beside the point. Because of the pressure being applied to airlines by the US, breaches will happen again elsewhere as our personal data whizzes around the globe, often without our knowledge or consent. Meanwhile, accountability remains lamentable. Several calls to the US Transportation Security Administration were not returned.

Perhaps the last word should go to Mark Broer, the man whose boarding pass stub started off this virtual paper chase. He is aged 41 and is a successful executive with a pharmaceutical recruitment company. When I told him what we had done with his boarding pass stub, he was appalled.
"I travel regularly and, because I go to the US, I submitted my personal information and passport number - it is required if you are a frequent flyer and want to check yourself in," he says. "Experienced travellers today know that they have to give up information for ease of travel and to fight terrorism. It is an exchange of information in return for convenience. But as far as I'm concerned, having that information leaked out to people who could steal my identity wasn't part of the deal."

From isn at c4i.org Fri May 5 01:26:07 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 5 May 2006 00:26:07 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-18
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-04-27 - 2006-05-04

This week: 90 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

Secunia Survey

Secunia would like to invite you to participate in an electronic survey evaluating the usefulness of our mailing lists. To value your effort Secunia will offer you free access to the Secunia Security Manager for three months as well as have a prize draw for an iPod nano. We hope that you will give us a few minutes of your time, as your response will help us provide you with better services in the future. The questionnaire contains 19 questions and it takes approximately 5 minutes to answer the questionnaire.
https://ca.secunia.com/survey/?survey_url=kei933wBid2

The survey is being conducted in accordance with the general Secunia Security Policy and your answers will of course be kept strictly confidential.

Best regards,
Niels Henrik Rasmussen
CEO Secunia

========================================================================

2) This Week in Brief:

A vulnerability has been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Additional information and a solution are available in the referenced Secunia advisory.

Reference:
http://secunia.com/SA19880

--

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1. [SA19762] Internet Explorer "object" Tag Memory Corruption Vulnerability
2. [SA19802] Firefox "contentWindow.focus()" Deleted Object Reference Vulnerability
3. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information
4. [SA19631] Firefox Multiple Vulnerabilities
5. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
6. [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
7. [SA19900] X.Org X11 Render Extension Buffer Overflow Vulnerability
8. [SA19868] Linux Kernel CIFS chroot Directory Traversal Vulnerability
9. [SA19860] Oracle Database "DBMS_EXPORT_EXTENSION" Package SQL Injection
10. [SA19861] Invision Power Board "from_contact" SQL Injection Vulnerability

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA19942] BankTown BtCxCtl20Com ActiveX Control Buffer Overflow
[SA19934] Argosoft FTP Server "RNTO" Command Buffer Overflow
[SA19889] CyberBuild Multiple Vulnerabilities
[SA19875] Kerio MailServer Attachment Filter Bypass Vulnerability
[SA19965] Gene6 FTP Server MKD/XMKD Denial of Service Vulnerability
[SA19917] Golden FTP Server Pro NLST/APPE Command Denial of Service
[SA19864] Magic ISO Maker ISO File Extraction Directory Traversal

UNIX/Linux:
[SA19962] Debian update for ethereal
[SA19958] Red Hat update for ethereal
[SA19950] Ubuntu update for thunderbird
[SA19941] Debian update for mozilla-thunderbird
[SA19902] Gentoo update for mozilla
[SA19963] Debian update for clamav
[SA19960] Red Hat update for squirrelmail
[SA19959] Red Hat update for dia
[SA19949] Ubuntu update for libtiff4
[SA19936] Mandriva update for libtiff
[SA19926] Linux Kernel SCTP Netfilter Denial of Service Vulnerability
[SA19920] Rsync "xattrs.diff" Patch Integer Overflow Vulnerability
[SA19919] Gentoo update for mplayer
[SA19914] Gentoo update for phpwebsite
[SA19912] Gentoo update for clamav
[SA19897] SUSE Updates for Multiple Packages
[SA19880] ClamAV Freshclam HTTP Header Buffer Overflow Vulnerability
[SA19874] Mandriva update for clamav
[SA19872] Debian update for asterisk
[SA19951] Ubuntu update for xserver-xorg
[SA19943] Mandriva update for xorg-x11
[SA19921] SUSE update for xorg-x11-server
[SA19916] OpenBSD update for x.org
[SA19915] Gentoo update for xorg-x11
[SA19900] X.Org X11 Render Extension Buffer Overflow Vulnerability
[SA19955] Ubuntu update for kernel
[SA19906] NeoMail "sessionid" Cross-Site Scripting Vulnerability
[SA19885] DirectAdmin "domain" Cross-Site Scripting Vulnerability
[SA19879] CPS "pos" Cross-Site Scripting Vulnerability
[SA19966] Hostapd EAPoL Frame Handling Denial of Service
[SA19910] Quagga RIPd RIPv1 Request Handling Security Issue
[SA19928] ejabberd Insecure Temporary File Creation Vulnerability
[SA19903] TrueCrypt External Command Execution Vulnerability
[SA19898] Debian update for resmgr
[SA19887] Resource Manager resmgrd USB Device Granting Security Issue
[SA19869] Linux Kernel SMBFS chroot Directory Traversal Vulnerability
[SA19868] Linux Kernel CIFS chroot Directory Traversal Vulnerability

Other:
[SA19894] Fujitsu NetShelter/FW DNS Handling Denial of Service
[SA19881] Cisco Unity Express Expired Password Change Vulnerability
[SA19953] CA Resource Initialization Manager Privilege Escalation

Cross Platform:
[SA19952] Albinator File Inclusion and Cross-Site Scripting Vulnerabilities
[SA19944] phpBB phpbb-Auction Module "phpbb_root_path" File Inclusion
[SA19923] FtrainSoft Fast Click "path" File Inclusion Vulnerability
[SA19918] DMCounter "rootdir" File Inclusion Vulnerability
[SA19911] Aardvark Topsites PHP "CONFIG[path]" File Inclusion Vulnerability
[SA19907] Artmedic Event "page" File Inclusion Vulnerability
[SA19905] phpBB Advanced GuestBook "phpbb_root_path" File Inclusion
[SA19893] OpenPHPNuke master.php File Inclusion Vulnerability
[SA19892] phpBB Knowledge Base Mod File Inclusion Vulnerability
[SA19891] WEBInsta Limbo sql.php File Inclusion Vulnerability
[SA19886] X7 Chat "help_file" Directory Traversal Vulnerability
[SA19884] phpBB TopList "phpbb_root_path" File Inclusion Vulnerability
[SA19866] phpwcms Multiple Vulnerabilities
[SA19948] Invision Gallery "album" SQL Injection Vulnerability
[SA19933] CMScout Multiple Script Insertion Vulnerabilities
[SA19930] Russcom.Loginphp Script Insertion and Open Mail Relay
[SA19927] PHP Multiple Unspecified Vulnerabilities
[SA19925] PHP Linkliste "linkliste.php" Script Insertion Vulnerability
[SA19924] 321soft Php-Gallery Multiple Vulnerabilities
[SA19922] CGI:IRC client.c Buffer Overflow Vulnerability
[SA19908] 4images "sessionid" SQL Injection Vulnerability
[SA19904] PHP Newsfeed SQL Injection Vulnerabilities
[SA19899] Advanced Poll "User-Agent" SQL Injection Vulnerability
[SA19896] HB-NS Multiple Vulnerabilities
[SA19895] Ruperts News Script "username" SQL Injection
[SA19888] AZNEWS "ID" Parameter SQL Injection Vulnerability
[SA19883] TextFileBB BBcode Script Insertion Vulnerability
[SA19882] PHP Pro Publish SQL Injection Vulnerabilities
[SA19876] MaxTrade "categori" SQL Injection Vulnerability
[SA19870] Trac Wiki Macro Script Insertion Vulnerability
[SA19867] Leadhound SQL Injection and Cross-Site Scripting Vulnerabilities
[SA19940] VHCS "server_day_stats.php" Cross-Site Scripting Vulnerabilities
[SA19937] JSBoard "table" Cross-Site Scripting Vulnerability
[SA19935] MyNews Cross-Site Scripting Vulnerabilities
[SA19932] SF-Users "register.php" Script Insertion Vulnerability
[SA19913] phpkb Knowledge Base "searchkeyword" Cross-Site Scripting
[SA19909] Thyme "searchfor" Cross-Site Scripting Vulnerability
[SA19901] Invision Power Board Topic Deletion SQL Injection
[SA19878] Pinnacle Cart "setbackurl" Cross-Site Scripting Vulnerability
[SA19877] OrbitHYIP Multiple Cross-Site Scripting Vulnerabilities
[SA19871] SunShop Shopping Cart Cross-Site Scripting Vulnerabilities
[SA19865] MyBB Multiple SQL Injection Vulnerabilities
[SA19929] MySQL Information Disclosure and Buffer Overflow Vulnerabilities

========================================================================

5) Vulnerabilities Content Listing

Windows:
--
[SA19942] BankTown BtCxCtl20Com ActiveX Control Buffer Overflow
Critical: Highly critical; Where: From remote; Impact: System access; Released: 2006-05-03
Park Gyu Tae has discovered a vulnerability in BankTown BtCxCtl20Com ActiveX Control, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19942/

--
[SA19934] Argosoft FTP Server "RNTO" Command Buffer Overflow
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-03
Infigo Information Security has discovered a vulnerability in Argosoft FTP Server, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19934/

--
[SA19889] CyberBuild Multiple Vulnerabilities
Critical: Moderately critical; Where: From remote; Impact: Cross Site Scripting, Manipulation of data; Released: 2006-05-03
r0t has reported some vulnerabilities in CyberBuild, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19889/

--
[SA19875] Kerio MailServer Attachment Filter Bypass Vulnerability
Critical: Moderately critical; Where: From remote; Impact: Security Bypass; Released: 2006-05-02
A vulnerability has been reported in Kerio MailServer, which potentially can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19875/

--
[SA19965] Gene6 FTP Server MKD/XMKD Denial of Service Vulnerability
Critical: Less critical; Where: From remote; Impact: DoS; Released: 2006-05-04
Alexey Biznya has discovered a vulnerability in Gene6 FTP Server, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19965/

--
[SA19917] Golden FTP Server Pro NLST/APPE Command Denial of Service
Critical: Less critical; Where: From remote; Impact: DoS; Released: 2006-05-03
A vulnerability has been discovered in Golden FTP Server Pro, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19917/

--
[SA19864] Magic ISO Maker ISO File Extraction Directory Traversal
Critical: Less critical; Where: From remote; Impact: System access; Released: 2006-04-28
Sowhat has discovered a vulnerability in Magic ISO Maker, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19864/

UNIX/Linux:
--
[SA19962] Debian update for ethereal
Critical: Highly critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-04
Debian has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19962/

--
[SA19958] Red Hat update for ethereal
Critical: Highly critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-04
Red Hat has issued an update for ethereal. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19958/

--
[SA19950] Ubuntu update for thunderbird
Critical: Highly critical; Where: From remote; Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS, System access; Released: 2006-05-03
Ubuntu has issued an update for thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, disclose sensitive information, and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/19950/

--
[SA19941] Debian update for mozilla-thunderbird
Critical: Highly critical; Where: From remote; Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, DoS, System access; Released: 2006-05-04
Debian has issued an update for mozilla-thunderbird. This fixes some vulnerabilities and a weakness, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and phishing attacks, potentially disclose sensitive information, cause a DoS (Denial of Service), and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/19941/

--
[SA19902] Gentoo update for mozilla
Critical: Highly critical; Where: From remote; Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access; Released: 2006-05-01
Gentoo has issued an update for mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, cause a DoS (Denial of Service), disclose sensitive information, and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/19902/

--
[SA19963] Debian update for clamav
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-04
Debian has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19963/

--
[SA19960] Red Hat update for squirrelmail
Critical: Moderately critical; Where: From remote; Impact: Cross Site Scripting, Manipulation of data; Released: 2006-05-04
Red Hat has issued an update for squirrelmail. This fixes some vulnerabilities, which can be exploited by malicious users to manipulate certain information, and by malicious people to conduct cross-site scripting and script insertion attacks.
Full Advisory: http://secunia.com/advisories/19960/

--
[SA19959] Red Hat update for dia
Critical: Moderately critical; Where: From remote; Impact: System access; Released: 2006-05-04
Red Hat has issued an update for dia. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19959/

--
[SA19949] Ubuntu update for libtiff4
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-04
Ubuntu has issued an update for libtiff4. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19949/

--
[SA19936] Mandriva update for libtiff
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-04
Mandriva has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/19936/

--
[SA19926] Linux Kernel SCTP Netfilter Denial of Service Vulnerability
Critical: Moderately critical; Where: From remote; Impact: DoS; Released: 2006-05-04
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19926/

--
[SA19920] Rsync "xattrs.diff" Patch Integer Overflow Vulnerability
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-02
A vulnerability has been reported in rsync, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19920/

--
[SA19919] Gentoo update for mplayer
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-02
Gentoo has issued an update for mplayer. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/19919/

--
[SA19914] Gentoo update for phpwebsite
Critical: Moderately critical; Where: From remote; Impact: Exposure of sensitive information, System access; Released: 2006-05-03
Gentoo has issued an update for phpwebsite. This fixes a vulnerability, which can be exploited by malicious people to disclose sensitive information and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19914/

--
[SA19912] Gentoo update for clamav
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-03
Gentoo has issued an update for clamav. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19912/

--
[SA19897] SUSE Updates for Multiple Packages
Critical: Moderately critical; Where: From remote; Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, DoS, System access; Released: 2006-05-01
SUSE has issued updates for multiple packages. These fix some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to disclose sensitive information, conduct cross-site scripting attacks, execute arbitrary SQL code, cause a DoS (Denial of Service), and to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19897/

--
[SA19880] ClamAV Freshclam HTTP Header Buffer Overflow Vulnerability
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-01
A vulnerability has been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19880/

--
[SA19874] Mandriva update for clamav
Critical: Moderately critical; Where: From remote; Impact: DoS, System access; Released: 2006-05-02
Mandriva has issued an update for clamav. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19874/

--
[SA19872] Debian update for asterisk
Critical: Moderately critical; Where: From remote; Impact: Exposure of sensitive information, DoS, System access; Released: 2006-05-01
Debian has issued an update for asterisk. This fixes some vulnerabilities, which can be exploited by malicious users to disclose sensitive information, and by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19872/

--
[SA19951] Ubuntu update for xserver-xorg
Critical: Moderately critical; Where: From local network; Impact: DoS, System access; Released: 2006-05-04
Ubuntu has issued an update for xserver-xorg. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19951/

--
[SA19943] Mandriva update for xorg-x11
Critical: Moderately critical; Where: From local network; Impact: DoS, System access; Released: 2006-05-03
Mandriva has issued an update for xorg-x11. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19943/

--
[SA19921] SUSE update for xorg-x11-server
Critical: Moderately critical; Where: From local network; Impact: DoS, System access; Released: 2006-05-03
SUSE has issued an update for xorg-x11-server. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19921/

--
[SA19916] OpenBSD update for x.org
Critical: Moderately critical; Where: From local network; Impact: DoS, System access; Released: 2006-05-03
OpenBSD has issued an update for xorg-x11. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19916/

--
[SA19915] Gentoo update for xorg-x11
Critical: Moderately critical; Where: From local network; Impact: DoS, System access; Released: 2006-05-03
Gentoo has issued an update for xorg-x11. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19915/

--
[SA19900] X.Org X11 Render Extension Buffer Overflow Vulnerability
Critical: Moderately critical; Where: From local network; Impact: DoS, System access; Released: 2006-05-03
A vulnerability has been reported in X11, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19900/

--
[SA19955] Ubuntu update for kernel
Critical: Less critical; Where: From remote; Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS; Released: 2006-05-04
Ubuntu has issued an update for the kernel. This fixes some vulnerabilities and weaknesses, which can be exploited by malicious, local users to disclose potentially sensitive information, bypass certain security restrictions and cause a DoS (Denial of Service), or by malicious people to disclose certain system information and potentially bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19955/

--
[SA19906] NeoMail "sessionid" Cross-Site Scripting Vulnerability
Critical: Less critical; Where: From remote; Impact: Cross Site Scripting; Released: 2006-05-01
O.u.t.l.a.w has discovered a vulnerability in NeoMail, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19906/

--
[SA19885] DirectAdmin "domain" Cross-Site Scripting Vulnerability
Critical: Less critical; Where: From remote; Impact: Cross Site Scripting; Released: 2006-05-01
O.U.T.L.A.W has reported a vulnerability in DirectAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19885/

--
[SA19879] CPS "pos" Cross-Site Scripting Vulnerability
Critical: Less critical; Where: From remote; Impact: Cross Site Scripting; Released: 2006-05-01
r0t has reported a vulnerability in CPS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19879/

--
[SA19966] Hostapd EAPoL Frame Handling Denial of Service
Critical: Less critical; Where: From local network; Impact: DoS; Released: 2006-05-04
Matteo Rosi has reported a vulnerability in Hostapd, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19966/

--
[SA19910] Quagga RIPd RIPv1 Request Handling Security Issue
Critical: Less critical; Where: From local network; Impact: Security Bypass, Exposure of system information; Released: 2006-05-03
Konstantin V. Gavrilenko has reported two security issues in Quagga, which can be exploited by malicious people to bypass certain security restrictions and to disclose system information.
Full Advisory: http://secunia.com/advisories/19910/

--
[SA19928] ejabberd Insecure Temporary File Creation Vulnerability
Critical: Less critical; Where: Local system; Impact: Privilege escalation; Released: 2006-05-03
Julien L. has discovered a vulnerability in ejabberd, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
Full Advisory: http://secunia.com/advisories/19928/

--
[SA19903] TrueCrypt External Command Execution Vulnerability
Critical: Less critical; Where: Local system; Impact: Privilege escalation; Released: 2006-05-01
Julien Tinnes has reported a vulnerability in Truecrypt, which potentially can be exploited by malicious, local users to gain escalated privileges.
Full Advisory: http://secunia.com/advisories/19903/

--
[SA19898] Debian update for resmgr
Critical: Less critical; Where: Local system; Impact: Security Bypass; Released: 2006-05-01
Debian has issued an update for resmgr. This fixes a security issue, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19898/

--
[SA19887] Resource Manager resmgrd USB Device Granting Security Issue
Critical: Less critical; Where: Local system; Impact: Security Bypass; Released: 2006-05-01
A security issue has been reported in Resource Manager, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19887/

--
[SA19869] Linux Kernel SMBFS chroot Directory Traversal Vulnerability
Critical: Less critical; Where: Local system; Impact: Security Bypass; Released: 2006-04-28
Marcel Holtmann has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19869/

--
[SA19868] Linux Kernel CIFS chroot Directory Traversal Vulnerability
Critical: Less critical; Where: Local system; Impact: Security Bypass; Released: 2006-04-28
Marcel Holtmann has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19868/

Other:
--
[SA19894] Fujitsu NetShelter/FW DNS Handling Denial of Service
Critical: Moderately critical; Where: From remote; Impact: DoS; Released: 2006-05-02
A vulnerability has been reported in Fujitsu NetShelter/FW, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19894/

--
[SA19881] Cisco Unity Express Expired Password Change Vulnerability
Critical: Less critical; Where: From local network; Impact: Security Bypass, Manipulation of data; Released: 2006-05-02
A vulnerability has been reported in Cisco Unity Express (CUE), which can be exploited by malicious users to manipulate certain information.
Full Advisory: http://secunia.com/advisories/19881/ -- [SA19953] CA Resource Initialization Manager Privilege Escalation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2006-05-04 A vulnerability has been reported in CA Resource Initialization Manager (CAIRIM), which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/19953/ Cross Platform:-- [SA19952] Albinator File Inclusion and Cross-Site Scripting Vulnerabilities Critical: Highly critical Where: From remote Impact: Cross Site Scripting, System access Released: 2006-05-04 Pridels Sec Crew has reported some vulnerabilities in Albinator, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19952/ -- [SA19944] phpBB phpbb-Auction Module "phpbb_root_path" File Inclusion Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-03 VietMafia has discovered a vulnerability in the phpbb-Auction module for phpBB, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19944/ -- [SA19923] FtrainSoft Fast Click "path" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-03 R at 1D3N has discovered a vulnerability in FtrainSoft Fast Click, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19923/ -- [SA19918] DMCounter "rootdir" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-02 beford has discovered a vulnerability in the DMCounter, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/19918/ -- [SA19911] Aardvark Topsites PHP "CONFIG[path]" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-01 cijfer has discovered a vulnerability in Aardvark Topsites PHP, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19911/ -- [SA19907] Artmedic Event "page" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-01 A vulnerability been reported in Artmedic Event, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19907/ -- [SA19905] phpBB Advanced GuestBook "phpbb_root_path" File Inclusion Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-02 [Oo] has discovered a vulnerability in the Advanced Guestbook module for phpBB, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19905/ -- [SA19893] OpenPHPNuke master.php File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-01 [Oo] has reported a vulnerability in OpenPHPNuke, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19893/ -- [SA19892] phpBB Knowledge Base Mod File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-01 [Oo] has discovered a vulnerability Knowledge Base Mod for phpBB, which can be exploited by malicious people to compromise a vulnerable system. 
Full Advisory: http://secunia.com/advisories/19892/ -- [SA19891] WEBInsta Limbo sql.php File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-01 [Oo] has discovered a vulnerability in Limbo, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19891/ -- [SA19886] X7 Chat "help_file" Directory Traversal Vulnerability Critical: Highly critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, System access Released: 2006-05-02 rgod has discovered a vulnerability in X7 Chat, which can be exploited by malicious people to disclose sensitive information and by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19886/ -- [SA19884] phpBB TopList "phpbb_root_path" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-02 [Oo] has discovered a vulnerability in the TopList module for phpBB, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19884/ -- [SA19866] phpwcms Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, System access Released: 2006-05-01 bugreporter has reported some vulnerabilities in phpwcms, which can be exploited by malicious people to bypass certain security restrictions or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19866/ -- [SA19948] Invision Gallery "album" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2006-05-04 Devil-00 has reported a vulnerability in Invision Gallery, which can be exploited by malicious people to conduct SQL injection attacks. 
Full Advisory: http://secunia.com/advisories/19948/

--

[SA19933] CMScout Multiple Script Insertion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-04

Nomenumbra has discovered some vulnerabilities in CMScout, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/19933/

--

[SA19930] Russcom.Loginphp Script Insertion and Open Mail Relay

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2006-05-03

Nomenumbra has discovered two vulnerabilities in Russcom.Loginphp, which can be exploited by malicious people to use it as an open mail relay and conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/19930/

--

[SA19927] PHP Multiple Unspecified Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-05-04

Some unspecified vulnerabilities with unknown impacts have been reported in PHP.

Full Advisory: http://secunia.com/advisories/19927/

--

[SA19925] PHP Linkliste "linkliste.php" Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-03

d4igoro has discovered a vulnerability in PHP Linkliste, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/19925/

--

[SA19924] 321soft Php-Gallery Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information, Exposure of sensitive information
Released:    2006-05-03

d4igoro has discovered some vulnerabilities in 321soft Php-Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/19924/

--

[SA19922] CGI:IRC client.c Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-02

A vulnerability has been reported in CGI:IRC, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19922/

--

[SA19908] 4images "sessionid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-02

CrAzY CrAcKeR has discovered a vulnerability in 4images, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19908/

--

[SA19904] PHP Newsfeed SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-01

Aliaksandr Hartsuyeu has reported some vulnerabilities in PHP Newsfeed, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19904/

--

[SA19899] Advanced Poll "User-Agent" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-02

Aliaksandr Hartsuyeu has reported a vulnerability in Advanced Poll, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19899/

--

[SA19896] HB-NS Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-05-01

Aliaksandr Hartsuyeu has reported some vulnerabilities in HB-NS, which can be exploited by malicious people to conduct script insertion or SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19896/

--

[SA19895] Ruperts News Script "username" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2006-05-01

Aliaksandr Hartsuyeu has reported a vulnerability in Ruperts News Script, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19895/

--

[SA19888] AZNEWS "ID" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-01

Aliaksandr Hartsuyeu has reported a vulnerability in AZNEWS, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19888/

--

[SA19883] TextFileBB BBcode Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-01

r0xes.ratm has discovered a vulnerability in TextFileBB, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/19883/

--

[SA19882] PHP Pro Publish SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-01

Aliaksandr Hartsuyeu has discovered some vulnerabilities in PHP Pro Publish, which can be exploited by malicious people to conduct SQL injection attacks and by malicious users to compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19882/

--

[SA19876] MaxTrade "categori" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-01

r0t has reported a vulnerability in MaxTrade, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19876/

--

[SA19870] Trac Wiki Macro Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-04-28

A vulnerability has been reported in Trac, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/19870/

--

[SA19867] Leadhound SQL Injection and Cross-Site Scripting Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-04-28

r0t has reported some vulnerabilities in Leadhound, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19867/

--

[SA19940] VHCS "server_day_stats.php" Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-03

O.U.T.L.A.W has reported some vulnerabilities in VHCS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19940/

--

[SA19937] JSBoard "table" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-03

Alexander Klink has reported a vulnerability in JSBoard, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19937/

--

[SA19935] MyNews Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-03

DreamLord has reported two vulnerabilities in MyNews, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19935/

--

[SA19932] SF-Users "register.php" Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-03

Nomenumbra has discovered a vulnerability in SF-Users, which can be exploited by malicious people to conduct script insertion attacks.

Full Advisory: http://secunia.com/advisories/19932/

--

[SA19913] phpkb Knowledge Base "searchkeyword" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-03

d4igoro has reported a vulnerability in phpkb Knowledge Base, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19913/

--

[SA19909] Thyme "searchfor" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-02

O.U.T.L.A.W has discovered a vulnerability in Thyme, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19909/

--

[SA19901] Invision Power Board Topic Deletion SQL Injection

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-02

Devil-00 has reported a vulnerability in Invision Power Board, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19901/

--

[SA19878] Pinnacle Cart "setbackurl" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-02

r0t has reported a vulnerability in Pinnacle Cart, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19878/

--

[SA19877] OrbitHYIP Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-01

r0t has reported some vulnerabilities in OrbitHYIP, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19877/

--

[SA19871] SunShop Shopping Cart Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-01

r0t has reported some vulnerabilities in SunShop Shopping Cart, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory: http://secunia.com/advisories/19871/

--

[SA19865] MyBB Multiple SQL Injection Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-04-28

o.y.6 has discovered some vulnerabilities in MyBB, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory: http://secunia.com/advisories/19865/

--

[SA19929] MySQL Information Disclosure and Buffer Overflow Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information, System access
Released:    2006-05-03

Stefano Di Paola has reported some vulnerabilities in MySQL, which can be exploited by malicious users to disclose potentially sensitive information and compromise a vulnerable system.

Full Advisory: http://secunia.com/advisories/19929/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web   : http://secunia.com/
E-mail: support at secunia.com
Tel   : +45 70 20 51 44
Fax   : +45 70 20 51 45

From isn at c4i.org Fri May 5 01:26:57 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 5 May 2006 00:26:57 -0500 (CDT)
Subject: [ISN] Avian Flu: Can IT Handle a Pandemic?
Message-ID:

http://www.eweek.com/article2/0,1895,1957612,00.asp

By Larry Dignan
May 4, 2006

VeriCenter Chief Technology Officer Dave Colesante is a rare bird. Unlike many IT executives, Colesante has actually thought about a potential avian influenza virus, or bird flu, pandemic and reckons his company, which provides technology services, is relatively prepared if the virus becomes transmitted through human contact.

After all, Colesante's 225-person support staff is used to managing VeriCenter's seven data centers from home. And that's a good thing if a bird flu pandemic hits, because the federal government would encourage "social distancing" to prevent further illness. According to the Department of Health and Human Services, a severe bird flu pandemic would make 30 percent of the population, or 90 million people, ill and result in 2 million deaths. Companies would have absentee rates of about 40 percent.

"You would have to set up to remotely manage IT," said Colesante in Houston. "You'd have to leverage connectivity."

The big question: How many companies are prepared for a bird flu pandemic? An AMR Research study released May 2 found that 68 percent of companies with more than $1 billion in revenue aren't ready for a pandemic. An earlier study by Deloitte & Touche concluded that two-thirds of companies aren't prepared for a pandemic.

Among the issues: How do you manage a work force at home? What workers would be on site in data centers to swap servers and manage power? Can companies rely on Internet access in employees' homes?
Those questions are likely to pick up for technology workers and others involved with business continuity. Through April 27, the World Health Organization tracked 205 cases of bird flu that led to 113 deaths. On April 28, a mild form of bird flu was found at a live-bird market in New Jersey. Meanwhile, public awareness - not to mention your boss' - could be stoked by "Fatal Contact: Bird Flu in America," an ABC movie airing May 9.

"This is just now becoming a hot button issue," said Henry Fieglein, chief innovation officer of thin-client company Wyse Technology, in Austin, Texas. Fieglein, who was the global director of infrastructure and security architecture at Deutsche Bank, led a task force to prepare the bank for a pandemic. According to Fieglein, the bank is exploring thin-client technology that would extend into workers' homes to securely re-create on-site technology such as telephony and trading applications. Deutsche Bank said in a statement that its business continuity plan can "cover a wide range of contingencies, including pandemics," but officials declined further comment.

While preparations are fluid, there is one bright side: We have time. "An avian flu pandemic is not coming tomorrow, and the disease is probably a ways off," said Alex Tabb, principal at The Tabb Group, a New York-based consultancy to financial services firms. "But that doesn't mean you don't plan now."

M. Lewis Temares, CIO and dean of the engineering school at the University of Miami, said it can't hurt to bring bird flu preparations to the forefront. "Companies aren't paying attention to this at all," said Temares. "It's like Y2K - no one worried about it until right before Y2K. Most don't have a plan."

Companies remain mum about bird flu preparations, but they note the risks. For the fiscal year ended April 24, bird flu was mentioned in annual and quarterly reports 388 times, according to regulatory filings with the Securities and Exchange Commission.

Where's the Return?
Tabb said the biggest reason companies are quiet about their planning is that they are just getting started. In addition, it's hard to generate a return for something that may never happen. Given the uncertainty, Tabb said executives need technologies that will deliver a return even if a pandemic doesn't occur.

"The main thing to determine is what you have lying around today that can be reused in the case of a pandemic," said Tabb. "Being pragmatic is important if you are going to have your staff working from home."

The lack of a short-term return on bird flu planning means many companies are viewing a pandemic scenario as an extension to current business continuity plans. "We have our hurricane playbook as far as contingency planning goes, and we'd probably amend that for bird flu," said George Chizmar, vice president of IT at Apple Vacations.

Colesante said VeriCenter's plan is to make sure its most valuable technology tools are ready in case bird flu breaks out. Fieglein advised that companies schedule work-at-home days to test infrastructure.

Among the technology tools that will be necessary in a pandemic:

* VPN: "The VPN is the most important technology to create a redundant tunnel so workers can tunnel from various locations securely," said Colesante. The challenge: It has to be tested so it can handle a crush of at-home workers, he said.

* Desktop support: Some workers will use their home PCs. Companies will need to keep desktop applications standardized and maintain security. The challenge: Security could be an issue. "It's easy to say employees will work from their house, but less secure if they don't have the same level of software protection they have at work," Colesante said.

* Identity management: Steve Ross, global leader of Deloitte's business continuity management practice, said a pandemic would force companies to cross-train workers on technologies. Perhaps an auditor has to fill in to manage a database.
The challenge: A company will need technologies to track and provision worker roles and access permissions quickly, most likely from afar.

* Citrix MetaFrame: One way around standardizing applications would be to allow workers to tunnel into applications through software from Citrix, Tabb said. The challenge: Bandwidth constraints could hamper performance.

* Thin clients: Fieglein said Wyse has discussed streaming software that would deliver applications remotely to PCs. Deutsche Bank is already a Wyse hardware customer. The challenge: Companies would need to build the centralized architecture to support thin-client use in the home.

Ross said those technologies only go so far because some productivity will be lost. "People are used to working together, and if you separate them, it may not go as well," he said. "Teleworking is a major issue, and there are problems with social distance."

Wild Card: Cable and DSL Access

Of course, all this planning isn't going to help companies if so-called last mile access to workers' homes falters. Tabb said companies with workers at home will rely on cable and DSL providers for connectivity. "If a massive number of people have to work from home, that last mile is going to get clogged quickly," Tabb said. "There will be congestion if industry has to move significant data back and forth."

VeriCenter's Colesante said his workers also have wireless cards that connect to cellular networks to use in case of DSL or cable outages.

The rub with all that telecommuting: Someone has to pick up the tab. "You need a continuity policy that dictates how a company approaches broadband," Tabb said. "Should the company reimburse broadband for those that aren't connected?"

Add that to the long list of bird flu planning yet to be done. "No one wants to tempt fate and say we have all of this covered," said Ross, in New York. "Especially when they haven't really started to consider the implications."
From isn at c4i.org Fri May 5 01:27:11 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 5 May 2006 00:27:11 -0500 (CDT)
Subject: [ISN] Rumsfeld urged to reverse DOD's clearance processing halt
Message-ID:

http://www.fcw.com/article94283-05-04-06-Web

By David Hubler
May 4, 2006

The Professional Services Council and six other organizations want Secretary of Defense Donald Rumsfeld to immediately reverse the Defense Security Services' decision to cease the processing of industry applications for new clearances and for periodic reviews of existing clearances.

In a letter to Rumsfeld, released Thursday, the seven organizations call on him to "immediately restart the industry clearance granting process and ensure it continues for the remainder of the current fiscal year."

The DSS announced April 28 that it was halting the security clearance process due to a funding shortage and the overwhelming number of requests. The announcement caught many contractors and lawmakers on Capitol Hill by surprise.

The other organizations that signed the letter are the Aerospace Industries Association, Armed Forces Communications and Electronics Association, Contract Services Association, National Defense Industrial Association, Information Technology Association of America, and Intelligence and National Security Alliance.

From isn at c4i.org Fri May 5 01:27:48 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 5 May 2006 00:27:48 -0500 (CDT)
Subject: [ISN] A million little pixels
Message-ID:

http://www.pitch.com/Issues/2006-05-04/news/feature_full.html

By David Martin
May 4, 2006

Today's seminar on raising venture capital will be presented by a man wearing a long-sleeved checkered shirt, blue jeans and black tennis shoes. "This is dressed up for me," John Flowers announces at the outset of his PowerPoint demonstration. "Usually, I'm dressed in sandals and shorts and a T-shirt that says something offensive."
Flowers is the 35-year-old founder and CEO of an Overland Park technology company called Kozoru. He is standing at the front of a room at the Kauffman Foundation Conference Center. His audience is a group of two dozen young entrepreneurs, guys and gals in their twenties willing to sacrifice a Friday evening for the opportunity to learn the ways of parting investors from their money.

In spite of his casual appearance (or maybe because of it), Flowers is well-qualified to make the presentation. The Silicon Valley veteran says he's raised $70 million in his career. He has even been backed by the government: Kozoru received $500,000 from a Kansas state agency that spends lottery and race-track proceeds on economic development.

Flowers assures the entrepreneurs that his lesson will be something special. "Every time I do a presentation, I start from scratch," he says. His head shot pops up on a projector screen behind him. "Let's talk about me," he says.

Flowers' story begins with his doing "skunk works," or secret projects, at Microsoft in the early 1990s. "There was a time when Microsoft was actually cool," Flowers says. In addition to working for Bill Gates, Flowers says he was a computer hacker. He talks about having attended Def Con, a 1994 hacker convention. Six companies that sell computer software meant to keep out hackers offered $10,000 to anyone who could crack their security systems in a Capture the Flag contest, he says. Flowers claims that he scored five of the six "flags" and then went for drinks with friends.

Flowers used his hacker background to start a network security company. Hiverworld, which became nCircle, today employs 300 people. Forty-foot brass lions stand sentry in the company's San Francisco office.

One of the young entrepreneurs, Mark Pydynowski, stops Flowers. "Why did you leave nCircle?" he asks. Clad in a dark suit, Pydynowski seems curious to know why someone would walk away from a flourishing company.
Flowers says he's the type of person who needs to move on and do something new after a while. He says there were "no hard feelings" when he left nCircle.

Flowers moves on to his current project, Kozoru. He created the company to develop a search engine that understands natural language. Instead of typing keywords, users would enter questions to find their answers. Getting computers to understand linguistics has been called the holy grail of search technology. Ask Jeeves built a brand name on the idea, but the technology itself didn't really work.

Flowers came up with what he thought was a unique approach - and a hell of a back story. He claims that he decided to start the company after studying Buddhism at a temple in Thailand. Flowers moved to Johnson County in 2003 and started Kozoru a year later. He raised a total of $3 million and recruited a team of computer experts from the Bay Area and Austin, Texas.

The company planned to launch its service in the summer of 2005. But the deadline came and went without a product debut. The problems, it turned out, were more difficult to solve than Flowers had imagined. Also, the appeal of a question-and-answer search remains in doubt. At one point, the Kozoru team brought in a focus group. Test subjects sat in front of computers and were instructed to enter questions into the Kozoru search bar.

"Nobody asked it a question," Flowers says in an interview. "Every single person typed in keywords. It's the funniest thing. You put a search bar in front of someone, it's like someone has trained you to think like Google rather than you thinking like you."

Kozoru is now concentrating on a search engine for instant-messaging and mobile devices. The technology is supposed to be available to the public sometime next month. A successful launch would quiet doubters. On more than one occasion, Flowers has compared Kozoru with the Manhattan Project. He's undoubtedly intelligent and knowledgeable.
But like A Million Little Pieces author James Frey, a talented writer who embellished the facts of his addiction to drugs and alcohol, Flowers is not all that he says he is. The daring of his hacking exploits is disputed. He lied to the state of Kansas about his education. And Pydynowski was right to wonder if there was more to the nCircle story. In fact, a fellow programmer accused Flowers of stealing his work.

A "serial entrepreneur" in denim, Flowers has dazzled the local business community. But his relocation here looks as much like the arrival of a Silicon Valley washout as it does the coming of a hero.

Flowers is sitting in a chair at the Kozoru office. A small hoop hangs from his left earlobe. His beard is full today, but his facial hair goes through frequent revisions. A bottle of Fiji water, his brand of choice, is within reach. His mien is calm and friendly, like that of a patient teacher.

Flowers reminisces about his days of studying English literature and philosophy in college. He was attracted to the liberal arts, he says, because he didn't want to be near the nerds in computer labs. "I'm socially awkward, but they were way more awkward than I was," he says.

A man of diverse interests (he edits video and writes novels and film scripts in his spare time), Flowers built Kozoru in his image. Eleven people work at the company, which leases space in a bland office park near Metcalf and Shawnee Mission Parkway in Overland Park. Most members of the Kozoru team are in their thirties and strike a hip pose. Flowers met the communications manager, Justin Gardner, through the Kansas City Screenwriters club. Network Administrator Chris Downs plays in a death-metal band and wrote and directed a horror film, Shunned.

Downs left Kozoru earlier this year to work at Kansas City design agency VML. Downs says he thought that quitting a start-up would allow him more time to work on his outside projects.
He immediately regretted the decision and returned after three and a half weeks.

"We're happy you're back," Flowers tells Downs, who is headed outdoors for a smoke break. "You don't want to work there anyway. Bureaucracy."

"First day I was there, this is what happened," Downs says. "I walked in and sat down at my desk, and I went, 'Holy shit, what have I done?'"

The Kozoru work schedule is flexible but demanding. Flowers asks his crew to be present or available via video chat from 10 a.m. to 4 p.m. An approaching deadline typically means late nights and seven-day workweeks. "I'm pretty tough," Flowers says of his management style.

Early spring felt like final-exam week for Flowers and his staff. Last month, Kozoru invited a group of industry types to use a trial of the new cell-phone and instant-messaging search engine.

Originally, Flowers talked about Kozoru taking on search giants such as Google. The plan was to build a search engine that responded to questions with authoritative answers. In Flowers' example, the question "Who is Gordon Downie?" would return a pithy reply describing Downie as the lead singer of the Tragically Hip, a Canadian rock band. Kozoru sought to deliver needles where so many keyword searches produce haystacks.

Search technology has always frustrated Flowers. He says he can remember being 9 years old and asking his Tandy TRS-80, "Why is the sky blue?" The computer simply beeped at him. Flowers says he began talking with friends in the late '90s about how cool it would be to build a better search engine.

If he was going to improve search, Flowers decided that he needed to use mathematics. Math, after all, is something that computers do very well. "Our approach is to take a mathematical or statistical approach to language," he explains. "You don't care what the words are. You don't care what the words mean. You just map them to numbers and then figure out how close they are and how far they are and put them in a big graph.
And then you just keep doing that and doing that until you get this nice set of patterns."

Flowers says Kozoru has found something valuable. Experts may disagree. The idea is nothing new, says Marti Hearst, an assistant professor in the School of Information Management and Systems at the University of California-Berkeley. "This is a very standardized approach in the field," Hearst says. "In fact, this is what everyone in the field does now. It's like saying about FedEx that they use airplanes to deliver packages."

However unique its approach, the Kozoru team ran into problems. For one thing, not all questions are as simple as "Who is Gordon Downie?" Ask an Irishman "Who is the Great Emancipator?" and he's apt to say radical Catholic lawyer Daniel O'Connell, not Abraham Lincoln. A question like "Does God exist?" introduces even more variables.

"The big realization for us along the way was that we built this system that's really powerful, and it's right a lot, but there's a subjectivity to questions that you can't produce mathematically," Flowers says. "It's like trying to understand emotion - you just can't do it."

So the holy grail of natural-language search remains elusive - much like Flowers himself.

Flowers says he was born in Topeka in 1970. He tells the Pitch that he was adopted and his father (now deceased) was in the military. His grandmother bought him his first computer. "I grew up really poor, so it was a big deal," he says. "It was a $600 computer."

Flowers does not volunteer much information about his childhood. One event that he has mentioned on his blog and in other settings is his arrest at age 13. Flowers tells the Pitch that the FBI kicked down his door one day. "I had committed wire fraud, which is making free long-distance phone calls." Flowers says he made the illegal calls to connect to bulletin-board systems, which were precursors to the World Wide Web.
"I thought it was ridiculous that I had to pay long-distance charges to connect to another computer, so I figured a way to get around it."

Flowers says he spent several months in a juvenile-detention center in San Diego run by the FBI. He says his confinement coincided with the popularity of the 1983 geek classic WarGames. Adult counselors, he says, worried about his ability to start Armageddon with the push of a few buttons. Flowers says he survived detention by befriending a big, tough guy named Andre. "I think he blew up a building - it was awful," Flowers recalls of his protector. Flowers showed Andre how to make free calls from a cellblock pay phone. In gratitude, Flowers says, Andre "kind of bodyguarded me."

Juvenile records are sealed, so no public documents exist to support or refute Flowers' story. But the FBI does not run detention centers. Juveniles convicted of federal crimes do their time at facilities run by state or local governments. "It sounds kind of fishy," Sandra Hijar, a spokeswoman for the Western Regional Office of the Federal Bureau of Prisons, tells the Pitch after hearing Flowers' tale of incarceration at age 13. "I have never heard of a juvenile FBI facility."

True or false, Flowers' story bears similarities to the plight of John Draper, a famous figure in computer circles. Draper discovered in the 1960s that a toy whistle found in certain cereal boxes could be used to manipulate long-distance calling switches. The subject of a 1971 Esquire story, in which he was identified only as "Captain Crunch," Draper taught future Apple founders Steven Jobs and Steve Wozniak his secrets. He was later tracked down by the FBI and spent time in prison.

After his release, Flowers says he left home when he was not quite 16 and moved in with a friend who had an apartment. He got a job delivering pizza and tried to stay in school, he says.
Often unsure of dates and places ("Temporality eludes me for some reason," he says), Flowers guesses that he lived in Texas at the time he left home. He says he moved to Massachusetts and then Berkeley.

Flowers' teenage years would provide still another amazing technology-related story: He claims to have come up with an idea for making movie times available by phone.

Flowers wrote a version of the story on his blog two years ago: In the early 1990s, Flowers was staring at a poster for the movie Three Days of the Condor when lightning struck: a computer program that generated lists of theaters and show times from zip codes. Flowers submitted the idea to a contest run by the telephone industry. "Six days later," he wrote, "someone wrote a check for what we called 444-FILM and I purchased a brand new, 1990 Porsche Carrera 911 4X4 with the profit ..."

In an interview, Flowers does not say that his application became Moviefone, the company behind 777-FILM. Rather, he notes that he came up with the idea the year before Moviefone launched. Editing the story he told on his blog, Flowers tells the Pitch that he wrote the program in 1988, not the early 1990s, perhaps remembering that Moviefone launched in 1989.

AOL bought Moviefone in 1999 for $388 million, but Flowers claims no bitterness. "I was 17, and somebody wrote me a check for $80,000 because of a computer thing that I did," he says.

Like the arrest, the 444-FILM story is unverifiable. Flowers says confidentiality agreements prevent him from revealing the identity of the person who wrote the $80,000 check. But Russ Leatherman, a Moviefone founder (as well as the famous voice of 777-FILM), tells the Pitch through a spokesman that he's never heard of Flowers.

Doubt surrounds another story that Flowers likes to tell: his contest-winning performances at Def Con. The annual Las Vegas hacker convention called Def Con was founded by Jeff Moss in 1993.
When a Pitch reporter recounted the story Flowers told at the Kauffman Foundation, Moss quickly answered: "Utter bullshit." The convention didn't include a Capture the Flag contest until the fourth Def Con in 1996, Moss says -- not 1994 or 1995, years in which Flowers has claimed to have won the prize.

Moss recalls that another individual won the first two Capture the Flag contests. "It was this guy called A.J. Reznor, who won it in a pretty famous way," Moss says. "This guy won it with no monitor, attacking the machine with a keyboard only. He memorized the entire attack and did it."

When asked about the discrepancy last week, a Kozoru spokesman said Flowers may have misspoken at the Kauffman Foundation and that the issue is one of semantics.

In fact, Moss does acknowledge that Flowers may have a Capture the Flag victory to his credit. The problem, Moss says, is that Flowers has continually claimed he won on years when he didn't, and he fails to mention that he was part of a hacker team.

Flowers did present a paper at Def Con 8. A video of his speech, available on the Internet, shows an overweight and grungy-haired Flowers talking in a hotel conference room about network security. At one point in the hourlong presentation, he pops open a bottle of beer. At another point, he holds up a white paper by Network Associates, a leading security company now known as McAfee. Flowers expresses his contempt for corporate network security by flinging the document into the crowd. "Fuck that," he says.

Flowers, who is 6 feet 1 inch tall, is standing next to his blue 1994 Mazda RX-7 in the parking lot outside the Kozoru office. He is wearing a "Cult of Chuck Palahniuk" T-shirt under a light jacket. Palahniuk, the author of Fight Club, is one of Flowers' heroes, along with Steve Jobs and the late physicist Richard P. Feynman. Like the T-shirt, the car speaks to Flowers' identity. A decal of his beloved Apple Computers is stuck to the rear window.
Below the Apple sticker is a word in kanji, a Japanese writing system based on Chinese characters. The word, Flowers explains, translates to elite, a term hackers use to identify themselves.

The workday is over. Flowers leaves to meet his 3-year-old son, Case. He calls the boy "my own little organic learning engine."

Flowers is learning what it means to be a divorced father. Flowers and Case's mother, Gretchen, separated last year after 12 years of marriage. The divorce was finalized last month. The couple married in Arlington, Texas.

They lived in Kansas City for a time in the mid-'90s, when Flowers helped UtiliCorp (now Aquila) install an e-mail system. He moved to the Bay Area in 1996 for a job at Farcast, a now-defunct Internet company.

Flowers founded Hiverworld, the network security company, in 1998. He left in 2003. Five years, he says, is about twice as long as he can spend doing anything. "I left and decided, 'That's it. I'm done with technology. I'm going to write a screenplay. I'm going to write a book. I'm going to find a million things that aren't technology.'"

Whatever his artistic yearnings, Flowers did not leave the company in a blaze of glory. A year after founding the company in 1998, Flowers was accused of lifting the work of security expert Fyodor Vaskovich. Several employees left the company after the incident, which contributed to the decision to rename the business nCircle.

Restricted in what he can say by a confidentiality agreement, Vaskovich tells the Pitch that his copyright dispute with Hiverworld was "settled amicably" in 2001. "Since their reincarnation with new management, nCircle has become an important partner and a pleasure to work with," he writes in an e-mail.

Flowers calls the copyright claim "complete and utter bullshit" and says it has been settled. He adds: "I was accused of stealing something, but you know what? People get accused of stealing stuff all the time. The resolution was, there was no resolution.
It never went anywhere. There was no trial. There was no case -- nothing. Never went anywhere. It was just an accusation by someone who was mad at me when they quit. I have kind of a strong personality, and some people don't respond well to that."

Flowers says he stayed on for three years after the accusation was made. He also notes that he was able to convince a few nCircle veterans to join his new venture.

After leaving the Bay Area, Flowers says he and his wife were traveling around the country when they found a house they liked in Mission, Kansas. They hit the road again a few months after Gretchen gave birth to Case at Menorah Medical Center. "One of us had a rucksack, the other one had the kid, and we just took off."

What follows is another remarkable John Flowers story. The young family went first to Boston and then visited several countries in Europe. "It was total Zen travel," Flowers says. "We would just wake up [and say], 'What do you want to do today?'" Flowers wanted to see Hong Kong, but during a layover in Bangkok, he became captivated by Thailand.

John, Gretchen and their toddler son moved about the country, staying in bungalows, before arriving in a place called Chiang Rai.

There, Flowers knocked on the door of a temple and announced that he wanted to study Buddhism. A person who answered the door spoke some English and told him that his request would be difficult to meet. Flowers asked to see the teacher in charge. With the man who answered the door serving as interpreter, Flowers spoke with the teacher. "I said something that apparently impressed him," he says.

Flowers received an invitation to spend a month in the temple. Gretchen and Case returned to the States. Flowers says the teacher gave him the arduous task of grinding pepper with a mortar and pestle. His eyes watered, and his skin blistered. "I did that for hours every day," Flowers says. "It was brutal."
Using broken Thai, Flowers was eventually able to communicate with the teacher, who, he says, was "a fairly well-known Buddhist monk." When he was not grinding pepper or taking walks with the monk, Flowers meditated. He discovered that he wasn't very good at meditating. "Sort of on the dirt floor, staring at the white wall, that's when I decided, 'You know what, I think I have another company in me.'"

He says he was back in the United States for only 30 days before convincing investors to fund Kozoru.

As for the Thailand story, Flowers agreed last week to show his passport after a Pitch reporter asked for evidence of the journey. But as of press time, he had produced nothing.

Mike Peck met John Flowers in the spring of 2004. Peck was serving as the fund manager at the Kansas Technology Enterprise Corporation (KTEC). A state economic-development agency, KTEC has the authority to make direct investments in promising Kansas tech companies.

With his stories of raising seven figures in investments and his journey in Thailand, Flowers left quite an impression on Peck.

Peck is no rube. He received an MBA from Northwestern University and worked at C-Tribe, a failed San Francisco dot-com of the late '90s. He spent time with Flowers as KTEC considered investing in Kozoru. Peck sat in as Flowers made a presentation to venture capitalists on the West Coast.

Eventually, KTEC invested $500,000 -- double the size of any of the agency's previous investments. Additionally, KTEC has awarded $372,000 in tax credits to private investors in Kozoru.

"From the first meeting with John Flowers, it was pretty apparent that he was an exceptional individual and had an exceptional vision," Peck told the Pitch in 2004. Peck said Kozoru was a "perfect storm" of an outstanding board, management and idea.

Now a partner in the private-equity fund Open Prairie Equity Partners, Peck subleases office space from Kozoru.
Today, Peck calls the KTEC investment in Kozoru the right opportunity at the right time.

KTEC has $6.8 million invested in Kansas companies and funds, according to its most recent annual report. Tracking the performance of the investments is difficult. Of the 15 companies KTEC helped in 1998, 10 had either closed or had failed to grow beyond nonfamily employees, according to a 2003 state audit.

KTEC President Tracy Taylor tells the Pitch that his staff does due diligence when looking at possible investments. "[It's] good governance and good partnering rather than just giving somebody money," he says.

On paper, Kozoru looked like the kind of company that Kansas -- with only two Fortune 500 companies -- should recruit. In addition to Flowers, Kozoru had two prominent Bay Area board members: David Warthen and Ridgely Evers. Warthen was a co-founder of Ask Jeeves. Evers conceived QuickBooks accounting software.

Though associated with recognizable products, Warthen and Evers were not exactly ascendant figures at the time they joined the Kozoru board.

Ask Jeeves had raised $42 million in its initial public offering in 1999. But the company failed to deliver on the promise of a question-based search. Ask Jeeves acquired new technology in 2001, and the site now looks and feels very much like Google. Warthen left Ask Jeeves and stayed mostly out of the news until 2004.

That year, Warthen married Cristina Schultz -- who, federal prosecutors claim, paid her way through Stanford Law School by working as a high-priced call girl under the name "Brazil."

Schultz made headlines in the Bay Area when the federal government seized $61,000 from her that prosecutors say she earned as a prostitute. Warthen later stepped in to claim that the money was his, not proceeds from unlawful activity. Warthen gave the money to Schultz to hold prior to their marriage, his attorney, Doug Schwartz, says.
"Of course, they were going to use it for vacations, weddings and/or a honeymoon, to be precise," Schwartz tells the Pitch. The case is still being fought in federal court.

Warthen declined to comment to the Pitch about the incident. But he spoke highly of Flowers, who he said is always full of ideas. "He has not only a very strong technical knowledge, but he is a very creative thinker," he said.

Evers became president of Hiverworld in 2000. He left the business at around the same time that Flowers did. Evers says he took a vacation and "did something approaching nothing [in the technology field] for a while."

He joined the Kozoru board largely because of his belief in Flowers. "One of the things that I like about John is that he is interested in -- maybe only interested in -- solving big problems," Evers tells the Pitch. "What he was setting out to solve with Kozoru was nothing less than the unfulfilled promise of search. That's really what it comes down to. That's a big challenge. I like that."

KTEC officials appear to have done little but talk to Flowers believers like Evers. A section of Kozoru's application for KTEC funding is subject to open-records laws. In the description of the management team, Flowers claims to hold bachelor's and master's degrees from Berkeley and a master's degree from the University of Texas in Austin.

The degrees do not exist. Kathleen Maclay, spokeswoman at Berkeley, says the university has no record of a John S. Flowers attending the school in the past 25 years. Officials at Texas also could not find record of a student named John Flowers who was born in 1970.

In response, Flowers replied: "That's bizarre. I don't know what to tell you. That's pretty strange. Maybe I should give them [Berkeley] a call and figure out what's going on."

"When we started, we sort of naively thought we were going to create an Ask Jeeves that works," Flowers says. Turns out, nobody really cared if they could. "That ship has sailed," Flowers says.
"I think people, either they don't want it or they were burned by it or they believed and then they lost faith because it didn't work the way they thought it would."

The Kozoru team regrouped and decided to create a search engine that catered to mobile devices and instant-messaging software. Flowers describes a scenario in which a cellular-phone user finds the right restaurant with Kozoru's help. "Imagine being able to say, 'I want Chinese in San Francisco that's cheap, that's good for me to bring a date to and is run by the Mafia,' and getting that kind of answer, which is way outside of 411 or even what the Web is doing for you right now," he says.

A few weeks ago, Kozoru gave a group of people in the information-technology business access to the system. Flowers says the early feedback has been "extremely positive."

Even if a launch is successful, Kozoru is unlikely to become the area's next Sprint. Flowers itches to sell the company.

Flowers spent time last fall talking to officials at Google, Apple and Yahoo. On his blog, loneronin.net, he wrote with unusual candor about his experiences as a possible acquisition target.

Flowers described a visit that he and members of his team made to Google headquarters in Mountain View, California. "Everything we saw and heard and felt seemed like we were getting along great with everyone there," he wrote on December 1. "Everything, that is, until three weeks ago when -- without warning -- they stopped responding to e-mails or returning our phone calls."

In a December 19 post, Flowers moaned that Google had "banned" Kozoru from using its system after a demonstration in which Kozoru had improved on Google search results.

The posts shook a corner of the blogosphere that keeps watch on new computer technology. "If I were Google, I wouldn't return this guy's calls either," technology writer Nicholas Carr wrote on his blog, Rough Type. "A crank is a crank."
Carr also made fun of Flowers for glossing himself as a "Futurist, Strategist, Technologist, Visionary & Polymath" on his blog. The description was later removed.

Another blogger, Scott Reynolds, called Flowers "Mr. Ego" in the comment thread on Carr's blog. Reynolds faulted Flowers for creating his own page on Wikipedia, the user-edited online encyclopedia.

Showing a measure of sportsmanship, Flowers participated in the comment thread, saying he agreed with a lot of what Carr had said, "except for the part about me being a crank." Addressing Reynolds' comments, Flowers said he edited but did not create the Wikipedia page. Logs showed that the original author lived in Missouri. "My guess is someone I know wrote it. I do -- after all -- have actual friends," Flowers responded.

Whoever originally authored his Wikipedia page, Flowers certainly approved of its existence. "If I ever get an entry in the Wikipedia system, I will consider myself successful," he wrote on his blog seven months prior to the page's creation.

As for Google's nonresponsiveness, Flowers tells the Pitch he learned later that a company rep he was expecting to hear from took a five-week vacation in Fiji.

Unbowed by the banned-by-Google experience, Flowers continued to negotiate in public. In January, his blog listed the 11 reasons that Apple should buy Kozoru. A few days later, Flowers shared the comment of someone named Mark who said Flowers had "hung his dick over the fence." Flowers wrote that he was "pretty much joking" when he had entreated Apple to purchase Kozoru.

During Flowers' speech at the Kauffman Foundation Conference Center, the phrase "The Spooky Art" appears on a PowerPoint slide. Flowers uses the term to describe the process of raising venture capital. The term has a familiar ring: The Spooky Art is the title of a 2003 Norman Mailer book about writing. Flowers, however, does not credit the Pulitzer Prize-winning author.
A whiff of plagiarism notwithstanding, Flowers proves to be an engaging and informative speaker. Gone are the nervous laughs and incessant throat clearings that tarnished his performance at Def Con in 2000.

"Your idea is not what is going to get you funded," Flowers explains in an effort to get the entrepreneurs to think about the importance of attitude and technique.

Flowers seems to delight in debunking conventional wisdom. At one point, he tells the entrepreneurs to forget about writing a business plan. "Every time I say this, people throw tomatoes at me," he says.

Flowers dispenses practical advice, too, much of it surely of value. He encourages the entrepreneurs to incorporate early and file a lot of patents, which he compares to arrows in a quiver. He even recommends what fonts to use in PowerPoint presentations -- Trebuchet, Georgia and, in a pinch, Monaco. Flowers says his ideas are based on "15 years of pain and suffering."

A little imagination also went into the presentation. Flowers tells the audience that he served for a time as "entrepreneur in residence" at Industry Ventures, a San Francisco venture capital outfit. But Hans Swildens, a principal at Industry Ventures, says Flowers is mistaken. "We funded his last company, but he never worked here," Swildens tells the Pitch. Flowers says later that he misspoke. Instead, he says he was a "technical adviser" who looked at some deals.

Toward the end of the talk, Flowers produces a list of reality-challenged statements that every successful tech entrepreneur needs. Valuable fibs include "We have clients" and "Microsoft won't be a threat." Flowers justifies the deceit on the grounds that venture capitalists expect to be told a few whoppers. Besides, the moneymen have their untruths, too. Flowers begins this section of the presentation by saying, "Here's a collection of lies you need to tell them."
From isn at c4i.org Tue May 9 03:18:51 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:18:51 -0500 (CDT)
Subject: [ISN] Antispam firm says it was victim of sophisticated attack
Message-ID:

http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=111208

By Jaikumar Vijayan
May 05, 2006
Computerworld

The CEO of an antispam firm whose service was knocked off-line by a spammer earlier this week claimed that his company was the victim of a sophisticated attack carried out, in part, with the help of someone at a top-tier Internet service provider (ISP). But some security experts expressed doubts about the company's claims and said they appear to be an attempt to deflect attention from the criticism it has received for the way in which it handled the attacks.

Eran Reshef, CEO of Blue Security Inc., an Israeli antispam firm, said his company was attacked by a major spammer named PharmaMaster who used a combination of methods to knock out the company's Web site and the servers hosting its services.

Blue Security, which has its U.S. headquarters in Menlo Park, Calif., operates an antispam service designed to deter junk-mailers by spamming them back. Blue Security's Do Not Intrude program allows individuals to register their e-mail addresses with the company and essentially flood spammers who send them e-mail with automated opt-out requests.

The attacks that crippled Blue Security were preceded by PharmaMaster sending out threatening e-mails to subscribers of the Do Not Intrude Registry, warning them of even more spam if they did not withdraw their subscriptions.

PharmaMaster then appears to have gotten someone at a major ISP to block Blue Security's IP address on the Internet's backbone routers, most probably via a process called black-holing, Reshef claimed. With black-holing, an ISP essentially removes the advertised path to a particular Web site or IP address -- making it completely inaccessible to the outside world.
According to Reshef, PharmaMaster informed Blue Security that he had gotten an ISP to agree to black-hole the company before the attacks started. "Immediately, we started seeing our IP address getting blacklisted by other ISPs," Reshef said.

As a result, traffic to the company's main Web site dropped from the usual 100 hits per minute to about two per minute in less than an hour -- and nothing at all from outside of Israel.

At almost the same time, massive distributed denial-of-service (DDoS) attacks were launched against the dedicated servers that provide Blue Security's antispam service. The servers, located at five separate hosting provider sites, were bombarded with up to 2GB of traffic per second, rendering them inaccessible.

In what Reshef said was a bid to tell subscribers what was happening, Blue Security pointed the company's corporate Web server URL to its blog, which is hosted by Six Apart Ltd. in San Francisco.

PharmaMaster then launched a DDoS attack against the server hosting Blue Security's blog. That caused thousands of other blogs hosted by Six Apart to be knocked off-line.

The DDoS attacks against the company's dedicated servers meanwhile resulted in service disruptions to five hosting providers as well as major Domain Name System service provider Tucows Inc., he said.

Pointing the company's main URL to the Blue Security blog site on Six Apart when it was under attack may not have been the best idea, Reshef said. But at the time, the company had little idea that the attacker would launch a separate DoS attack on the blog site as well.

But Todd Underwood, chief operations and security officer at Renesys Inc., a Manchester, N.H.-based Internet monitoring company, said that based on traffic analysis, Blue Security's main Web site appears to have been under a DDoS attack for at least two days before it redirected its URL to the blog.

"I do think if you are under attack, it is your duty not to redirect it against someone else," Underwood said.
"It is not a fair or an ethical decision," he said, adding that it is hard to imagine that Blue Security didn't know it was being hit with a DDoS attack when it pointed its URL to the blog site.

Underwood also said that it was unlikely that a spammer would have been able to get an individual at a major ISP to install a "no route" to Blue Security, as Reshef claimed. "These are not the kind of networks where people can sneak in and make routing configuration changes" without logging that change or discussing it with others, he said. "The suggestion that some Russian spammer could bribe someone to install a no-route" is hard to believe, he said.

John Levine, chairman of the Internet Anti-Spam Research Group, said that other antispam efforts have been similarly targeted as well. But they did not involve an ISP. And neither did those who were attacked respond like Blue Security did, he said. "If you know you are under a DoS attack, pointing your DNS at other parties is irresponsible," he said.

From isn at c4i.org Tue May 9 03:18:04 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:18:04 -0500 (CDT)
Subject: [ISN] Crafts website hacked by terrorists
Message-ID:

http://www.boston.com/news/local/massachusetts/articles/2006/05/07/crafts_website_hacked_by_terrorists/

By Michael Levenson
Globe Staff
May 7, 2006

A plumber who loves glass etching, Andrew Roberge had crafts to sell. His son, Mike, knew Web design. Carriage House Glass is the marriage of their talents, an online catalog of sandblasted vases and goblets that "caters to those who love beautiful and unique gifts," the site proclaims.

But the website, which they started four years ago, offered more than just beautiful baubles, specialists in terrorism say. The site contained hidden files filled with the radical writings of a top aide to Osama bin Laden, including "The International Islamic Resistance Call," Abu Musab al-Suri's 1,600-page manifesto advocating jihad.
The website was hacked a year ago by followers of Suri, a Syrian-born Al Qaeda leader, who turned the Roberges' labor of love into an online reading room for aspiring mujahadeen, the specialists said.

The revelation came as a shock to the Roberges, who said they had no idea that Islamic extremists had intruded on their website.

"We got hacked! Unbelievable!" exclaimed Mike Roberge, when told last week of the hidden content on his site. His startled father added, "Believe me, I wouldn't let this [expletive] get on my site. I don't need that. I don't need none of that. I'm a firm believer in minding my own business."

The father and son from Lawrence vowed to delete the postings and replace them with images of eagles and American flags, "something wicked patriotic," Mike Roberge said.

A link to the hidden files on the website was circulated on bulletin boards frequented by Muslim extremists for a year, said Jarret Brachman, director of research at the Combating Terrorism Center at the US Military Academy in West Point, N.Y.

Regular visitors to www.carriagehouseglass.com could never see the hidden material, specialists said. Only visitors who knew the address of the pages inside could access the cache of downloadable Arabic writings, and see the flash animation featuring the Kaaba, the black stone cube that Muslims face when they pray in Mecca.

Brachman and other researchers had been aware of the files, but said the intrusion onto the site was not unusual in the burgeoning world of online Islamic extremism.

"This is a very tangential, very peripheral site that only those who are actively following this sort of literature would be accessing," Brachman said. "It doesn't cause me alarm: these guys are pests in terms of this stuff," he said. "This is standard procedure for these guys to post this kind of material."

FBI spokeswoman Gail A. Marcinkiewicz declined to comment on whether the agency knew of the website or was monitoring it.
She said the FBI would investigate a website only if it directly advocated violence. Specialists said Suri's writings advocate violence, but Marcinkiewicz said, "unless . . . there's something very urgent in that paper, it's not that we wouldn't take a look at it, it's just that we have to prioritize. There's no quick and easy answer here."

"Without knowing what it's saying, it may go to the bottom of the pile of all the 101 things we have to do over here," she added.

Piggybacking on Carriage House Glass, which is password-protected, allowed extremists to avoid using a credit card or other traceable data needed to start a new website, said Rita Katz, director of the Search for International Terrorist Entities in New York.

"Of course, it's a disturbing phenomenon, but we know that Al Qaeda and the jihadist online community is quite sophisticated, and they use our own techniques against us," Katz said. "It's disturbing because it could happen to anyone."

As more terrorist training grounds shut down globally, more extremists are going online, said Steven R. Corman, an Arizona State University professor who has studied the shift.

Michael Levenson can be reached at mlevenson (at) globe.com.

(c) Copyright 2006 The New York Times Company

From isn at c4i.org Tue May 9 03:18:20 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:18:20 -0500 (CDT)
Subject: [ISN] Gone in 60 seconds -- the high-tech version
Message-ID:

http://news.com.com/Gone+in+60+seconds--the+high-tech+version/2100-7349_3-6069287.html

By Robert Vamosi
Special to CNET News.com
May 6, 2006

Let's say you just bought a Mercedes S550--a state-of-the-art, high-tech vehicle with an antitheft keyless ignition system. After you pull into a Starbucks to celebrate with a grande latte and a scone, a man in a T-shirt and jeans with a laptop sits next to you and starts up a friendly conversation: "Is that the S550? How do you like it so far?"
Eager to share, you converse for a few minutes, then the man thanks you and is gone. A moment later, you look up to discover your new Mercedes is gone as well.

Now, decrypting one 40-bit code sequence can not only disengage the security system and unlock the doors, it can also start the car--making the hack tempting for thieves. The owner of the code is now the true owner of the car. And while high-end, high-tech auto thefts like this are more common in Europe today, they will soon start happening in America.

The sad thing is that manufacturers of keyless devices don't seem to care.

Wireless or contactless devices in cars are not new. Remote keyless entry systems--those black fobs we all have dangling next to our car keys--have been around for years. While the owner is still a few feet away from a car, the fobs can disengage the auto alarm and unlock the doors; they can even activate the car's panic alarm in an emergency.

First introduced in the 1980s, modern remote keyless entry systems use a circuit board, a coded radio-frequency identification (RFID) technology chip, a battery and a small antenna. The last two are designed so that the fob can broadcast to a car while it's still several feet away.

The RFID chip in the key fob contains a select set of codes designed to work with a given car. These codes are rolling 40-bit strings: With each use, the code changes slightly, creating about 1 trillion possible combinations in total. When you push the unlock button, the keyfob sends a 40-bit code, along with an instruction to unlock the car doors. If the synced-up receiver gets the 40-bit code it is expecting, the vehicle performs the instruction. If not, the car does not respond.

A second antitheft use of RFID is for remote vehicle immobilizers. These tiny chips, embedded inside the plastic head of the ignition keys, are used with more than 150 million vehicles today. Improper use prevents the car's fuel pump from operating correctly.
Unless the driver has the correct key chip installed, the car will run out of fuel a few blocks from the attempted theft. (That's why valet keys don't have the chips installed; valets need to drive the car only short distances.) One estimate suggests that since their introduction in the late 1990s, vehicle immobilizers have resulted in a 90 percent decrease in auto thefts nationwide. But can this system be defeated? Yes.

Keyless ignition systems allow you the convenience of starting your car with the touch of a button, without removing the chip from your pocket or purse or backpack. Like vehicle immobilizers, keyless ignition systems work only in the presence of the proper chip. Unlike remote keyless entry systems, they are passive, don't require a battery and have much shorter ranges (usually six feet or less). And instead of sending a signal, they rely on a signal being emitted from the car itself.

Given that the car is more or less broadcasting its code and looking for a response, it seems possible that a thief could try different codes and see what the responses are.

Last fall, the authors of a study from Johns Hopkins University and the security company RSA carried out an experiment using a laptop equipped with a microreader. They were able to capture and decrypt the code sequence, then disengage the alarm and unlock and start a 2005 Ford Escape SUV without the key. They even provided an online video of their "car theft."

But if you think that such a hack might occur only in a pristine academic environment, with the right equipment, you're wrong.

Real-world examples

Meet Radko Soucek, a 32-year-old car thief from the Czech Republic. He's alleged to have stolen several expensive cars in and around Prague using a laptop and a reader. Soucek is not new to auto theft--he has been stealing cars since he was 11 years old. But he recently turned high-tech when he realized how easily it could be done.
Ironically, what led to his downfall was his own laptop, which held evidence of all his past encryption attempts. With a database of successful encryption strings already stored on his hard drive, he had the ability to crack cars he'd never seen before in a relatively short amount of time.

And Soucek isn't an isolated example. Recently, soccer player David Beckham had not one, but two, antitheft-engineered BMW S5 SUVs stolen. The most recent theft occurred in Madrid, Spain. Police believe an auto theft gang using software instead of hardware pinched both of Beckham's BMWs.

How a keyless car gets stolen isn't exactly a state secret--much of the required knowledge is Basic Encryption 101. The authors of the Johns Hopkins/RSA study needed only to capture two challenge-and-response pairs from their intended target before cracking the encryption.

In an example from the paper, they wanted to see if they could swipe the passive code off the keyless ignition device itself. To do so, the authors simulated a car's ignition system (the RFID reader) on a laptop. By sitting close to someone with a keyless ignition device in his pocket, the authors were able to perform several scans in less than one second without the victim knowing. They then began decrypting the sampled challenge-response pairs. Using brute-force attack techniques, the researchers had the laptop try different combinations of symbols until they found combinations that matched. Once they had the matching codes, they could then predict the sequence and were soon able to gain entrance to the target car and start it.

In the case of Beckham, police think the criminals waited until he left his car, then proceeded to use a brute-force attack until the car was disarmed, unlocked and stolen.
Hear no evil, speak no evil

The authors of the Johns Hopkins/RSA study suggest that the RFID industry move away from the relatively simple 40-bit encryption technology now in use and adopt a more established encryption standard, such as the 128-bit Advanced Encryption Standard (AES). The longer the encryption code, the harder it is to crack. The authors concede that this change would require a higher power consumption and therefore might be harder to implement; and it wouldn't be backward-compatible with all the 40-bit ignition systems already available.

The authors also suggest that car owners wrap their keyless ignition fobs in tin foil when not in use to prevent active scanning attacks, and that automobile manufacturers place a protective cylinder around the ignition slot. This latter step would limit the RFID broadcast range and make it harder for someone outside the car to eavesdrop on the code sequence.

Unfortunately, the companies making RFID systems for cars don't think there's a problem. The 17th annual CardTechSecureTech conference took place this past week in San Francisco, and CNET News.com had an opportunity to talk with a handful of RFID vendors. None wanted to be quoted, nor would any talk about 128-bit AES encryption replacing the current 40-bit code anytime soon. Few were familiar with the Johns Hopkins/RSA study we cited, and even fewer knew about keyless ignition cars being stolen in Europe.

Even Consumer Reports acknowledges that keyless ignition systems might not be secure enough for prime time, yet the RFID industry adamantly continues to whistle its happy little tune. Until changes are made in the keyless systems, any car we buy will definitely have an ignition key that can't be copied by a laptop.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
From isn at c4i.org Tue May 9 03:18:37 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:18:37 -0500 (CDT)
Subject: [ISN] SCADA on thin ice - Industrial control systems pose little-noticed security threat
Message-ID:

http://www.fcw.com/article94273-05-08-06-Print

By Michael Arnone
May 8, 2006

The electronic control systems that act as the nervous system for all critical infrastructures are insecure and pose disastrous risks to national security, cybersecurity experts warn.

Supervisory control and data acquisition (SCADA) and process control systems are two common types of industrial control systems that oversee the operations of everything from nuclear power plants to traffic lights. Their need for a combination of physical security and cybersecurity has largely been ignored, said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, an independent research group funded by the Homeland Security Department. Control systems security is one of six areas of critical vulnerabilities Borg included in a new cybersecurity checklist released in April by the research group.

The private-sector owners of critical infrastructure refuse to release data and deny that their aging, inherently insecure systems pose any security risk, said Dragos Ruiu, an information technology security consultant to the U.S. government who runs several hacker conferences. Control systems security has been a hot topic in the past year at those conferences.

"It's one of those issues that is so big, you just don't want to see it because any solutions will be expensive, awkward and prohibitive," Ruiu added.

Average hackers can break into the systems, said Robert Graham, chief scientist at Internet Security Systems (ISS). He, Borg and other experts fear that major cyberattacks on control systems could have socioeconomic effects as severe and far-reaching as Hurricane Katrina or even the 1986 Chernobyl nuclear disaster in Ukraine.
Most experts agree that measuring the risk from cyberattacks on critical infrastructure is difficult. Attacks are rare because control systems are still complex and individualized enough to make cracking them difficult, although a hacker who knows a particular system well can break into it easily, said Jason Larson, senior cybersecurity researcher at the Idaho National Laboratory, which leads federal efforts into critical infrastructure cybersecurity.

Even if a facility has not been attacked, that doesn't mean it's secure or the threat isn't real, said Michael Assante, senior manager of critical infrastructure protection at the laboratory. "The idea that the technology is obscure and not well-understood by a potential aggressor is dangerous thinking," he wrote in an e-mail message.

Government and industry have known for years that critical infrastructures offer ripe targets for attack. In 2002, the FBI's National Infrastructure Protection Center found that al Qaeda members had sought information on control systems for water supply and wastewater management facilities.

Open-heart surgery

Control systems are built to run around the clock for decades without interruption or human intervention. A single critical infrastructure facility can have thousands of SCADA devices spread over hundreds of miles. Because of the systems' structure and management, standard IT security practices don't work for them, experts say. "It's more like open-heart surgery," said William Rush, a physicist at the Gas Technology Institute, a nonprofit research organization for the natural gas industry.

The systems have proprietary operating systems and applications that run on 20- to 30-year-old hardware built before security became a major IT issue, leaving them riddled with vulnerabilities.
According to conventional wisdom, critical infrastructure owners can't upgrade or patch systems because any jitter or delay caused by IT security features could lead to catastrophic breakdowns costing millions of dollars. Any mistakes in IT implementation could affect the processes the systems control, leading to product alterations, chemical interactions, explosions or worse.

The situation got even more complicated in late 2001 when infrastructure owners started connecting their control systems to Internet-enabled corporate networks to maximize the use of their sophisticated equipment, said Eric Byres, research leader at the Internet Engineering Lab at the British Columbia Institute of Technology, a leading industrial cybersecurity research facility. That introduced new vulnerabilities on top of existing ones and created complex connections that opened new backdoors, Byres said. The result is a smorgasbord for would-be attackers. "It's open season," he said.

'The stories here are terrifying'

Utility owners say they realize cyberattacks pose a risk but don't see it as a huge problem, Rush said. The federal government says industry is responsible for protecting critical infrastructure and has told both industry and vendors to get moving. Vendors, however, are waiting for sufficient demand for security products to make them, while industry is waiting for an ample supply of products to buy them. "It's a chicken-and-egg situation," Rush said.

All parties are waiting for government standards to guide and certify their efforts. But Rush and other experts who are passionate about improving security fume at the delays. "Everyone's waiting for a major catastrophe to happen before they do anything," Graham said. "There will never be a big move until the government or [malicious] hackers force it."

Until then, tailored attacks by an individual or a massive worm attack could bring down critical infrastructure. "The stories here are terrifying," Borg said.
In January 2003, the Slammer worm infected the safety monitoring system at the Davis-Besse nuclear power plant in Oak Harbor, Ohio, and replicated so fast that it disabled the system for nearly five hours. The worm knocked out the plant's central command system for six hours. A report from the North American Electric Reliability Council found that power wasn't disrupted, but the failure stopped commands to other power utilities.

At the Black Hat Federal conference in Arlington, Va., in January, Graham presented a dozen horror stories of control system insecurity. For example, during negotiations to provide penetration testing to a critical infrastructure facility, the facility's operators confidently told an ISS team they didn't need help because their control system was already secure. The ISS team promptly found an unsecured wireless access point connected to the facility's business network, which in turn linked to the control system, Graham said. Using a 10-year-old exploit for Sun Microsystems' Solaris operating system, the team took over the control system as the operators watched. When the team was within a few keystrokes of breaking something sensitive, the facility's operators begged them to stop. Needless to say, he said, ISS got the job.

Solutions grow into maturity

The control systems security situation isn't all bad, said John Sebes, chief technology officer and general manager of the public sector at Solidcore, which develops software that monitors changes to servers and prevents unauthorized code from running on them. The vulnerabilities are real and serious, but facilities now have their pick of mature security products to harden their systems, he said. With work and patience, critical infrastructure sectors have found they can use IT security best practices and install commercial IT security products without crashing control systems, he said.
"Industry as a whole has been moving away from the Chicken Little syndrome," said Keith Stouffer, a mechanical engineer in the Intelligence Systems Division of the National Institute of Standards and Technology's Mechanical Engineering Laboratory. "The problem is addressable. Let's start addressing it." Industry better get a move on as attackers ramp up attacks, Graham said. ISS is predicting an increased frequency of minor attacks on control systems during the next three years. "We see it's inevitable," Graham said. "We have seen it in every other industry, and these guys are next." From isn at c4i.org Tue May 9 03:19:04 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 9 May 2006 02:19:04 -0500 (CDT) Subject: [ISN] Malaysia welcomes the world in fight against cyber-terrorism Message-ID: http://thestar.com.my/news/story.asp?file=/2006/5/7/nation/14173729 BY JOHAN FERNANDEZ May 7, 2006 IMPACT is its name, and making an impact in the battle against cyber-terrorism is its mission. Unveiled in Austin, Texas, the Malaysian initiative seeks to bring together governments and the international private sector to deal with increasing threats in cyberspace. Known as the "International multilateral partnership against cyber-terrorism" or "IMPACT" it will serve as a pioneer platform to allow governments of the world to exchange notes and ideas, as well as to facilitate the sharing of skills and best practices, with the ultimate objective of combating these constantly evolving threats. Prime Minister Datuk Seri Abdullah Ahmad Badawi who made this announcement at the closing ceremony of the 15th World Congress on IT (WCIT 2006) here on Friday said that IMPACT was not just a Malaysian concern. "IMPACT is conceived as a partnership - between governments, as well as between governments of the world and the international private sector. 
"Given that some of the best skills and technologies in cyber-security reside in the private sector, it is only natural that all governments need to work closely with businesses to effectively combat cyber-terrorism," he said. He said the potential to wreak havoc and cause disruption to people, firms, governments and entire global systems have increased as the world became more globalised and dependent on information and communications technology (ICT). "Today, governments across the world must be prepared to deal with threats in cyberspace. "Even if one were to exclude the risks to life and limb, the economic loss caused by the disruption of a cyber-attack can be truly severe - for example, a nationwide blackout, collapse of trading systems or perhaps the crippling of a central bank cheque clearing system," he said. He said the threats posed by cyber-terrorism were something that modern societies and their governments could no longer ignore. "No country can manage this problem in isolation and to effectively overcome this global threat and it is imperative that countries throughout the world work in concert to wipe out this danger." IMPACT has got off to a good start with some leading names lending their support. "America's Symantec Corporation, Japan's Trend Micro, and Russia's KaperskyLlab have already agreed to be key partners and to serve on IMPACT's international advisory board to be established soon," he said. The Prime Minister said he was encouraged that the private sector, globally, has given its strong support and expected more of such world-class companies following suit. For a start, IMPACT would focus its activities in three key areas - security certification, research and development; as well as establishing a global emergency response centre. IMPACT will be sited in Cyberjaya, at the heart of "MSC Malaysia," with access to world-class ICT infrastructure. 
"I am confident that IMPACT, with the co-operation of governments and the global private sector, will be able to find effective solutions to the global threat of cyber-terrorism," Abdullah said. "I would like to invite all governments and the global private sector to partner with us in this worthy cause," he added. On the WCIT, the Prime Minister said Malaysia was honoured and excited about hosting the next congress in 2008. "Apart from expanding our partnerships with global technology leaders, we see our hosting of WCIT 2008 as an opportunity to stimulate further discussion on technology and technology-related policy development," Abdullah said. He also thanked former US secretary of state Colin Powell, who was one of the keynote speakers on Friday, for his kind words about Malaysia. From isn at c4i.org Tue May 9 03:19:16 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 9 May 2006 02:19:16 -0500 (CDT) Subject: [ISN] Wells Fargo computer missing Message-ID: http://www.twincities.com/mld/pioneerpress/14513672.htm BY SHERYL JEAN Pioneer Press May. 06, 2006 Wells Fargo & Co., the largest bank in Minnesota and the nation's fifth largest, said Friday that a computer containing sensitive data for some of its mortgage customers is missing and might have been stolen. It's not known whether the computer contained Minnesota customers' information. The computer, which was being transported by an unidentified global shipping company between Wells Fargo locations, had names, addresses, Social Security numbers and mortgage loan account numbers of some Wells Fargo mortgage customers and potential customers. It did not contain other types of customer account numbers. Wells Fargo spokeswoman Peggy Gunn wouldn't estimate the number of individuals who could be affected, citing an ongoing law enforcement investigation. She added, "The event affects a relatively small percentage of Wells Fargo's customers." 
San Francisco-based Wells Fargo said it had no indication that the customer information has been accessed or misused.

Gunn said the computer has two layers of security, but she declined to elaborate. She also declined to describe the type of computer or how and when it disappeared.

Wells Fargo will notify by mail individuals whose information was stored on the computer by May 30. The bank is offering those affected a free one-year credit monitoring service.

Wells Fargo has reported two other computer security breaches, in 2003 and 2004. The bank has had no indication that the information was accessed or misused in either case, Gunn said.

Also Friday, Union Pacific Corp., the nation's largest railroad, said it's investigating the theft of a computer containing the names and Social Security numbers of 30,000 current and retired employees. The computer was stolen April 29 from a human resources employee.

Nationally, more than 160 security breaches have occurred in the past 15 months, affecting more than 55 million accounts, according to Privacy Rights Clearinghouse, a nonprofit privacy advocacy group based in San Diego. Those breaches included more than 40 cases of stolen or missing computers or laptops.

"The general population is waking up to the fact that personal data is not well secured," said Beth Givens, director of the Privacy Rights Clearinghouse.

New federal and state laws require companies to notify customers when personal information is lost or stolen, which makes them vulnerable to identity theft.

Online: Privacy Rights Clearinghouse, www.privacyrights.org

From isn at c4i.org Tue May 9 03:19:30 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:19:30 -0500 (CDT)
Subject: [ISN] Universities given security guidelines for foreign students
Message-ID:

http://www.abc.net.au/pm/content/2006/s1632039.htm

This is a transcript from PM. The program is broadcast around Australia at 5:10pm on Radio National and 6:10pm on ABC Local Radio.
Reporter: Sabra Lane
5 May, 2006

MARK COLVIN: The fight against terrorism is shifting to Australian university campuses and research institutions. The Departments of Defence and Foreign Affairs want academics to report foreign students enrolled in particular subjects. The Government also want to broaden export controls, forcing lecturers to apply for licences if they're going to share their knowledge abroad. Sabra Lane reports.

SABRA LANE: It's not so much a crackdown on students recruiting for extremist causes, rather an attempt to detect spies in our midst and stop them from getting their hands on research at conferences.

Last month, the Departments of Defence and Foreign Affairs sent the document called "Export Controls, Your Responsibilities" to universities and research institutions. It says universities must inform the Government if suspicious parties are trying to get their hands on material or research that could be used in weapons of mass destruction programs.

President of the National Tertiary Education Union Carolyn Allport acknowledges the need for national security measures, but says academics weren't consulted.

(to Carolyn Allport) Are your members comfortable with dobbing in students?

CAROLYN ALLPORT: I don't think they will be. I certainly don't think they will be. So I think they're going to be very concerned about this paper. We recognise it's an important strategic objective of the Government, but at the same time, universities aren't there to be the secret police.

SABRA LANE: Former senior intelligence analyst David Wright-Neville, who now heads up the Global Terrorism Research Unit at Monash University, says it's off the mark.

DAVID WRIGHT-NEVILLE: I think it's a little clumsy in the sorts of obligations it places on academics. Academics certainly are aware of the sorts of risks that we confront in the contemporary environment. I don't think they need to be reminded of that.
It's unreasonable to expect that academics can identify terrorist activities. Trained intelligence officers with many years of experience often find it very difficult to identify terrorists, so how an academic with experience in fairly esoteric areas sometime, can do the jobs of people who are trained to do it, is really beyond me.

SABRA LANE: With universities expanding offshore, the document says the likelihood countries will exploit Australian expertise for WMD programs is increasing.

While short on details, it also reveals export control laws are under review, with the Government keen to include "intangible technology transfer". Carolyn Allport explains.

CAROLYN ALLPORT: Research, papers produced by academics in universities, or working papers, you know, seminar papers, seminars themselves, conferences, this is what's listed in the paper. They also suggest that people who are making requests from certain designated countries to come to a conference here are also seen to be risky. If there was a conference on, I don't know, some sort of chemical conference here, for example, and someone from Iran or North Korea or China made a request to come to that conference, I'm assuming from what I read here that the Government automatically sees these people as potential terrorists.

SABRA LANE: A 2004 report to the United States Congress on economic and industrial espionage found some foreigners deliberately sought jobs at universities and research houses to acquire secrets for their home countries.

An intelligence analyst who declined to be interviewed by PM says the guidelines are needed as America's enemies are targeting allies like Australia and Canada. Countries he claims have underestimated espionage.

David Wright-Neville disagrees.
DAVID WRIGHT-NEVILLE: It suggests that we're still in the stage of sort of knee jerk panic reactions, and I really think we need to have a Bex and have a good lie down for a while, that really none of this sort of stuff is going to address the long-term threat posed by terrorism and in fact I think it runs the risk of being counter-productive.

MARK COLVIN: David Wright-Neville ending that report by Sabra Lane.

From isn at c4i.org Tue May 9 03:21:59 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 9 May 2006 02:21:59 -0500 (CDT)
Subject: [ISN] Petrol firm suspends chip-and-pin
Message-ID:

http://news.bbc.co.uk/1/hi/england/4980190.stm

BBC News
6 May 2006

Petrol giant Shell has suspended chip-and-pin payments in 600 UK petrol stations after more than £1m was siphoned out of customers' accounts.

Eight people, including one from Guildford, Surrey, and another from Portsmouth, Hants, have been arrested in connection with the fraud inquiry.

The Association of Payment Clearing Services (Apacs) said the fraud related to just one petrol chain.

Shell said it hoped to reintroduce chip-and-pin as soon as possible.

Plastic crime

The fraud is being investigated by the Metropolitan Police cheque and plastic crime unit.

"These Pin pads are supposed to be tamper resistant, they are supposed to shut down, so that has obviously failed," said Apacs spokeswoman Sandra Quinn.

She said Apacs was confident the problem was specific to Shell and not a systemic issue.

A Shell spokeswoman said: "Shell's chip-and-pin solution is fully accredited and complies with all relevant industry standards.

"We have temporarily suspended chip-and-pin availability in our UK company-owned service stations.

"This is a precautionary measure to protect the security of our customers' transactions.

"You can still pay for your fuel, goods or services with your card by swipe and signature.
"We will reintroduce chip-and-pin as soon as it is possible, following consultation with the terminal manufacturer, card companies and the relevant authorities." Shell has nearly 1,000 outlets in the UK, 400 of which are run by franchisees who will continue to use chip-and-pin. From isn at c4i.org Tue May 9 03:23:19 2006 From: isn at c4i.org (InfoSec News) Date: Tue, 9 May 2006 02:23:19 -0500 (CDT) Subject: [ISN] Hacker Sentenced in Spam Case Message-ID: http://www.latimes.com/technology/la-fi-spam9may09,1,7522827.story?coll=la-headlines-technology By Charles Piller Times Staff Writer May 9, 2006 A Downey man was sentenced to nearly five years in federal prison Monday for using malicious software to seize control of 400,000 computers and then selling access to the "zombie" machines to spammers and hackers. Prosecutors said the 57-month sentence for Jeanson James Ancheta, 21, was the longest ever handed down for spreading computer viruses. The case also marked the first federal prosecution for using such hacking methods for financial gain. Ancheta pleaded guilty in January to selling access to so-called botnet software that can remotely control computers to deliver spam and orchestrate distributed denial-of-service attacks against websites. Such attacks send overwhelming streams of requests to the sites, causing them to shut down. Ancheta advertised his botnets online under the heading "botz4sale." "Your worst enemy is your own intellectual arrogance that somehow the world cannot touch you on this," U.S. District Judge R. Gary Klausner said at the sentencing hearing. Ancheta also admitted to directing armies of infected computers to download adware ? malicious software that causes advertising messages to appear on the user's screen and can harm affected computers. He collected $107,000 in commissions from the advertising companies. 
Ancheta used an elaborate subterfuge to hide his actions from the victims and from the companies whose messages were displayed on their computers, said Assistant U.S. Atty. James M. Aquilina.

Ancheta also was ordered to pay $15,000 in restitution to the Naval Air Warfare Center in China Lake and the Defense Information Systems Agency, whose computers were compromised by the botnet attacks.

"Every conviction raises the barrier to entry for these guys," said Scott Weiss, CEO of IronPort Systems in San Bruno, Calif., which produces anti-spam software. But, he predicted, such crimes would remain common.

"Most of these bot networks are not being run from suburban L.A.," Weiss said. "They hire guys in places like Ukraine where the long arm of the law doesn't reach as easily."

From isn at c4i.org Wed May 10 02:09:04 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 10 May 2006 01:09:04 -0500 (CDT)
Subject: [ISN] Museum unscrambles secret agency's past
Message-ID:

http://www.theregister.co.uk/2006/05/09/inside_nsa/

By Wendy Grossman
9th May 2006

Inside the NSA

A few of us got through the metal detectors before the National Security Agency (NSA) realised we were in the wrong place. We had arrived, expunged of all electronic devices from mobile phones to cameras, at the Visitors' Centre, a security outpost for visiting security personnel, instead of the National Cryptologic Museum 370 metres away by eagle. Oops.

There was a time when the very existence of the National Security Agency was completely secret. Many of the sort of people who are interested in it (such as this crowd from the annual Computers, Freedom, and Privacy conference) are, therefore, somewhat surprised by the idea that it has a cryptologic museum. Approximately 50,000 people a year find their way to Fort Meade, where the museum and NSA's headquarters are located.

The curators will tell you openly that the museum's creation in an abandoned hotel in 1993 was a public relations exercise.
The Cold War had ended, and although cryptology has been used in American wars all the way back to George Washington, between wars the effort was generally closed down. So the NSA had to answer: why should the nation keep funding it?

You would think that if anyone was likely to say "we shouldn't" it would be this group of gearheads and privacy wonks. Jostling with the NSA tour for pride of place on the programme was a panel on wiretapping featuring James Bamford, author of The Puzzle Palace, the 1982 exposé of the NSA. The NSA hasn't really forgiven him yet; mentioning his name at the museum draws a waspish response. David Kahn, whose 1967 book The Codebreakers drew a government suit when it was published, however, is now a scholar working there.

The curators seem refreshingly open, at least in the sense that they voice opinions they disassociate from the NSA. Still, the last 40 years of increasingly controversial activity is omitted. For national security reasons, of course. No one argues about wiretapping in World War II or even Korea; it's today's warrantless wiretapping that's controversial. So there is no mention of Bush, the class action suit brought on behalf of AT&T customers, or the revelations by AT&T employee Mark Klein that the NSA has been cheerfully and illegally wiretapping US citizens' domestic phone calls. It's a sign of how far the American government monolith has depressed people's free spirits that even this group does not bring up the subject.

When this museum opened it was also the height of the crypto wars, and cryptography was the hottest topic at this conference. Two government efforts made it so. One: continuing to promote the International Traffic in Arms regulations, which restricted the export of strong cryptography, slowing its adoption to protect, for example, ecommerce transactions.
Two: backing a government standard known as the Clipper Chip, which would have included encryption in devices such as telephones and modems, but at the price of storing an escrowed key with the government. ITAR was ultimately defeated by the demands of ecommerce; Clipper Chip by the cracking work of Matt Blaze. The museum has a display of secure telephones, but mentions neither the Clipper Chip nor the ITAR battles.

As sanitised as the NSA's secret history arguably is for this display, this is a much better museum than the private Spy Museum in downtown DC, which we visited a day later. The Spy Museum is all flash and celebrities, using the worst of today's multimedia jazz to distract and entertain while failing to provide anything of substance outside the book section of its gift shop. The NSA museum, by contrast, is filled with detail and history, even if it is the NSA's greatest hits: Enigma machines, the Bombe; the "CodeTalker" Navajos from World War II, SIGSALY, its first secure voice telephone system, and other such safely past triumphs.

Many of the machines in question are the originals, though the SIGSALY, like the great seal the KGB used to spy on the US Embassy in Moscow, is a mock-up. A logical decision, since the original weighed 55 tons, was made up of 40 racks of equipment, and took 13 people to operate for a single call between the Pentagon and the machine's London home, the basement of Selfridge's (it didn't fit in Churchill's office, so they ran a wire).

The Spy Museum also, being private, does not allow photography. The NSA museum, despite its owner's secrecy, is public, so except for the rarest 16th century books, you can photograph anything you like and admission is free. Everything in the museum is unclassified.

"We hope," the curator said, "that the successes of the past will help people understand the role cryptology has played in protecting national security throughout history and that they will be able extrapolate to the present day."
In other words, they hope we will believe that they are doing just as great, important stuff right now even if they can't tell us about it. The museum, he added, also provides NSA staff with a way of explaining their jobs to their friends and family. Vietnam is probably the best example of the museum's dual nature. The curator freely admitted it was a losing battle, citing a story told on a recent trip to the country by Daniel Ellsberg (time has gone by; people who used to face off angrily on opposite sides can be nostalgic together now) listing the number of nations the Vietnamese have fended off. Even so, he says, the NSA's work enabled them to predict the biggest offensives. Like Tom Lehrer in Folk Song Army: "They may have won all the battles - but we had all the good songs!" Where the NSA's intelligence efforts failed them is in the gift shop, where the choice of T-shirts had narrowed to Small and XXL. From isn at c4i.org Wed May 10 02:09:17 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 10 May 2006 01:09:17 -0500 (CDT) Subject: [ISN] Nevada's cyber-security chief charged with embezzlement Message-ID: http://www.lasvegassun.com/sunbin/stories/nevada/2006/may/06/050610367.html ASSOCIATED PRESS May 06, 2006 CARSON CITY, Nev. (AP) - Randy Potts, chief of security for Nevada's Department of Information Technology, has been charged with theft, embezzlement and falsifying records. The Nevada Attorney General's Office began an investigation after Potts filed claims seeking $1,757 in reimbursement for expenses incurred while attending a homeland security conference last year in Denver. According to the criminal complaint issued Thursday, Potts obtained permission to attend the four-day conference that began last Nov. 29 after submitting a flier about it to department Director Terry Savage. But the conference actually was held in April 2005, the complaint alleges. 
Potts is accused of falsifying information in his request to attend the conference and of altering the date on the flier submitted to Savage. Potts has been on administrative leave since the formal investigation began in March. Potts has worked for the department for about three years, and has done an excellent job improving cyber-security for state agencies, Savage said. Savage said he would talk with the attorney general's office to determine what course of action he would take concerning Potts' job future. "I hope to resolve that issue next week," Savage told the Nevada Appeal. When questioned about the expenses, Potts submitted a two-page memo citing meetings with Colorado's chief information security officer and the Colorado Information Management Commission. But the memo did not mention anything about the homeland security meeting he used to justify the trip in the first place, Savage said. The money approved to pay for the trip came from a federal homeland security grant designated for use only on homeland security awareness training. From isn at c4i.org Wed May 10 02:09:32 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 10 May 2006 01:09:32 -0500 (CDT) Subject: [ISN] UK could learn from Sarbox mistakes Message-ID: http://www.accountancyage.com/accountancyage/analysis/2155644/uk-learn-sarbox-mistakes Paul Grant Accountancy Age 04 May 2006 The worst seems to be over for US companies forced to comply with the burdensome Sarbanes-Oxley Act, with further evidence emerging that auditing costs related to section 404 of the rules are dropping. The general opinion now is that, as well as identifying efficiencies during the second year under the new laws, the higher costs first time around were also attributable to many mistakes made by companies trying to implement the new rules. UK companies could do well to learn from this, according to Dawn Cresswell, part of UHY Hacker Young's Sarbox advisory team. 
From 15 July, UK companies with a listing in the US will also have to face the same tough rules on internal controls. But as Cresswell said: 'UK companies have the advantage of being able to see what mistakes have been made in the US and making sure they don't make the same ones. 'US companies found they had misallocated a lot of their time and money in trying to achieve the first year of Sarbox compliance. They have now learnt from these mistakes and the dramatic reduction in costs in the second year reflects a more considered approach.' This view is backed by a recent report from consultants CRA International. Using data from Big Four clients, it found that audit costs for section 404 compliance among a sample of Fortune 1000 companies had dropped 44% on the previous year to an average of $4.8m (£2.7m). From isn at c4i.org Wed May 10 02:09:44 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 10 May 2006 01:09:44 -0500 (CDT) Subject: [ISN] Utility may face investigation for sale of unscrubbed drives Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000333 Sharon Fisher May 09, 2006 State and federal regulatory agencies have not yet determined whether Idaho Power faces any penalties after a salvage operator offered unscrubbed hard disk drives for sale on eBay Inc.'s auction Web site. The utility had sold 230 disks to a salvage operator, who sold 84 on eBay. Most of the drives have been returned to Idaho Power. The incident was disclosed earlier this month. The Federal Trade Commission would not confirm or deny whether the incident is under investigation. "In theory, there are different statutes that might come into play, but whether it was a basis for action would depend on the underlying circumstances," said Alain Sheer, an attorney in the division of privacy and identity protection in the bureau of consumer protection for the FTC, in Washington. 
The Idaho Public Utilities Commission, which governs Idaho Power, would only investigate the incident if it has a direct financial impact on rate payers, a spokesman said. "If they were to file a rate case and include costs of this mishap, we'd probably deny those costs," he said. "The only way we would be involved is if a rate payer filed a complaint that he was harmed." Meanwhile, a computer security expert who bought 10 unscrubbed Idaho Power drives over eBay, said he disclosed the problem only after the utility failed to respond to his inquiries for a month. Karl Hart, director of information technology at the University of Cincinnati's college of nursing and a security consultant, bought ten SCSI drives, in two lots of five, from eBay for $40 per lot. "That batch came from Idaho Power completely full of data, not cleaned up at all." Data on the drives included diagrams of the electric supplier's power grid, confidential data stored by the Idaho Power legal department about lawsuits, contracts, property transactions, and complaint letters, and personal employee data, including Social Security numbers, birth dates, and payroll information, Hart said. "There were hundreds of thousands of files on these drives," he said. Hart said he disclosed his purchase of the unscrubbed drives publicly after first unsuccessfully trying to notify the utility about the problem. A short time later, Hart said he was contacted by Blank Law & Technology PS in Seattle, a law firm hired by the utility to investigate the situation. The firm thanked him for bringing the matter to Idaho Power's attention. Hart has since returned the drives to the utility for disposal. The university received a refund for the purchase, he said. The law firm declined comment. The Boise, Idaho-based utility, which supplies electricity to some 460,000 customers in southern Idaho and eastern Oregon, had hired Grant Korth of Nampa, Idaho, to recycle the 230 drives, the company said. 
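Whether a drive handed to a salvage contractor was actually sanitised is cheap to check before it leaves your custody, and that check is what any "the drives were cleaned" certification should rest on. The following is an added example, not code from the article, from Idaho Power or from Cybercon: it reads a disk image or raw block device in 4 KiB blocks, classifies each block as zero-filled, pattern-filled, random-looking or residual data, and flags common file signatures and SSN-shaped strings in anything that is not a plain fill. The block size, the signature table, the 7.5 bits-per-byte entropy threshold and the sample image are assumptions made for the illustration.

```python
"""Spot-check that a drive or disk image was really sanitised before it changes hands."""
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable

BLOCK = 4096  # inspection granularity in bytes (assumed: 4 KiB physical sectors)

# Magic bytes of a few common file types; any hit means the "wipe" left real data behind.
SIGNATURES = {
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP / Office container",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy Office) document",
    b"\xff\xd8\xff": "JPEG image",
}
# Loose US SSN shape, used only as a residual-PII indicator, not as a validator.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class WipeReport:
    blocks: int = 0
    zeroed: int = 0        # all 0x00: zero-fill wipe, or never-written space
    constant: int = 0      # one repeated non-zero byte, e.g. a 0xFF pattern pass
    high_entropy: int = 0  # random-looking: random overwrite / crypto-erase, or compressed leftovers
    residual: int = 0      # structured, non-random content: almost certainly leftover data
    findings: list = field(default_factory=list)  # (byte offset, description) pairs

    @property
    def clean(self) -> bool:
        return self.residual == 0 and not self.findings


def entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, close to 8.0 for random bytes."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def classify(chunk: bytes) -> str:
    if chunk.count(0) == len(chunk):
        return "zeroed"
    if len(set(chunk)) == 1:
        return "constant"
    return "high_entropy" if entropy(chunk) > 7.5 else "residual"


def verify_blocks(chunks: Iterable[bytes], block: int = BLOCK) -> WipeReport:
    report = WipeReport()
    for index, chunk in enumerate(chunks):
        report.blocks += 1
        kind = classify(chunk)
        setattr(report, kind, getattr(report, kind) + 1)
        if kind in ("zeroed", "constant"):
            continue
        # High-entropy blocks are scanned too: a compressed or encrypted file still has a header.
        offset = index * block
        for magic, name in SIGNATURES.items():
            if magic in chunk:
                report.findings.append((offset, name))
        if SSN_RE.search(chunk):
            report.findings.append((offset, "SSN-shaped string"))
    return report


def verify_image(image: bytes, block: int = BLOCK) -> WipeReport:
    """Check an in-memory image (used by the constructed sample below)."""
    return verify_blocks((image[i:i + block] for i in range(0, len(image), block)), block)


def verify_path(path: str, block: int = BLOCK) -> WipeReport:
    """Check a disk image file or a raw block device such as /dev/sdb, reading incrementally."""
    with open(path, "rb") as fh:
        return verify_blocks(iter(lambda: fh.read(block), b""), block)


def constructed_image() -> bytes:
    """Constructed sample: a 20-block 'recycled' drive that was only partly wiped."""
    blocks = [bytes(BLOCK)] * 20
    leftover = (b"%PDF-1.4\n% payroll export (constructed sample)\n"
                b"Employee: J. Doe   SSN 123-45-6789   DOB 1970-01-01\n")
    blocks[7] = leftover.ljust(BLOCK, b"\x00")   # a document the wipe missed
    blocks[12] = b"\xff" * BLOCK                   # one block from a 0xFF pattern pass
    # block 15: deterministic random-looking data standing in for a random overwrite
    blocks[15] = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(BLOCK // 32))
    return b"".join(blocks)


if __name__ == "__main__":
    rep = verify_image(constructed_image())
    print("clean" if rep.clean else "NOT clean", rep)
```

Run `verify_path("/dev/sdX")` against the device itself after the wipe, not against a mounted filesystem; a drive that shows only zeroed, constant or high-entropy blocks and no findings passes. The limits are worth stating: the signature table is a spot check, not a forensic carve, and a drive erased with a firmware crypto-erase reads back as random, which the entropy class accepts as clean because that is what a correct erase of that kind looks like.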
Hart said that Idaho Power should have required its outsourcing firm to certify that the drives had been cleaned. He also noted that the issue extends beyond Idaho Power -- even to his own organization. Hart noted that he bought 25 used computers from the University of Cincinnati a year ago to test its drives for a presentation to be made by his consulting firm, Cincinnati-based Cybercon. Hart found that the computers' unscrubbed drives held university public safety and criminal records data. The university is now putting in place policies to prevent similar problems, Hart said. "Even working at the university, it took a while to bring it to their attention," he said. From isn at c4i.org Wed May 10 02:08:48 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 10 May 2006 01:08:48 -0500 (CDT) Subject: [ISN] UK hackers condemn McKinnon trial Message-ID: http://news.bbc.co.uk/1/hi/technology/4984132.stm BBC News 8 May 2006 The UK's hacking community has strongly criticised how fellow hacker Gary McKinnon has been treated. Accused of hacking into US military computer networks, Mr McKinnon this week is expected to find out if he is to be extradited for trial in the US. British hackers say he is being made an example of to serve political ends rather than improve computer security. The punishment he faces, up to 70 years in jail, was also too harsh a sentence for the crimes he has confessed to. No defence The US government alleges that between February 2001 and March 2002, Mr McKinnon repeatedly hacked into dozens of computers used by the US Army, Navy, Air Force, and Department of Defense. While Mr McKinnon has admitted that he spent years wandering round military computer networks, he denies that his hacking was ever motivated by anything other than curiosity. Despite this, the US government is attempting to extradite him to stand trial for what one American prosecutor called "the biggest military computer hack of all time". 
If extradited, tried and found guilty he could face decades in jail and millions of dollars in fines. But hackers, gathered at the regular London meetings of the UK's hacking community, have decried the treatment meted out to their fellow technophile. Mark, one of the regular attendees of the meeting, said there was little doubt that Mr McKinnon was being made a scapegoat because some of his hacking took place after 9/11 in America. What needed to be addressed by the US military, he said, was the freedom Mr McKinnon had to wander around supposedly secure computer networks. "Hackers are not just skilled," said Mark, "they are lucky people and they are persistent people. It's a combination of all three. "He was not caught for nearly two years," said Mark. "The big error was that they did not detect it in two years." Even then the only reason Mr McKinnon, aka Solo, was caught was because of mistakes he made. "It got so routine and blase that he got sloppy," said Mark. "If he had done it for two weeks they would never have caught him." Public example Mark also questioned why he was only indicted by the US government in 2005 despite being arrested by the UK's National Hi-Tech Crime Unit in 2002. Mark, and another attendee Rat, suggested that Mr McKinnon was being treated harshly to send a message to the rest of the hacking community to clean up its act. "But," they said, "the idea of clamping down on some unlucky guy and threatening him with 70 years in jail will not make the blindest bit of difference." "All [hackers] think they will not get caught," said Mark. Rat said that almost every message received by the blogs set up to document Mr McKinnon's treatment and the progress of the court case had been supportive. Dr K, another UK hacker interviewed by the BBC News website, questioned why Mr McKinnon had to be extradited to be tried for the crimes for which he has already confessed. 
"We have laws in this country to deal with this kind of trans-national data crime," he said, "Gary McKinnon should be tried here under UK law. "Gary McKinnon should not be extradited - he's just a hacker - not a terrorist - and the UK should resist any attempts to hype up his activities by the US government in order to pillory and crucify him in public in America," he added. From isn at c4i.org Wed May 10 02:10:15 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 10 May 2006 01:10:15 -0500 (CDT) Subject: [ISN] Windows, Exchange flaws patched Message-ID: http://news.com.com/Windows%2C+Exchange+flaws+patched/2100-7350_3-6070350.html By Dawn Kawamoto Staff Writer, CNET News.com Published: May 9, 2006 Microsoft on Tuesday released three security updates, two of which address critical flaws in its Exchange e-mail server and third-party software in Windows. Critical vulnerabilities in Microsoft Exchange Calendar and Adobe's Macromedia Flash Player in Windows can lead to a remote execution of code on a user's system, according to Microsoft's security bulletins. The software giant also issued a "moderate" update for flaws in Windows, according to the software giant's bulletin. A malicious attacker could launch a denial-of-service attack by sending a specially crafted network message through the system to exploit the flaw. The critical Microsoft Exchange flaws affect Microsoft Exchange Server 2000 with Post-Service Pack (SP) 3, Microsoft Exchange 2000 Enterprise Server, and Microsoft Exchange Server 2003 with SP 1 or SP 2. "An attacker could exploit the vulnerability by constructing a specially crafted message that could potentially allow remote code execution when an Exchange Server processes an e-mail with certain...properties," according to Microsoft's bulletin. Security firm Symantec said the Microsoft Exchange flaw is the most serious of the three. 
"Because the majority of Exchange servers are configured to receive e-mails from anonymous users, this vulnerability has the potential to manifest itself in the form of a worm if machines are not properly patched," Oliver Friedrichs, Symantec Security Response director, said in a statement. Microsoft also issued a Windows update for what it described as critical flaws in Adobe's Macromedia Flash Player 5 and 6. An attacker could exploit these vulnerabilities in the Flash Player by constructing a malicious Flash animation file. Users visiting a Web site containing the specially crafted file may find their computer system taken over. The Flash Player flaws affect Windows XP Home Edition, with SP 1 or SP 2; XP Professional; Windows 98 with Gold service pack or SP1; Windows 98 SE with Gold service pack; and Windows ME with Gold service pack. Copyright ?1995-2006 CNET Networks, Inc. All rights reserved. From isn at c4i.org Wed May 10 02:10:29 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 10 May 2006 01:10:29 -0500 (CDT) Subject: [ISN] Call for Papers hack.lu 2006 Message-ID: Forwarded from: info As several potential speakers for the hack.lu 2006 conference have asked for more time to submit their paper, the conference committee has decided to extend the deadline to the 15th of June. As a bonus, the registration is now open, be sure to register early to benefit from the early bird rates ! The details for the Call for Papers are as follows: Call for Papers hack.lu 2006 The purpose of the hack.lu convention is to give an open and free playground where people can discuss the implication of new technologies in society. hack.lu is a balanced mix convention where technical and non-technical people can meet each others and share freely all kind of information. The convention will be held in the Grand-Duchy of Luxembourg in October 2006 (19-21.10.2006). 
Scope

Topics of interest include, but are not limited to:
* Software Engineering
* Honeypots/Honeynets
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Electronic Voting
* Free Software and Security
* Assessment of Computer, Electronic Devices and Information Systems
* Standards for Information Security
* Legal and Social Aspect of Information Security
* Software Engineering and Security
* Malware and malicious software
* New security vulnerabilities in Computer Science
* Network security

Deadlines

As requested by some people, we extended the date for abstract submission to the 1st July and full paper to the 1st August in order to be equitable with all the people taking part in the CfP.
Abstract submission: 1 May 2006 (extended to 15th June)
Full paper submission: 15 June 2006 (extended to 15th July)
Notification date: around end of July / beginning of August

Submission guideline

Authors should submit a paper in English of up to 5,000 words, using a non-proprietary and open electronic format. The program committee will review all papers and the author of each paper will be notified of the result by electronic means. Abstracts are limited to 400 words. Submissions must be sent to: hack2006-paper(AT)hack.lu

Submissions should also include the following:
1. Presenter, and geographical location (country of origin/passport) and contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4. Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant or an important tutorial.
6. Optionally, any samples of prepared material or outlines ready.

The information will be used only for the sole purpose of the hack.lu convention, including the information on the public website. If you want to remain anonymous, you have the right to use a nickname. 
Program Committee http://2006.hack.lu/index.php/ProgramCommittee Publication and rights Authors keep the full rights on their publication/papers but give an unrestricted right to redistribute their papers for the hack.lu convention and its related electronic/paper publication. Sponsoring If you want to support the initiative and gain visibility by sponsoring, please contact us by writing an e-mail to supportus(AT)hack.lu Web site and wiki http://www.hack.lu/ - Edition 2005 : http://2005.hack.lu/ From isn at c4i.org Wed May 10 02:10:02 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 10 May 2006 01:10:02 -0500 (CDT) Subject: [ISN] I'm the Blue Security Spammer Message-ID: http://www.wired.com/news/technology/security/0,70831-0.html By Joanna Glasner May, 05, 2006 An anonymous spammer took credit on Friday for taking part in a campaign by hundreds of junk e-mailers to disable the websites of antispam firm Blue Security and affiliated internet companies. In a message to Wired News, a writer claiming to be "one of the spammers behind (the) Blue Security scandal," said junk e-mailers have organized to collect all e-mail addresses of Blue Security's users. The writer claimed that spammers have collected e-mails of 70 to 90 percent of Blue Security's half-million registered users and sent messages to their inboxes. "Blue Security is indeed hurting our business, but not by taking down our websites," the purported spammer wrote. "Instead, they create a daily nuisance to our server administrators." Officials at Blue Security, based in Herzlia, Israel, could not be reached Friday to comment on the letter's authenticity. A representative of Blue Security's public relations firm, Affect Strategies in New York, said she and co-workers who use its software have not received similar messages. 
Earlier this week, Blue Security's CEO, Eran Reshef, said a Russian spammer operating under the name PharmaMaster orchestrated a string of attacks this week that disabled its site and sent threatening messages to its users. The spammer, Blue Security said, also took credit for launching denial of service attacks against five hosting providers and SixApart, one of the internet's largest blog networks, where the antispam firm had posted content. Blue Security appears to have drawn spammers' ire for its method of eliminating junk e-mail, which involves sending automated opt-out requests on behalf of its registered users to companies whose products are advertised by spammers, among other things. The company claims its methods comply with the U.S. CAN-SPAM Act, an antispam law that allows recipients of unwanted e-mail to opt out of e-mail lists. Only one opt-out request is allowed per spam received. But Blue Security effectively has been able to put the squeeze on spammers by coordinating legal opt-out requests from thousands of customers at once. In the message to Wired News, the self-described Russian spammer said "attacks" sent by computers running Blue Frog, the tool installed on users' computers to send automated opt-out requests, are easy to handle, but time consuming. "The point of it is to get Blue Frog software to stop turning its subscribers' computers into zombies that attack our servers," the spammer wrote. "If you want to be removed from our mailing list, please opt out first." John Levine, a board member of the Coalition Against Unsolicited Commercial Email, said that while it's not clear the letter's author is who they claim to be, a spammer could realistically gather Blue Security's users' e-mail addresses. "The problem with any antispam list is you can reverse engineer it," Levine said. "People can find out who's on the list." Blue Security's website was operating normally on Friday, after being inaccessible most of the week. 
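Levine's point that any antispam list can be reverse engineered holds even when the list is never handed out in the clear. The article does not say how Blue Security's registry was given to senders; the following added example (not Blue Security's code) assumes the usual design of publishing a hash of each registered address so that senders can scrub their own lists against it. The addresses, the salt length and the harvested candidate list are constructed for the illustration. It shows that a spammer who already holds a list of addresses learns exactly which of them are registered, and that per-entry salting only multiplies the work rather than preventing the recovery.

```python
"""Why a distributable opt-out list is a membership oracle, hashed or not."""
import hashlib
import os
from typing import Iterable, List, Set, Tuple


def normalise(address: str) -> bytes:
    """Canonical form both sides must agree on before hashing (case and whitespace)."""
    return address.strip().lower().encode()


def publish_plain(registered: Iterable[str]) -> Set[bytes]:
    """Registry as shipped to senders: SHA-256 of each address, so senders can scrub
    their lists without being handed the addresses in the clear (assumed design)."""
    return {hashlib.sha256(normalise(a)).digest() for a in registered}


def publish_salted(registered: Iterable[str], salt_len: int = 16) -> List[Tuple[bytes, bytes]]:
    """Per-entry salted variant. The salt has to ship alongside each hash, otherwise
    legitimate senders could not match against it either."""
    entries = []
    for a in registered:
        salt = os.urandom(salt_len)
        entries.append((salt, hashlib.sha256(salt + normalise(a)).digest()))
    return entries


def scrub(sender_list: Iterable[str], published: Set[bytes]) -> List[str]:
    """The intended use: a sender drops registered addresses from its own list."""
    return [a for a in sender_list if hashlib.sha256(normalise(a)).digest() not in published]


def recover_plain(published: Set[bytes], candidates: Iterable[str]) -> List[str]:
    """The abuse: the same lookup tells a spammer which of its harvested addresses
    belong to registry users. One hash per candidate."""
    return [c for c in candidates if hashlib.sha256(normalise(c)).digest() in published]


def recover_salted(published: List[Tuple[bytes, bytes]], candidates: Iterable[str]) -> List[str]:
    """Per-entry salts defeat precomputed tables but not this attack: the spammer already
    holds the candidates, so the cost rises from |candidates| hashes to |list| x |candidates|,
    and every registered candidate is still recovered."""
    found = []
    for c in candidates:
        canonical = normalise(c)
        if any(hashlib.sha256(salt + canonical).digest() == h for salt, h in published):
            found.append(c)
    return found


# Constructed sample data, not real registry or spammer lists.
REGISTERED = ["alice@example.com", "bob@example.net", "carol@example.org"]
HARVESTED = ["alice@example.com", "mallory@example.com", "Bob@Example.net", "dave@example.org"]


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Returns (what the sender keeps, members exposed by plain hashes, members exposed by salted hashes)."""
    plain = publish_plain(REGISTERED)
    salted = publish_salted(REGISTERED)
    return (scrub(HARVESTED, plain),
            recover_plain(plain, HARVESTED),
            recover_salted(salted, HARVESTED))


if __name__ == "__main__":
    kept, leaked_plain, leaked_salted = demo()
    print("sender keeps:", kept)
    print("registry members exposed (plain hashes):", leaked_plain)
    print("registry members exposed (salted hashes):", leaked_salted)
```

Putting the matching behind a service that holds a secret key, so senders submit candidates and the registry answers, relocates the oracle rather than removing it: each query still answers "is this address on the list", but at least the queries can be rate-limited and logged, which a downloadable file cannot be.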
Reshef said on Thursday the attack appeared to involve a breach of the internet's backbone that blocked incoming traffic to the site. However Todd Underwood, chief operations and security officer at internet routing analysis firm Renesys, said the site's inaccessibility seemed to result from a traditional denial of service attack, in which an attacker floods a target with incoming packets of data. In response to DoS attacks, ISPs commonly block all incoming traffic to a site, but they usually notify its operators first, he said. From isn at c4i.org Thu May 11 05:22:03 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 11 May 2006 04:22:03 -0500 (CDT) Subject: [ISN] Spot a Bug, Go to Jail Message-ID: http://www.wired.com/news/columns/circuitcourt/0,70857-0.html By Jennifer Granick May, 10, 2006 A new federal prosecution again raises the issue of whether computer security experts must fear prison time for investigating and reporting vulnerabilities. On April 28, 2006, Eric McCarty was arraigned in U.S. District Court in Los Angeles. McCarty is a professional computer security consultant who noticed that there was a problem with the way the University of Southern California had constructed its web page for online applications. A database programming error allowed outsiders to obtain applicants' personal information, including Social Security numbers. For proof, the man copied seven applicants' personal records and anonymously sent them to a reporter for SecurityFocus. The journalist notified the school, the school fixed the problem, and the reporter wrote an article about it. The incident might have ended there, but didn't. The school went through its server logs and easily traced the activity back to McCarty, who had made no attempt to hide his tracks. The FBI interviewed McCarty, who explained everything to the agents. Then the U.S. Attorney's Office in Los Angeles charged the security expert with violating 18 U.S.C. 1030, the federal computer crime law. 
Will they ever learn? In 2002, the U.S. Attorney in Texas charged Stefan Puffer with violating section 1030 after Puffer demonstrated to the Harris County District Court clerk that the court's wireless network was readily accessible to attackers. The prosecution claimed that Puffer, a security consultant, unlawfully accessed the system. Puffer argued that he was trying to help the county. A jury acquitted Puffer in about 15 minutes. In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure. Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction. The McCarty prosecution, brought by the same office that so egregiously mishandled the McDanel incident, is in the same vein. As with Puffer and McDanel, the government will have to prove not only that McCarty accessed the school system without authorization, but also that he had some kind of criminal intent. Likely, they will point to the fact that McCarty copied some applicant records. "It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant attorney for the Department of Justice's cybercrime and intellectual property crimes section, told the SecurityFocus reporter. 
"He went beyond that and gained additional information regarding the personal records of the applicant." But if he wanted to reveal USC's security gaffe, it's not clear what else he could have done. He had to get a sampling of the exposed records to prove that his claims were true. SecurityFocus reported that USC administrators initially claimed that only two database records were exposed, and only acknowledged that the entire database was threatened after additional records were shown to them. In any event, McCarty had arguably already done enough to get himself prosecuted by this Justice Department. The federal statute and copycat state laws prohibit accessing computers or a computer system without authorization, or in excess of authorization, and thereby obtaining information or causing damage. What does it mean to access a networked computer? Any communication with that computer -- even if it's simply one system asking another "are you there?" -- transmits data to the other machine. The cases say that e-mail, web surfing and port scanning all access computers. One court has even held that when I send an e-mail, not only am I accessing your e-mail server and your computer, but I'm also "accessing" every computer in between that helps transmit my message. That means the law frequently rests on the definition of "authorization." Many cases suggest that if the owner doesn't want you to use the system, for whatever reason, your use is unauthorized. In one case I took on appeal, the trial court had held that searching for airline fares on a publicly available, unprotected website was unauthorized access because the airline had asked the searcher to stop. One Western District of Washington case, Shurgard Storage Ctrs., Inc. v. 
Safeguard Self Storage, Inc., says that when a company employee knows he is going to leave his position to go work for a competitor, but continues to use his computer account and copy information there for the purposes of aiding his new bosses, his access is unauthorized. A federal court in Maryland went the other way in a case with similar facts: In International Association of Machinists and Aerospace Workers v. Werner-Matsuda, a union employee who accessed her computer account for the purposes of helping a rival union recruit members did not violate the law. The statute proscribes unauthorized access, not authorized access for unwanted purposes, said the court. What this means for McCarty is that there are ample legal reasons for the prosecution to drop the charges against him. Yet, there are also ample legal reasons why a security professional, upon finding a database flaw, might worry that the find would bring criminal charges rather than thanks. This situation must change. People need to be able to exercise a little bit of self-help before plugging their data into web forms, and security professionals who happen upon vulnerabilities shouldn't have to choose between leaving the system wide open to attack and prosecution. One solution might be to focus more heavily on whether the user has criminal intent when accessing the system. Another might be to criminalize specific activities on the computer, but not access to a public system itself. A third might be to define unlawful access as the circumvention of some kind of security measure. As we have more cases like McCarty's, McDanel's and Puffer's, perhaps security professionals will pressure state legislatures and Congress to improve the computer crime laws. -=- Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic. © Copyright 2006, Lycos, Inc. 
From isn at c4i.org Thu May 11 05:22:18 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 11 May 2006 04:22:18 -0500 (CDT) Subject: [ISN] Voting glitch said to be 'dangerous' Message-ID: http://www.insidebayarea.com/search/ci_3804675 By Ian Hoffman STAFF WRITER 05/10/2006 Elections officials in several states are scrambling to understand and limit the risk from a "dangerous" security hole found in Diebold Election Systems Inc.'s ATM-like touch-screen voting machines. The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide. Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways. "This one is worse than any of the others I've seen. It's more fundamental," said Douglas Jones, a University of Iowa computer scientist and veteran voting-system examiner for the state of Iowa. "In the other ones, we've been arguing about the security of the locks on the front door," Jones said. "Now we find that there's no back door. This is the kind of thing where if the states don't get out in front of the hackers, there's a real threat." The Argus is withholding some details of the vulnerability at the request of several elections officials and scientists, partly because exploiting it is so simple and the tools for doing so are widely available. A Finnish computer expert working with Black Box Voting, a nonprofit organization critical of electronic voting, found the security hole in March after Emery County, Utah, was forced by state officials to accept Diebold touch screens, and a local elections official allowed the expert to examine the machines. 
Black Box Voting was to issue two reports today on the security hole, one of limited distribution that explains the vulnerability fully and one for public release that withholds key technical details. The computer expert, Harri Hursti, quietly sent word of the vulnerability in March to several computer scientists who advise various states on voting systems. At least two of those scientists verified some or all of Hursti's findings. Several notified their states and requested meetings with Diebold to understand the problem. The National Association of State Elections Directors, the non-governmental group that issues national-level approvals for voting systems, learned of the vulnerability Tuesday and was weighing its response. States are scheduled to hold primary elections in May, June and July. "Our voting systems board is looking at this issue," said NASED chairman Kevin Kennedy, a Wisconsin elections official. "The states are talking among themselves and looking at plans to mitigate this." Pennsylvania, California and Iowa are issuing emergency notices to local elections officials, generally telling them to "sequester" their Diebold touch screens and reprogram them with "trusted" software issued by the state capital. Elections officials are to keep the machines sealed with tamper-resistant tape until Election Day. In California, three counties - San Joaquin, Butte and Kern - plan to rely exclusively on Diebold touch screens in their polling places for the June primary. Nine other counties, including Alameda, Los Angeles and San Diego, will use Diebold touch screens for early voting or for limited, handicapped-accessible voting in their polling places. 
California elections officials told those counties Friday that the risk from the vulnerability was "low" and that any vote tampering would be revealed to voters on the paper read-out that prints when they cast their ballots, as well as to elections officials when they recount those printouts for 1 percent of their precincts after the election. "I think the likelihood of this happening is low," assistant Secretary of State for elections Susan Lapsley said. "It assumes access and control for a lengthy period of time." But scientists say that is not necessarily true. Preparations could be made days or weeks beforehand, and the loading of the software could take only a minute once the machines are delivered to the polling places. In some cases, machines are delivered several days before an election to schools, churches, homes and other polling places. Scientists said Diebold appeared to have opened the hole by making it as easy as possible to upgrade the software inside its machines. The result, said Iowa's Jones, is a violation of federal voting system rules. "All of us who have heard the technical details of this are really shocked. It defies reason that anyone who works with security would tolerate this design," he said. © 2000-2006 ANG Newspapers From isn at c4i.org Thu May 11 05:22:34 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 11 May 2006 04:22:34 -0500 (CDT) Subject: [ISN] Laws won't stop cybercriminals, say experts Message-ID: http://www.infoworld.com/article/06/05/10/78183_HNlegalsol_1.html By Grant Gross IDG News Service May 10, 2006 Terrorists and organized criminals are using computer vulnerabilities to line their pockets, but many cybersecurity ideas coming out of the U.S. Congress may not help much, some experts said Wednesday.
Legislation that would require companies with data breaches to notify affected customers will create new expenses for companies, much the way the Sarbanes-Oxley Act did, said Bruce Kobayashi, a law professor at George Mason University. Congress passed Sarbanes-Oxley, or SOX, in 2002, and the law requires public companies to report their internal processes for ensuring the accuracy of financial reports. "I think Congress has to ... slow down," said Kobayashi, speaking at a data security conference sponsored by conservative think tank the Progress & Freedom Foundation (PFF). "Otherwise, we're going to get some SOX-type legislation in which firms spend a lot of money sending out notifications." Since a rash of data breaches in early 2005, Congress has introduced more than 10 bills related to data breach notification. Four bills are awaiting action on either the Senate or the House of Representatives floor, but the bills differ in their approach, and each would have to pass through the other chamber to become law. Congress is scheduled to adjourn for the year in early October. The working model for a data breach bill seems to be the SOX law, which has cost U.S. businesses hundreds of millions of dollars, Kobayashi said. "The model is a sledgehammer," he said. "What economists hope is Congress steps back and looks at the costs and benefits before they do something like that." But others speaking at the PFF conference said cybersecurity problems are more serious than most people realize. The U.S. Federal Bureau of Investigation gets frequent reports of hackers attempting to extort companies by threatening to release customer data, and the U.S. Department of State has warned of terrorist organizations training hackers, said Alan Paller, director of research for the SANS Institute. "You get shot trying to rob jewelry stores," Paller said. "[Hacking] is a much better way to raise money to buy the bombs." 
Some consumer groups and businesses have called for a national data breach notification law. Businesses such as data broker ChoicePoint Inc., which in February 2005 announced a breach affecting about 150,000 people, have called for a national breach notification law instead of complying with a "patchwork" of nearly 30 such state laws. Kobayashi called for Congress to pass a law allowing companies to comply with one state law, much the way U.S. corporations register in Delaware because of its corporate tax law. "We have seen innovation at the states," he said. "I don't have any answers, but I'm sure that neither does Congress." Instead of waiting for Congress to act, businesses should demand more secure IT products, said Ken Silva, chief security officer for security vendor VeriSign Inc. He encouraged technology buyers to join organizations that advocate for more secure products. "We can't wait for Congress to solve this problem because it's not going to solve the problem," Silva said. "The fact of the matter is extortion is already illegal. Passing a law to make electronic extortion even more illegal looks good on television, but it doesn't really solve the problem." From isn at c4i.org Thu May 11 05:23:08 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 11 May 2006 04:23:08 -0500 (CDT) Subject: [ISN] Court: Alleged hacker can be extradited Message-ID: http://seattlepi.nwsource.com/national/1103AP_Britain_US_Hacker.html By DAVID STRINGER ASSOCIATED PRESS WRITER May 10, 2006 LONDON -- A British court recommended Wednesday that a man be extradited to the United States to face charges in the largest attack on U.S. government computer networks - including Army, Air Force, Navy and NASA systems. Gary McKinnon, 40, of London has been indicted in New Jersey and Virginia for allegedly hacking into U.S. government computers between February 2001 and March 2002. He was arrested in 2002 and has fought his extradition by claiming he could face prosecution under U.S. 
anti-terror laws. "My intention was never to disrupt security. The fact that I logged on and there were no passwords means that there was no security," McKinnon said, outside the hearing at London's Bow Street Magistrates Court. "I was looking for UFOs." Court records in Virginia said McKinnon caused $900,000 in damage to computers, including those of private companies, in 14 states. In New Jersey, he is accused of hacking into a network of 300 computers at the Earle Naval Weapons Station in Colts Neck, N.J., and stealing 950 passwords. The break-in - which occurred immediately after the Sept. 11, 2001, terrorist attacks - shut down the whole system for a week, Judge Nicholas Evans said. The station is responsible for replenishing the Atlantic fleet's munitions and supplies. Though McKinnon was able to view sensitive details about naval munitions and shipbuilding on the secure U.S. systems, he did not access classified information, an investigation found. British Home Secretary John Reid will make the final decision on extradition. If he approves it, McKinnon will appeal to the High Court, his lawyer Karen Todner said. Edward Lawson, another attorney for McKinnon, told an earlier hearing that his client feared prosecution by a U.S. military commission under powers introduced after the Sept. 11 attacks. But the judge said there was no "real, as opposed to fanciful, risk" of McKinnon being prosecuted under anti-terror laws, asking the suspect to accept an assurance provided by the U.S. Department of Justice. He told McKinnon that in choosing to target the United States he had "run the risk of being prosecuted in that country." Officials in New Jersey and Virginia would have to decide where McKinnon should stand trial. If convicted of the charges in New Jersey, McKinnon faces a maximum sentence of five years in federal prison and a $250,000 fine. 
From isn at c4i.org Thu May 11 05:23:28 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 11 May 2006 04:23:28 -0500 (CDT) Subject: [ISN] The Complete, Unquestionable, And Total Failure of Information Security. Message-ID: http://www.securityabsurdity.com/failure.php by Noam Eppel Vivica Information Security Inc. May 8th, 2006 Boiling Frog Syndrome They say if you drop a frog in a pot of boiling water, it will, of course, frantically try to scramble out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite complacently. As you turn up the heat, the frog will sink into a tranquil stupor and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death. The security industry is much like that frog; completely and uncontrollably in disarray - yet we tolerate it since we are used to it. It is time to admit what many security professionals already know: We as security professionals are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect. The ramifications of our failure are immense. The success of the Internet and the global economy relies on trust and security. Billions of dollars of ecommerce opportunities are being lost due to inadequate security. A recent survey of U.S. adults revealed that three times the number of respondents believed they were more likely to be victimized in an online attack than a physical crime. A recent Gartner survey indicated that 14% of those who had banked online had stopped because of security concerns, and 30% had altered their usage. People are simply losing trust in the Internet.
The security community is not just failing in one specific way, it is failing across multiple categories. It is being out-innovated. It is losing the digital battle over cyberspace. Failing? Says Who? Today we have fourth and fifth generation firewalls, behavior-based anti-malware software, host and network intrusion detection systems, intrusion prevention systems, one-time password tokens, automatic vulnerability scanners, personal firewalls, etc., all working to keep us secure. Is this keeping us secure? According to USA Today, 2005 was the worst year ever for security breaches of computer systems. The US Treasury Department's Office of Technical Assistance estimates cybercrime proceeds in 2004 were $105 billion, greater than those of illegal drug sales. According to the recently released 2005 FBI/CSI Computer Crime and Security Survey, nearly nine out of 10 U.S. businesses suffered from a computer virus, spyware or other online attack in 2004 or 2005 despite widespread use of security software. According to the FBI, every day 27,000 people have their identities stolen. And companies like IBM are putting out warning calls about more targeted, more sophisticated and more damaging attacks in 2006. Something is seriously wrong. One only has to open a newspaper and view current headlines documenting the almost constant loss of personal and financial data due to carelessness and hacking. It isn't just careless individuals that are leaking confidential information - it is large, multinational corporations with smart, capable I.T. departments with dedicated security professionals and huge security budgets. [...]
From isn at c4i.org Fri May 12 04:10:38 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 12 May 2006 03:10:38 -0500 (CDT) Subject: [ISN] Hackers slam McKinnon extradition ruling Message-ID: http://www.theregister.co.uk/2006/05/11/mckinnon_extradition_bevan_interview/ By John Leyden 11th May 2006 The prosecution of alleged Pentagon uber-hacker Gary McKinnon shows that the US is failing to take even basic precautions to protect its military systems, according to a reformed computer hacker accused of similar crimes 10 years ago. Mathew Bevan, whose hacker handle is Kuji, was accused of breaking into US military computer systems but escaped without punishment when a 1997 case at Woolwich Crown Court was dropped after a long-running legal battle. After the case, Bevan became an ethical hacker and security consultant with Tiger Computer Security, and later on a freelance basis with his firm the Kuji Media Corporation. "The internet was just starting out and in its infancy at the time of my alleged crimes. The prosecution against McKinnon, and what he says he was able to do, show that US military security has not changed. The authorities have not woken up," Bevan told El Reg. Earlier on Wednesday, a judge gave the go-ahead to the extradition of McKinnon (AKA Solo). If Home Secretary John Reid confirms the decision, which may become the subject of appeal, McKinnon faces the possibility of trial by a military tribunal and the prospect of decades in jail. McKinnon is accused of causing damage to US military and NASA systems that he allegedly conducted in search of evidence the US government was suppressing alien technology salvaged from wrecked UFOs. Bevan, like McKinnon, has an interest in free energy and evidence of UFOs. "You might say Gary was following in my footsteps and doing the same thing, albeit using different techniques. McKinnon has admitted hacking into systems in interviews. 
He's unfortunate because what he's done is a few years too late and in a different political climate," Bevan said. Bevan said the military systems McKinnon is accused of hacking were an open resource that were likely used by numerous hackers, some with hostile intent. "McKinnon was just snooping and what he did was not motivated by personal gain. There is no reason for his extradition. He ought to be tried in the UK. The US has labeled him as a cyberterrorist and the 'biggest military hacker ever', but this just looks like an attempt to drum up publicity for the case," he added. Daniel Cuthbert, a London-based security consultant tried over allegations that he illegally accessed the Tsunami appeal website, and subsequently convicted on what many in the security industry reckon was questionable grounds, also feels McKinnon has been harshly treated. "I do feel he is being made an example of. He screwed up and shouldn't have been in the systems at all, but at the same time the punishment he is facing just doesn't match the crime. For the amount of years he is looking at, it would have been better in the eyes of the law to be a rapist or some other type of violent criminal," Cuthbert told El Reg. "It's another example of the CPS [Crown Prosecution Service] and legal system not being able to cope with the movement of technology. They are still 10 years behind and using the CMA [Computer Misuse Act] as the backbone for all technology related cases," he added. ® From isn at c4i.org Fri May 12 04:10:50 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 12 May 2006 03:10:50 -0500 (CDT) Subject: [ISN] China now global hub for spyware Message-ID: http://www.techworld.com/security/news/index.cfm?newsID=5983 By John E. Dunn Techworld 11 May 2006 China has overtaken the US as the major distributor of spy and malware, the latest trend report from Webroot has claimed.
The company used its "Phileas" malware tracking system to reckon China's proportion of global spyware as being 42 percent for the first quarter of 2006, with the US a distant second at 17 percent. This reverses the figures for Q4 of 2005, where the US was ahead. If accurate, the figures are a strong indication that 2006 will be the year that China, as long predicted, overtakes the US as the world's number one malware producer. Last month, Sophos rated China as now only a fraction behind the US in the bellwether spam production league. The Netherlands, France and Spain come next with a combined total of 12.5 percent of malware, but no one country comes close to the two main offenders. Other statistics include the news that the cumulative figure for malware-distribution sites has risen from 400,000 in 2005 to 427,000 in the first quarter of this year. The report notes that phishing attacks have made a comeback, after a period of relative stability, something the company attributes to the easier availability of Trojan source code on the Internet. Keyloggers are also advancing, with new techniques such as kernel-level driver designs and rootkits to the fore. More and more of these programs are setting out to disrupt anti-malware software as part of their attempt to avoid detection. The average piece of malware now comes in ten different variants. Explanations for China's increasing prominence in malware vary. Some have said that the country is favoured as a relay point for attacks that originate elsewhere thanks to its lax controls and legislation. So the statistics don't necessarily mean that China is the world's largest producer of malware, only its new distribution hub. Webroot points to legislation as being the deciding factor. "One reason for China's hosting growth could be due to impending anti-spyware legislation in the United States driving spyware writers to less monitored and regulated countries," the report says.
From isn at c4i.org Fri May 12 04:11:43 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 12 May 2006 03:11:43 -0500 (CDT) Subject: [ISN] Ship security system draws FBI's attention Message-ID: http://www.chron.com/disp/story.mpl/business/3858026.html By BILL HENSEL JR. Copyright 2006 Houston Chronicle May 11, 2006 A ship security concept being marketed out of Houston would be a welcome tool for authorities if terrorists tried to hit the Port of Houston, the FBI said Thursday. While the agency doesn't endorse commercial products, Special Agent Jim Walsh said, a remote-control security system like that developed by VIP Systems could be useful. "I do think this is a unique system," Walsh said of the satellite-driven vessel security program being offered by VIP Systems and its partners. The system, unveiled in 2004, was reviewed Thursday at a maritime security gathering at the Port of Houston Authority headquarters. Among the features of the VIP system is one that would allow authorities to see, via satellite, inside a vessel like an oil tanker at sea and remotely shut down its engines if it were commandeered. The FBI, which would respond jointly with the Coast Guard, would rather deal with such a vessel out at sea than in port, Walsh said. One major fear of port officials throughout the world is that an oil tanker could be commandeered and used as a weapon of mass destruction, said Alex Genin, chief executive and president of VIP Systems. SkyPort International, a secure broadband satellite communications provider that is working with VIP on the system, has a contract with one company that had a vessel commandeered by pirates on the open seas in Asia. VIP is talking with several foreign governments about using its security system, Genin said, but vessel owners or insurance companies likely would have to be the ones to fund implementation. The system also features biometrics to identify ship crew members. 
SkyPort also is working with a Florida company that has developed a system to scan vessels and containers before they enter or leave ports. That company, SeaAway, wants to test its system at the Port of Houston, according to Bernadette Kroecker, chief executive and managing director. From isn at c4i.org Fri May 12 04:11:56 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 12 May 2006 03:11:56 -0500 (CDT) Subject: [ISN] Hacker gets private data on students at Ohio University Message-ID: http://www.ohio.com/mld/beaconjournal/14554413.htm Associated Press May. 11, 2006 ATHENS, Ohio - Private information for all students enrolled at Ohio University since fall 2001 was stolen in the third electronic security breach discovered in three weeks, the school reported Thursday. It was the first time Social Security numbers and other private information for current students was compromised in the data thefts. The FBI found and alerted the school to the first breach last month, and two more have been discovered in the university's own review of all its systems. More breaches could be found as 20 employees working seven-day weeks continue the review, which could take another 10 days to finish, said Bill Sams, head of information technology. "We're going through every system from top to bottom," he said. Names, birth dates, Social Security numbers and medical information for 60,000 people were accessed in records at the school's Hudson Health Center, the university discovered last Thursday. The student clinic has records on all Athens campus students dating back to 2001, plus faculty, workers and regional campus students who sought treatment there. As it did with the previous thefts, the university sent e-mails Thursday to the affected people and will follow up with letters. The alerts couldn't be sent to students earlier because names in the database couldn't be accessed while the school backed it up to preserve evidence and rebuilt it with proper security, Sams said. 
The university reported two data thefts within three days of each other in late April. Someone gained unauthorized access to records on more than 300,000 people and organizations in the alumni relations department, including 137,000 Social Security numbers, and to a server at the school's business incubator that contained e-mails and patent and intellectual property files. After those thefts, the university set up a Web site and hot line, (740) 566-7448 or (800) 901-2303, with tips on how to prevent fraudulent use of personal information. The school also has hired a security consultant. "Given the breadth and the number of these we are operating under the assumption that we've got to make major changes very quickly," Sams said. Ohio University also has called other schools that had breaches, including Miami University in Oxford in southwest Ohio. Miami reported in September that someone had accidentally posted a grade report that included student names and Social Security numbers on a site accessible by the Internet. 
ON THE NET Ohio University data theft: http://www.ohiou.edu/datatheft From isn at c4i.org Fri May 12 04:11:14 2006 From: isn at c4i.org (InfoSec News) Date: Fri, 12 May 2006 03:11:14 -0500 (CDT) Subject: [ISN] Secunia Weekly Summary - Issue: 2006-19 Message-ID: ======================================================================== The Secunia Weekly Advisory Summary 2006-05-04 - 2006-05-11 This week: 91 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3..............................This Week's Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information. Every single vulnerability report is being validated and verified before a Secunia advisory is written. Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued. As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet. Secunia Online Vulnerability Database: http://secunia.com/ ======================================================================== 2) This Week in Brief: Microsoft has released their monthly security bulletins for May, which fix several vulnerabilities. Additional details can be found in the referenced Secunia advisories listed below.
All users of Microsoft products are advised to visit Windows Update and apply available patches. Reference: http://secunia.com/SA20000 http://secunia.com/SA20029 http://secunia.com/SA20045 -- A vulnerability has been reported in various Sophos Anti-Virus products, which can be exploited by malicious people to compromise a vulnerable system. Successful exploitation allows execution of arbitrary code. The vendor has issued updated versions; please refer to the referenced Secunia advisory below. Reference: http://secunia.com/SA20028 -- VIRUS ALERTS: Secunia has not issued any virus alerts during the week. ======================================================================== 3) This Week's Top Ten Most Read Advisories: 1. [SA19762] Internet Explorer "object" Tag Memory Corruption Vulnerability 2. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information 3. [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing 4. [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution 5. [SA19802] Firefox "contentWindow.focus()" Deleted Object Reference Vulnerability 6. [SA20029] Microsoft Exchange Server Calendar Vulnerability 7. [SA19969] AWStats "migrate" Shell Command Injection Vulnerability 8. [SA19926] Linux Kernel SCTP Netfilter Denial of Service Vulnerability 9. [SA19927] PHP Multiple Unspecified Vulnerabilities 10.
[SA20045] Microsoft Windows Flash Player Code Execution Vulnerabilities ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA20045] Microsoft Windows Flash Player Code Execution Vulnerabilities [SA20029] Microsoft Exchange Server Calendar Vulnerability [SA19975] Anti-Trojan unacev2.dll Buffer Overflow Vulnerability [SA19970] XM Easy Personal FTP Server USER Command Vulnerabilities [SA19968] Cryptomathic Cenroll ActiveX Control "createPKCS10()" Buffer Overflow [SA20048] Novell Client DPRPCW32.DLL Buffer Overflow Vulnerability [SA20043] EImagePro SQL Injection Vulnerabilities [SA20039] MaxxSchedule SQL Injection and Cross-Site Scripting [SA20035] IdealBB Multiple Vulnerabilities [SA20033] FileCOPA FTP Server USER Command Denial of Service [SA20030] MultiCalendars "calsids" Parameter SQL Injection Vulnerability [SA20017] EDirectoryPro "keyword" Parameter SQL Injection [SA20004] VP-ASP Shopping Cart "cid" SQL Injection Vulnerability [SA19978] acFTP USER Command Denial of Service Vulnerability [SA19977] PowerArchiver unacev2.dll Buffer Overflow Vulnerability [SA20000] Microsoft Windows MSDTC Heap Overflow Vulnerabilities [SA20061] Microsoft Windows "itss.dll" Heap Corruption Vulnerability [SA20036] Ocean12 Calendar Manager Pro Multiple Vulnerabilities [SA20006] EPublisherPro "title" Cross-Site Scripting Vulnerability [SA19981] Ublog "text" Script Insertion Vulnerability [SA20001] Intel PROset/Wireless Software Insecure Shared Section UNIX/Linux: [SA20051] Gentoo update for mozilla-thunderbird [SA20019] Gentoo update for mozilla-firefox [SA20015] Debian update for mozilla [SA20013] Gentoo update for nagios [SA19998] Ubuntu update for nagios [SA19991] Nagios Content-Length Handling Buffer Overflow Vulnerability [SA19969] AWStats "migrate" Shell Command Injection Vulnerability [SA20065] Gentoo update for quake [SA20064] Gentoo update for ruby [SA20055] Gentoo update for pdnsd [SA20042] Avaya 
S87X0/S8500/S8300 Tar PAX Extended Headers Buffer Overflow [SA20024] Red Hat update for ruby [SA20023] Red Hat update for libtiff [SA20021] Debian update for tiff [SA20014] SUSE update for cyrus-sasl-digestmd5 [SA20012] pstotext Filename Shell Command Injection Vulnerability [SA20011] Gentoo update for rsync [SA19994] ISPConfig "go_info[server][classes_root]" File Inclusion [SA19990] Linux Kernel SCTP Denial of Service Vulnerabilities [SA19987] vpopmail Cleartext Password Authentication Bypass [SA19985] Debian update for cgiirc [SA20022] Avahi Denial of Service and Buffer Overflow Vulnerabilities [SA19983] Sun Solaris update for Xorg X Server [SA20052] Gentoo update for php [SA20050] Sun Solaris libike Denial of Service Vulnerability [SA20046] Slackware update for apache [SA19979] SUSE updates for php4 / php5 [SA20002] Ubuntu update for mysql [SA20056] UnixWare update for Ghostscript Other: [SA20058] 3Com TippingPoint SMS Server Information Disclosure [SA20044] Cisco PIX/ASA/FWSM WebSense URL Filtering Bypass Cross Platform: [SA19993] Jetbox CMS "relative_script_path" File Inclusion Vulnerability [SA20041] ACal "path" File Inclusion Vulnerability [SA20040] EQdkp "eqdkp_root_path" File Inclusion Vulnerability [SA20031] StatIt "statitpath" Parameter File Inclusion Vulnerability [SA20028] Sophos Anti-Virus Cabinet File Processing Memory Corruption [SA20027] phpRaid "phpbb_root_path" File Inclusion Vulnerability [SA20003] Claroline File Inclusion Vulnerabilities [SA19980] Dokeos "includePath" Parameter File Inclusion Vulnerability [SA19976] Fast Click SQL Lite "path" File Inclusion Vulnerability [SA20054] Dreamweaver Server Behavior SQL Injection Vulnerability [SA20047] openEngine "template" Parameter Local File Inclusion Vulnerability [SA20037] IA-Calendar Cross-Site Scripting and SQL Injection Vulnerabilities [SA20034] SaphpLesson SQL Injection Vulnerabilities [SA20032] IBM Websphere Application Server Multiple Vulnerabilities [SA20025] IBM Websphere Application 
Server Welcome Page Security Bypass [SA20020] PassMasterFlexPlus "Hack Log" Script Insertion Vulnerability [SA20018] OpenFAQ "q" Parameter Script Insertion Vulnerability [SA20016] Flexcustomer Login SQL Injection Vulnerability [SA20007] X7 Chat "avatar" Parameter Script Insertion Vulnerability [SA20005] Online Universal Payment System "read" Parameter Two Vulnerabilities [SA19999] Creative Community Portal SQL Injection Vulnerabilities [SA19997] Drupal "project.module" Script Insertion Vulnerability [SA19996] 2005-Comments-Script Multiple Vulnerabilities [SA19992] PHP-Fusion Multiple Vulnerabilities [SA19989] evoTopsites Multiple SQL Injection Vulnerabilities [SA19984] Quake3 Engine "remapShader" Buffer Overflow and Directory Traversal [SA19982] Cute Guestbook Multiple Script Insertion Vulnerabilities [SA19972] Newsadmin "nid" SQL Injection Vulnerability [SA19971] Big Webmaster Guestbook Script Multiple Script Insertion Vulnerabilities [SA20057] xpoll Authentication Bypass Security Issue [SA20053] Jadu CMS "register.php" Cross-Site Scripting Vulnerabilities [SA20038] EasyEvent "curr_year" Cross-Site Scripting Vulnerability [SA20026] CuteNews "search.php" Cross-Site Scripting Vulnerabilities [SA20008] PHP Arena paCheckbook Multiple SQL Injection Vulnerabilities [SA19995] Dynamic Galerie "pfad" Cross-Site Scripting and Information Disclosure [SA19986] PunBB "redirect_url" Cross-Site Scripting Vulnerability [SA19973] Invision Community Blog Module "selectedbids" SQL Injection [SA19988] Netscape "View Image" Local Resource Linking Weakness [SA19974] WebCalendar User Account Enumeration Weakness ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA20045] Microsoft Windows Flash Player Code Execution Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-09 Two vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious 
people to compromise a user's system. Full Advisory: http://secunia.com/advisories/20045/ -- [SA20029] Microsoft Exchange Server Calendar Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-09 A vulnerability has been reported in Microsoft Exchange Server, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/20029/ -- [SA19975] Anti-Trojan unacev2.dll Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-08 Secunia Research has discovered a vulnerability in Anti-Trojan, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19975/ -- [SA19970] XM Easy Personal FTP Server USER Command Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2006-05-05 Two vulnerabilities have been discovered in XM Easy Personal FTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/19970/ -- [SA19968] Cryptomathic Cenroll ActiveX Control "createPKCS10()" Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2006-05-05 Dennis Rand has reported a vulnerability in Cryptomathic Cenroll ActiveX Control, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/19968/ -- [SA20048] Novell Client DPRPCW32.DLL Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: Unknown Released: 2006-05-10 A vulnerability with an unknown impact has been reported in Novell Client. 
Full Advisory: http://secunia.com/advisories/20048/

--
[SA20043] EImagePro SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-09
Dj_Eyes has reported some vulnerabilities in EImagePro, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20043/

--
[SA20039] MaxxSchedule SQL Injection and Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-08
Dj_Eyes has reported two vulnerabilities in MaxxSchedule, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20039/

--
[SA20035] IdealBB Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access
Released: 2006-05-09
CodeScan Labs have reported multiple vulnerabilities in IdealBB, which can be exploited by malicious users to compromise a vulnerable system or by malicious people to disclose certain sensitive information, conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20035/

--
[SA20033] FileCOPA FTP Server USER Command Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-08
Bigeazer has discovered a vulnerability in FileCOPA, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20033/

--
[SA20030] MultiCalendars "calsids" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-09
Dj_Eyes has reported a vulnerability in MultiCalendars, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20030/

--
[SA20017] EDirectoryPro "keyword" Parameter SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-09
Dj_Eyes has reported a vulnerability in EDirectoryPro, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20017/

--
[SA20004] VP-ASP Shopping Cart "cid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-08
tracewar has reported a vulnerability in VP-ASP Shopping Cart, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20004/

--
[SA19978] acFTP USER Command Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-05
Preddy has discovered a vulnerability in acFTP, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19978/

--
[SA19977] PowerArchiver unacev2.dll Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-08
Secunia Research has discovered a vulnerability in PowerArchiver, which can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19977/

--
[SA20000] Microsoft Windows MSDTC Heap Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-05-09
Two vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20000/

--
[SA20061] Microsoft Windows "itss.dll" Heap Corruption Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-05-10
Rubén Santamarta has discovered a vulnerability in Microsoft Windows, which potentially can be exploited by malicious people to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20061/

--
[SA20036] Ocean12 Calendar Manager Pro Multiple Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-08
Dj_Eyes has reported some vulnerabilities in Ocean12 Calendar Manager Pro, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20036/

--
[SA20006] EPublisherPro "title" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-09
Dj_Eyes has reported a vulnerability in EPublisherPro, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20006/

--
[SA19981] Ublog "text" Script Insertion Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-05
omnipresent has discovered a vulnerability in Ublog, which can be exploited by malicious users to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19981/

--
[SA20001] Intel PROset/Wireless Software Insecure Shared Section
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-05-09
Rubén Santamarta has discovered a vulnerability in Intel PROset/Wireless Software, which can be exploited by malicious, local users to disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20001/

UNIX/Linux:
--
[SA20051] Gentoo update for mozilla-thunderbird
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, DoS, System access
Released: 2006-05-09
Gentoo has issued an update for mozilla-thunderbird. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20051/

--
[SA20019] Gentoo update for mozilla-firefox
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-08
Gentoo has issued an update for mozilla-firefox. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20019/

--
[SA20015] Debian update for mozilla
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-09
Debian has issued an update for mozilla. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20015/

--
[SA20013] Gentoo update for nagios
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-08
Gentoo has issued an update for nagios. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20013/

--
[SA19998] Ubuntu update for nagios
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-08
Ubuntu has issued an update for nagios.
This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19998/

--
[SA19991] Nagios Content-Length Handling Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-08
A vulnerability has been reported in Nagios, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19991/

--
[SA19969] AWStats "migrate" Shell Command Injection Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-05
OS Reviews has reported a vulnerability in AWStats, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19969/

--
[SA20065] Gentoo update for quake
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-10
Gentoo has issued updates for multiple packages based on the Quake 3 engine. These fix a vulnerability, which can be exploited by malicious people to potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20065/

--
[SA20064] Gentoo update for ruby
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-10
Gentoo has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20064/

--
[SA20055] Gentoo update for pdnsd
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-10
Gentoo has issued an update for pdnsd. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20055/

--
[SA20042] Avaya S87X0/S8500/S8300 Tar PAX Extended Headers Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-10
Avaya has acknowledged a vulnerability in Avaya S87X0/S8500/S8300 Media Servers, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20042/

--
[SA20024] Red Hat update for ruby
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-09
Red Hat has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20024/

--
[SA20023] Red Hat update for libtiff
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-09
Red Hat has issued an update for libtiff. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory: http://secunia.com/advisories/20023/

--
[SA20021] Debian update for tiff
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-09
Debian has issued an update for tiff. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/20021/

--
[SA20014] SUSE update for cyrus-sasl-digestmd5
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-08
SUSE has issued an update for cyrus-sasl-digestmd5. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20014/

--
[SA20012] pstotext Filename Shell Command Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-08
Brian May has reported a vulnerability in pstotext, which potentially can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20012/

--
[SA20011] Gentoo update for rsync
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-08
Gentoo has issued an update for rsync. This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20011/

--
[SA19994] ISPConfig "go_info[server][classes_root]" File Inclusion
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-09
ReZEN has reported a vulnerability in ISPConfig, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19994/

--
[SA19990] Linux Kernel SCTP Denial of Service Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-09
Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/19990/

--
[SA19987] vpopmail Cleartext Password Authentication Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-08
A security issue has been reported in vpopmail, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19987/

--
[SA19985] Debian update for cgiirc
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-08
Debian has issued an update for cgiirc.
This fixes a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19985/

--
[SA20022] Avahi Denial of Service and Buffer Overflow Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-05-08
Two vulnerabilities have been reported in Avahi, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20022/

--
[SA19983] Sun Solaris update for Xorg X Server
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-05-05
Sun has issued an update for Xorg X server. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19983/

--
[SA20052] Gentoo update for php
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access
Released: 2006-05-09
Gentoo has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to gain knowledge of potentially sensitive information, to conduct cross-site scripting attacks, and to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20052/

--
[SA20050] Sun Solaris libike Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-05-09
A vulnerability has been reported in Solaris, which can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory: http://secunia.com/advisories/20050/

--
[SA20046] Slackware update for apache
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-10
Slackware has issued an update for apache. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20046/

--
[SA19979] SUSE updates for php4 / php5
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information
Released: 2006-05-05
SUSE has issued updates for php4 / php5. These fix some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to bypass certain security restrictions, to gain knowledge of potentially sensitive information, and to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19979/

--
[SA20002] Ubuntu update for mysql
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-05-08
Ubuntu has issued an update for mysql. This fixes two vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information.
Full Advisory: http://secunia.com/advisories/20002/

--
[SA20056] UnixWare update for Ghostscript
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-10
SCO has issued an update for Ghostscript. This fixes some vulnerabilities, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.
Full Advisory: http://secunia.com/advisories/20056/

Other:
--
[SA20058] 3Com TippingPoint SMS Server Information Disclosure
Critical: Less critical
Where: From local network
Impact: Exposure of system information
Released: 2006-05-10
A vulnerability has been reported in 3Com TippingPoint SMS Server, which can be exploited by malicious people to disclose certain system information.
Full Advisory: http://secunia.com/advisories/20058/

--
[SA20044] Cisco PIX/ASA/FWSM WebSense URL Filtering Bypass
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2006-05-09
George D. Gal has reported a vulnerability in Cisco PIX/ASA/FWSM, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20044/

Cross Platform:
--
[SA19993] Jetbox CMS "relative_script_path" File Inclusion Vulnerability
Critical: Highly critical
Where:
Impact: System access
Released: 2006-05-08
beford has discovered a vulnerability in Jetbox CMS, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19993/

--
[SA20041] ACal "path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-08
PiNGuX has discovered a vulnerability in ACal, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20041/

--
[SA20040] EQdkp "eqdkp_root_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-08
OLiBekaS has discovered a vulnerability in EQdkp, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20040/

--
[SA20031] StatIt "statitpath" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-08
IGNOR3 has discovered a vulnerability in StatIt, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20031/

--
[SA20028] Sophos Anti-Virus Cabinet File Processing Memory Corruption
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-09
A vulnerability has been reported in various Sophos Anti-Virus products, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20028/

--
[SA20027] phpRaid "phpbb_root_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-09
botan has discovered a vulnerability in phpRaid, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20027/

--
[SA20003] Claroline File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-08
Some vulnerabilities have been discovered in Claroline, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/20003/

--
[SA19980] Dokeos "includePath" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-08
beford has discovered a vulnerability in Dokeos, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19980/

--
[SA19976] Fast Click SQL Lite "path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-05
R at 1D3N has discovered a vulnerability in Fast Click SQL Lite, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19976/

--
[SA20054] Dreamweaver Server Behavior SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-10
A vulnerability has been reported in Dreamweaver, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20054/

--
[SA20047] openEngine "template" Parameter Local File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-05-09
ck has discovered a vulnerability in openEngine, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20047/

--
[SA20037] IA-Calendar Cross-Site Scripting and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-09
Dj_Eyes has reported some vulnerabilities in IA-Calendar, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20037/

--
[SA20034] SaphpLesson SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of system information
Released: 2006-05-08
Devil-00 has reported some vulnerabilities in SaphpLesson, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20034/

--
[SA20032] IBM Websphere Application Server Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, Security Bypass, Exposure of sensitive information
Released: 2006-05-09
Some vulnerabilities have been reported in IBM WebSphere Application Server, where some have unknown impacts and others may disclose sensitive information or bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20032/

--
[SA20025] IBM Websphere Application Server Welcome Page Security Bypass
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-08
A security issue has been reported in IBM Websphere Application Server, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20025/

--
[SA20020] PassMasterFlexPlus "Hack Log" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08
Nomenumbra has discovered a vulnerability in PassMasterFlexPlus, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20020/

--
[SA20018] OpenFAQ "q" Parameter Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08
Kamil 'K3' Sienicki has discovered a vulnerability in OpenFAQ, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20018/

--
[SA20016] Flexcustomer Login SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-08
Nomenumbra has discovered a vulnerability in Flexcustomer, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20016/

--
[SA20007] X7 Chat "avatar" Parameter Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08
Nomenumbra has discovered a vulnerability in X7 Chat, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/20007/

--
[SA20005] Online Universal Payment System "read" Parameter Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information
Released: 2006-05-08
Preddy has reported two vulnerabilities in Online Universal Payment System Script, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.
Full Advisory: http://secunia.com/advisories/20005/

--
[SA19999] Creative Community Portal SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-08
r0t has reported some vulnerabilities in Creative Community Portal, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19999/

--
[SA19997] Drupal "project.module" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08
A vulnerability has been reported in Drupal, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19997/

--
[SA19996] 2005-Comments-Script Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08
Some vulnerabilities have been discovered in 2005-Comments-Script, which can be exploited by malicious people to conduct cross-site scripting attacks and script insertion attacks.
Full Advisory: http://secunia.com/advisories/19996/

--
[SA19992] PHP-Fusion Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-09
rgod has reported some vulnerabilities in PHP-Fusion, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory: http://secunia.com/advisories/19992/

--
[SA19989] evoTopsites Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-08
Hamid Ebadi has reported some vulnerabilities in evoTopsites and evoTopsites Pro, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19989/

--
[SA19984] Quake3 Engine "remapShader" Buffer Overflow and Directory Traversal
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-05
Two vulnerabilities have been reported in the Quake3 Engine, which can be exploited by malicious people to access arbitrary files on a vulnerable system and potentially to compromise a user's system.
Full Advisory: http://secunia.com/advisories/19984/

--
[SA19982] Cute Guestbook Multiple Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-05
Some vulnerabilities have been discovered in Cute Guestbook, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19982/

--
[SA19972] Newsadmin "nid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-05
Aliaksandr Hartsuyeu has discovered a vulnerability in Newsadmin, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19972/

--
[SA19971] Big Webmaster Guestbook Script Multiple Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-05
Javor Ninov has discovered some vulnerabilities in Big Webmaster Guestbook Script, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory: http://secunia.com/advisories/19971/

--
[SA20057] xpoll Authentication Bypass Security Issue
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-09
alp_eren has discovered a security issue in xpoll, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/20057/

--
[SA20053] Jadu CMS "register.php" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-10
Some vulnerabilities have been reported in Jadu CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20053/

--
[SA20038] EasyEvent "curr_year" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08
Dj_Eyes has reported a vulnerability in easyEvent, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20038/

--
[SA20026] CuteNews "search.php" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-08
k4p0 has discovered some vulnerabilities in CuteNews, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/20026/

--
[SA20008] PHP Arena paCheckbook Multiple SQL Injection Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-08
aLMaSTeR has reported some vulnerabilities in PHP Arena paCheckbook, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/20008/

--
[SA19995] Dynamic Galerie "pfad" Cross-Site Scripting and Information Disclosure
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information
Released: 2006-05-08
d4igoro has discovered some vulnerabilities in Dynamic Galerie, which can be exploited by malicious people to disclose certain sensitive information and to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19995/

--
[SA19986] PunBB "redirect_url" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-05
o.y.6 has discovered a vulnerability in PunBB, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory: http://secunia.com/advisories/19986/

--
[SA19973] Invision Community Blog Module "selectedbids" SQL Injection
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-05
o.y.6 has reported a vulnerability in the Invision Community Blog module for Invision Power Board, which can be exploited by malicious users to conduct SQL injection attacks.
Full Advisory: http://secunia.com/advisories/19973/

--
[SA19988] Netscape "View Image" Local Resource Linking Weakness
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-08
A weakness has been discovered in Netscape, which can be exploited by malicious people to bypass certain security restrictions.
Full Advisory: http://secunia.com/advisories/19988/

--
[SA19974] WebCalendar User Account Enumeration Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of system information
Released: 2006-05-05
David Maciejak has discovered a weakness in WebCalendar, which can be exploited by malicious people to identify valid user accounts.
Full Advisory: http://secunia.com/advisories/19974/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

From isn at c4i.org Fri May 12 04:11:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 12 May 2006 03:11:29 -0500 (CDT)
Subject: [ISN] Execs tell regulators Sarbanes-Oxley costs exceed benefits
Message-ID:

http://www.networkworld.com/news/2006/051106-sox-costs.html

By Ann Bednarz
NetworkWorld.com
05/11/06

Two years of compliance with the Sarbanes-Oxley Act (SOX) have shored up corporate accounting practices - but with lopsided costs compared to benefits gained.

That's the general consensus of a wide range of business executives and auditors who gathered Wednesday in Washington, D.C., for an all-day roundtable hosted by the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board (PCAOB).

The SEC and PCAOB arranged the roundtable to solicit feedback about Section 404 of the legislation, which requires companies to attest to the effectiveness of internal controls put in place to protect financial reporting systems and processes.
"The Sarbanes-Oxley Act was a critical step in addressing an unprecedented string of corporate scandals that were rooted in very serious governance, accounting and audit failures," said SEC Chairman Christopher Cox in his opening remarks.

Section 404 has the potential to improve the accuracy and reliability of financial reporting - but only if it's implemented properly, Cox said. "In practice it hasn't always worked out that way," he acknowledged.

Likewise Bill Gradison, acting chairman of the PCAOB, said that guidance the SEC issued last year and PCAOB's latest auditing standard may not be enough to clarify the rules that govern the reporting and auditing of internal controls. "Based on the information we already have, it would seem that some further changes may be in order," Gradison said.

Over the course of five panel discussions, participants shared their experiences with the internal control reporting requirements.

Philip Ameen, vice president and comptroller at General Electric, detailed the benefits of two years of Section 404 compliance: "One, we're certainly more focused on controls, both in our underlying operations and in operations that we're assessing for acquisition. Two, we are more sophisticated in those assessments and we're more targeted in analyzing and assessing the controls that are important to our reporting processes. And thirdly, we have a common vocabulary for talking about the controls," he said. "Overall, on balance, I think the management team, the board of directors and people down in trenches doing the testing are favorably impressed with progress that has been made in the second year of 404."

That said, GE didn't experience much relief in terms of the scope and cost of compliance in the second year. It tested 38,000 significant controls in 2005, down slightly from 40,000 the year earlier. In 2004, GE spent about $33 million on Section 404 compliance, and costs ran about the same in 2005, Ameen said.
While GE's tally didn't decline, research suggests other companies are seeing compliance costs drop in their second year. Colleen Cunningham, president and CEO of Financial Executives International, said companies with two years of compliance under their belts reported that costs dropped an average of 16%. That said, 85% of respondents to FEI's latest survey believe the costs of SOX compliance still outweigh the benefits.

From isn at c4i.org Fri May 12 04:12:08 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 12 May 2006 03:12:08 -0500 (CDT)
Subject: [ISN] Teenage 'e-mail bomber' heads back to court
Message-ID:

http://news.zdnet.com/2100-1009_22-6071227.html

By David Meyer
ZDNet (UK)
May 11, 2006

A teenager faces a retrial over charges that he breached British antihacking laws when he sent millions of messages to a former employer.

David Lennon, who is now 18 and can therefore be named for the first time, is alleged to have used an e-mail-bombing program called Avalanche to send approximately 5 million messages to his former employer, Domestic & General Group, in early 2004. The flood crashed the company's e-mail server.

The case against him, brought under the Computer Misuse Act, was dismissed in November by District Judge Kenneth Grant at Wimbledon Magistrates Court in London. At the time, Grant said that Section 3 of the act, which concerns unauthorized modification of data, had not been breached, as e-mails sent to a server configured to receive e-mails could not be classified as unauthorized.

But on Thursday, judges at the Royal Courts of Justice in London sent the case back to the Magistrates Court, saying Grant "was not right to state there was no case to answer."

Justice Jack said the judge should consider what answer Lennon might have expected if he had asked Domestic & General about the messages before starting the mail bombing.
The U.K.'s Crown Prosecution Service, which had appealed against the original judgment, said it was pleased by Thursday's ruling.

"We have sought to clarify a point of law, to update the interpretation of that law to cope with contemporary high-tech crime. As technology develops at an ever-increasing pace the law may sometimes need to be interpreted in new ways," it said in a statement.

"The police and CPS are determined to ensure that those who use the Internet for crime are not beyond the reach of the law, and to make the Internet a safe place for both businesses and domestic users," it said.

The case highlighted flaws in the 16-year-old Computer Misuse Act, passed in the days before Internet crime became a significant problem. Critics have complained that it does not specifically outlaw denial-of-service attacks, for example.

Security expert Peter Sommer, who has called for the law to be updated, was a defense witness in Lennon's trial last year. He said on Thursday that "the defense (had been) asking the court to take a fairly narrow and literal view of the CMA."

"My own view is that they could have made a decision either way. The fact that the Court of Appeal has reversed it is not a colossal surprise," he told ZDNet UK.

David Meyer of ZDNet UK reported from London.

From isn at c4i.org Fri May 12 04:12:18 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 12 May 2006 03:12:18 -0500 (CDT)
Subject: [ISN] Homeland recruits non-profit for cybersecurity software licensing
Message-ID:

http://www.washingtontechnology.com/news/1_1/daily_news/28526-1.html

By Alice Lipowicz
Staff Writer
05/10/06

The Homeland Security Department is enlisting the help of a non-profit organization to obtain cybersecurity tools for operating systems, servers and databases used by the federal government.
The DHS Office of Procurement Operations said it is awarding a sole-source contract to the Hershey, Pa.-based Center for Internet Security to "provide software licenses for security configuration benchmarks and scoring tools capability," according to a presolicitation announcement [1]. The contract, which is of an unspecified amount, will last for a year.

The center is chaired by Franklin Reeder, a former White House director of administration and a former chief of information policy in the U.S. Office of Management and Budget. Its president is Clint Kreitner, former president of a multihospital region of Adventist Health Systems.

[1] http://www.fbo.gov/spg/DHS/OCPO/DHS-OCPO/HSHQDC%2D06%2DR%2D00033/SynopsisP.html

From isn at c4i.org Tue May 16 05:11:05 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:11:05 -0500 (CDT)
Subject: [ISN] Credit card security rules to get update
Message-ID:

http://news.com.com/Credit+card+security+rules+to+get+update/2100-1029_3-6072594.html

By Joris Evers
Staff Writer, CNET News.com
May 15, 2006

SAN FRANCISCO--Proposed new security rules for credit card-accepting businesses will put more scrutiny on software, but let them off the hook on encryption.

The update to the Payment Card Industry (PCI) Data Security Standard, due this summer, responds to evolving attacks as well as to challenges some businesses have with the encryption of consumer data, Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International, said here Monday.

The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities, Maxwell said in a presentation at a security conference hosted by vulnerability management specialist Qualys. Currently, merchants are required to validate only that there are no security holes in their network. "There is an increase in application level attacks," Maxwell said.
While security stands to benefit from a broader vulnerability scan, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.

"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.

In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more acceptable compensating and mitigating controls," he said.

While PCI is good in principle, relaxing encryption requirements is not, said Paul Simmonds, a representative of the Jericho Forum, a group of companies that promote open security technologies. "It basically means that if you hack the system, you get the data," he said. "I can't think of a good alternative for encryption."

The challenge with encryption is that older payment systems were not built to support the scrambling technology, said Qualys CEO Philippe Courtot. "Encryption is the ultimate measure of security, but the current applications have not been designed with encryption in mind," Courtot said.

The PCI security standard was developed by MasterCard and Visa and went into effect last year. It aims to reduce the risk of an attack by mandating the proper use of firewalls, message encryption, computer access controls and antivirus software. It also requires frequent security audits and network monitoring, and forbids the use of default passwords. Retailers that don't comply may face penalties, including fines.

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.
From isn at c4i.org Tue May 16 05:11:23 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:11:23 -0500 (CDT)
Subject: [ISN] The War Driver Returns
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000422

David Ramel
May 15, 2006
Computerworld

I am back on the prowl. Stealthily I slide through the night, searching for unprotected wireless networks. I find one! And then I find hundreds more.

Who cares? War driving is so 2004.

Wireless security has matured and moved on. When's the last time you heard of a wireless hack? If it happens, it sure doesn't get any publicity anymore. But the news is chock-full of stolen laptops and other data breaches - take a look at our Data Security Breaches page. Why sit out in a parking lot for hours "sniffing" wireless traffic when you can just walk in and grab the finance guy's laptop? Or surf your county's Web site for all kinds of personal data?

Also, increased awareness about the much-stronger WPA2 encryption spec and other precautions have cut down on all the fun - er, I mean, made us all safer.

For sure, there are plenty of targets out there. Two years ago, I went war driving on my route to work and found more than 100 wireless networks. This year, I found more than 400. Back then, about 70% weren't encrypted; this year it was around 55%. So even though a higher percentage of networks are encrypted, there are now many more total unencrypted networks.

Is there really a wireless security problem?

So, why the lack of hacks? Is wireless security still a problem?

"I think the problem is relatively small and dropping," said Gartner Inc. analyst John Pescatore. He said a big part of the problem a couple of years ago was that companies weren't supporting wireless networking but users were doing it anyway, setting up rogue access points with no central security management or strategy. Now, Pescatore said, companies are supporting wireless and following security precautions.
For example, he said businesses are more aware that they need something "stronger than password authentication," so he is seeing more companies rely upon secondary authentication.

Fellow Gartner analyst Ken Dulaney agrees. "This has become less of an issue," he said, for two primary reasons. First, "WPA2 has given us very good security, and the devices themselves are better protected than in past years." He said there are now multiple levels of security implemented and extending to the desktop itself - such as PC firewalls - instead of a reliance on perimeter security only. "People are beginning to realize that protecting the environment is not working," he said.

Farpoint Group analyst and Computerworld columnist Craig Mathias said in an e-mail response that the wireless security threat should be divided into curious, casual hackers and professional data thieves. As for the casual hacker, he said, "I think the war-driving days are over; there's no real sport left in that, and simple WPA or WPA2 security are quite effective here."

Mathias said the bigger threat is the professional data thieves, and they don't typically attack wirelessly. "Rather, they use physical theft, social engineering and exploiting known weaknesses to get what they want. The best way to counter this is to stop thinking about wireless security and start thinking about network security. This means end-to-end VPN-based encryption, encrypting sensitive data anywhere it is stored, and using strong two-factor authentication on every sensitive resource."

Any wireless hacks out there?

So, aren't there any big wireless hacks out there?

"I don't know of any [recent] significant wireless breaches," said consultant Jack Gold, of J. Gold Associates, via e-mail. He said most companies have gotten pretty good at security. "Not only have they turned on the security on the AP, but they also generally run some sort of firewall and isolate each location from the rest of the network," he said.
"So any 'wireless hackers' would generally have to break through the wireless security, [and] then also have to break through the firewalls to get beyond the local network. Not impossible, but this is a hard thing to do, and do you really want to be sitting in a car outside a shopping center trying to hack in for a long period of time? Probably not."

Dulaney also didn't know of any such wireless breaches.

Pescatore didn't know of any documented cases, but he has his suspicions. "I have to believe that in some cases there have been targeted wireless sniffing attacks or man-in-the-middle attacks," he said. He suspects this because he knows of breaches where the thief left no electronic trail, like there usually is in a wired intrusion. He said the attackers could have been unusually proficient and covered their tracks, but the victim companies kept good network and firewall logs that contained no evidence at all. "That's when you realize, somebody sniffing wirelessly doesn't leave a trail," he said.

The computer trade press certainly believes a big wireless security threat still exists. The "Top 10 Tips for Wireless Security" story is a staple, regurgitated again and again in different forms, much like the "How to Lose 10 Pounds in a Week" or "Is He The Right One?" articles in other magazines. In fact, Computerworld just trotted out another one last week.

I e-mailed the columnist to ask if it was really a big problem and if he knew of any examples of wireless data theft. He seemed shocked at my ignorance. He said my query could almost be material for another column (look for one soon; these people aren't paid chicken feed!).

"Attackers love ignorance, and this is a great case of it," he said. "I am not insulting you. I am just saying that it is these misperceptions that give people a false sense of security and hackers a ... dream."
I thanked him for his reply and asked him to help me overcome my ignorance by answering my original questions as to how exactly a wireless hacker would go about stealing data from even an unsecured network at a private home or company and if he knew of any specific instances of such theft, beyond hearsay reports.

He didn't provide any specific techniques but said anyone with basic computer and networking knowledge could do it. He said he knew of wireless breaches but couldn't talk about them.

I asked several other people and no one knew exactly how to access even an unprotected wireless network and steal stuff. Even the Web wasn't much help -- just a lot of vague references.

As near as I can tell, you would have to practically beg somebody to steal from you: don't encrypt, don't change default SSID, don't change default password, turn on sharing for your PC and turn off the firewall, make sure your bank account number and password are readily available, etc. I guess there are people doing all that, but I wonder what they have to steal and who's putting much effort into finding them.

If even one default is changed, it appears you would have to resort to sniffers or frame generators or traffic injectors or something equally labor- and time-intensive.

So maybe there are master hackers out there with arcane methods of compromising wireless networks and installing bots, spyware, Trojans and what-have-you, and they cover their tracks and no one knows about them. Yeah, right.

Please drop me a line if you know of any wireless breaches. Or if you know exactly how one would steal data from a home or company with a wireless network -- what tools you would use and how you would use them. Or if you have any thoughts on the subject at all. I would love to hear from you. Use the "Send Us Feedback" link below or send e-mail to david_ramel at computerworld.com.
From isn at c4i.org Tue May 16 05:11:34 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:11:34 -0500 (CDT)
Subject: [ISN] Botnet implicated in click fraud scam
Message-ID:

http://www.theregister.co.uk/2006/05/15/google_adword_scam/

By John Leyden
15th May 2006

Botnets are being used for Google Adword click fraud, according to security watchers.

The SANS Institute has uncovered evidence that networks of compromised PCs are being used to click on banner ads, generating revenue for unscrupulous publishers. Pay-per-click schemes such as Google Adsense have programs to detect fraudulent clicks and suspend publishers implicated in click fraud. In an effort to disguise bogus visits, these publishers have begun hiring botnets to slip under the radar of fraud detection programs.

The "bottom line is that the advertiser pays in exchange for a bot visiting him", the SANS Institute reports [1]. Generating traffic from a small number of machines (numbered in the hundreds) makes the traffic generated from compromised machines look innocuous. In return for helping click fraud scammers keep a low profile, botnet owners rake in a percentage from the scam.

The ruse came to light after security experts in the SANS Institute's Internet Storm Centre investigated malicious software on a hacker's website. Control panels on the site, designed to facilitate the control of compromised machines infected with malware, were left open. This allowed security experts to analyse the actions of the botnet operator behind the site.

"The botnet was 115 bots in size at the early time of the day I was looking at it and most were under 15 clicks each," a handler at SANS Institute reports in a diary entry [2] filed last weekend. The institute has reported the site and its findings to Google.
[1] http://isc.sans.org/diary.php?storyid=1334
[2] http://isc.sans.org/diary.php?storyid=1334

From isn at c4i.org Tue May 16 05:10:53 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:10:53 -0500 (CDT)
Subject: [ISN] GE security exec shares tips for reducing security risks
Message-ID:

http://www.networkworld.com/news/2006/051506-ge-security.html

By Bob Brown
NetworkWorld.com
05/15/06

When it comes to putting data and identity thieves in their place, Peter Costa says there's no room for being Mr. Nice Guy.

"Have a public hanging - they have to know you'll go after them," says Costa, who heads up enterprise security at GE Consumer Finance - Americas. Companies need to be "fanatical about prosecution," he says.

Costa outlined his views (which he stressed are not all necessarily those of GE as well) for dealing with data and identity theft during a presentation at last week's CIO Forum (more from the conference [1]). The unique annual conference brings together IT suppliers and potential buyers on a cruise ship sailing out of New York City.

GE will actually call the parole board when a thief's hearing is coming up to discourage the person's release, Costa says. Before prosecution, GE will wrap up a case as tightly as it can to ensure that law enforcement takes identity and data theft seriously. "You've got to make it easy, you've got to make a point," he says.

Costa maintains that there hasn't been an explosion of data theft of late, but rather, we're just hearing about it now as a result of laws that require companies to fess up when their data systems have been breached. Nevertheless, data and identify theft are huge problems that companies need to address by assessing risks and reducing them, he says.
The first thing companies need to recognize, Costa says, is that theft or loss takes place in two primary ways: via intentional schemes, such as phishing or even dumpster diving, and unintentional means, such as a tape falling off a truck or a laptop being left behind at an airport. Data is at high risk in the former example, while it is at low risk of being compromised in the latter, he says. "You have to have two different strategies to attack these two types of problems," Costa says.

Assessing the risk

For starters, companies should figure out which information they hold is most important to them. Examples might be an employee's Social Security number, direct deposit account numbers and passwords. Information relating to partners and customers also needs to be examined.

"Now comes the hard part. You have to say: Where does it exist?" Costa says. "You'll be amazed when you start peeling the onion back. You need to understand where the physical borders are, where the electronic borders are and where all that data is going back and forth."

The next step is looking at high-level risks, which Costa lists as forced entries, such as hacking; interception of transmissions, including "snail mail" and faxes; and the insider threat. On the insider threat, he suggests companies should take a very hard look at their human resources groups, where low-level people can have access to lots of sensitive employee data. "We're far too trusting of insiders," Costa says.

Companies also need to examine how they think people might steal data. Underestimated are techniques such as people just walking into supposedly secure areas of a building on the tails of others, Costa says. Companies tend to spend more energy protecting themselves against new or sensational risks (He relates this to people fearing sharks more than pigs even though the farm animals kill more people yearly. "There's no 'Jaws' about pigs.
There's no 'Snout.'")

Process management tools can help companies get organized in addressing much of this, but companies also need to bring in a wide cross-section of people, from IT to HR to business process owners, Costa says.

Reducing the risk

The most important step is getting rid of sensitive data that you don't need at your company. "I'm shocked and amazed at how many organizations still use Social Security numbers for employee numbers," Costa says. "It means you're putting your Social Security number everywhere."

Companies should also consolidate high-risk vendors, such as marketing or mail firms and institute a layered but uncomplicated security system that includes access controls through identity management, Costa says.

Encryption is key, too. "Encryption is important here not [just] because it lets you protect the data, but [also because] it allows you to say, 'We lost the backup tape but it's encrypted so there's no damage' - even though some states will still require you to make an announcement about it," he says.

The best thing to come out of all the attention brought to this issue of late is that companies are addressing problems more quickly, which greatly lessens the threat of damage, Costa says.

[1] http://www.networkworld.com/news/2006/051206-cio-forum-biometrics-grid-voip.html

From isn at c4i.org Tue May 16 05:11:46 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:11:46 -0500 (CDT)
Subject: [ISN] Hi-tech taskforce nets first cyber criminal
Message-ID:

http://english.vietnamnet.vn/tech/2006/05/570395/

14/05/2006

VietNamNet - The first hacker to be arrested in Vietnam was taken into custody last week, sending a clear message to cyber criminals. As the nation railroads in IT networks and other solutions, hackers are being told to buck up and obey the law by ending their destructive and illegal attacks on networks and individual machines.
The hi-tech crime investigators from the Ministry of Public Security worked with the Bach Khoa Information Securities Centre (BKIS) to trace a distributed denial of service attack back to Nguyen Thanh Cong in Dak Lak province. The attack was launched against e-commerce company Viet Co on March 12. The subsequent investigation also showed Cong had issued himself a fraudulent credit card number for online purchases.

Distributed denial of service, or DDoS, uses multiple compromised systems to target a single system, causing a denial of service attack or DoS. In a distributed attack, damage is not limited to the end target system, and cripples all systems controlled by the hacker in the distributed attack.

Cong is believed to have written a trojan that masqueraded as a benign application. Unlike viruses, trojans do not replicate themselves but can be just as destructive. As the historical name suggests, a trojan is a shell programme that introduces viruses onto host machines. As the programme spreads, the hacker is able to establish a botnet of any quantity of computers infected with the trojan. Multiple bots can then join on a single channel to flame a targeted network, launching huge numbers of DoS attacks against a target server, causing it to shut down.

A hi-tech crime investigator said Cong had pleaded guilty and was out on bail, pending investigation by the People's Supreme Procuracy and impending trial.

"This arrest will send a message to hackers that their illegal computer operations must come to an end and that this investigation department will ensure network security in Vietnam," he said.

This is the first public move by hi-tech crime investigators in Vietnam, despite the establishment of the unit more than a year ago. "Hackers and criminals now know that there is a unit investigating them inside Vietnam, and they must be cautious, instead of acting as freely as before," the official added.
Local hackers have lauded Cong's DDoS attack, and claim his arrest as a victory. They claim the publicity of the attack gives their work credence, as the attack destroyed a commercial server that did not cater for "study purposes", a common, if misguided, allegation among Vietnamese hackers. "We are scaring the hi-tech crime investigation unit now," a hacker in Ho Chi Minh City said in response to the arrest.

Nguyen Tu Quang, director of the investigation unit, said there have been many instances of attacks on domestic e-commerce websites, and in some instances hackers have used their security breaches for extortion.

"Botnets are a real risk to network security in Vietnam, and hackers are using a large number of trojan infected computers to launch DDoS attacks, spread spam and steal financial information. Most people are not aware of the risks and often overlook computer security," said Quang.

Meanwhile, the Vietnam Computer Emergency Response Team Coordination Centre is set to start operations this year, after training personnel. The centre will focus on protecting financial and banking, government networks and e-commerce sites which are vulnerable to online and system attacks.

From isn at c4i.org Tue May 16 05:11:58 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:11:58 -0500 (CDT)
Subject: [ISN] DoD Offers Free Anti-Spyware for Personal Use
Message-ID:

http://www.news.navy.mil/search/display.asp?story_id=23639

By Journalist 2nd Class (SW/AW) Jennifer Goulart, Naval Network Warfare Command Public Affairs
5/13/2006

NORFOLK, Va. (NNS) -- The Defense Information Systems Agency (DISA) has licensed free anti-spyware software for all government employees and armed forces personnel for use on personal computer systems.

According to the Federal Trade Commission's Web site at www.ftc.gov, Spyware is software that monitors or controls the use of your computer. It could send pop-up ads, redirect browsers to certain Web sites, or even record your keystrokes.
A pop-up ad could even try to trick someone into typing in bank account information, leading to identity theft.

Users may also be able to get the software through their respective Automated Data Processing offices.

"ADP can burn the software to a CD for the user to take home," said Information Systems Technician 1st Class (SW) Eric Rucker, an information security officer for Navy Computer Defense Operations Command (NCDOC). "Once the software is downloaded at home, it will automatically update periodically. With the amount of people that use e-mail and zip drives to bring work home and back, the risk of bringing spyware to work is much greater, and that could create weakness that may exploit DoD computers."

Steve Saunders, a Network Security Analyst for the NCDOC, said that spyware infection throughout 2005 has become one of the pre-eminent security threats to computer systems. He said that spyware is even able to masquerade as security software while actually doing damage.

Saunders expressed that caution should be exercised when visiting Web sites if pop-ups start appearing, or if a user's computer starts showing constant or required requests to install browser components and other applications.

"Any offer for free software, or 'upgrades' by big names is another thing to watch out for," Saunders said. "The best thing to do is to go to a company's registered Web site to get the legitimate downloads available."

"Professional analysts have found that survival time of a brand new computer, just connected to the Internet, is 18 minutes," added Saunders. "Out of 6 trillion IP addresses out there, that is like a blink of an eye."

To download the free anti-spyware software, go to the DISA Web site at https://iase.disa.mil/sdep, or the Navy's Information Assurance Web site at https://infosec.navy.mil. At the INFOSEC site, click on the COMPUSEC tools tab and scroll down to the anti-spyware link, second from the top.
The software can then be saved to a local hard drive for writing on a CD-ROM or other portable media for home use. Users must be on a ".mil" workstation to download the software.

For more information about spyware and other computer security threats, go to https://infosec.navy.mil, or call the NCDOC 24/7 hotline at 1-888-NAVCDOC.

NCDOC is part of NETWARCOM, the Navy's type commander for Information Operations, FORCEnet, networks and Space. Based in Norfolk, Va., the command is the central operational authority responsible for providing ready Information Warfare forces, which are fully trained, properly manned, interoperable, well maintained and supported within the Navy.

For related news, visit the Naval Network Warfare Command Navy NewsStand page at www.news.navy.mil/local/nnwc/.

From isn at c4i.org Tue May 16 05:12:12 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 16 May 2006 04:12:12 -0500 (CDT)
Subject: [ISN] Security is about people
Message-ID:

http://www.smh.com.au/news/technology/security-is-about-people/2006/05/15/1147545264723.html

By PATRICK GRAY
May 16, 2006

Australia's foremost private IT security organisation says throwing money at technology problems will not fix them.

AusCERT is bringing the world's most influential data security experts to meet executives at a conference on the Gold Coast to find better solutions. Representatives from Qantas, government, banking and an energy company are to attend.

The open forum to take place next Monday - the first day of AusCERT's annual conference - aims to educate senior executives on their responsibilities and personal liabilities concerning information security, says AusCERT program manager Mark McPherson.

"We're trying to provide a forum for a different style of audience, it's an experiment," Mr McPherson says.
So-called techno-philosopher Richard Thieme - one time seminarian, now IT visionary, speaker and author - will speak on the role of propaganda, public relations, illusion, misdirection and ridicule in the world of information security. Bread and butter issues, such as teaching students to write secure software, will also be covered. AusCERT consultant Richard Forno says security is not just a technology issue, "it's a cultural issue". "We're in the habit of throwing technology and money at a problem instead of looking at the people and why we do things a certain way," he says. Mr Forno, who also works for Washington DC-based consultancy KRVW, will deliver a two-day seminar on secure software design. He will also deliver a presentation on the incident-response capability he built for the US House of Representatives in the mid-1990s before incident handling strategies were in vogue. He says that a lack of accountability is a grave concern for security conscious corporations. "The industry focuses on the technology, because frankly it's easier," he says. "There's little accountability. We've got HIPAA (the health records and standards act) and Sarbanes-Oxley (which covers the financial and accounting sectors) but there's no incentive to do more than meet the minimum criteria." Steve Manzuik, of eEye Digital Security, intends to rattle the skeletons he says are in Microsoft's closet. Mr Manzuik says the rate of technological change transforming the security industry has slowed. "People are starting to realise that signature-based stuff is a waste of time," he says. "When it comes to having to deal with new threats I don't think it's slowing down but as protection technologies go things are becoming a little more focused." Generic protection mechanisms built into operating systems are a good start but the "people factor" can never be underestimated, he says. "No matter how well we do with fixing operating systems it will always come down to how aware people are." 
Copyright © 2006. The Sydney Morning Herald. From isn at c4i.org Wed May 17 01:45:21 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 17 May 2006 00:45:21 -0500 (CDT) Subject: [ISN] Ways Google is shaking the security world Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000540 Sarah D. Scalet May 16, 2006 CSO Ask Google anything--what's happening to GE's stock price, how to get to 881 Seventh Ave. in New York, where Mission Impossible 3 is showing, whatever happened to Brian W. after he moved away in the ninth grade--and you'll get an answer. That's the power of this $6 billion search engine sensation, which is so good at what it does that the company name became a verb. That kind of power keeps Google on the front page of the news--and sometimes under unfavorable scrutiny, as demonstrated by Google's recent clashes with the U.S. Department of Justice and also with critics displeased by the search giant's stance on Chinese government censorship. CSOs and CISOs have a different reason to think carefully about Google and the implications of having so much information online, instantly accessible by almost anyone. Although these issues relate to all search engine companies, Google gets most of the attention--not only because of its huge share of the Web search market but because of its unabashed ambitions to catalog everything from images and libraries to Earth, the moon and Mars. "We always get enamored of a new technology, and it takes us a while to understand the price of that technology," says Robert Garigue, vice president of information integrity and chief security executive of Bell Canada Enterprises in Montreal. For security pros, the price is that Google can be used to dig up network vulnerabilities and locations of sensitive facilities, to enable fraud and cause other sorts of mayhem against the enterprise. 
Here, CSO examines the ways Google is shaking the security world, and what companies can do about them. 1. Google Hacking (strictly defined) What it is: Using search engines to find systems vulnerabilities. Hackers can use carefully crafted searches to find things like open ports, overly revealing error messages or even (egads) password files on a target organization's computer systems. Any search engine can do this; blame the popularity of the somewhat imprecise phrase "Google hacking" on Johnny Long. The author of the well-read book Google Hacking for Penetration Testers, Long hosts a virtual swap meet where members exchange and rate intricately written Google searches. How it works: The way Google works is by "crawling" the Web, indexing everything it finds, caching the index information and using it to create the answers when someone runs a Web search. Unfortunately, sometimes organizations set up their systems in a way that allows Google to index and save a lot more information than they intended. To look for open ports on CSO's Web servers, for instance, a hacker could search Google.com for INURL:WWW.CSOONLINE.COM:1, then INURL:WWW.CSOONLINE.COM:2, and so on, to see if Google has indexed port 1, port 2 and others. The researcher also might search for phrases such as "Apache test page" or "error message", which can reveal configuration details that are like hacker cheat sheets. Carefully crafted Google searches sometimes can even unearth links to sloppily installed surveillance cameras or webcams that are not meant to be public. Why it matters: Suppose someone is scanning all your ports. Normally, this activity would show up in system logs and possibly set off an intrusion detection system. But search engines like Google have Web crawlers that are supposed to regularly read and index everything on your Web servers. (If they didn't, let's face it--no one would ever visit your website.) 
By searching those indices instead of the systems themselves, "you can do penetration testing without actually touching the victims' sites," points out consultant Nish Bhalla, founder of Security Compass. What to do: Beat hackers at their own game: Hold your own Google hacking party (pizzas optional). Make Google and other search engines part of your company's routine penetration testing process. Bhalla recommends having techies focus on two things: which ports are open, and which error messages are available. When you find a problem, your first instinct may be to chase Google off those parts of your property. There is a way to do this--sort of--by using a commonly agreed-upon protocol called a "robots.txt" file. This file, which is placed in the root directory of a website, contains instructions about files or folders that should not be indexed by search engines. (For a notoriously long example, view the White House's file at www.whitehouse.gov/robots.txt.) Many companies that run search engines heed the instructions in this file. Notice we said "many"? Some search engines ignore robots.txt requests and simply index everything anyway. What's more, the robots.txt file tips off hackers about which public parts of your Web servers you'd prefer to keep quiet. Meanwhile, the information that your pen testers found through Google is already out there. Sure, you can contact search engines individually and ask them, pretty please, to remove the information from their caches. (Visit www.google.com/webmasters for instructions.) But you're better off making the information useless. "The persistence of these caches is impossible to manage, so you have to assume that if it's there, it's going to be there forever," says Ed Amoroso, CISO of AT&T. His solution? Simple. "Let's say you found a file with a bunch of passwords. Change those passwords." Then, fix the underlying problem. Eliminate or hide information that shouldn't be publicly available. 
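One way to run the robots.txt half of that review against your own site, as an added example (not code from CSO, Security Compass or anyone quoted in the article): parse the file the way a well-behaved crawler would, then flag every Disallow rule that names a specific document or a path whose name advertises sensitive content. SAMPLE_ROBOTS and the token lists are constructed for illustration.

```python
"""Audit a site's own robots.txt for Disallow rules that advertise what
they are meant to hide.  Added example; not code from CSO, Security
Compass or anyone quoted in the article.  SAMPLE_ROBOTS and the token
lists below are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Constructed robots.txt of the kind the article warns about.
SAMPLE_ROBOTS = """\
# Constructed example, not a real site's file
User-agent: *
Disallow: /cgi-bin/
Disallow: /admin/
Disallow: /reports/q3-financials.xls
Disallow: /backup/

User-agent: BadBot
Disallow: /
"""

# Path components that tell a reader where the interesting material lives.
SENSITIVE_TOKENS = {"admin", "backup", "private", "confidential", "secret",
                    "config", "internal", "passwd", "password", "db", "sql"}
# Extensions a filetype: search would pick out, per the article.
DOCUMENT_EXTENSIONS = {"xls", "doc", "pdf", "sql", "bak", "csv", "zip"}


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Return {user-agent: [disallowed paths]} from robots.txt text.

    Follows the robots exclusion convention: a group is one or more
    User-agent lines followed by their rules; a User-agent line that
    appears after rules starts a new group.  Comments are stripped.
    """
    groups: Dict[str, List[str]] = {}
    agents: List[str] = []      # user-agents of the group being read
    in_rules = False            # True once the group has had a rule line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:
                agents, in_rules = [], False
            agents.append(value)
            groups.setdefault(value, [])
        elif field == "disallow":
            in_rules = True
            if value:           # an empty Disallow allows everything
                for agent in agents:
                    groups[agent].append(value)
    return groups


def audit_disallows(groups: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (user-agent, path, reason) for every Disallow rule that
    names a specific document or a path that signals sensitive content."""
    findings: List[Tuple[str, str, str]] = []
    for agent, paths in groups.items():
        for path in paths:
            tokens = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", path) if t]
            if tokens and tokens[-1] in DOCUMENT_EXTENSIONS:
                findings.append((agent, path,
                                 f"names a specific .{tokens[-1]} document"))
                continue
            hit = next((t for t in tokens if t in SENSITIVE_TOKENS), None)
            if hit is not None:
                findings.append((agent, path,
                                 f"path component '{hit}' signals sensitive content"))
    return findings


if __name__ == "__main__":
    for agent, path, reason in audit_disallows(parse_robots(SAMPLE_ROBOTS)):
        print(f"[{agent}] {path}: {reason}")
```

Each finding is a path that needs authentication or removal rather than a robots rule, since the rule itself documents it for anyone who reads the file.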
Long term, you'll have to do the heavy lifting too, by closing unnecessary ports or fixing poorly written applications. Shock waves: 4 (highest). It's up to you to make sure your company isn't accidentally publishing instructions on how to hack its systems. 2. Google Hacking (loosely defined) What it is: Using search engines to find intellectual property. It's Google intel: The researcher uses targeted Web searches to find bits and pieces of information that, when put together, form a picture of an organization's strategy. Unlike, say, launching a SQL injection attack, doing competitive intelligence using public sources is quite legal (and may in fact be good business). How it works: The researcher scours the Web for information that might include research presented at academic conferences, comments made in chat rooms, résumés or job openings. "Companies leave bread crumb trails all over the place on the Web," says Leonard Fuld, founder of Fuld & Co. and author of the forthcoming book The Secret Language of Competitive Intelligence. One common tactic is using search queries that reveal only specific file types, such as Microsoft Excel spreadsheets (filetype:xls), Microsoft Word documents (filetype:doc) or Adobe PDFs (filetype:pdf). This kind of search filters out a lot of noise. Say you want information about General Motors. Searching for "GENERAL MOTORS" "FINANCIAL ANALYSIS" one day in February yielded 56,400 results. Searching for "GENERAL MOTORS" "FINANCIAL ANALYSIS" FILETYPE:XLS brought up only 34 documents. One of those documents was a spreadsheet from a recruiting agency that contains the current jobs and work history (though not the names) of executives at numerous companies (including GM) who may be on the job market. Another common approach is searching for phrases that may indicate information that wasn't intended to be public. For this, keywords such as "personal", "confidential" or "not for distribution" are invaluable. 
These targeted searches don't always hit pay dirt, but they can be fascinating. For instance, on that same day in February, the top hit on a search for "GENERAL MOTORS" "NOT FOR DISTRIBUTION" was a PDF from a credit-rating company with poorly redacted information that could be easily viewed by pasting the text into another document. (Oops!) A final tactic is to target the organization's site itself for information, such as phone lists, that could be useful for social engineering scams. Researchers might use the site search function and look for the phrase "phone list" or "contact list". (An actual search might be SITE:CSOONLINE.COM "PHONE LIST", and if you run that particular search, you'll find stories CSO has published about why your company's phone directory is better kept under wraps.) Why it matters: "If it's on Google, it's all legal," says Ira Winkler, information security consultant and author of Spies Among Us. Competitive intelligence of this sort is illegal espionage only when it involves a trade secret--and if something is public enough to appear in Google, can you really argue that it was protected like a trade secret? What to do: That Google hacking party we mentioned earlier should involve a few site searches for sensitive files, such as financial records and documents labeled "not for distribution." Beyond your own borders, it's a good idea to know what people are saying about your organization, even if there's little you can do about it. "Using search engines to figure out what your public-facing view looks like has become a de facto element in any corporate security program," Amoroso says. Brand protection companies such as MarkMonitor and Cyveillance will work the beat for you, if you'd prefer. Creating (and enforcing) good policies about employee blogging or the use of message boards and chat rooms can also limit your exposure. Shock waves: 3 (significant). This kind of competitive intelligence has been going on forever, and it is damaging. 
The Web means more information gets out, and it's easier to find. 3. Google Earth What it is: A software download that provides highly navigable satellite and aerial photography of the entire globe. (The same images are also available through Google Maps at http://maps.google.com.) The scope and resolution of the photos are eye-popping enough that Google Earth drew ire even as a beta product in 2005. Some people feel threatened that a photo of, say, their backyard is only a few clicks away, and others fear that terrorists will use the images of landmarks or pieces of the critical infrastructure to plot attacks. How it works: After the user installs the software (the basic version is free at http://earth.google.com), she can zoom to any spot on the planet, often with enough detail to see driveways, if not cars. The virtual globe can be overlaid with information on roads, train tracks, coffee shops, hotels and more. Enterprising researchers are also overlaying Google Maps with everything from locations of murders to public rest rooms that have baby-changing tables. Images are up to three years old and come from commercial and public sources, with widely varying resolution. Why it matters: The privacy implications of having this information so readily available are certainly worth discussing as a society, but the security risks to U.S.-based companies are low. Much of the information was already available anyway. For instance, Microsoft stitched together images from the U.S. Geological Survey a decade ago with its Terraserver project. It just doesn't work as smoothly. Not only have these types of images long been available online, but they can also be easily purchased from government and private sources, says John Pike, director of the military think tank Globalsecurity.org. There are only a couple of legal restrictions. First, the images must be at least 24 hours old. Second, the U.S. 
military has what Pike calls "shutter control": the ability to tell commercial satellite companies not to release imagery that might compromise U.S. military operations. To the best of Pike's knowledge, the U.S. military has never invoked this power, nor have the regulations governing satellite imagery changed during the Bush administration's war on terrorism. "If Rummy's not worried about it," Pike says, referring to Secretary of State Donald Rumsfeld, "it's hard for me to see how anyone can lose much sleep over it." What to do: If your organization's security plan is based on no one being able to obtain aerial or satellite photography of a facility, then it probably ain't much of a plan. "Anybody who has the capacity to constitute a threat that rises much above graffiti is going to have it in their power to get imagery of a facility," Pike says. "If security managers have something that they don't want to be seen, they need to put a roof on it." Beyond that, be prepared for cocktail party banter about the risks and rewards of Google Earth and Google Maps. At the U.S. Food and Drug Administration, for instance, CISO Kevin Stine finds Google Earth personally fascinating, and he likes to muse about its potential for use in, say, disaster planning. "From a CISO perspective, I think we need to be aware of these kinds of tools," he says. But for his security group, the only impact he thinks Google Earth might eventually have, if it begins to encompass more business applications, is a drain on bandwidth. In other words, it's a concern about as big as your lawn chairs seen from space. Shock waves: 1 (minimal). Security by obscurity is so 20th century. Google Earth just illustrates why. 4. Click Fraud What it is: The act of manipulating pay-per-click advertising. Perpetrators inflate the number of people who have legitimately clicked an online ad, either to make money for themselves or to bleed a competitor's advertising budget. 
How it works: With pay-per-click advertising, an advertiser pays each time someone clicks an ad hosted on a website. Google, Yahoo and other search engine companies make their money by selling advertisers the right to have their text-only ads appear when someone searches for a particular keyword. There are two ways to manipulate pay-per-click advertising: competitor click fraud and network click fraud. First, the competitor variety: Let's suppose a company that sells life insurance wants to advertise on Google. The company might bid for and win rights to the phrase "life insurance". Then, when someone runs a Google search for that exact phrase, the company's ad appears next to the search results as a sponsored link. (How close to the top of the list depends on both the price per click and the superpowered algorithms that constitute Google's secret sauce.) Each time someone clicks the sponsored link, Life Insurance Co. pays the agreed-upon price to Google -- say $5. With competitor click fraud, an unscrupulous competitor tries to run up Life Insurance Co.'s advertising bill by clicking the link. A lot. Network click fraud, on the other hand, cashes in on the fact that Google isn't the only company that hosts Google advertising. Suppose someone has a blog about insurance. She can sign up as a Google advertising affiliate and have ads for insurance run on her site. If Life Insurance Co. is paying Google $5 per click, Ms. Insurance Blogger might pocket $1 for each click her site generates. Network click fraud is when an affiliate generates fraudulent traffic in order to boost its revenue. Google insists it is trying to keep the problem in check. Shuman Ghosmajumder, product manager for trust and safety at Google, says the company monitors for all kinds of what it dubs "invalid clicks," and that it routinely issues refunds to advertisers and closes down fraudulent affiliates. In 2005, Google even won a lawsuit against an affiliate it charged with click fraud. 
But some advertisers say that Google isn't doing enough to prevent and monitor for fraud because it profits from the fraud. Google faces a class-action lawsuit led by AIT, a Web-hosting company, and is in the midst of reaching a $90 million settlement with Lane's Gifts & Collectibles, a mail-order store. (At press time, the proposed settlement was before a judge.) Why it matters: Click fraud is following a trajectory that will be familiar to any CSO, and it's a telling example of how sophisticated and profitable electronic crime has become. First, the good guys started looking at server logs to find IP addresses in patterns that indicated fraud. The bad guys responded by creating automated bots that simulated different IP addresses and had varying time stamps. Then, the good guys improved their click-fraud detection tools, with a cottage industry sprouting up that specializes in helping online advertisers monitor for fraud. Cue "click farms," where the bad guys hire people in other countries to do the clicking in a way that looks more realistic. "It's a cat-and-mouse game," says Chris Sherman, executive editor of SearchEngine-Watch.com. What to do: The first step is to put tracking measures in place. In a recent survey done by the Search Engine Marketing Professional Organization (Sempo), a trade group, 42 percent of respondents said they had been victims of click fraud, but nearly one-third of respondents said they weren't actively tracking fraud. "The way you monitor it is you look for something that doesn't make sense," explains Kevin Lee, chair of the group's research committee. "If you spent $100 every day last week, and then this week you spent $130 every day and didn't get any more conversions, or whatever your success metrics are," then you might have a problem, he says. "Usually the engines will catch the obvious fraud, and they won't even bill you for it," Lee continues. 
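Both of the checks just described, as an added example (not code from Google, Sempo or anyone quoted in the article): the first-generation server-log check for one source clicking the same ad repeatedly, and Lee's spend-versus-conversions rule. CLICK_LOG and the weekly figures are constructed; the sliding-window threshold and the 20 percent tolerance are assumptions.

```python
"""Two of the click-fraud checks the article describes: repeated clicks
from one source in server logs, and Kevin Lee's spend-versus-conversions
rule.  Added example; not code from Google, Sempo or anyone quoted.
CLICK_LOG and the weekly figures below are constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed ad-click log: ISO timestamp, source IP, ad id, converted (1/0).
CLICK_LOG = """\
2006-02-10T09:00:01 198.51.100.7 ad42 0
2006-02-10T09:00:04 198.51.100.7 ad42 0
2006-02-10T09:00:09 198.51.100.7 ad42 0
2006-02-10T09:00:15 198.51.100.7 ad42 0
2006-02-10T09:00:22 198.51.100.7 ad42 0
2006-02-10T09:00:31 198.51.100.7 ad42 0
2006-02-10T09:05:00 203.0.113.5 ad42 1
2006-02-10T10:00:00 192.0.2.9 ad42 0
2006-02-10T10:30:00 192.0.2.9 ad42 0
2006-02-10T11:00:00 192.0.2.9 ad42 0
2006-02-10T11:10:00 198.51.100.7 ad17 0
"""

Click = Tuple[datetime, str, str, bool]


def parse_clicks(text: str) -> List[Click]:
    """Parse log lines of the constructed format above."""
    clicks: List[Click] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ad, converted = line.split()
        clicks.append((datetime.fromisoformat(ts), ip, ad, converted == "1"))
    return clicks


def burst_sources(clicks: List[Click], window_seconds: int = 60,
                  min_clicks: int = 5) -> List[Tuple[str, str, int]]:
    """Flag (ip, ad, clicks) where one source clicked the same ad at least
    min_clicks times inside any window_seconds span and never converted.
    This is the naive IP-pattern check the article says came first; as it
    notes, bots that rotate IPs and spread out timestamps defeat it."""
    by_key: Dict[Tuple[str, str], List[Tuple[datetime, bool]]] = defaultdict(list)
    for ts, ip, ad, conv in clicks:
        by_key[(ip, ad)].append((ts, conv))
    flagged: List[Tuple[str, str, int]] = []
    for (ip, ad), events in by_key.items():
        if any(conv for _, conv in events):
            continue                      # a conversion suggests real interest
        times = sorted(ts for ts, _ in events)
        best, start = 0, 0
        for end in range(len(times)):     # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_clicks:
            flagged.append((ip, ad, best))
    return flagged


def spend_drift(last_week: List[Tuple[float, int]],
                this_week: List[Tuple[float, int]],
                tolerance: float = 0.2) -> bool:
    """Lee's rule: spend rose by more than `tolerance` while conversions
    did not.  Each list holds (spend, conversions) per day."""
    spend_then = sum(s for s, _ in last_week)
    spend_now = sum(s for s, _ in this_week)
    conv_then = sum(c for _, c in last_week)
    conv_now = sum(c for _, c in this_week)
    return spend_now > spend_then * (1 + tolerance) and conv_now <= conv_then


if __name__ == "__main__":
    print(burst_sources(parse_clicks(CLICK_LOG)))
    # The article's own numbers: $100/day, then $130/day, no extra conversions.
    print(spend_drift([(100, 3)] * 7, [(130, 3)] * 7))
```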
But if you have a larger problem, you may need to gather information about why you believe some of the clicks are fraudulent and ask the company hosting the ads for a refund. Ghosmajumder says Google devotes significant resources to a team of investigators who proactively monitor for fraud and also do research about possible fraud reported by advertisers. Google also has engineers working on technical means to identify invalid clicks. According to the Sempo survey, 78 percent of advertisers that have been victims of click fraud have received credit from a paid search provider, and 40 percent of the time it was based on their request. The question, of course, is whether to bother making a request. Who better than the CSO to help the advertising department figure out whether it would cost more for the company to tamp down on the problem or simply to pay for the fraud? Shock waves: 2 (moderate). For companies using pay-per-click, this is one to watch. Click fraud has the potential to dramatically reduce the effectiveness of online advertising. But with more than 90 percent of Google's revenue coming from advertising, the company has a serious incentive to keep the problem in check so that advertisers don't lose faith in the pay-per-click model. 5. Google Desktop What it is: A free tool offered by Google that allows users to quickly search the contents of their hard drives. (Similar tools are offered by MSN, Yahoo and others.) The latest version can also be used to share files between computers. How it works: After the user downloads the tool, it works in the background to index everything on his hard drive, much like Google indexes the Web. All fixed drives are indexed by default, but the user can specify folders to exclude or extra drives to add. The software can be set to return results on text files, spreadsheets, PDFs, Web history, e-mail and more. 
Once the indexing is done, when the user runs a Google search, items from his own computer appear at the top of the results. Alternately, he can use the tool by itself by opening it on his desktop; he doesn't even need to be connected to the Web. A new version also has a controversial feature that allows a user to share files between computers. With this setting enabled, Google indexes the files on one computer, pulls them up on its servers, then pushes them down onto another computer (which is similarly configured with the software). Then, a search done on one computer returns results from both. Why it matters: It's easy to see why people get all prickly about this one. Once the tool is installed and files are indexed, a snoop needs only a coffee break, rather than a lunch hour, to search someone's hard drive for files about, say, Bob Jones's salary. To make matters worse, freewheeling users may not pay attention or understand how to make sure that sensitive documents aren't indexed. To its credit, Google has tried to improve the standard configuration of the tool. An early version automatically returned results with password-protected files and secure HTTP pages; now, those types of files aren't indexed unless the user changes a setting. "People screamed about that, and Google changed it very quickly," SearchEngineWatch.com's Sherman says. Even so, setting up appropriate exclusions can get complicated. Some companies--as well as many individuals who are concerned about their personal privacy--are also leery of making so much information available to Google. The new Search Across Computers feature only heightens these concerns. With this feature, Google says, copies of users' personal files can sit on Google's servers for up to 30 days. Google downplays this time frame. 
Says Matthew Glotzbach, product manager for Google Enterprise, "If both of your computers are on and syncing, [the files are on Google's servers] only a matter of minutes"--the time it takes for Google to pull up the information and push it back down onto the second computer. But having the information saved on Google's servers at all is troubling, given that search engine companies are routinely subpoenaed by prosecutors. (Google's privacy policy states: "We may also share information with third parties in limited circumstances, including when complying with legal process, preventing fraud or imminent harm, and ensuring the security of our network and services.") In one especially charged case, Google fought a subpoena from the U.S. Department of Justice, which wanted search results to help analyze its enforcement of the Children's Online Privacy Protection Act. A judge reduced the amount of information Google must turn over, and the ensuing debate raised awareness about the amount (and nature) of information that Google has in its stores. The fact that the software is relatively untested raises additional questions. Last November, an Israeli researcher reported that he had found a vulnerability in Microsoft Internet Explorer that allowed him to illicitly access information in Google Desktop. Google fixed the problem, but legitimate concerns linger. "Anytime you install software from a third party directly on a hard drive of a particular machine, you're potentially opening up holes in the security of that machine," says Matt Brown, a Forrester senior analyst. What to do: It's time to catch up--something that Brown says is especially important given the fact that Sarbanes-Oxley requires companies to keep tabs on where and how long their information is retained. Consider whether your users actually need desktop search for their jobs. If they do, you'll want to have a hand in how it's configured and used. 
(Bonus points go to the CSO who makes sure that users understand the privacy implications of all these tools, beyond just telling them to read the privacy policy.) At the FDA, Stine is in the early stages of looking at the tool. "There have been some requests [for desktop search] here and there, but there hasn't been a user outcry," he says. If (or when) there comes a point when a lot of users have a legitimate need for desktop search, Stine says he'll look carefully at how the technology identifies, indexes and presents information. "We'd have to ensure that we still maintain complete control--at least as complete as possible--over the information," he says. Fortunately, he'd have plenty of options. Several companies have enterprise desktop search tools that help CISOs keep tabs on the information. Google Desktop 3 for Enterprise, currently in beta, allows administrators to completely disable features such as the Search Across Computers feature. Google says it is working to make future versions of this tool easier to manage. "I don't think we anticipated such a concerned or negative response," Glotzbach says. "We've taken to heart the feedback on the Search Across Computers feature, especially in the enterprise context, and we're actively working on making it even easier for the companies to use" in a secure manner, he says. X1 Technologies, which has partnered with Yahoo, offers a competing enterprise search tool that Brown says is more manageable from an IT perspective. "Part of the problem with these technologies is they get announced and people immediately start downloading," Brown says. "It takes companies a little while to catch on to what's happening." Shock waves: 4 (highest). Desktop search is an untested technology with a wide potential for misuse. If your users don't need it, don't let them use it; if they do need it, consider enterprise tools that can be centrally managed and controlled. 
Future Shocks Google has shaken us, by holding up a mirror and forcing us to look at what we've put online. "Google provides a lot of capability that can do you harm as well as providing you search capabilities," Winkler says. "What makes it its strength makes it its danger." The future will make search technology only more dangerous. Bell Canada's Garigue points out that search technology is still in its very infancy, barely scratching the surface of what he calls the shallow Web. "The shallow Web is everything that's public on Web servers," he says. "The deep Web is what's hidden inside databases." From the Library of Congress to Lexis-Nexis' legal and news archives, to Medline's medical databases, the great bulk of information that people access online is still available only to subscribers, not to Google. "Google is the first generation of tools," Garigue says. As those tools get more sophisticated, the shock waves will only grow stronger. This story is reprinted from CSO Online.com, an online resource for information executives. Story Copyright CXO Media Inc., 2006. From isn at c4i.org Wed May 17 01:44:37 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 17 May 2006 00:44:37 -0500 (CDT) Subject: [ISN] The four domains of data security Message-ID: http://www.computerweekly.com/Articles/2006/05/16/215898/The+four+domains+of+data+security.htm By Avinash W Kadam 16 May 2006 Security professionals are expected to be proficient with a range of security techniques, but which qualifications do you need to progress your career? Knowing which qualifications you need to progress your career is a dilemma faced by every information security professional. With a myriad of certificates to choose from which one will help you prove that you can do your job better? Which one will be valued by employers? A security professional has to be proficient with a range of security techniques. 
These include operating system security, network security, application security, penetration testing and incident management techniques. Many suppliers offer certificates that are restricted to specific products. These are appropriate when IT security professionals need to be familiar with specific infrastructure or systems. But you should also consider acquiring certificates that are product independent. The Sans Institute, for example, offers some excellent certificates under the name "global information assurance certification". Information security management is a fast growing discipline, and security professionals are expected to have good exposure to various security management approaches. Many organisations are planning to have their information security management system certified to the ISO 27001 standard. Such organisations look for information security officers with security management qualifications such as the CISSP (certified information systems security professional), offered by the International Information Systems Security Certification Consortium (ISC)2. Organisations also look for business continuity management certification, and the Disaster Recovery Institute offers the CBCP (certified business continuity professional) certificate. Information security governance is another focus area for organisations. This ensures that the efforts and direction of information security programmes are in line with the business goals of the organisation. To this end, it is worth considering the CISM (certified information security manager) certificate from the Information Systems Audit and Control Association (Isaca). Security auditing is another qualification much sought-after by employers. Possessing a good understanding of security audit principles is a prerequisite to ensure that systems comply with audit requirements. Isaca offers the CISA (certified information systems auditor) for security auditors. 
The different types of certificates complement each other, and IT professionals need to have adequate knowledge of each of the domains if they are to perform a full security role. An IT manager may be required to perform many security-related functions, so acquiring certificates in security management and security governance will definitely be valuable. A security audit certificate will prepare the IT manager to face security audits with more confidence. Certified knowledge of security techniques will improve confidence in technical matters. An information security auditor may start their career with the CISA qualification, but to gain deeper insight, they will have to acquire sufficient experience in security techniques, security management and security governance. Getting the certificate should be a by-product of gaining knowledge and experience. Preparing for the certification examination makes one focus on improving understanding of the subject. All the examinations have objective-type questions that test a candidate on basic understanding of the subject. Since the certificates are independent of any products, testing is for conceptual clarity. So does this mean that information security professionals need to get all the certificates? The fact is that security professionals have to perform all these roles in their career. They will be using various security techniques, be responsible for security management and security governance, and may even be performing security audits. An information security professional needs to acquire adequate knowledge, understanding and experience in each of these areas. Getting this knowledge certified is the best way to convey your expertise to the employer and gain credibility in the workplace. -=- CV: AVINASH W KADAM Avinash W Kadam holds a CISA, CISM, CISSP, CBCP and GSEC. 
He has been president of the Mumbai Chapter of the Information Systems Audit and Control Association, lead instructor at (ISC)2, mentor for the Sans Institute and is director of MIEL e-Security. © 2006 Reed Business Information Limited. All Rights Reserved. From isn at c4i.org Wed May 17 01:44:51 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 17 May 2006 00:44:51 -0500 (CDT) Subject: [ISN] New charges expected in defense data theft ring Message-ID: http://www.washtimes.com/national/20060515-110139-9264r.htm By Bill Gertz THE WASHINGTON TIMES May 16, 2006 Federal prosecutors are expected to add new charges against several people in Los Angeles linked to a covert program to provide China with Navy defense technology and at least one will be charged with espionage, U.S. government officials said. Defense contractor Chi Mak and his wife, Rebecca Laiwah Chiu, along with brother Tai Mak were arrested last year and charged with failing to register as Chinese government agents after a yearlong counterespionage probe. Documents obtained after the Oct. 28 arrests provided investigators with new clues about the technology theft ring that included proprietary corporate information and embargoed defense technology related to Navy warships, officials said. Investigators think the spy ring passed the sensitive data to Beijing. The charges, which will be made public as early as this week, will include a new indictment against Chi Mak, Tai Mak, Mrs. Chiu and a fourth Mak relative. All four will be charged with conspiracy to export defense articles and attempted unlawful export of defense articles. Additionally, Chi Mak, an electrical engineer with the Los Angeles defense contractor Power Paragon, will be indicted on charges of unlawful export of defense articles and gathering defense information, an espionage charge, the officials said. Chi Mak is thought to have supplied China with sensitive information about the electrical systems of U.S. 
warships and submarines, including details of the Virginia-class submarine, and information on a new electromagnetic catapult to launch jets from aircraft carriers. A spokesman for the U.S. attorney in Los Angeles declined to comment, but Assistant U.S. Attorney Gregory Staples said in court last week that the government is expected to seek a new indictment in the case. He did not specify the new charges. Senior Justice Department officials have approved the new charges, which prosecutors will announce in Los Angeles, said the officials, who spoke on the condition of anonymity. Chi, Tai and Rebecca Mak have pleaded not guilty to the original charges in the case. "We presented evidence throughout this case that undermines the government's conclusion that these individuals were involved in espionage," Ronald Kaye, Chi Mak's attorney, said in an interview. An attorney for Mrs. Chiu, Stanley Greenberg, said he is confident that his client will be found not guilty. An attorney for Tai Mak could not be reached for comment. U.S. officials described Tai Mak, an engineer with Phoenix Television, as an intelligence courier for the Chinese military who was carrying an encrypted computer disk holding defense technology data when he was arrested. Tai Mak also will be charged with aiding and abetting and possession of property to aid a foreign government. He and his wife were arrested at Los Angeles International Airport as they were about to fly to Hong Kong. Tai Mak was carrying an encrypted disk that FBI officials said contained data on a new technology for destroyers known as quiet electric drive. Earlier charges that Chi Mak, Tai Mak and Rebecca Mak failed to register as Chinese government agents will be kept in the new indictment. Chi and Tai Mak were born in Guangzhou, China. The new charges were based on thousands of pages of documents found at the home of Chi Mak, officials said. 
Copyright 2006 The Washington Times From isn at c4i.org Wed May 17 01:45:34 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 17 May 2006 00:45:34 -0500 (CDT) Subject: [ISN] Symantec CEO advocates fair play and Macs Message-ID: http://news.com.com/2100-7355_3-6072540.html By Tom Krazit Staff Writer, CNET News.com May 15, 2006 CORONADO, Calif.--It doesn't appear that Symantec CEO John Thompson's next computer will run Windows. "We think more people ought to buy them," Thompson said of Apple's Macintosh computers, in response to a question from the audience at the Future in Review conference on Monday. The "target-rich" environment created by Windows vulnerabilities means that virus writers and hackers have set their sights on Windows PCs, he said. However, Thompson noted that if more and more people did go out and buy Macs, virus writers might change their tactics. And many attacks are increasingly of the phishing or identity theft variety, which targets computer users independently of their operating system, he said. "We shouldn't assume that any one technology at any layer is sufficient to protect our notion of a connected world," Thompson said. Computer users and network operators need to take many steps to ensure their data will be protected, regardless of which products they use, he said. All of Symantec's computers are standardized on Microsoft's Windows operating system, a company representative said. Security problems haven't gotten as much attention from the U.S. government as Thompson had hoped, although things have improved compared with four years ago, he said. Still, computer "security has fallen off the (government's) radar screen with budget issues and the war in Iraq," he said. However, Microsoft's move into the security software market has clearly gotten Thompson's attention. "We are concerned (whether) they will play fairly. 
If they do something that is unfair, then that will be something that is difficult to compete against, but we'll have other venues for making our point," he said. Copyright © 1995-2006 CNET Networks, Inc. All rights reserved. From isn at c4i.org Wed May 17 01:45:49 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 17 May 2006 00:45:49 -0500 (CDT) Subject: [ISN] FBI special agent recounts outsourcing horror story Message-ID: http://www.networkworld.com/news/2006/051606-fbi-outsourcing-horror.html By Bob Brown NetworkWorld.com 05/16/06 The CAD/CAM company thought it was protecting itself, having employees of the Indian outsourcing company that was debugging its source code sign non-disclosure agreements. But when a disgruntled outsourcing employee swiped a copy of the code a few years back and tried to sell it to the CAD/CAM vendor's competitors, the vendor found out that the NDAs were of little use when it came to prosecuting the alleged thief in India. "They weren't worth the paper they were written on," says Nenette Day, an FBI special agent out of Boston who did double duty as both the case agent and undercover agent investigating this crime against software maker SolidWorks. "The employees would have had to sign the agreement with the Indian company, not the American one." Day, who has worked in computer crime for 8 years and calls herself "a geek with a gun," told attendees at last week's CIO Forum that their companies need to do serious research about the laws of any country to which they outsource work. CIO Forum is a unique conference during which IT vendors and 300 potential customers unite on a cruise ship out of New York City. (Other discussions at the event focused on topics such as identity theft and biometrics and grid computing.) A handful of FBI agents were on board to consult with IT pros about cybercrime threats, a topic that FBI agents say companies are often reluctant to talk about. 
As for protecting yourself when outsourcing to other countries, Day advises IT executives to assume that you have no legal rights. "It should not start with your understanding of American law," she says. In India, for example, there is no theft of trade secret law, Day says. India does have an IT act, she says, but it is mainly focused on copyright violations. Day says that despite the fact that "there was not a shred of evidence that we did not have" against the alleged SolidWorks thief, prosecutors in India have failed to convict the suspect and he continues to work. The FBI initially tried to lure the suspected thief out of India to simplify prosecution, but he was too smart for that, Day says. Indian police nabbed the suspect in 2002 when he allegedly tried to sell the code to Day while she was undercover (she says he initially tried to sell the code for about $250,000, not realizing it was probably worth $300 million). Fortunately, she says, the original source code was recovered and copies were not believed to have been sold. In the wake of that case, Indian software developers have formed a lobby to push for stronger intellectual property protection laws, concerned that companies won't outsource to India if they aren't better protected, Day says. Outsourcing firms, like the one SolidWorks worked with, have also tightened their own security policies considerably in recent years, she says. Another thing to consider when outsourcing to other countries is not just whether there are laws to protect intellectual property, but whether the laws are enforced. "No criminal law exists if the police will not enforce it," she says, noting that the FBI received an unprecedented amount of cooperation from its counterpart in India on the SolidWorks case (after threatening to expose India's laissez-faire attitude toward the case). Questions companies should ask when outsourcing to other nations, Day says, include the following: * Can my company risk loss of this data? 
* What are my liabilities if I do lose it? * What are your notification requirements if you lose customer data? (She notes that if your data is encrypted, you might not have to report it missing.) * Will the company you are outsourcing to go the distance if you need its help to chase down a criminal? * How long could a prolonged legal battle in a foreign country cost? ("You could lose all your outsourcing savings there," Day says.) "This is all risk analysis," she says. "We're not saying don't outsource. We're saying learn the risk points and add that to your analysis when choosing the country or company wherever you're outsourcing." Mobile computing worries Mobile computing is the other area of networking that has Day very concerned on the cybercrime front. This involves both stolen and lost mobile systems. "Laptops. I don't even know how to get on this soapbox and scream loud enough," says Day, citing third-party market research about tens of thousands of cell phones and portable computers being left in Chicago taxis during a six-month period last year. "Universities, companies, government. Where could I not go and not tell you a story about the laptop that went missing and did not have the information encrypted." Day points out that even the FBI encrypted its laptops when she joined 8 years ago. "And we are behind the curve in every way electronically, except that," she quips. It's "mind boggling" that information is being kept in the clear on portable devices and that companies aren't being held responsible, Day says. Though she says that companies are starting to pay the price, as a credit card processing company recently settled a compromised data case for big bucks. Cases so far have mainly been civil ones, though she says criminal charges won't be far behind given the emergence of new data protection laws. 
Day also discussed the dangers of cell phones, which she described as potential monitoring devices, given that so many have cameras and audio recording capacity on them. They can also threaten security by being tapped, through techniques such as someone asking to borrow your phone and downloading a tracking program, she says. The FBI requires members to shed all electronic devices during certain of its top-secret meetings. "We understand how easy these things are to compromise," Day says. "You might want to consider in your own company a no electronics area." This includes devices such as iPods, which can be used to swipe info via "pod slurping," a technique that involves simply sticking an iPod into a USB port on a computer. "They don't even need access to the keyboard," she says. Day urges IT pros to contact the FBI if their intellectual property is stolen, noting that even if criminal charges are brought against someone, civil charges can also be made. All contents copyright 1995-2006 Network World, Inc. From isn at c4i.org Wed May 17 01:46:04 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 17 May 2006 00:46:04 -0500 (CDT) Subject: [ISN] Under Attack, Spam Fighter Folds Message-ID: http://www.wired.com/news/technology/0,70913-0.html By Ryan Singel May, 16, 2006 A startup whose aggressive antispam measures drew a blistering counterattack from spammers two weeks ago that brought down the company's servers along with a wide swath of the internet is shuttering its program that targets junk e-mailers. In an interview with Wired News, Blue Security CEO Eran Reshef said the Israel-based company was closing its service Wednesday since he did not want to be responsible for an ever-escalating war that could bring down internet service providers and websites around the world and subject its users to denial-of-service attacks from a well-organized group in control of a massive army of computer drones. 
"Our community would very much like us to continue on the fight against spam, and our community has grown over the last week," Reshef said. "But at the end of the day if we continue doing so, within a few days, major websites will go down. I don't feel that this is something I can be responsible for. I cannot go ahead and rip up the internet to make Blue Security work. This is not the decision a commercial entity can make." The abrupt decision ends a high-profile standoff between spammers and a tiny startup whose unorthodox methods had seemingly stymied some of the most prolific purveyors of junk e-mail in the world, if only temporarily. For a few intense days, the fight showed with shocking clarity the lengths to which some spammers will go to protect their businesses, and the devastating arsenals at their command. The lesson to be learned, Reshef said, is that large ISPs and governments need to recognize that spammers are connected to criminal syndicates and that they, not a small startup, are the only ones who can shut down these networks. Blue Security's 500,000 users had been successful in convincing six of the top 10 spam operations in the world to use its open-source mailing-list scrubber, which Reshef said proved that Blue Security's technology and approach was effective. But other spammers responded differently. Starting May 2, a spammer known as PharmaMaster used a massive network of zombie computers to flood Blue Security's database servers with fake traffic and hijacked a little-known Cisco Systems router feature known as "blackhole filtering" to block anyone outside Israel from accessing Blue Security's homepage. The spammer also unleashed a torrent of spam targeted to a subset of Blue Security users, which the spammer had likely gotten by scrubbing an e-mail list and then comparing the old list with the new list. Any addresses removed from the old list could be identified as Blue Security users. 
The distributed-denial-of-service attack brought down the databases, and the collateral damage included hundreds of thousands of websites and mail servers hosted by Tucows, according to Elliot Noss, president and CEO of Tucows, the internet's largest domain registrar. "Just in terms of pure scale, it's pretty safe to call it massive," Noss said. "I think that really the most interesting observation was how distributed it was. We sampled IP addresses and over 70 percent were unique." Blogging software provider Movable Type's hosted service, TypePad, also fell victim to PharmaMaster's bot network, after Blue Security realized that no one could reach its homepage and posted a message to its users on its old blog. Thirty minutes later, PharmaMaster started an attack that brought down thousands of blogs. Blue Security's Blue Frog antispam tool worked by having customers install a small piece of software in their browsers that they used to report spam. After aggregating the reports, Blue Security would try to contact the spammers, the websites of companies being advertised and their ISPs to try to convince the spammers to clean their lists of e-mail accounts on the company's Do Not Intrude list. If that did not work, Blue Security would write a custom script that spam recipients could use to send an opt-out request to the advertised website. In practice, that meant that hundreds of thousands of Blue Frog users could attempt to opt out at once. In addition, the software would fill in online order forms with the opt-out request if there was no other way to communicate with a spammer-advertised website. This tactic, which Blue Security says is legal under the Can-Spam Act, was controversial with spammers and some antispammers alike. Spammers complained in internet forums that the opt-out requests were simply a denial-of-service attack. Anne P. 
Mitchell, president and CEO of the Institute for Spam and Internet Public Policy, is also a vocal critic of Blue Security's tactics who thinks the company was breaking computer crime laws by having its members fill in order forms with opt-out requests. "Do you think Blue Frog cares if they are knowingly causing customers to break the law of their own home country?" Mitchell asked. "They don't care because they are sitting in Israel." But Peter Swire, a law professor and former head privacy official for the Clinton administration, looked into the company's operations, found them legitimate and innovative, and signed onto the company's advisory board earlier this year. "I get one spam e-mail and my computer sends one opt-out request," Swire said. "That is exactly what Can-Spam gives me the right to do." Swire says he understands why Reshef has decided to shutter the service, because these levels of attacks are too much for a small company to withstand. But he says the company showed that this tactic can work. "If little Blue Security can affect 25 percent of spam, then this approach shows great promise if the big boys get involved," Swire said. "If there is a concerted effort by the big ISPs or by the government, the Can-Spam Act provably is the basis for reducing spam." Eric Benhamou, chairman and CEO of Benhamou Global Ventures and one of Blue Security's lead investors, said he knew going in that Blue Security's task was difficult. Benhamou is not writing off Blue Security, whose technology he says has other uses, but he supports the company's decision to shut down in order to avoid more collateral damage. "We knew it would get really serious when the adversary was wounded," he said. "There were no surprises on my part. When I first did my due diligence, Eran and Amir (Hirsch) told me clearly that they knew how to build the technology to accomplish this but weren't sure of the overall business proposition. 
I said that's fine, because I want to explore something that hasn't been done before and before there were only clever filters. This was totally innovative." From isn at c4i.org Wed May 17 01:46:16 2006 From: isn at c4i.org (InfoSec News) Date: Wed, 17 May 2006 00:46:16 -0500 (CDT) Subject: [ISN] Power plant security info leaked onto Net Message-ID: http://search.japantimes.co.jp/cgi-bin/nn20060515a3.html The Japan Times May 15, 2006 NAGOYA (Kyodo) Security data on a thermal power plant has been leaked onto the Internet from a virus-infected personal computer, the company in charge of the plant's security said Sunday. The information was passed onto the Internet through a file-sharing program called Share. The data includes the locations of various facilities in Chubu Electric Power Co.'s thermal power plant in Owase, Mie Prefecture, including the control room, instrument panel room and boilers, officials of the security company, a Chubu affiliate, said. Also leaked were manuals on how to deal with unconfirmed reports of intruders in the plant, as well as a list of the names and home addresses of the security firm's employees and other personal data on guards, they said. The data made its way to the Net from a computer belonging to a 40-year-old employee of the security firm, the officials said. He compiled the data on his PC around 2000. He started to use Share in March, the officials said. Chubu Power, based in Nagoya, operates five nuclear power reactors in Shizuoka Prefecture. From isn at c4i.org Thu May 18 05:02:07 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 18 May 2006 04:02:07 -0500 (CDT) Subject: [ISN] Auditors: DHS should spur use of critical infrastructure data Message-ID: http://www.gcn.com/online/vol1_no1/40809-1.html By Wilson P. 
Dizard III GCN Staff 05/17/06 The Homeland Security Department should work to increase use of sensitive information it receives from private companies about vulnerable assets like utilities, private IT networks, energy production and distribution facilities, and transportation assets, the Government Accountability Office said in a report unveiled today. The report [1], titled "DHS Should Take Steps to Encourage More Widespread Use of its Program to Protect and Share Critical Infrastructure Information," describes how the department has been carrying out the Critical Infrastructure Information Act. That law was a response to the frequently repeated fact that more than 85 percent of the essential facilities that terrorists could target are in private hands. The law sought to encourage private companies to submit information about the critical infrastructure assets to DHS by creating special shields against the public release of the data. In particular, the law bars release of the information under the federal Freedom of Information Act. Once the information is gathered and protected, the department is responsible for sharing it with appropriate agencies so they can help protect the assets from terrorist attacks. GAO reported that the department has set up a program office to establish requirements for gathering, protecting, sharing and using the infrastructure information. As of January 2006, the program office had received 260 submissions of critical infrastructure information from various sectors. The office has publicized the program to government agencies and private companies, and trained about 750 potential users in DHS and other federal, state and local agencies to handle the specially protected information. 
However, according to the report, DHS must overcome challenges in defining government needs for the information, deciding how it will be used, protecting the information and controlling access to it as well as convincing the private companies that they will gain by submitting the information. "If DHS were able to surmount these challenges, it and other government users may begin to overcome the lack of trust that critical infrastructure owners have in the government's ability to use and protect their sensitive information," the report said. The auditing agency added that DHS officials concurred with the report findings in oral comments. [1] http://www.gao.gov/new.items/d06383.pdf From isn at c4i.org Thu May 18 05:02:19 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 18 May 2006 04:02:19 -0500 (CDT) Subject: [ISN] GAO: IRS procedural flaws leave taxpayer materials vulnerable Message-ID: http://www.govexec.com/story_page.cfm?articleid=34101 By Jenny Mandel jmandel @ govexec.com May 17, 2006 Taxpayer receipts and other sensitive materials were left open and vulnerable to loss or theft, and it was common to find problems with financial and security procedures at Internal Revenue Service facilities visited by auditors during an annual review. As part of a fiscal 2005 audit, Government Accountability Office employees visited a sampling of service centers, taxpayer assistance centers, field offices, financial institutions serving as agents of the government and a finance center, to evaluate how they followed financial and internal controls designed to ensure the appropriate handling of materials. In a report (GAO-06-543R) [1] released last week, GAO described a litany of security problems. At a taxpayer assistance center, auditors repeatedly entered secure areas without challenge by walking from public into controlled areas through an unmarked, unlocked door. 
At assistance centers newly reconfigured to incorporate security features, reviewers found the same open access and were told that unauthorized people occasionally appeared in secure areas. At service centers where tax returns were opened and processed, reviewers found that procedures for candling envelopes -- passing them over a light source or using other methods to ensure the contents had been removed -- were not routinely followed before the envelopes were marked to be destroyed. At a bank that processed tax remittances, procedures calling for the immediate deposit of large checks were not routinely followed. In one case, reviewers found six checks totaling $1.25 million that had not been processed before a shift change, and new shift leaders were not aware of their existence. GAO also found that references were not verified when individuals under age 18 were hired to handle taxpayer receipts and information. Underage employees routinely had access to taxpayer information beyond what they were cleared to handle, and those who were no longer in school, but without a work history, were not required to submit a standard character assessment form. The report recommended that the IRS improve its procedural guidelines, enhance periodic facility reviews, enforce existing rules and monitor adherence to regulations. In response to a report draft, IRS officials accepted all but one of GAO's recommendations, which they said the agency had already met. "The issues you presented in your report will help us to take the necessary steps to strengthen our controls over property and equipment, safeguarding tax receipts, and improving financial management," Commissioner Mark Everson wrote. He noted that the IRS had acted on and closed 33 outstanding recommendations during fiscal 2005, and developed corrective action plans for others. 
[1] http://www.gao.gov/cgi-bin/getrpt?GAO-06-543R From isn at c4i.org Thu May 18 05:02:31 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 18 May 2006 04:02:31 -0500 (CDT) Subject: [ISN] The Ultimate Net Monitoring Tool Message-ID: http://www.wired.com/news/technology/0,70914-0.html By Robert Poe May, 17, 2006 The equipment that technician Mark Klein learned was installed in the National Security Agency's "secret room" inside AT&T's San Francisco switching office isn't some sinister Big Brother box designed solely to help governments eavesdrop on citizens' internet communications. Rather, it's a powerful commercial network-analysis product with all sorts of valuable uses for network operators. It just happens to be capable of doing things that make it one of the best internet spy tools around. "Anything that comes through (an internet protocol network), we can record," says Steve Bannerman, marketing vice president of Narus, a Mountain View, California, company. "We can reconstruct all of their e-mails along with attachments, see what web pages they clicked on, we can reconstruct their (voice over internet protocol) calls." Narus' product, the Semantic Traffic Analyzer, is a software application that runs on standard IBM or Dell servers using the Linux operating system. It's renowned within certain circles for its ability to inspect traffic in real time on high-bandwidth pipes, identifying packets of interest as they race by at up to 10 Gbps. Internet companies can install the analyzers at every entrance and exit point of their networks, at their "cores" or centers, or both. The analyzers communicate with centralized "logic servers" running specialized applications. The combination can keep track of, analyze and record nearly every form of internet communication, whether e-mail, instant message, video streams or VOIP phone calls that cross the network. 
Brasil Telecom and several other Brazilian phone companies are using Narus products to charge each other for VOIP calls they send over one another's IP networks. Internet companies in China and the Middle East use them to block VOIP calls altogether. But even before the product's alleged role in the NSA's operations emerged, its potential as a surveillance tool was not lost on corporate America. In December, VeriSign, also of Mountain View, chose Narus' product as the backbone of its lawful-intercept-outsourcing service, which helps network operators comply with court-authorized surveillance orders from law enforcement agencies. A special Narus lawful-intercept application does this spying with ease, sorting through torrents of IP traffic to pick out specific messages based on a targeted e-mail address, IP address or, in the case of VOIP, phone number. "We needed their fast packet-detection and inspection capability," says VeriSign Vice President Raj Puri. "They do it with specialized software that can isolate packets for a specific target." Narus has little control over how its products are used after they're sold. For example, although its lawful-intercept application has a sophisticated system for making sure the surveillance complies with the terms of a warrant, it's up to the operator whether to type those terms into the system, says Bannerman. That legal eavesdropping application was launched in February 2005, well after whistle-blower Klein allegedly learned that AT&T was installing Narus boxes in secure, NSA-controlled rooms in switching centers around the country. But that doesn't mean the government couldn't write its own code to do the dirty work. Narus even offers software-development kits to customers. "Our product is designed to comply (with) all of the laws in all of the countries we ship to," says Bannerman. "Many of our customers have built their own applications. We have no idea what they do." 
From isn at c4i.org Thu May 18 05:01:53 2006 From: isn at c4i.org (InfoSec News) Date: Thu, 18 May 2006 04:01:53 -0500 (CDT) Subject: [ISN] Gossip lands Education hacker in jail Message-ID: http://www.fcw.com/article94547-05-17-06-Web By Michael Arnone May 17, 2006 An Education Department auditor who hacked his boss' computer and told his co-workers about it will spend five months in jail, Justice Department officials said. Kenneth Kwak, formerly an information technology systems auditor at Education's Office of the Inspector General, pleaded guilty in March to one count of intentionally gaining unauthorized access to a government computer and extracting information from it, Justice spokesman Drew Wade said. Kwak admitted he installed software on his supervisor's computer that gave him access to his boss' e-mail messages and Internet activity, Wade said. Kwak then shared the information with his co-workers. He was prosecuted under the U.S. Attorney's Office's new zero-tolerance policy for breaking into federal computer systems, Justice officials said. Once Kwak has served his time, he will spend another five months confined to his home with his movements electronically monitored, Justice officials said. U.S. District Judge Royce Lamberth ordered Kwak to pay $40,000 in restitution to the federal government and spend three years under supervised release, including the five months at home, Wade said. The Computer Crime Investigation Division of Education's Office of the IG conducted the investigation, Justice officials said. Attorneys from the Computer Crime and Intellectual Property Section of Justice's Criminal Division prosecuted the case. "This unfortunate incident demonstrates that accountability applies to everyone," said John Higgins Jr., Education's IG. "We will continue to work with department and law enforcement officials to ensure the integrity of the department's computer systems." 
From isn at c4i.org Thu May 18 05:02:45 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 18 May 2006 04:02:45 -0500 (CDT)
Subject: [ISN] WBAB radio signal hijacked
Message-ID:

http://www.newsday.com/news/local/longisland/ny-libab0518,0,569247.story?coll=ny-li-bigpix

BY BART JONES
Newsday Staff Writer
May 18, 2006

A popular morning program on WBAB radio was "hijacked" Wednesday, station officials said, by someone who broke in on its broadcast -- apparently by using an illegal transmitter -- and played an offensive song that repeated a racial epithet several times.

Station managers, already immersed in controversy over the Roger and JP morning show's airing last week of a "Wetback Steakhouse" fake commercial, said they were angered by the two-minute takeover and contacted the Federal Communications Commission to investigate.

"I'd like to find out who did it," program director John Olsen said. "I'm not happy about it."

A similar incident occurred with WBAB's sister station WBLI about two weeks ago with the same song, he said. The stations share a studio on Sunrise Highway in Babylon.

Wednesday, the pirate broke into WBAB's broadcast about 7:15 a.m., interrupting "Hey You" by Pink Floyd and playing part of a country music-style song that in addition to using the "n word" suggests killing blacks. It also refers to blacks getting welfare checks and includes an offensive reference to Martin Luther King Jr.

The show's stunned hosts, John Parise and Roger Luce, and the station's technicians were unable to block the pirate transmission, Olsen said. After the intruder's song ended, several seconds of empty air space followed until regular broadcasting resumed with the end of the Pink Floyd song. Parise and Luce explained to listeners that the transmission had been taken over and stressed they had no part in playing the song.

Olsen said the station's engineers were investigating what happened Wednesday, but he had one possible explanation.
He said that from its studio in Babylon, WBAB sends a high-frequency microwave signal to its transmitting tower about six miles away in Dix Hills near the Long Island Expressway.

"Somebody using an illegal transmitter and small antenna we believe overtook our signal between the studio and the transmitter and that's how they got in," he said. He added that the pirate would have to be near the signal but not necessarily at the transmission tower.

"You have to be technologically pretty proficient in order to know how to do it," he said. "The equipment is probably readily available and if you know how to put the equipment together ... then it's something that's possible."

He added that the station was taking steps Wednesday to ensure its broadcast isn't hijacked again.

One listener said his jaw dropped Wednesday when he heard the song come on, and he pulled over in his car to listen. "At first I thought these guys were looking for a whole bunch of trouble," said Frank Carpenter of Bohemia. But "clearly they were a victim here."

One communications security expert, Johannes Ullrich of the SANS Institute in Jacksonville, Fla., said pirate invasions of radio or television stations were rare, although he has heard of some cases such as the Falun Gong religious group hijacking a Chinese television station for about 15 minutes.

WBAB, which bills itself as "Long Island's No. 1 Rock Station," reaches all of the Island and operates with two frequencies: 102.3 covers from the Queens border to around the Riverhead area, while 95.3 covers the rest of the East End.

Last week, Parise and Luce apologized for the "Wetback Steakhouse" spot, and the station pulled it off the air.

Copyright 2006 Newsday Inc.
From isn at c4i.org Fri May 19 03:15:14 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 19 May 2006 02:15:14 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-20
Message-ID:

========================================================================

The Secunia Weekly Advisory Summary
2006-05-11 - 2006-05-18

This week: 54 advisories

========================================================================

Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================

1) Word From Secunia:

The Secunia staff is spending hours every day to assure you the best and most reliable source for vulnerability information.

Every single vulnerability report is being validated and verified before a Secunia advisory is written.

Secunia validates and verifies vulnerability reports in many different ways e.g. by downloading the software and performing comprehensive tests, by reviewing source code, or by validating the credibility of the source from which the vulnerability report was issued.

As a result, Secunia's database is the most correct and complete source for recent vulnerability information available on the Internet.

Secunia Online Vulnerability Database:
http://secunia.com/

========================================================================

2) This Week in Brief:

Steve Wiseman has reported a vulnerability in RealVNC, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error within the handling of VNC password authentication requests.
This can be exploited to bypass authentication and allows access to the remote system without requiring knowledge of the VNC password.

Additional details are available in the referenced Secunia advisory below.

Reference:
http://secunia.com/SA20107

--

Multiple vulnerabilities have been reported in QuickTime, which can be exploited by malicious people to compromise a user's system.

All users of QuickTime are advised to check for available updates.

Reference:
http://secunia.com/SA20069

--

VIRUS ALERTS:

Secunia has not issued any virus alerts during the week.

========================================================================

3) This Week's Top Ten Most Read Advisories:

1.  [SA20069] QuickTime Multiple Code Execution Vulnerabilities
2.  [SA20107] RealVNC Password Authentication Bypass Vulnerability
3.  [SA19762] Internet Explorer "object" Tag Memory Corruption Vulnerability
4.  [SA20077] Mac OS X Security Update Fixes Multiple Vulnerabilities
5.  [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of Sensitive Information
6.  [SA19521] Internet Explorer Window Loading Race Condition Address Bar Spoofing
7.  [SA18680] Microsoft Internet Explorer "createTextRange()" Code Execution
8.  [SA20083] Linux Kernel "lease_init()" Denial of Service Vulnerability
9.  [SA20082] Symantec Firewall Products Internal IP Addresses Disclosure
10.
[SA20084] AliPAGER "ubild" Cross-Site Scripting and SQL Injection

========================================================================

4) Vulnerabilities Summary Listing

Windows:
[SA20136] FreeFTPd SFTP Key Exchange Algorithm String Buffer Overflow
[SA20114] FortressSSH SSH_MSG_KEXINIT Logging Buffer Overflow
[SA20107] RealVNC Password Authentication Bypass Vulnerability
[SA20146] LiveData ICCP Server Buffer Overflow Vulnerability
[SA20112] Azboard Multiple SQL Injection Vulnerabilities
[SA20102] DUbanner Insecure File Upload Vulnerability
[SA20086] FileZilla Unspecified Buffer Overflow Vulnerability
[SA20132] Sun Java JRE Large Temporary File Creation Vulnerability

UNIX/Linux:
[SA20123] Nagios Content-Length Integer Overflow Vulnerability
[SA20117] SUSE Updates for Multiple Packages
[SA20094] Empire Server "client_cmd()" Denial of Service Vulnerability
[SA20139] Novell eDirectory iMonitor Unspecified Buffer Overflow Vulnerability
[SA20124] Debian update for phpldapadmin
[SA20137] Ubuntu update for Quagga
[SA20127] Sun N1 System Manager Password Disclosure Vulnerability
[SA20108] Debian update for webcalendar
[SA20116] Quagga bgpd Denial of Service Vulnerability

Other:
[SA20109] AdderLink IP Unspecified VNC Vulnerability
[SA20085] ClamXav freshclam suid Permissions Security Issue

Cross Platform:
[SA20135] DeluxeBB Multiple File Extensions File Upload Vulnerability
[SA20128] NewsPortal Cross-Site Scripting and File Inclusion
[SA20121] Squirrelcart "cart_isp_root" File Inclusion Vulnerability
[SA20120] Quezza "quezza_root_path" File Inclusion Vulnerability
[SA20119] TR Newsportal "file_newsportal" Parameter File Inclusion Vulnerability
[SA20115] Php Blue Dragon CMS "vsDragonRootPath" File Inclusion
[SA20103] ezUserManager "ezUserManager_Path" File Inclusion Vulnerability
[SA20099] Genecys Buffer Overflow and Denial of Service
[SA20098] Outgun Multiple Vulnerabilities
[SA20097] Raydium Multiple Vulnerabilities
[SA20092] phpBB foing Module "phpbb_root_path" File
Inclusion
[SA20090] Unclassified NewsBoard "ABBC[Config][smileset]" Local File Inclusion
[SA20087] PopPhoto "cfg[popphoto_base_path]" File Inclusion Vulnerability
[SA20133] RadLance Gold "popup.php" Local File Inclusion Vulnerability
[SA20131] Sphider Multiple Vulnerabilities
[SA20129] PHP-Fusion "srch_where" SQL Injection Vulnerability
[SA20125] Caucho Resin Two Disclosure of Sensitive Information Vulnerabilities
[SA20106] Hitachi EUR Unspecified SQL Injection Vulnerability
[SA20104] DeluxeBB "name" SQL Injection Vulnerability
[SA20096] GNUnet Empty UDP Datagram Denial of Service Vulnerability
[SA20089] e107 "e107_cookie" Parameter SQL Injection Vulnerability
[SA20088] phpCOIN E-Mail Address Disclosure of Arbitrary Messages
[SA20084] AliPAGER "ubild" Cross-Site Scripting and SQL Injection
[SA20144] Sun Java System Directory Server Authentication Bypass
[SA20141] phpRemoteView Multiple Cross-Site Scripting Vulnerabilities
[SA20130] BEA WebLogic Server/Express Multiple Security Issues
[SA20118] Directory Listing Script "dir" Cross-Site Scripting Vulnerability
[SA20113] phpMyAdmin "theme" and "db" Cross-Site Scripting Vulnerabilities
[SA20111] phpODP "browse" Cross-Site Scripting Vulnerability
[SA20110] Jax Guestbook "guestbook.admin.php" Cross-Site Scripting
[SA20105] Confixx Pro "login" Parameter Cross-Site Scripting Vulnerability
[SA20101] FlexChat "username" Parameter Cross-Site Scripting
[SA20095] GPhotos Cross-Site Scripting and Disclosure of Arbitrary Directories
[SA20091] OZJournals "vname" Parameter Cross-Site Scripting
[SA20093] phpBB "Upload Avatar from a URL" Remote HTTP Request Weakness

========================================================================

5) Vulnerabilities Content Listing

Windows:
--

[SA20136] FreeFTPd SFTP Key Exchange Algorithm String Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-17

A vulnerability has been reported in FreeFTPd, which can be exploited by malicious people
to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20136/

--

[SA20114] FortressSSH SSH_MSG_KEXINIT Logging Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-16

Gerry Eisenhaur has discovered a vulnerability in FortressSSH, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20114/

--

[SA20107] RealVNC Password Authentication Bypass Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-05-15

Steve Wiseman has reported a vulnerability in RealVNC, which can be exploited by malicious people to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20107/

--

[SA20146] LiveData ICCP Server Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-05-17

A vulnerability has been reported in LiveData ICCP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20146/

--

[SA20112] Azboard Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-16

x90c has reported some vulnerabilities, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20112/

--

[SA20102] DUbanner Insecure File Upload Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-16

Dj ReMix has discovered a vulnerability in DUbanner, which can be exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20102/

--

[SA20086] FileZilla Unspecified Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-05-15

A vulnerability has been reported in FileZilla, which potentially can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/20086/

--

[SA20132] Sun Java JRE Large Temporary File Creation Vulnerability

Critical:    Not critical
Where:       From remote
Impact:      DoS
Released:    2006-05-16

Marc Schoenefeld has discovered a vulnerability in Sun Java JRE (Java Runtime Environment), which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20132/

UNIX/Linux:
--

[SA20123] Nagios Content-Length Integer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-16

A vulnerability has been reported in Nagios, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20123/

--

[SA20117] SUSE Updates for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, DoS, System access
Released:    2006-05-15

SUSE has issued an update for multiple packages. This fixes some vulnerabilities, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to cause files to be extracted to arbitrary locations on a user's system, bypass certain security restrictions, conduct cross-site scripting attacks, cause a DoS (Denial of Service), or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20117/

--

[SA20094] Empire Server "client_cmd()" Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-05-15

Luigi Auriemma has reported a vulnerability in Empire Server, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20094/

--

[SA20139] Novell eDirectory iMonitor Unspecified Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2006-05-18

A vulnerability has been reported in Novell eDirectory, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20139/

--

[SA20124] Debian update for phpldapadmin

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-16

Debian has issued an update for phpldapadmin. This fixes some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20124/

--

[SA20137] Ubuntu update for Quagga

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Exposure of system information, DoS
Released:    2006-05-16

Ubuntu has issued an update for Quagga. This fixes two security issues and a vulnerability, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to bypass certain security restrictions, and to disclose system information.
Full Advisory:
http://secunia.com/advisories/20137/

--

[SA20127] Sun N1 System Manager Password Disclosure Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-05-18

A vulnerability has been reported in Sun N1 System Manager, which can be exploited by malicious, local users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/20127/

--

[SA20108] Debian update for webcalendar

Critical:    Not critical
Where:       From remote
Impact:      Exposure of system information
Released:    2006-05-15

Debian has issued an update for webcalendar. This fixes a weakness, which can be exploited by malicious people to identify valid user accounts.

Full Advisory:
http://secunia.com/advisories/20108/

--

[SA20116] Quagga bgpd Denial of Service Vulnerability

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-05-15

Fredrik Widell has reported a vulnerability in Quagga, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/20116/

Other:
--

[SA20109] AdderLink IP Unspecified VNC Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Unknown
Released:    2006-05-16

A vulnerability with unknown impact has been reported in AdderLink IP.

Full Advisory:
http://secunia.com/advisories/20109/

--

[SA20085] ClamXav freshclam suid Permissions Security Issue

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2006-05-15

Kevin Finisterre has reported a security issue in ClamXav, which can be exploited by malicious, local users to disclose potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/20085/

Cross Platform:
--

[SA20135] DeluxeBB Multiple File Extensions File Upload Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-17

rgod has discovered a vulnerability in DeluxeBB, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20135/

--

[SA20128] NewsPortal Cross-Site Scripting and File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-05-17

Some vulnerabilities have been reported in NewsPortal, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20128/

--

[SA20121] Squirrelcart "cart_isp_root" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-16

OLiBekaS has reported a vulnerability in Squirrelcart, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20121/

--

[SA20120] Quezza "quezza_root_path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-17

Mustafa Can Bjorn has reported a vulnerability in Quezza, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20120/

--

[SA20119] TR Newsportal "file_newsportal" Parameter File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-16

Kacper has discovered a vulnerability in TR Newsportal, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20119/

--

[SA20115] Php Blue Dragon CMS "vsDragonRootPath" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-15

Kacper has discovered a vulnerability in Php Blue Dragon CMS, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20115/

--

[SA20103] ezUserManager "ezUserManager_Path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-16

OLiBekaS has discovered a vulnerability in ezUserManager, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20103/

--

[SA20099] Genecys Buffer Overflow and Denial of Service

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-15

Luigi Auriemma has reported two vulnerabilities in Genecys, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20099/

--

[SA20098] Outgun Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-15

Luigi Auriemma has reported some vulnerabilities in Outgun, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20098/

--

[SA20097] Raydium Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-05-15

Luigi Auriemma has reported some vulnerabilities in Raydium, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20097/

--

[SA20092] phpBB foing Module "phpbb_root_path" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-15

Kurdish Security has discovered some vulnerabilities in the foing module for phpBB, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20092/

--

[SA20090] Unclassified NewsBoard "ABBC[Config][smileset]" Local File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, System access
Released:    2006-05-12

rgod has reported a vulnerability in Unclassified NewsBoard, which can be exploited by malicious people to disclose sensitive information and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20090/

--

[SA20087] PopPhoto "cfg[popphoto_base_path]" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-05-15

VietMafia has reported a vulnerability in PopPhoto, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/20087/

--

[SA20133] RadLance Gold "popup.php" Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-05-16

Mr.CrackerZ has reported a vulnerability in RadLance Gold, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20133/

--

[SA20131] Sphider Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-05-17

Some vulnerabilities have been discovered in Sphider, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20131/

--

[SA20129] PHP-Fusion "srch_where" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-17

rgod has discovered a vulnerability in PHP-Fusion, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20129/

--

[SA20125] Caucho Resin Two Disclosure of Sensitive Information Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-05-17

Two vulnerabilities have been reported in Caucho Resin, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20125/

--

[SA20106] Hitachi EUR Unspecified SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-17

A vulnerability has been reported in EUR, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20106/

--

[SA20104] DeluxeBB "name" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-16

KingOfSka has discovered a vulnerability in DeluxeBB, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20104/

--

[SA20096] GNUnet Empty UDP Datagram Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-05-15

Luigi Auriemma has reported a vulnerability in GNUnet, which can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20096/

--

[SA20089] e107 "e107_cookie" Parameter SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-05-15

socsam has discovered a vulnerability in e107, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20089/

--

[SA20088] phpCOIN E-Mail Address Disclosure of Arbitrary Messages

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-05-12

A vulnerability has been reported in phpCOIN, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/20088/

--

[SA20084] AliPAGER "ubild" Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2006-05-11

Hamid Ebadi has discovered a vulnerability in AliPAGER, which can be exploited by malicious people to conduct cross-site scripting attacks and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/20084/

--

[SA20144] Sun Java System Directory Server Authentication Bypass

Critical:    Moderately critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-05-17

A security issue has been reported in Sun Java System Directory Server, which can be exploited by malicious people to gain unauthorised access.

Full Advisory:
http://secunia.com/advisories/20144/

--

[SA20141] phpRemoteView Multiple Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-17

Soot has discovered some vulnerabilities in phpRemoteView, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20141/

--

[SA20130] BEA WebLogic Server/Express Multiple Security Issues

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure of sensitive information
Released:    2006-05-16

Multiple security issues and a vulnerability have been reported in WebLogic Server / Express, which can be exploited by malicious people to disclose system and sensitive information, and bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/20130/

--

[SA20118] Directory Listing Script "dir" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-15

Kiki has discovered a vulnerability in Directory Listing Script, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20118/

--

[SA20113] phpMyAdmin "theme" and "db" Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-15

Two vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20113/

--

[SA20111] phpODP "browse" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-15

Kiki has discovered a vulnerability in phpODP, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20111/

--

[SA20110] Jax Guestbook "guestbook.admin.php" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-15

Kiki has discovered a vulnerability in Jax Guestbook, which can be exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20110/

--

[SA20105] Confixx Pro "login" Parameter Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-16

LoK-Crew has reported a vulnerability in Confixx Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20105/

--

[SA20101] FlexChat "username" Parameter Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-15

r0t has discovered a vulnerability in FlexChat, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20101/

--

[SA20095] GPhotos Cross-Site Scripting and Disclosure of Arbitrary Directories

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Exposure of system information
Released:    2006-05-15

Moroccan Security has discovered some vulnerabilities and a weakness in GPhotos, which can be exploited by malicious people to disclose system information and conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20095/

--

[SA20091] OZJournals "vname" Parameter Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-05-12

Kiki has discovered a vulnerability in OZJournals, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/20091/

--

[SA20093] phpBB "Upload Avatar from a URL" Remote HTTP Request Weakness

Critical:    Not critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-05-16

rgod has discovered a weakness in phpBB, which can be exploited by malicious people to use it for making HTTP requests to other sites.
Full Advisory:
http://secunia.com/advisories/20093/

========================================================================

Secunia recommends that you verify all advisories you receive, by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support at secunia.com
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

From isn at c4i.org Fri May 19 03:15:27 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 19 May 2006 02:15:27 -0500 (CDT)
Subject: [ISN] ACSAC 22 (Miami Beach, FL) - June 4 submission deadline
Message-ID:

Forwarded from: ACSAC Distribution Manager

Dear colleague. Apologies if you receive multiple copies of this announcement.

PDF versions at
http://www.acsac.org/2006/cfp_2006.pdf
http://www.acsac.org/2006/cfp_2006-a4.pdf

---------------------------
Call For Participation
---------------------------

Submission deadline approaching!

22nd Annual Computer Security Applications Conference
December 11-15, 2006
Miami Beach, Florida
http://www.acsac.org

                      Submission       Acceptance
                      Deadline         Notification
Technical Track       June 4, 2006     Aug. 13, 2006
Panels                June 4, 2006     Aug. 13, 2006
Tutorials             June 4, 2006     Jul. 20, 2006
Workshop              June 4, 2006     Jul. 20, 2006
Case Studies          June 4, 2006     Aug. 15, 2006
Works in Progress     Sep. 8, 2006     Oct. 1, 2006

See http://www.acsac.org/cfp for detailed submission information!

Please submit blinded papers, at most 10 pages in length at 11pt.

---------------------------------------------------------------------------

ACSAC is presented by a group of professionals who are working to facilitate information sharing among colleagues. We're an all-volunteer not-for-profit organization.
Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.

You can help ACSAC reach people who might benefit from this information. Feel free to forward this message with a personal note to your friends and colleagues. They can sign up at http://www.acsac.org/list.

We have moved to a new web host and are trying to remove duplicates from our mailing lists. If you receive duplicate messages, or simply want to be removed from our list, please reply with the word REMOVE in the subject.

From isn at c4i.org Fri May 19 03:15:40 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 19 May 2006 02:15:40 -0500 (CDT)
Subject: [ISN] Not for sale: Military clampdown on stolen computer drives turns market cold
Message-ID:

http://www.signonsandiego.com/news/military/20060508-1009-afghan-us-stolenintelligence.html

By Jason Straziuso
ASSOCIATED PRESS
May 8, 2006

BAGRAM, Afghanistan - Computer storage devices containing sensitive military information stolen from the U.S. base here and widely available in shops last month are now hard to come by.

The U.S. military has increased security measures to prevent Afghan workers from slipping the small portable flash drives into their pockets in order to sell them to shops near the main American base in Afghanistan, a U.S. spokesman and shopkeepers said Monday.

One shopkeeper said Afghan workers on the Bagram base are now scrutinized carefully on their way out.

"They even look in their shoes," said the 40-year-old shopkeeper, who would only give his first name, Amruddin.

In April, dozens of used flash drives were available in markets here. Drives viewed by The Associated Press had the Social Security numbers of hundreds of soldiers, including four generals, and lists of troops who completed nuclear, chemical and biological warfare training.

The Los Angeles Times, which broke the story, reported that some drives had classified military secrets, including maps, charts and intelligence reports concerning the Taliban and al-Qaeda.
Soon after those stories, the military went from shop to shop and bought all the drives they could find, concentrating on the used devices, which would be more likely to contain military information. Most shopkeepers said Tuesday they no longer had any used drives for sale.

Lt. Col. Paul Fitzpatrick, a military spokesman, said the majority of the drives the military bought were unused or had unclassified information on them. He said the investigation into the thefts was ongoing.

The military now has measures in place to better protect the storage devices, particularly the ones with classified information on them, Fitzpatrick said. He would not provide specifics.

"Could there still be stuff out there? Yes, there could be," he said, noting there were 2,000 Afghan employees on the U.S. base. "But we will continue to monitor the situation. Gray and black market business is common in this country."

Shopkeepers said they still received goods from inside the U.S. base, but not at the rate they once did.

One shopkeeper, who gave his name as Mohammed Agha, showed the AP three used drives Monday that he said came from the base, though that was impossible to verify. One of the drives had no information on it, and the other two were password protected. Agha said that last month he had dozens of used drives.

Agha did, however, show the AP a brand new Toshiba laptop computer he said came from the base. It had most of its original packaging, and scrawled in black marker on the outside of the computer box was: "Mouse keeps freezing." He would not let the AP review the hard drive.

Also available at Agha's shop was a used iPod he said came from the base and telephone calling cards from AT&T that said "military exchange" on them.

Amruddin said shopkeepers "did a very good business" when the American soldiers came through to buy their goods last month. He said he hasn't had a used flash drive to sell since.
"A few people still bring small things from the base, but not like before," he said.

From isn at c4i.org Fri May 19 03:14:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 19 May 2006 02:14:56 -0500 (CDT)
Subject: [ISN] Zimbabwe to introduce legislation on cyber crime
Message-ID:

http://english.peopledaily.com.cn/200605/18/eng20060518_266621.html

Xinhua
May 18, 2006

The Zimbabwean government plans to come up with legislation to curb cyber crime in the country in view of its increasing threat to world economies, Transport and Communication Minister Christopher Mushowe said on Wednesday.

He said this in a speech read on his behalf during the commemorations to mark World Telecommunications Day under the theme of "Promoting Global Cybersecurity".

"Given the threats that are posed to global economies by cyber crime, there is need to come up with measures to combat this crime," he said.

Most countries, including Zimbabwe, had laws and regulations outdated for protecting networked information, he said. On the contrary, he said, perpetrators were always updating their technologies making it difficult for the laws to catch up.

"Most of the existing statutes do not have sufficiently deterrent penalties on cyber crime," he said, adding that the government would work with stakeholders including Parliament, in formulating consensus on the way forward in combating cyber crime.

Cyber crime takes various forms, including Spam, which disrupts networks, cuts productivity and spreads viruses. It also involves distribution of offensive material like racist propaganda, electronic money laundering, electronic vandalism, terrorism, extortion, hacking and illegal interception of telecommunications, which violates individual privacy.
The minister said Zimbabwe would soon come up with measures to curb this crime, including raising awareness through the country's education system, cooperating with other countries in the exchange of technical information and communication network security.

Other measures included building capacity of cyber space users and joining forces with the private sector in combating the crime through Public Private Partnerships (PPP).

Zimbabwe's telecommunications regulatory body, Potraz, said cyber security could be strengthened through development of a national framework that involves public and private sectors.

It said lack of adequate security hindered the use of information and communication technologies that rely on the protection and confidentiality of sensitive data.

"Unless these security and trust issues are addressed, the benefits of the information society to citizens, business and governments cannot be fully realized," said Potraz.

From isn at c4i.org Fri May 19 03:15:54 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 19 May 2006 02:15:54 -0500 (CDT)
Subject: [ISN] Blue Security Kicked While It's Down
Message-ID:

http://blog.washingtonpost.com/securityfix/2006/05/blue_security_surrenders_but_s.html

By Brian Krebs
May 17, 2006

Hours after anti-spam company Blue Security pulled the plug on its spam-fighting Blue Frog software and service, the spammers whose attack caused the company to wave the white flag have escalated their assault, knocking Blue Security's farewell message and thousands more Web sites offline.

Just before midnight ET, Blue Security posted a notice on its home page that it was bowing out of the anti-spam business due to concerted attacks against its Web site that took millions of other sites and blogs with it. Within minutes of that online posting, bluesecurity.com went down and remains inaccessible at the time of this writing.
According to information obtained by Security Fix, the reason is that the attackers were hellbent on taking down Blue Security's site again, but had trouble because the company had signed up with Prolexic, which specializes in protecting Web sites from "distributed denial-of-service" (DDoS) attacks. These massive assaults harness the power of thousands of hacked PCs to swamp sites with so much bogus traffic that they can no longer accommodate legitimate visitors.

Prolexic built its business catering to the sites most frequently targeted by DDoS extortion attacks -- chiefly, online gambling and betting houses. But the company also serves thousands of other businesses, including banks, insurance companies and online payment processors.

For the past nine hours, however, most of Prolexic's customers have been knocked offline by an attack that flanked its defenses. Turns out the attackers decided not to attack Prolexic, but rather UltraDNS, its main provider of domain name system (DNS) services. (DNS is what helps direct Internet traffic to its destination by translating human-readable domain names like "www.example.com" into numeric Internet addresses that are easier for computers to understand.)

UltraDNS is the authoritative DNS provider for all Web sites ending in ".org" and ".uk," and also markets its "DNS Shield" service designed to help sites defend against another, increasingly common type of DDoS -- one that targets weaknesses inherent in the DNS system. (Incidentally, UltraDNS was recently acquired by Neustar, which in turn is responsible for handling all ".biz" domain registrations, and for overseeing the nation's authoritative directory of telephone numbers.)

In this case, at least, it does not appear that the DNS Shield service worked as advertised. Earlier today, I spoke with Prolexic founder Barrett G. Lyon, who told me the attack on UltraDNS had knocked about 80 percent of his company's clients offline, or roughly 2,000 or so Web businesses.
Most of those businesses also remain offline as of this writing.

According to Lyon, the unknown attackers hit a key portion of UltraDNS's network with a flood of spoofed DNS requests at a rate of around 4 to 5 gigabits per second, which is enough traffic to make just about any Web site on the Internet fall over (many Internet routers can handle only a few hundred megabits of traffic before they start to fail).

But this was no normal DDoS attack -- it was a kind of DDoS on the DNS system that security experts say has become alarmingly more common over the past six to eight months. Known as DNS amplification attacks or "reflected DNS attacks," these kinds of DDoS assaults increase the traffic hurled at a victim by orders of magnitude.

In a nutshell, the attackers find a whole bunch of poorly configured DNS servers and use them to create and send spoofed DNS requests from systems they control to the DNS servers they want to cripple. Because the DNS requests appear to be coming from other trusted DNS servers, the target servers have trouble distinguishing regular, legitimate DNS lookups from ones sent by the attackers. Sustained for long enough, the attack eventually overloads the victim's DNS servers with queries and knocks them out of commission.

To put the raw power of DNS amplification into perspective, consider the attack that knocked Akamai offline in the summer of 2004. For anyone unfamiliar with this company, Akamai sells a rather pricey service that lets deep-pocketed companies like FedEx, Microsoft and Xerox mirror their Web site content at thousands of different online servers, making DDoS attacks against their sites extremely difficult. Akamai was for a long time considered the gold standard until one day in June 2004, when a DDoS attack knocked the company's services offline for about an hour.
Akamai never talked publicly about the specifics of the attack, but several sources close to the investigation told me later that the outage was the result of a carefully coordinated DNS amplification attack -- one that was stopped when the attackers decided they had made their point (which was no doubt to demonstrate to would-be buyers of their DDoS services that they could knock just about anyone off the face of the Web.)

So where am I going with all of this? Well, UltraDNS marketed its DNS Shield as a protection against exactly these same types of amplification attacks. Only in this case it doesn't appear to have worked -- though, to be fair I haven't heard UltraDNS's side of the story since they have yet to return my calls. No doubt they are busy putting out fires.

At any rate, score another one for the spammers, I suppose.

-=-

Update, 7:46 p.m. ET: I heard back from Neustar. Their spokesperson, Elizabeth Penniman, declined to discuss anything about today's attacks, saying only that "we have a handle on the situation and continue to work with service providers to ensure the best possible level of service to our customers."

From isn at c4i.org Fri May 19 03:16:05 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 19 May 2006 02:16:05 -0500 (CDT)
Subject: [ISN] Cyber crooks dip into Frost accounts
Message-ID:

http://www.mysanantonio.com/business/stories/MYSA051906.01E.frosttheft.216bbd06.html

William Pack
Express-News Business Writer
05/19/2006

Hackers dipped into the accounts of about 100 Frost Bank customers after they took Visa debit card information from the database of an unnamed national retailer and went on a spending spree, Frost officials said Thursday.

The information system breach compromised credit card accounts with banks across the nation, Frost Bank officials said, although Frost was apparently the only one to acknowledge that it was advising affected customers of the incident.

The bank restored funds to accounts that sustained losses.
"We want our customers to know they have no liability," said Senior Vice President Sharion Scott.

Frost, which is contacting affected customers by letter or phone, did not divulge the amount lost.

A statement from Visa USA said a domestic merchant had notified the company that a data security breach may have compromised Visa card account information. Visa said it alerted affected financial institutions.

The credit-card company did not reveal the number of affected institutions, the retailer involved or the time of the thefts.

In a letter to affected customers, Frost said Visa had advised bank officials that Visa, MasterCard, and other debit and credit card numbers from banks across the country could have been compromised.

Officials at Bank of America, Citigroup and Wachovia said they did not have enough information to comment Thursday.

The incident is lumped in with the burgeoning wave of identity theft that financial institutions are combating. A 2004 Justice Department study said about three of every 100 U.S. households had been recent victims of identity theft.

But in this case, no names, Social Security numbers or other personal identification were taken, Scott said. Visa told the bank that personal identification numbers of credit card customers and account numbers were stolen when a national retailer's database was breached.

The cyber intruders gained access to about 9,300 Frost debit card accounts but used less than 1 percent of them, Scott said. She emphasized that the break-in affected another company's data system, not Frost Bank's.
From isn at c4i.org Fri May 19 03:16:21 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 19 May 2006 02:16:21 -0500 (CDT)
Subject: [ISN] OMB official: Too soon to judge computer security law
Message-ID:

http://www.govexec.com/story_page.cfm?articleid=34111

By David Perera
dperera @ govexec.com
May 18, 2006

The Federal Information Security Management Act isn't old enough for its most effective provisions to prompt great cybersecurity improvements, an Office of Management and Budget official said Thursday.

The act, known as FISMA, took effect in 2002. It called for agencies, over a period of as long as two years, to identify and categorize their information technology systems according to the level of risk that a compromise would pose.

The second phase is implementing security controls based on those risks, a process that's been going on for only 18 to 24 months, said Glenn Schlarman, OMB branch chief for information policy and technology. He spoke Thursday on a breakfast panel sponsored by Government Executive.

The controls phase "is new, and that has never been done anywhere by anyone," Schlarman said. The federal government has "some very strong pockets of security, and some really weak pockets of security," he added.

FISMA lately has been criticized as a paper-based exercise divorced from the real needs of cybersecurity. The law "measures the wrong things, and it measures the wrong things the wrong way," said Bruce Brody, also a panelist at the breakfast. He is a former federal cybersecurity chief and recently became a vice president at INPUT, a Reston, Va.-based government market analysis firm.

The federal government is making little headway in tackling cybersecurity problems, said Alan Paller, the third breakfast panelist and director of research at the SANS Institute, a nonprofit cybersecurity research organization. "In order to make progress, you actually [have] to reduce the problem a little bit, [but] the problem is being made harder," he said.
A chief information security officer in the audience, who asked not to be identified, said FISMA can be effective, depending on how it is implemented. The official cited the process of certification and accreditation of IT systems, saying, "if you want to do C&A the [Defense Department] way, you will not succeed."

The process requires agencies to account for all th